72:ldap_ex_config [2018/07/16 15:37] bkkr72:ldap_ex_config [2024/02/15 00:00] (current) – external edit 127.0.0.1
Line 6: Line 6:
  
 <code> <code>
-<ldap refreshIntervalMinutes="120" maximumDeletionPercentage="0">+ 
 +<ldap refreshIntervalMinutes="120" maximumDeletionPercentage="5">
  <ldap-provider  <ldap-provider
  url=ldap://server.example.com:389/dc=domain,dc=example,dc=com  url=ldap://server.example.com:389/dc=domain,dc=example,dc=com
Line 13: Line 14:
  defaultRoles="true"  defaultRoles="true"
  adoptUsers="true"  adoptUsers="true"
- matchUsersMode="username" + matchUsersMode="username"> 
->+
  <ldap-authentication  <ldap-authentication
  type="simple"  type="simple"
Line 32: Line 33:
 Stages synchronizes every 120 minutes with the LDAP-provider. Of all Stages users that should have been synchronized, but could not, none is deleted. The Stages username is used for authentication with the LDAP-provider at the login (key="username"). Every LDAP-object where the attribute “objectClass“ starts with the word “user“ is a candidate for synchronization (searchFilter="(objectClass=user*)"). All imported users are assigned to the default role. Stages synchronizes every 120 minutes with the LDAP-provider. Of all Stages users that should have been synchronized, but could not, none is deleted. The Stages username is used for authentication with the LDAP-provider at the login (key="username"). Every LDAP-object where the attribute “objectClass“ starts with the word “user“ is a candidate for synchronization (searchFilter="(objectClass=user*)"). All imported users are assigned to the default role.
  
-Existing Stages accounts that have not been synchronized with LDAP yet are adapted so that future authentications/synchronizations will be done via the LDAP-provider. These accounts are adapted, if the value of the attribute sAMAccountName matches the Stages username (adoptUsers="true", matchUsersMode="username"). Further on the mapping between the LDAP sAMAccountName and the Stages username is defined (<ldap-attribute +Existing Stages accounts that have not been synchronized with LDAP yet are adapted so that future authentications/synchronizations will be done via the LDAP-provider. These accounts are adapted, if the value of the attribute sAMAccountName matches the Stages username (adoptUsers="true", matchUsersMode="username"). Further on the mapping between the LDAP sAMAccountName and the Stages username is defined (<ldap-attribute name="username" id="sAMAccountName"/>). 
-name="username" id="sAMAccountName"/>).+ 
 +A schema defines how the name for the authentication is build (principal="cn=%,ou=example,dc=test,dc=example,dc=com"). “%“ will be replaced by “username“. 
 + 
 +The user for the LDAP-queries is named “queryuser“ and has the password "pass“ (<ldap-query-user name="queryuser" credentials="pass"/>). 
 + 
 +**Further Examples ** 
 + 
 +//Example// 
 +<code> 
 +<ldap refreshIntervalMinutes="1440" maximumDeletionPercentage="5"> 
 +<ldap-provider url="ldap://ldap.abc:389/dc=xyzgroup,dc=com" 
 +ident="ldap_XY_intern" 
 +key="username" 
 +defaultRoles="True" 
 +pageSize="500" 
 +recursiveSearch="True" 
 +generateDn="False" 
 +searchFilter="(&(|(departmentNumber=XY-1) 
 + (departmentNumber=XY-2)) 
 + (mail=*)(sn=*)(objectClass=XYperson))" 
 +adoptUsers="True" 
 +matchUsersMode="email"> 
 +<ldap-authentication 
 +type="simple" 
 +principal="uid=%,ou=people,dc=xyzgroup,dc=com" 
 +url="ldap://defg123.abc:3892/dc=com"> 
 +<ldap-query-user 
 +name="uid=pkit1,ou=people,ou=project users,dc=com" 
 + credentials="pkit1"/> 
 + </ldap-authentication> 
 + <ldap-query-user 
 + name="cn=pkit1,ou=projects,o=XYZ,dc=xyzgroup,dc=com" 
 + credentials="projk"/> 
 + <ldap-attribute name="username" id="uid"/> 
 + <ldap-attribute name="fullname" id="cn"/> 
 + <ldap-attribute name="email" id="mail"/> 
 + <ldap-attribute name="_KEY" id="uid"/> 
 +</ldap-provider> 
 +</ldap> 
 +</code> 
 + 
 +//Example// 
 +<code> 
 +<ldap refreshIntervalMinutes="60" maximumDeletionPercentage="50"> 
 + <ldap-provider 
 +url="ldap://nu2c001:389/dc=auto,dc=abc,dc=com" 
 +key="fullname" 
 +defaultRoles="true" 
 +recursiveSearch="true" 
 +searchFilter="(&(|(memberOf=CN=ABC-Stages-User, 
 +OU=Groups Development,OU=Groups,OU=XYZ,DC=auto, DC=abc, 
 +DC=com)(memberOf=CN=ABCD-Stages-W, OU=XYZ_Projekt, 
 +OU=ABC-Common,OU=Groups,OU=Nuernberg,DC=auto,DC=abc, 
 +DC=com)objectClass=person))"> 
 +<ldap-authentication 
 +type="simple" 
 +principal="cn=%,ou=ServiceAccounts,ou=Users,ou=XYZ, 
 + dc=auto,dc=abc,dc=com"/> 
 +<ldap-query-user name="abc-ldap" credentials="12345"/> 
 +<ldap-attribute name="username" id="sAMAccountName"/> 
 +<ldap-attribute name="fullname" id="cn"/> 
 +<ldap-attribute name="email" id="mail"/> 
 +<ldap-attribute name="authenticationUsername" 
 + id="distinguishedName"/> 
 + </ldap-provider> 
 +</ldap> 
 +</code> 
 + 
 +//Example// 
 +<code> 
 +<ldap refreshIntervalMinutes="60" maximumDeletionPercentage="10"> 
 + <ldap-provider ident="abc.def" 
 + url="ldap:// abc.def:389/dc=abc,dc=def" 
 +key="authenticationUsername" 
 +defaultRoles="true" 
 +recursiveSearch="true" 
 +adoptUsers="true" 
 +searchFilter="(memberOf=CN=ABC-Stages,CN=Users,DC=abc, 
 + DC=def)"> 
 + <ldap-authentication 
 +type="simple" 
 +principal="%"/> 
 +<ldap-query-user name="CN=XYZ,OU=_pkit_completed,OU=Users, 
 + OU=AB-DOMAIN,OU=Compelted,DC=abc,DC=def" 
 + credentials="12345"/> 
 +<ldap-attribute name="username" id="sAMAccountName"/> 
 +<ldap-attribute name="fullname" id="displayName"/> 
 +<ldap-attribute name="email" id="mail"/> 
 +<ldap-attribute name="authenticationUsername" 
 + id="distinguishedName"/> 
 + </ldap-provider> 
 +</ldap> 
 +</code> 
 + 
 +//Example for "ondemand" synchronization// 
 +<code> 
 +    <!-- Configuration for LDAP with Ondemand Account Creation. 
 +         This config works with an MS Active Directory server. 
 +         For other servers, the attribute names might need to be changed. --> 
 +          <!-- Synchronize every Saturday 03:30AM --> 
 +    <ldap synchronizeCronExpression="0 30 3 ? * SAT" maximumDeletionPercentage="5" 
 +          synchronize="ondemand" synchronizeOnStartup="false"> 
 +        <ldap-provider 
 +                    url="ldap://LDAPSERVER.com:389/dc=CUSTOMER,dc=com" 
 +                    ident="LDAP Primary Ondemand Server" 
 +                    key="authenticationUsername" 
 +                    defaultRoles="true" 
 +                    defaultRolesUsername="default" 
 +                    defaultLicenseType="FloatingDev" 
 +                    pageSize="500" 
 +                    generateDn="false" 
 +                    ondemandFilter="(&amp;(sAMAccountName=%)(objectClass=user))" 
 +                    recursiveSearch="true"> 
 +                    <ldap-authentication type="simple" principal="%"/> 
 + 
 +                    <ldap-attribute name="username" id="sAMAccountName"/> 
 +                    <ldap-attribute name="fullname" id="displayName"/> 
 +                    <ldap-attribute name="email" id="mail"/> 
 +                    <ldap-attribute name="authenticationUsername" id="distinguishedName"/> 
 + 
 +                    <ldap-query-user name="cn=LDAP Account,ou=Users,dc=CUSTOMER,dc=com" credentials="PASSWORD" /> 
 +            </ldap-provider> 
 +    </ldap> 
 +</code>
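Review bot: The explanatory paragraph that begins "Stages synchronizes every 120 minutes" still states that of the users that could not be synchronized "none is deleted", but the example it describes now sets `maximumDeletionPercentage="5"` where the old revision had `0`, so the sentence should be updated to match, e.g. `Of all Stages users that should have been synchronized, but could not, at most 5% are deleted per run.` (assuming that is what the attribute bounds; the later example with `maximumDeletionPercentage="50"` deserves a warning that a partial or broken sync could then remove half of the user base). Every added example binds with `type="simple"` over plain `ldap://` on port 389 and stores the query user's password in cleartext (`credentials="pass"`, `credentials="12345"`, `credentials="PASSWORD"`); readers copying these would benefit from a note that a simple bind sends the password unencrypted on the wire, that `ldaps://` or StartTLS should be used where the server and Stages support it, and that the configuration file must be readable only by the Stages service account. The second example's filter ends in `DC=com)objectClass=person))`, which is missing the opening parenthesis before `objectClass=person` (it should read `DC=com)(objectClass=person))`), the bare `&` in the first two `searchFilter` values should be `&amp;` inside an XML attribute as the ondemand example already does, and `ldap:// abc.def:389` in the third example has a stray space after the scheme. Finally, `%` in `principal` and `ondemandFilter` is replaced with the login name typed by the user, so unless Stages escapes that value per RFC 4515/4514 a caveat should say so, since an unescaped substitution into `(&amp;(sAMAccountName=%)(objectClass=user))` is an LDAP filter injection point reachable from the login form.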