LDAP Synchronization

Configuring Authentication

Every user is authenticated against the LDAP directory server from which it was synchronized. For the synchronization it may be necessary to specify a dedicated LDAP user that is used to connect to the LDAP directory server and to query it. This user is specified with the ldap-query-user tag.

Specifying a Query User

A query user can be specified using the optional ldap-query-user tag. This tag has to be nested inside an ldap-provider tag as shown below:

<ldap-provider url="SERVER_URL" key="AUTHENTICATION_KEY">
  …
  <ldap-query-user name="USERNAME" credentials="PASSWORD"/>
  …
</ldap-provider>

The ldap-query-user tag has two required attributes:

  • name: the DN (DN = Distinguished Name) of a user with read access to the LDAP directory
  • credentials: the password of the above user

NOTE: If no query user is specified then an anonymous bind is used to connect to the LDAP directory.

Name Attribute

The name attribute specifies the name of the LDAP user used for synchronization. There are two ways to provide the distinguished name of this user:

The distinguished name can be set directly in the name attribute, as shown in the example below:

<ldap-query-user name="cn=pkit1,o=XYZ,dc=xyzgroup,dc=com" credentials="somepw"/>

If the name attribute does not contain an equal sign ('=') or a comma (','), the value is substituted into the authentication schema to build the distinguished name of the query user.

In the example below, "id123" would be inserted into the schema to build the user's distinguished name.

<ldap-query-user name="id123" credentials="SOME_CREDENTIALS"/>

The credentials Attribute

The credentials attribute holds the password of the query user.

The authentication Schema

The authentication schema is used to build the distinguished name of a synchronized user for authentication purposes. The schema is specified with the optional ldap-authentication tag, which has to be nested inside an ldap-provider tag if used.

<ldap-provider url="SERVER_URL" key="AUTHENTICATION_KEY">
  …
  <ldap-authentication type="simple" principal="SOME_PRINCIPAL"/>
  …
</ldap-provider>

The ldap-authentication tag has two required attributes:

  • type
  • principal

The type Attribute

The type attribute specifies the authentication mode used to synchronize a user. Currently only the mode "simple" is supported.

The principal Attribute

The principal attribute holds a schema used to build the distinguished name for user authentication. The special character "%" marks the position where the user's fullname or username is inserted to form the corresponding distinguished name.

Example: principal="cn=%,cn=Users,dc=company,dc=com"

NOTE: The value of the key attribute of the ldap-provider tag determines whether the user's fullname or username is inserted into the schema.

The optional URL Attribute

The ldap-authentication tag has an optional url attribute. It sets the URL of the authentication server when synchronization and authentication are done on different machines. An example url attribute value is given below: url="ldap://authsrv.methodpark.de:389/cn=Users,dc=company,dc=com"

NOTE: To authenticate via SSL, change the prefix "ldap" to "ldaps".
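The following added example (not part of the original page or the product's own code) implements the DN rules described above: a query-user name containing '=' or ',' is taken as a complete DN, any other value and every synchronized user name is substituted at the '%' of the principal schema, and the ldap/ldaps prefix decides whether the simple bind password travels encrypted. The configuration, host names, DNs and password are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration modelled on the ldap-provider snippets above;
# host names, DNs and the password are placeholders, not values from any real deployment.
SAMPLE_CONFIG = """
<ldap-provider url="ldap://sync.example.com:389" key="username">
  <ldap-query-user name="id123" credentials="PLACEHOLDER_PASSWORD"/>
  <ldap-authentication type="simple"
                       principal="cn=%,cn=Users,dc=company,dc=com"
                       url="ldaps://authsrv.example.com:636/cn=Users,dc=company,dc=com"/>
</ldap-provider>
"""


def build_dn(schema: str, value: str) -> str:
    """Insert the user's fullname or username at the '%' placeholder of the schema."""
    if "%" not in schema:
        raise ValueError("principal schema has no '%' placeholder")
    return schema.replace("%", value)


def resolve_query_user_dn(name: str, schema: str) -> str:
    """A name containing '=' or ',' is already a DN; otherwise substitute it into the schema."""
    if "=" in name or "," in name:
        return name
    return build_dn(schema, name)


def parse_provider(xml_text: str) -> dict:
    """Extract bind-relevant settings from an ldap-provider element."""
    root = ET.fromstring(xml_text)
    auth = root.find("ldap-authentication")
    query = root.find("ldap-query-user")
    schema = auth.get("principal")
    # The optional url on ldap-authentication overrides the provider url for authentication.
    auth_url = auth.get("url", root.get("url"))
    return {
        "sync_url": root.get("url"),
        "auth_url": auth_url,
        "auth_type": auth.get("type"),
        "principal": schema,
        # No query user configured means an anonymous bind is used for synchronization.
        "query_user_dn": (resolve_query_user_dn(query.get("name"), schema)
                          if query is not None else None),
        # A simple bind sends the password as-is; only an ldaps:// URL protects it in transit.
        "auth_transport_encrypted": auth_url.startswith("ldaps://"),
        "sync_transport_encrypted": root.get("url").startswith("ldaps://"),
    }
```

Run against a real configuration, the two `*_transport_encrypted` flags flag the servers whose bind credentials would cross the network in cleartext.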