Differences

This shows you the differences between two versions of the page.

72:ldap_ex_config [2018/07/16 15:34] – created bkkr
72:ldap_ex_config [2024/02/15 00:00] (current) – external edit 127.0.0.1
Line 6: Line 6:
  
 <code> <code>
-<ldap refreshIntervalMinutes="120" maximumDeletionPercentage="0">+ 
 +<ldap refreshIntervalMinutes="120" maximumDeletionPercentage="5">
  <ldap-provider  <ldap-provider
  url=ldap://server.example.com:389/dc=domain,dc=example,dc=com  url=ldap://server.example.com:389/dc=domain,dc=example,dc=com
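Review bot: changing maximumDeletionPercentage from "0" to "5" on the opening `<ldap` line alters the behaviour this example is meant to illustrate, and the explanatory text further down (line 32/33) still says that of the users that could not be synchronized "none is deleted", which only holds for 0; either keep 0 here or update that sentence so example and explanation agree. Also, the url attribute of `<ldap-provider` is unquoted (`url=ldap://server.example.com:389/dc=domain,dc=example,dc=com`), which is not well-formed XML; quote it as `url="ldap://server.example.com:389/dc=domain,dc=example,dc=com"` as the later examples do. The added empty `+` line before `<ldap` is harmless but unnecessary.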
Line 13: Line 14:
  defaultRoles="true"  defaultRoles="true"
  adoptUsers="true"  adoptUsers="true"
- matchUsersMode="username" + matchUsersMode="username"> 
- >+
  <ldap-authentication  <ldap-authentication
  type="simple"  type="simple"
Line 32: Line 33:
 Stages synchronizes every 120 minutes with the LDAP-provider. Of all Stages users that should have been synchronized, but could not, none is deleted. The Stages username is used for authentication with the LDAP-provider at the login (key="username"). Every LDAP-object where the attribute “objectClass“ starts with the word “user“ is a candidate for synchronization (searchFilter="(objectClass=user*)"). All imported users are assigned to the default role. Stages synchronizes every 120 minutes with the LDAP-provider. Of all Stages users that should have been synchronized, but could not, none is deleted. The Stages username is used for authentication with the LDAP-provider at the login (key="username"). Every LDAP-object where the attribute “objectClass“ starts with the word “user“ is a candidate for synchronization (searchFilter="(objectClass=user*)"). All imported users are assigned to the default role.
  
-Existing Stages accounts that have not been synchronized with LDAP yet are adapted so that future authentications/synchronizations will be done via the LDAP-provider. These accounts are adapted, if the value of the attribute sAMAccountName matches the Stages username (adoptUsers="true", matchUsersMode="username"). Further on the mapping between the LDAP sAMAccountName and the Stages username is defined ((<ldap-attributename="username" id="sAMAccountName"/>).+Existing Stages accounts that have not been synchronized with LDAP yet are adapted so that future authentications/synchronizations will be done via the LDAP-provider. These accounts are adapted, if the value of the attribute sAMAccountName matches the Stages username (adoptUsers="true", matchUsersMode="username"). Further on the mapping between the LDAP sAMAccountName and the Stages username is defined (<ldap-attribute name="username" id="sAMAccountName"/>).
  
 A schema defines how the name for the authentication is build (principal="cn=%,ou=example,dc=test,dc=example,dc=com"). “%“ will be replaced by “username“. A schema defines how the name for the authentication is build (principal="cn=%,ou=example,dc=test,dc=example,dc=com"). “%“ will be replaced by “username“.
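Review bot: the correction of `((<ldap-attributename="username" ...` to `(<ldap-attribute name="username" id="sAMAccountName"/>)` is right, but the sentence "Of all Stages users that should have been synchronized, but could not, none is deleted" no longer matches the example above once it carries maximumDeletionPercentage="5"; one of the two should change. Two wording points in the same lines: "how the name for the authentication is build" should read "is built", and the principal explanation would be clearer as "the `%` placeholder in principal="cn=%,ou=example,dc=test,dc=example,dc=com" is replaced by the Stages username", since `%` is a substitution marker rather than a literal part of the DN.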
Line 38: Line 39:
 The user for the LDAP-queries is named “queryuser“ and has the password "pass“ (<ldap-query-user name="queryuser" credentials="pass"/>). The user for the LDAP-queries is named “queryuser“ and has the password "pass“ (<ldap-query-user name="queryuser" credentials="pass"/>).
  
-**Further Examples**+**Further Examples ** 
 + 
 +//Example//
 <code> <code>
-<ldap refreshIntervalMinutes="1440" maximumDeletionPercentage="0">+<ldap refreshIntervalMinutes="1440" maximumDeletionPercentage="5">
 <ldap-provider url="ldap://ldap.abc:389/dc=xyzgroup,dc=com" <ldap-provider url="ldap://ldap.abc:389/dc=xyzgroup,dc=com"
 ident="ldap_XY_intern" ident="ldap_XY_intern"
Line 48: Line 51:
 recursiveSearch="True" recursiveSearch="True"
 generateDn="False" generateDn="False"
-searchFilter="(&amp;(|(departmentNumber=XY-1)+searchFilter="(&(|(departmentNumber=XY-1)
  (departmentNumber=XY-2))  (departmentNumber=XY-2))
  (mail=*)(sn=*)(objectClass=XYperson))"  (mail=*)(sn=*)(objectClass=XYperson))"
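Review bot: replacing `&amp;` with a bare `&` in `searchFilter="(&(|(departmentNumber=XY-1)` makes the attribute value ill-formed XML: `&` must be written as `&amp;` inside an attribute, and the configuration parser will reject the file before any LDAP query runs. The old `&amp;` form was correct (after XML unescaping the filter the server sees is `(&(|(departmentNumber=XY-1)...`), and the "ondemand" example added further down keeps `&amp;` in its ondemandFilter, so this change should be reverted. Separately, maximumDeletionPercentage again moves from "0" to "5" in this example, which changes how many accounts a failed synchronization run may remove; if that is intended, say so above the block.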
Line 72: Line 75:
 </code> </code>
  
 +//Example//
 <code> <code>
 <ldap refreshIntervalMinutes="60" maximumDeletionPercentage="50"> <ldap refreshIntervalMinutes="60" maximumDeletionPercentage="50">
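Review bot: the `//Example//` label is fine, but maximumDeletionPercentage="50" on the `<ldap` line of this example is far more permissive than the 5 and 10 used in the other examples on this page: a partially failing LDAP query (wrong filter, unreachable replica, expired query-user password) could remove up to half of the synchronized Stages accounts in a single run. If the value is deliberate, a one-line remark above the block explaining why would help readers; otherwise lower it to match the other examples.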
Line 79: Line 83:
 defaultRoles="true" defaultRoles="true"
 recursiveSearch="true" recursiveSearch="true"
-searchFilter="(&amp;(|(memberOf=CN=ABC-Stages-User,+searchFilter="(&(|(memberOf=CN=ABC-Stages-User,
 OU=Groups Development,OU=Groups,OU=XYZ,DC=auto, DC=abc, OU=Groups Development,OU=Groups,OU=XYZ,DC=auto, DC=abc,
 DC=com)(memberOf=CN=ABCD-Stages-W, OU=XYZ_Projekt, DC=com)(memberOf=CN=ABCD-Stages-W, OU=XYZ_Projekt,
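Review bot: same problem as in the previous example: the bare `&` in `searchFilter="(&(|(memberOf=CN=ABC-Stages-User,` is not valid inside an XML attribute value and will break parsing of the whole file; keep `&amp;`. The spaces after the commas in `DC=auto, DC=abc, DC=com` are tolerated by DN syntax but differ from the spelling used in the other examples; normalising them avoids confusion when the filter is copied.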
Line 96: Line 100:
  </ldap-provider>  </ldap-provider>
 </ldap> </ldap>
 +</code>
 +
 +//Example//
 +<code>
 +<ldap refreshIntervalMinutes="60" maximumDeletionPercentage="10">
 + <ldap-provider ident="abc.def"
 + url="ldap:// abc.def:389/dc=abc,dc=def"
 +key="authenticationUsername"
 +defaultRoles="true"
 +recursiveSearch="true"
 +adoptUsers="true"
 +searchFilter="(memberOf=CN=ABC-Stages,CN=Users,DC=abc,
 + DC=def)">
 + <ldap-authentication
 +type="simple"
 +principal="%"/>
 +<ldap-query-user name="CN=XYZ,OU=_pkit_completed,OU=Users,
 + OU=AB-DOMAIN,OU=Compelted,DC=abc,DC=def"
 + credentials="12345"/>
 +<ldap-attribute name="username" id="sAMAccountName"/>
 +<ldap-attribute name="fullname" id="displayName"/>
 +<ldap-attribute name="email" id="mail"/>
 +<ldap-attribute name="authenticationUsername"
 + id="distinguishedName"/>
 + </ldap-provider>
 +</ldap>
 +</code>
 +
 +//Example for "ondemand" synchronization//
 +<code>
 +    <!-- Configuration for LDAP with Ondemand Account Creation.
 +         This config works with an MS Active Directory server.
 +         For other servers, the attribute names might need to be changed. -->
 +          <!-- Synchronize every Saturday 03:30AM -->
 +    <ldap synchronizeCronExpression="0 30 3 ? * SAT" maximumDeletionPercentage="5"
 +          synchronize="ondemand" synchronizeOnStartup="false">
 +        <ldap-provider
 +                    url="ldap://LDAPSERVER.com:389/dc=CUSTOMER,dc=com"
 +                    ident="LDAP Primary Ondemand Server"
 +                    key="authenticationUsername"
 +                    defaultRoles="true"
 +                    defaultRolesUsername="default"
 +                    defaultLicenseType="FloatingDev"
 +                    pageSize="500"
 +                    generateDn="false"
 +                    ondemandFilter="(&amp;(sAMAccountName=%)(objectClass=user))"
 +                    recursiveSearch="true">
 +                    <ldap-authentication type="simple" principal="%"/>
 +
 +                    <ldap-attribute name="username" id="sAMAccountName"/>
 +                    <ldap-attribute name="fullname" id="displayName"/>
 +                    <ldap-attribute name="email" id="mail"/>
 +                    <ldap-attribute name="authenticationUsername" id="distinguishedName"/>
 +
 +                    <ldap-query-user name="cn=LDAP Account,ou=Users,dc=CUSTOMER,dc=com" credentials="PASSWORD" />
 +            </ldap-provider>
 +    </ldap>
 </code> </code>
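Review bot: in the third example `url="ldap:// abc.def:389/dc=abc,dc=def"` contains a stray space after `ldap://`, which makes the URL invalid; remove it. `OU=Compelted` in the query-user DN looks like a typo for `Completed` unless that is the real OU name, and `credentials="12345"` / `credentials="PASSWORD"` should be marked as placeholders, since the query-user password is stored in clear text in this file and the file therefore needs restrictive permissions. The ondemand example correctly keeps `&amp;` in `ondemandFilter="(&amp;(sAMAccountName=%)(objectClass=user))"`, unlike the edits to the two earlier filters. All examples combine `ldap://` on port 389 with `type="simple"`; a simple bind over an unencrypted connection sends the query-user password and every user's login password in clear on the network, so the page should note that an encrypted connection (ldaps, or StartTLS if the product supports it) is expected in production.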