72:ldap_ex_config [2018/07/16 15:34] – created bkkr | 72:ldap_ex_config [2024/02/15 00:00] (current) – external edit 127.0.0.1
<code>
<ldap refreshIntervalMinutes="120" maximumDeletionPercentage="5">
  <ldap-provider
    url="ldap://server.example.com:389/dc=domain,dc=example,dc=com"
    key="username"
    defaultRoles="true"
    adoptUsers="true"
    matchUsersMode="username"
    searchFilter="(objectClass=user*)">
    <ldap-authentication
      type="simple"
      principal="cn=%,ou=example,dc=test,dc=example,dc=com"/>
    <ldap-query-user name="queryuser" credentials="pass"/>
    <ldap-attribute name="username" id="sAMAccountName"/>
  </ldap-provider>
</ldap>
</code>

Stages synchronizes with the LDAP provider every 120 minutes (refreshIntervalMinutes="120"). Stages users that should have been synchronized but can no longer be found in LDAP are deleted only up to the limit set by maximumDeletionPercentage: with the value 5, a run that would delete more than 5% of the synchronized users does not carry out the deletions, which protects the user base against a wrong search filter or a temporarily unreachable directory. The Stages username is used to authenticate against the LDAP provider at login (key="username"). Every LDAP object whose objectClass attribute has a value beginning with "user" is a candidate for synchronization (searchFilter="(objectClass=user*)"). All imported users are assigned the default role (defaultRoles="true").

Existing Stages accounts that have not yet been synchronized with LDAP are adopted, so that future authentications and synchronizations of these accounts go through the LDAP provider. An account is adopted if the value of the LDAP attribute sAMAccountName equals the Stages username (adoptUsers="true", matchUsersMode="username"). The mapping between the LDAP attribute sAMAccountName and the Stages username is declared with <ldap-attribute name="username" id="sAMAccountName"/>.

A pattern defines how the DN used for authentication is built (principal="cn=%,ou=example,dc=test,dc=example,dc=com"); "%" is replaced by the username entered at login. A value substituted into a DN or into a search filter has to be escaped (RFC 4514 for DN values, RFC 4515 for filter values), otherwise a login name containing "," or "(" changes the structure of the DN or filter instead of being matched literally.

The account used for the LDAP queries is named "queryuser" and has the password "pass" (<ldap-query-user name="queryuser" credentials="pass"/>). This password is stored in clear text in the configuration file, so the file must be readable only by the Stages service. With type="simple" the bind password also crosses the network in clear text unless the connection to the LDAP server is protected by TLS.

**Further Examples**

//Example//
<code>
<ldap refreshIntervalMinutes="1440" maximumDeletionPercentage="5">
  <ldap-provider url="ldap://ldap.abc:389/dc=xyzgroup,dc=com"
    ident="ldap_XY_intern"
    recursiveSearch="True"
    generateDn="False"
    searchFilter="(&(|(departmentNumber=XY-1)(departmentNumber=XY-2))(mail=*)(sn=*)(objectClass=XYperson))">
  </ldap-provider>
</ldap>
</code>

//Example (the search filter is cut off after the second memberOf)//
<code>
<ldap refreshIntervalMinutes="60" maximumDeletionPercentage="50">
  <ldap-provider
    defaultRoles="true"
    recursiveSearch="true"
    searchFilter="(&(|(memberOf=CN=ABC-Stages-User,OU=Groups Development,OU=Groups,OU=XYZ,DC=auto, DC=abc, DC=com)(memberOf=CN=ABCD-Stages-W, OU=XYZ_Projekt,
  </ldap-provider>
</ldap>
</code>

//Example//
<code>
<ldap refreshIntervalMinutes="60" maximumDeletionPercentage="10">
  <ldap-provider ident="abc.def"
    url="ldap://abc.def:389/dc=abc,dc=def"
    key="authenticationUsername"
    defaultRoles="true"
    recursiveSearch="true"
    adoptUsers="true"
    searchFilter="(memberOf=CN=ABC-Stages,CN=Users,DC=abc,DC=def)">
    <ldap-authentication
      type="simple"
      principal="%"/>
    <ldap-query-user name="CN=XYZ,OU=_pkit_completed,OU=Users,OU=AB-DOMAIN,OU=Compelted,DC=abc,DC=def"
      credentials="12345"/>
    <ldap-attribute name="username" id="sAMAccountName"/>
    <ldap-attribute name="fullname" id="displayName"/>
    <ldap-attribute name="email" id="mail"/>
    <ldap-attribute name="authenticationUsername" id="distinguishedName"/>
  </ldap-provider>
</ldap>
</code>

//Example for "ondemand" synchronization//
<code>
<!-- Configuration for LDAP with on-demand account creation.
     This configuration works with a Microsoft Active Directory server.
     For other servers the attribute names might need to be changed. -->
<!-- Synchronize every Saturday at 03:30 AM -->
<ldap synchronizeCronExpression="0 30 3 ? * SAT" maximumDeletionPercentage="5"
      synchronize="ondemand" synchronizeOnStartup="false">
  <ldap-provider
    url="ldap://LDAPSERVER.com:389/dc=CUSTOMER,dc=com"
    ident="LDAP Primary Ondemand Server"
    key="authenticationUsername"
    defaultRoles="true"
    defaultRolesUsername="default"
    defaultLicenseType="FloatingDev"
    pageSize="500"
    generateDn="false"
    ondemandFilter="(&(sAMAccountName=%)(objectClass=user))"
    recursiveSearch="true">
    <ldap-authentication type="simple" principal="%"/>

    <ldap-attribute name="username" id="sAMAccountName"/>
    <ldap-attribute name="fullname" id="displayName"/>
    <ldap-attribute name="email" id="mail"/>
    <ldap-attribute name="authenticationUsername" id="distinguishedName"/>

    <ldap-query-user name="cn=LDAP Account,ou=Users,dc=CUSTOMER,dc=com" credentials="PASSWORD" />
  </ldap-provider>
</ldap>
</code>
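The two points a reviewer checks in configurations like the ones above, the clear-text items (ldap:// with a simple bind, the query-user password in the file, a high maximumDeletionPercentage) and the substitution of "%" into principal= and ondemandFilter=, as an added Python example. This is not Stages code and not taken from this page: it uses the element and attribute names exactly as the page's examples show them, but the check list, the 10% threshold, the escaping helpers and the constructed sample configuration are the example's own assumptions, and whether Stages itself escapes the substituted login name is not stated on this page. Note that a strict XML parser requires the "&" inside a filter attribute to be written as "&amp;".

```python
"""Checks for a Stages <ldap> configuration (added example; not Stages code).

Element and attribute names follow the examples on this page; the check list,
the thresholds and the escaping helpers are this example's own assumptions."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample in the shape of the page's on-demand example. A strict XML
# parser requires "&amp;" for the "&" inside the filter attribute.
SAMPLE_CONFIG = """\
<ldap synchronizeCronExpression="0 30 3 ? * SAT" maximumDeletionPercentage="5"
      synchronize="ondemand" synchronizeOnStartup="false">
  <ldap-provider url="ldap://LDAPSERVER.com:389/dc=CUSTOMER,dc=com"
      ident="LDAP Primary Ondemand Server" key="authenticationUsername"
      ondemandFilter="(&amp;(sAMAccountName=%)(objectClass=user))"
      recursiveSearch="true">
    <ldap-authentication type="simple" principal="%"/>
    <ldap-attribute name="username" id="sAMAccountName"/>
    <ldap-query-user name="cn=LDAP Account,ou=Users,dc=CUSTOMER,dc=com"
                     credentials="PASSWORD"/>
  </ldap-provider>
</ldap>
"""

# RFC 4515: characters that change the structure of a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value that is substituted into a search filter."""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def escape_dn_value(value: str) -> str:
    """Escape a value that becomes one attribute value inside a DN (RFC 4514)."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out[:1] in ("#", " "):          # leading '#' and leading space
        out = "\\" + out
    if out.endswith(" "):              # trailing space
        out = out[:-1] + "\\ "
    return out


def on_demand_filter(template: str, username: str) -> str:
    """Replace "%" in ondemandFilter with the escaped login name."""
    return template.replace("%", escape_filter_value(username))


def naive_on_demand_filter(template: str, username: str) -> str:
    """The unsafe variant: the login name is pasted in verbatim."""
    return template.replace("%", username)


def render_principal(template: str, username: str, whole_dn: bool = False) -> str:
    """Build the bind DN from principal=. With principal="%" the value is
    already a full DN (authenticationUsername = distinguishedName) and must
    not be escaped; with "cn=%,..." it is one RDN value and must be."""
    return template.replace("%", username if whole_dn else escape_dn_value(username))


def lint(config_xml: str) -> list:
    """Return the findings a reviewer would raise for this configuration."""
    findings = []
    root = ET.fromstring(config_xml)
    pct = root.get("maximumDeletionPercentage")
    if pct is not None and int(pct) > 10:  # 10% is this example's own threshold
        findings.append(f"maximumDeletionPercentage={pct} lets one run delete more than 10% of the users")
    for prov in root.iter("ldap-provider"):
        name = prov.get("ident") or prov.get("url", "?")
        auth = prov.find("ldap-authentication")
        bind_type = auth.get("type") if auth is not None else None
        if urlsplit(prov.get("url", "")).scheme == "ldap" and bind_type == "simple":
            findings.append(f"{name}: simple bind over ldap:// sends passwords in clear text; use TLS")
        query_user = prov.find("ldap-query-user")
        if query_user is not None and query_user.get("credentials"):
            findings.append(f"{name}: query-user password is stored in the configuration; restrict file access")
        for attr in ("searchFilter", "ondemandFilter"):
            if "%" in (prov.get(attr) or ""):
                findings.append(f"{name}: {attr} substitutes the login name; it must be RFC 4515 escaped")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("-", finding)
    template = "(&(sAMAccountName=%)(objectClass=user))"
    hostile = "*)(objectClass=*"
    print("naive  :", naive_on_demand_filter(template, hostile))
    print("escaped:", on_demand_filter(template, hostile))
```

Run against the sample, lint() reports the clear-text simple bind, the stored query-user password and the "%" in ondemandFilter. The two renderings of the hostile login name show why the escaping matters: pasted in verbatim, "*)(objectClass=*" turns the on-demand filter into one that matches every user object, while the escaped form keeps it as a literal sAMAccountName value.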