Differences

Last revision
72:ldap_hints [2018/07/16 16:00] – created bkkr
Line 1: Line 1:
 +[[:72:ldap|LDAP Configuration]]
 +
 +====== Hints for Specific LDAP Server Products ======
 +
 +=== Microsoft Active Directory Server (ADS) ===
 +
 +When the standard ADS layout is used by the ADS administrator, user entries can be found in the “<font inherit/Courier New,Courier,monospace;;inherit;;inherit>CN=Users</font>“ part of the directory. For larger organizations, this section is normally divided into different subsections to increase scalability and manageability.
 +
 +If the standard ADS attributes are used, the following mapping can be used.
 +
 +^Stages Attribute Name^ADS Attribute Name|
 +|username |sAMAccountName|
 +|fullname|displayName|
 +|authenicationUsername|distinguishedName|
 +
 +No standard attribute name exists for the e-mail address. Please use the LDAP browser to find out the attribute name valid for your installation.
 +
 +ADS provides the LDAP distinguished name via the “distinguishedName“ attribute. Therefore, if the above mapping of the attribute is used, the key attribute of the ldap-provider statement can be set to “authenticationUsername“ and the principal attribute of the ldap-authentication statement can be set to “%“.
 +
 +By default, ADS does not allow anonymous bindings. Therefore a user with readonly access to the directory is required. The account name and password of this user must be configured with the ldap-query-user statement. The login times for this user should not be limited.
 +
 +ADS per default allows the retrieval of 1000 entries per query. To fully explore this potential, set the pageSize attribute of the ldap-provider statement to “1000“.
 +
 +A sample configuration for a Microsoft Active Directory Server is as follows (italic: customer specific data):
 +
 +<code>
 +<ldap-provider
 +url="ldap://ADSSERVER:389/cn=Users,dc=YOURDC,dc=COMPANY,dc=com"
 +ident="Your Microsoft ADS Server Number 1"
 +key="authenticationUsername"
 +defaultRoles="true"
 +pageSize="1000">
 +<ldap-query-user name="LDAP_DN_OF_USER" credentials="PASSWORD"/>
 +<ldap-authentication type="simple" principal="%" />
 +<ldap-attribute name=„username“ id=„sAMAccountName“ />
 +<ldap-attribute name=„fullname“ id=„displayName“ />
 +<ldap-attribute name=„email“ id=„YOUR_EMAIL_ATTRIBUTE“ />
 +<ldap-attribute name=„authenticationUsername“
 + id=„distinguishedName“ />
 +</ldap-provider>
 +</code>
 +
 +=== OpenLDAP ===
 +
 +If the standard OpenLDAP attributes are used, the following mapping can be used.
 +
 +^Stages Attribute Name^Schema Attribute Name|
 +|username |uid|
 +|fullname|cd|
 +
 +No standard attribute names exists for the e-mail address. Please use the LDAP browser to find out the e-mail attribute name valid for your installation.
 +
 +Per default, OpenLDAP does not provide the LDAP distinguished name in each entry. To enable authentication via the distinguished name
 +
 +  * set the generateDn attribute of the ldap-provider statement to “true“
 +  * set the key attribute of the ldap-provider statement to “authenticationUsername“
 +  * set the principal attribute of the ldap-authentication statement to “%“
 +
 +\\
 +
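Review bot: the ADS sample configuration inside the `<code>` block will not load as written, because the `<ldap-attribute>` lines use typographic quotes (`name=„username“ id=„sAMAccountName“`) instead of ASCII double quotes, which makes the fragment ill-formed XML; they should read `<ldap-attribute name="username" id="sAMAccountName" />` like the `<ldap-query-user>` and `<ldap-authentication>` lines above them. Two mapping tables also disagree with the prose: the ADS table lists the Stages attribute as `authenicationUsername` while the text, the `key="authenticationUsername"` attribute and the last `<ldap-attribute>` all use `authenticationUsername`, so the key lookup would fail against a name that is never defined; and the OpenLDAP table maps `fullname` to `cd`, which is not a standard schema attribute (the common-name attribute is `cn`). Finally, the sample URL `ldap://ADSSERVER:389` is plain, unencrypted LDAP: the `credentials="PASSWORD"` of the query user and every simple-bind password sent with `type="simple"` would cross the network in clear, so the hint should point to an `ldaps://` URL (or StartTLS) where the provider supports it, and should state that the readonly query account needs no rights beyond searching the configured user subtree.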