72:ldap_hints [2018/07/16 16:00] (current)
bkkr created
[[:72:ldap|LDAP Configuration]]

====== Hints for Specific LDAP Server Products ======

=== Microsoft Active Directory Server (ADS) ===

When the standard ADS layout is used by the ADS administrator, user entries can be found in the ''CN=Users'' part of the directory. For larger organizations, this section is normally divided into different subsections to increase scalability and manageability.

If the standard ADS attributes are used, the following mapping can be used.

^Stages Attribute Name^ADS Attribute Name^
|username|sAMAccountName|
|fullname|displayName|
|authenticationUsername|distinguishedName|

No standard attribute name exists for the e-mail address. Please use the LDAP browser to find out the attribute name valid for your installation.

ADS provides the LDAP distinguished name via the “distinguishedName” attribute. Therefore, if the above mapping of the attribute is used, the key attribute of the ldap-provider statement can be set to “authenticationUsername” and the principal attribute of the ldap-authentication statement can be set to “%”.

By default, ADS does not allow anonymous binds. Therefore a user with read-only access to the directory is required. The account name and password of this user must be configured with the ldap-query-user statement. The permitted login times of this user should not be restricted.

By default, ADS allows the retrieval of 1000 entries per query. To take full advantage of this, set the pageSize attribute of the ldap-provider statement to “1000”.

A sample configuration for a Microsoft Active Directory Server is as follows (values in capital letters are placeholders for customer-specific data):

<code xml>
<ldap-provider
    url="ldap://ADSSERVER:389/cn=Users,dc=YOURDC,dc=COMPANY,dc=com"
    ident="Your Microsoft ADS Server Number 1"
    key="authenticationUsername"
    defaultRoles="true"
    pageSize="1000">
  <!-- read-only account used for directory queries (ADS does not allow anonymous binds) -->
  <ldap-query-user name="LDAP_DN_OF_USER" credentials="PASSWORD"/>
  <!-- "%" binds with the user's distinguished name taken from the key attribute -->
  <ldap-authentication type="simple" principal="%"/>
  <ldap-attribute name="username" id="sAMAccountName"/>
  <ldap-attribute name="fullname" id="displayName"/>
  <ldap-attribute name="email" id="YOUR_EMAIL_ATTRIBUTE"/>
  <ldap-attribute name="authenticationUsername" id="distinguishedName"/>
</ldap-provider>
</code>

=== OpenLDAP ===

If the standard OpenLDAP attributes are used, the following mapping can be used.

^Stages Attribute Name^Schema Attribute Name^
|username|uid|
|fullname|cn|

No standard attribute name exists for the e-mail address. Please use the LDAP browser to find out the e-mail attribute name valid for your installation.

By default, OpenLDAP does not provide the LDAP distinguished name as an attribute of each entry. To enable authentication via the distinguished name:

  * set the generateDn attribute of the ldap-provider statement to “true”
  * set the key attribute of the ldap-provider statement to “authenticationUsername”
  * set the principal attribute of the ldap-authentication statement to “%”
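
As an added example (not part of the original page), the three settings above combined into a complete ldap-provider statement for OpenLDAP, written with the same elements and attributes as the ADS sample. The host name, base DN (''ou=people'' is an assumption; OpenLDAP has no fixed counterpart of the ADS ''CN=Users'' container), query user, password and e-mail attribute are placeholders. It also assumes that with ''generateDn="true"'' the provider derives each entry's distinguished name itself, so that no ldap-attribute mapping to a DN attribute is required; the page does not state this explicitly, so check it against the Stages LDAP documentation.

```xml
<!-- Added example: OpenLDAP variant of the ldap-provider statement.
     Values in capital letters (LDAPSERVER, COMPANY, LDAP_DN_OF_QUERY_USER,
     PASSWORD, YOUR_EMAIL_ATTRIBUTE) are placeholders for customer-specific data. -->
<ldap-provider
    url="ldap://LDAPSERVER:389/ou=people,dc=COMPANY,dc=com"
    ident="Your OpenLDAP Server Number 1"
    key="authenticationUsername"
    generateDn="true"
    defaultRoles="true">
  <!-- read-only account used for directory queries, as in the ADS sample -->
  <ldap-query-user name="LDAP_DN_OF_QUERY_USER" credentials="PASSWORD"/>
  <!-- "%" binds with the user's generated distinguished name -->
  <ldap-authentication type="simple" principal="%"/>
  <!-- standard OpenLDAP attribute names from the mapping table above -->
  <ldap-attribute name="username" id="uid"/>
  <ldap-attribute name="fullname" id="cn"/>
  <!-- no standard e-mail attribute: take the name from your LDAP browser -->
  <ldap-attribute name="email" id="YOUR_EMAIL_ATTRIBUTE"/>
  <!-- assumption: generateDn="true" supplies the DN under the key attribute,
       so no <ldap-attribute name="authenticationUsername" .../> is needed -->
</ldap-provider>
```

Because ''type="simple"'' sends the user's password to the directory in clear text, the connection between Stages and the OpenLDAP server should be protected; whether the url attribute accepts an ''ldaps://'' scheme is not stated on this page and must be checked in the Stages LDAP documentation before relying on it.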