| Both sides previous revisionPrevious revisionNext revision | Previous revisionLast revisionBoth sides next revision |
| 72:ldap_ex_config [2018/07/16 15:37] – bkkr | 72:ldap_ex_config [2019/11/15 11:14] – [Example Configurations] etea |
|---|
| |
| <code> | <code> |
| <ldap refreshIntervalMinutes="120" maximumDeletionPercentage="0"> | |
| | <ldap refreshIntervalMinutes="120" maximumDeletionPercentage="5"> |
| <ldap-provider | <ldap-provider |
| url=ldap://server.example.com:389/dc=domain,dc=example,dc=com | url=ldap://server.example.com:389/dc=domain,dc=example,dc=com |
| defaultRoles="true" | defaultRoles="true" |
| adoptUsers="true" | adoptUsers="true" |
| matchUsersMode="username" | matchUsersMode="username"> |
| > | |
| <ldap-authentication | <ldap-authentication |
| type="simple" | type="simple" |
| Stages synchronizes every 120 minutes with the LDAP-provider. Of all Stages users that should have been synchronized, but could not, none is deleted. The Stages username is used for authentication with the LDAP-provider at the login (key="username"). Every LDAP-object where the attribute “objectClass“ starts with the word “user“ is a candidate for synchronization (searchFilter="(objectClass=user*)"). All imported users are assigned to the default role. | Stages synchronizes every 120 minutes with the LDAP-provider. Of all Stages users that should have been synchronized, but could not, none is deleted. The Stages username is used for authentication with the LDAP-provider at the login (key="username"). Every LDAP-object where the attribute “objectClass“ starts with the word “user“ is a candidate for synchronization (searchFilter="(objectClass=user*)"). All imported users are assigned to the default role. |
| |
| Existing Stages accounts that have not been synchronized with LDAP yet are adapted so that future authentications/synchronizations will be done via the LDAP-provider. These accounts are adapted, if the value of the attribute sAMAccountName matches the Stages username (adoptUsers="true", matchUsersMode="username"). Further on the mapping between the LDAP sAMAccountName and the Stages username is defined (<ldap-attribute | Existing Stages accounts that have not been synchronized with LDAP yet are adapted so that future authentications/synchronizations will be done via the LDAP-provider. These accounts are adapted, if the value of the attribute sAMAccountName matches the Stages username (adoptUsers="true", matchUsersMode="username"). Further on the mapping between the LDAP sAMAccountName and the Stages username is defined (<ldap-attribute name="username" id="sAMAccountName"/>). |
| name="username" id="sAMAccountName"/>). | |
| | A schema defines how the name for the authentication is build (principal="cn=%,ou=example,dc=test,dc=example,dc=com"). “%“ will be replaced by “username“. |
| | |
| | The user for the LDAP-queries is named “queryuser“ and has the password "pass“ (<ldap-query-user name="queryuser" credentials="pass"/>). |
| | |
| | **Further Examples ** |
| | |
| | //Example// |
| | <code> |
| | <ldap refreshIntervalMinutes="1440" maximumDeletionPercentage="5"> |
| | <ldap-provider url="ldap://ldap.abc:389/dc=xyzgroup,dc=com" |
| | ident="ldap_XY_intern" |
| | key="username" |
| | defaultRoles="True" |
| | pageSize="500" |
| | recursiveSearch="True" |
| | generateDn="False" |
| | searchFilter="(&(|(departmentNumber=XY-1) |
| | (departmentNumber=XY-2)) |
| | (mail=*)(sn=*)(objectClass=XYperson))" |
| | adoptUsers="True" |
| | matchUsersMode="email"> |
| | <ldap-authentication |
| | type="simple" |
| | principal="uid=%,ou=people,dc=xyzgroup,dc=com" |
| | url="ldap://defg123.abc:3892/dc=com"> |
| | <ldap-query-user |
| | name="uid=pkit1,ou=people,ou=project users,dc=com" |
| | credentials="pkit1"/> |
| | </ldap-authentication> |
| | <ldap-query-user |
| | name="cn=pkit1,ou=projects,o=XYZ,dc=xyzgroup,dc=com" |
| | credentials="projk"/> |
| | <ldap-attribute name="username" id="uid"/> |
| | <ldap-attribute name="fullname" id="cn"/> |
| | <ldap-attribute name="email" id="mail"/> |
| | <ldap-attribute name="_KEY" id="uid"/> |
| | </ldap-provider> |
| | </ldap> |
| | </code> |
| | |
| | //Example// |
| | <code> |
| | <ldap refreshIntervalMinutes="60" maximumDeletionPercentage="50"> |
| | <ldap-provider |
| | url="ldap://nu2c001:389/dc=auto,dc=abc,dc=com" |
| | key="fullname" |
| | defaultRoles="true" |
| | recursiveSearch="true" |
| | searchFilter="(&(|(memberOf=CN=ABC-Stages-User, |
| | OU=Groups Development,OU=Groups,OU=XYZ,DC=auto, DC=abc, |
| | DC=com)(memberOf=CN=ABCD-Stages-W, OU=XYZ_Projekt, |
| | OU=ABC-Common,OU=Groups,OU=Nuernberg,DC=auto,DC=abc, |
| | DC=com)objectClass=person))"> |
| | <ldap-authentication |
| | type="simple" |
| | principal="cn=%,ou=ServiceAccounts,ou=Users,ou=XYZ, |
| | dc=auto,dc=abc,dc=com"/> |
| | <ldap-query-user name="abc-ldap" credentials="12345"/> |
| | <ldap-attribute name="username" id="sAMAccountName"/> |
| | <ldap-attribute name="fullname" id="cn"/> |
| | <ldap-attribute name="email" id="mail"/> |
| | <ldap-attribute name="authenticationUsername" |
| | id="distinguishedName"/> |
| | </ldap-provider> |
| | </ldap> |
| | </code> |
| | |
| | //Example// |
| | <code> |
| | <ldap refreshIntervalMinutes="60" maximumDeletionPercentage="10"> |
| | <ldap-provider ident="abc.def" |
| | url="ldap:// abc.def:389/dc=abc,dc=def" |
| | key="authenticationUsername" |
| | defaultRoles="true" |
| | recursiveSearch="true" |
| | adoptUsers="true" |
| | searchFilter="(memberOf=CN=ABC-Stages,CN=Users,DC=abc, |
| | DC=def)"> |
| | <ldap-authentication |
| | type="simple" |
| | principal="%"/> |
| | <ldap-query-user name="CN=XYZ,OU=_pkit_completed,OU=Users, |
| | OU=AB-DOMAIN,OU=Compelted,DC=abc,DC=def" |
| | credentials="12345"/> |
| | <ldap-attribute name="username" id="sAMAccountName"/> |
| | <ldap-attribute name="fullname" id="displayName"/> |
| | <ldap-attribute name="email" id="mail"/> |
| | <ldap-attribute name="authenticationUsername" |
| | id="distinguishedName"/> |
| | </ldap-provider> |
| | </ldap> |
| | </code> |
| | |
| | //Example for "ondemand" synchronization// |
| | <code> |
| | <!-- Configuration for LDAP with Ondemand Account Creation. |
| | This config works with an MS Active Directory server. |
| | For other servers, the attribute names might need to be changed. --> |
| | <!-- Synchronize every Saturday 03:30AM --> |
| | <ldap synchronizeCronExpression="0 30 3 ? * SAT" maximumDeletionPercentage="5" |
| | synchronize="ondemand" synchronizeOnStartup="false"> |
| | <ldap-provider |
| | url="ldap://LDAPSERVER.com:389/dc=CUSTOMER,dc=com" |
| | ident="LDAP Primary Ondemand Server" |
| | key="authenticationUsername" |
| | defaultRoles="true" |
| | defaultRolesUsername="default" |
| | defaultLicenseType="FloatingDev" |
| | pageSize="500" |
| | generateDn="false" |
| | ondemandFilter="(&(sAMAccountName=%)(objectClass=user))" |
| | recursiveSearch="true"> |
| | <ldap-authentication type="simple" principal="%"/> |
| | |
| | <ldap-attribute name="username" id="sAMAccountName"/> |
| | <ldap-attribute name="fullname" id="displayName"/> |
| | <ldap-attribute name="email" id="mail"/> |
| | <ldap-attribute name="authenticationUsername" id="distinguishedName"/> |
| | |
| | <ldap-query-user name="cn=LDAP Account,ou=Users,dc=CUSTOMER,dc=com" credentials="PASSWORD" /> |
| | </ldap-provider> |
| | </ldap> |
| | </code> |
| |
| |