Differences
This shows you the differences between two versions of the page.

Last revision: 72:ldap_hints [2018/07/16 16:00] – created bkkr
====== Hints for Specific LDAP Server Products ======

=== Microsoft Active Directory Server (ADS) ===

When the standard ADS layout is used by the ADS administrator,

If the standard ADS attributes are used, the following mapping can be used.

^ Stages Attribute Name ^ ADS Attribute Name ^
| username | sAMAccountName |
| fullname | displayName |
| authenticationUsername | distinguishedName |

No standard attribute name exists for the e-mail address. Please use the LDAP browser to find out the attribute name valid for your installation.

ADS provides the LDAP distinguished name via the "distinguishedName" attribute. Therefore, if the above attribute mapping is used, the key attribute of the ldap-provider statement can be set to "authenticationUsername" and the principal attribute of the ldap-authentication statement can be set to "%".

By default, ADS does not allow anonymous binds. Therefore, a user with read-only access to the directory is required. The account name and password of this user must be configured with the ldap-query-user statement. The login times for this user should not be limited.

By default, ADS allows the retrieval of up to 1000 entries per query. To make full use of this, set the pageSize attribute of the ldap-provider statement to "1000".

A sample configuration for a Microsoft Active Directory Server is as follows (italic: customer-specific data):

(The XML of the sample configuration is not legible in this revision; only the attribute names url, ident, key, defaultRoles and pageSize are visible.)

=== OpenLDAP ===

If the standard OpenLDAP attributes are used, the following mapping can be used.

^ Stages Attribute Name ^ Schema Attribute Name ^
| username | uid |
| fullname | cn |

No standard attribute name exists for the e-mail address. Please use the LDAP browser to find out the e-mail attribute name valid for your installation.

By default, OpenLDAP does not provide the LDAP distinguished name as an attribute of each entry. To enable authentication via the distinguished name:

  * set the generateDn attribute of the ldap-provider statement to "true"
  * set the key attribute of the ldap-provider statement to "authenticationUsername"
  * set the principal attribute of the ldap-authentication statement to "%"
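The two attribute mappings above (ADS and OpenLDAP) and the key/principal logic of the generateDn steps, worked through as an added Python example (standard library only; this is not Stages code and not part of this wiki page). It assumes that the principal value "%" expands to the value of the key attribute, and the sample directory entries are constructed.

```python
# Added example, not Stages code: emulates the attribute mapping, the user
# lookup filter and the key/principal logic described for ADS and OpenLDAP.

# Mappings from the page: Stages attribute -> directory attribute.
ADS_MAPPING = {"username": "sAMAccountName", "fullname": "displayName",
               "authenticationUsername": "distinguishedName"}
OPENLDAP_MAPPING = {"username": "uid", "fullname": "cn"}

# RFC 4515 escaping for values substituted into a search filter, so that a
# typed login name cannot alter the meaning of the lookup filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def user_lookup_filter(mapping, login_name):
    """Filter that finds the entry for a login name via the mapped username attribute."""
    return "(%s=%s)" % (mapping["username"], escape_filter_value(login_name))

def to_stages_entry(mapping, entry_dn, attrs, generate_dn=False):
    """Translate one directory entry into Stages attributes.

    generate_dn emulates generateDn="true": the entry's own DN is supplied as
    authenticationUsername when the directory has no such attribute (OpenLDAP).
    """
    stages = {name: attrs[src] for name, src in mapping.items() if src in attrs}
    if generate_dn:
        stages["authenticationUsername"] = entry_dn
    return stages

def bind_principal(stages_entry, key="authenticationUsername", principal="%"):
    """DN used for the authentication bind, or None if it cannot be derived.

    Assumption (not stated on the page): "%" in the principal expands to the
    value of the key attribute. An OpenLDAP entry without generateDn has no
    such value, so DN-based authentication is not possible for it.
    """
    value = stages_entry.get(key)
    return None if value is None else principal.replace("%", value)

# Constructed sample entries (not real directory data).
ADS_ENTRY = ("CN=Jane Doe,OU=Users,DC=example,DC=test",
             {"sAMAccountName": "jdoe", "displayName": "Jane Doe",
              "distinguishedName": "CN=Jane Doe,OU=Users,DC=example,DC=test"})
OPENLDAP_ENTRY = ("uid=jdoe,ou=people,dc=example,dc=test",
                  {"uid": "jdoe", "cn": "Jane Doe"})
```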