

Configure LDAP

Example Configurations

An example configuration followed by an explanation:

<ldap refreshIntervalMinutes="120" maximumDeletionPercentage="0">
  <ldap-provider
    url="ldap://server.example.com:389/dc=domain,dc=example,dc=com"
    key="username"
    searchFilter="(objectClass=user*)"
    defaultRoles="true"
    adoptUsers="true"
    matchUsersMode="username">
    <ldap-authentication
      type="simple"
      principal="cn=%,ou=example,dc=test,dc=example,dc=com"/>
    <ldap-query-user name="queryuser" credentials="pass"/>
    <ldap-attribute name="username" id="sAMAccountName"/>
    <ldap-attribute name="fullname" id="displayName"/>
    <ldap-attribute name="email" id="mail"/>
    <ldap-ignore id="sAMAccountName" value="XYZ"/>
  </ldap-provider>
  ...
</ldap>

Explanation:

Stages synchronizes with the LDAP provider every 120 minutes (refreshIntervalMinutes="120"). If some Stages users that should have been synchronized cannot be found in LDAP, none of them is deleted (maximumDeletionPercentage="0"). At login, the Stages username is used for authentication against the LDAP provider (key="username"). Every LDAP object whose objectClass attribute starts with the word "user" is a candidate for synchronization (searchFilter="(objectClass=user*)"). All imported users are assigned the default role (defaultRoles="true").

Existing Stages accounts that have not yet been synchronized with LDAP are adopted so that future authentication and synchronization go through the LDAP provider. An account is adopted if the value of the LDAP attribute sAMAccountName matches the Stages username (adoptUsers="true", matchUsersMode="username"); the mapping between the LDAP sAMAccountName and the Stages username is defined by <ldap-attribute name="username" id="sAMAccountName"/>. A template defines how the name used for authentication is built (principal="cn=%,ou=example,dc=test,dc=example,dc=com"); "%" is replaced by the username. The user for the LDAP queries is named "queryuser" and has the password "pass" (<ldap-query-user name="queryuser" credentials="pass"/>).

Further Examples

<ldap refreshIntervalMinutes="1440" maximumDeletionPercentage="0">
  <ldap-provider
    url="ldap://ldap.abc:389/dc=xyzgroup,dc=com"
    ident="ldap_XY_intern"
    key="username"
    defaultRoles="True"
    pageSize="500"
    recursiveSearch="True"
    generateDn="False"
    searchFilter="(&amp;(|(departmentNumber=XY-1)(departmentNumber=XY-2))(mail=*)(sn=*)(objectClass=XYperson))"
    adoptUsers="True"
    matchUsersMode="email">
    <ldap-authentication
      type="simple"
      principal="uid=%,ou=people,dc=xyzgroup,dc=com"
      url="ldap://defg123.abc:3892/dc=com">
      <ldap-query-user
        name="uid=pkit1,ou=people,ou=project users,dc=com"
        credentials="pkit1"/>
    </ldap-authentication>
    <ldap-query-user
      name="cn=pkit1,ou=projects,o=XYZ,dc=xyzgroup,dc=com"
      credentials="projk"/>
    <ldap-attribute name="username" id="uid"/>
    <ldap-attribute name="fullname" id="cn"/>
    <ldap-attribute name="email" id="mail"/>
    <ldap-attribute name="_KEY" id="uid"/>
  </ldap-provider>
</ldap>

<ldap refreshIntervalMinutes="60" maximumDeletionPercentage="50">
  <ldap-provider
    url="ldap://nu2c001:389/dc=auto,dc=abc,dc=com"
    key="fullname"
    defaultRoles="true"
    recursiveSearch="true"
    searchFilter="(&amp;(|(memberOf=CN=ABC-Stages-User,OU=Groups Development,OU=Groups,OU=XYZ,DC=auto,DC=abc,DC=com)(memberOf=CN=ABCD-Stages-W,OU=XYZ_Projekt,OU=ABC-Common,OU=Groups,OU=Nuernberg,DC=auto,DC=abc,DC=com))(objectClass=person))">
    <ldap-authentication
      type="simple"
      principal="cn=%,ou=ServiceAccounts,ou=Users,ou=XYZ,dc=auto,dc=abc,dc=com"/>
    <ldap-query-user name="abc-ldap" credentials="12345"/>
    <ldap-attribute name="username" id="sAMAccountName"/>
    <ldap-attribute name="fullname" id="cn"/>
    <ldap-attribute name="email" id="mail"/>
    <ldap-attribute name="authenticationUsername" id="distinguishedName"/>
  </ldap-provider>
</ldap>
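A small offline checker for <ldap> blocks like the ones above, added here as an example and not part of Stages: it verifies that searchFilter parses as an RFC 4515 filter (a dropped parenthesis in a long memberOf filter is the typical mistake), builds the bind principal from the principal template with the login name escaped per RFC 4514 (so a name such as alice,ou=admins cannot rewrite the DN), and lists the settings a reviewer would question: a plain ldap:// URL with a simple bind, a query-user password stored in the file, and a non-zero maximumDeletionPercentage. The sample configuration embedded in it is constructed from the first example; the page does not say whether Stages escapes the substituted username, so the escaping shows what the authentication path has to guarantee.

```python
"""Offline sanity checks for a Stages <ldap> block (added example, not Stages code)."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample, modelled on the first configuration on this page.
SAMPLE_CONFIG = """<ldap refreshIntervalMinutes="120" maximumDeletionPercentage="0">
  <ldap-provider url="ldap://server.example.com:389/dc=domain,dc=example,dc=com"
      key="username" searchFilter="(objectClass=user*)"
      defaultRoles="true" adoptUsers="true" matchUsersMode="username">
    <ldap-authentication type="simple"
        principal="cn=%,ou=example,dc=test,dc=example,dc=com"/>
    <ldap-query-user name="queryuser" credentials="pass"/>
    <ldap-attribute name="username" id="sAMAccountName"/>
    <ldap-attribute name="fullname" id="displayName"/>
    <ldap-attribute name="email" id="mail"/>
  </ldap-provider>
</ldap>"""

# RFC 4515: filter = "(" ( "&" 1*filter | "|" 1*filter | "!" filter | item ) ")"
# item = attribute, a comparison operator and a value without raw parentheses.
_ITEM = re.compile(r"[A-Za-z][\w.;:-]*(~=|>=|<=|=)[^()]*")


def _parse(f: str, i: int) -> int:
    """Return the index just past the filter starting at f[i], or -1 if malformed."""
    if i >= len(f) or f[i] != "(":
        return -1
    i += 1
    if i >= len(f):
        return -1
    if f[i] in "&|":
        i += 1
        while i < len(f) and f[i] == "(":
            i = _parse(f, i)
            if i < 0:
                return -1
    elif f[i] == "!":
        i = _parse(f, i + 1)
        if i < 0:
            return -1
    else:
        m = _ITEM.match(f, i)
        if not m:
            return -1
        i = m.end()
    if i >= len(f) or f[i] != ")":
        return -1
    return i + 1


def filter_is_well_formed(f: str) -> bool:
    """True if the whole string is exactly one well-formed RFC 4515 filter."""
    return _parse(f, 0) == len(f)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514, section 2.4)."""
    out = []
    last = len(value) - 1
    for idx, c in enumerate(value):
        if c in ',+"\\<>;' or (idx == 0 and c in "# ") or (idx == last and c == " "):
            out.append("\\" + c)
        elif c == "\x00":
            out.append("\\00")
        else:
            out.append(c)
    return "".join(out)


def build_principal(template: str, username: str) -> str:
    """Substitute the login name for '%' in the principal template, escaped as a DN value."""
    return template.replace("%", escape_dn_value(username), 1)


def audit(config_xml: str) -> list:
    """Return review findings for one <ldap> block; an empty list means nothing to flag."""
    findings = []
    root = ET.fromstring(config_xml)
    pct = root.get("maximumDeletionPercentage", "0")
    if pct != "0":
        findings.append(f"maximumDeletionPercentage={pct}: a failed sync may delete up to {pct}% of accounts")
    for prov in root.iter("ldap-provider"):
        url = urlsplit(prov.get("url", ""))
        if url.scheme == "ldap":
            findings.append(f"{url.hostname}: plain ldap:// URL, a simple bind sends passwords unencrypted")
        if not url.path.lstrip("/"):
            findings.append(f"{url.hostname}: URL carries no base DN")
        flt = prov.get("searchFilter", "")
        if not filter_is_well_formed(flt):
            findings.append(f"searchFilter is not a well-formed RFC 4515 filter: {flt}")
        for qu in prov.iter("ldap-query-user"):
            if qu.get("credentials"):
                findings.append(f"query user {qu.get('name')!r} has a plaintext password in the config file")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the third example on this page with its original, unbalanced filter, the checker reports the filter as malformed and the 50% deletion limit; against the first example it reports only the plain ldap:// URL and the stored query-user password.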