Configuring user authentication using LDAP
LDAP authenticates users using a directory server, such as MS Active Directory, OpenLDAP, or OpenDJ.
- LDAP URL: Specify the LDAP URL to use for authentication.
- LDAP GUID Key: Specify the LDAP attribute name whose values are
unique on this LDAP server. For example:
uid
orCN
. - LDAP Group Class Key: Specify the LDAP objectClass that each of the
groups implements in LDAP. For example:
objectClass: group
. - LDAP Group Membership Key: Specify the LDAP attribute name on the
group object that contains the list of distinguished names for the user, group, and contact
objects that are members of the group. For example:
member
,uniqueMember
, ormemberUid
. - LDAP User Membership Key: Specify the LDAP attribute name on the user
object that contains groups of which the user is a direct member, except for the primary group,
which is represented by the primaryGroupId. For example:
memberOf
. - LDAP Basedn: Specify the base domain name.
-
LDAP User DN Pattern: Specify a pattern for the
distinguishedName
(DN) for all the users in the directory. This value could be a single DN if the LDAP user entities are co-located within a single root, or it could be a colon-separated list of all the DN patterns if the users are scattered across different trees or forests in the directory.Each DN pattern can contain a
%s
in it that will be substituted with the username (from the user filter) by the provider for user search queries.For example: For single DN, you can specify
CN=%s,CN=Users,DC=apache,DC=org
. For two DNs, you can specifyCN=%s,OU=Users,DC=apache,DC=org:uid=%s,CN=UnixUsers,DC=apache,DC=org
. -
LDAP Group DN Pattern: Specify a pattern for the
distinguishedName
(DN) for all the groups in the directory. This value could be a single DN if the LDAP Group entities are co-located, or it could be a colon-separated list of all DN patterns if the groups are scattered across different trees.Each DN pattern can contain a
%s
in it that will be substituted with the group name (from the group filter) by the provider for group search queries.For example: For single DN, you can specify
CN=%s,OU=Groups,DC=apache,DC=org
. For two DNs, you can specifyCN=%s,OU=Groups,DC=apache,DC=org:uid=%s,CN=Users,DC=apache,DC=org
. - LDAP Custom Query: There are several LDAP implementations available
for commercial use, with no standard set of attributes within each implementation. If any of
the filters listed in this topic do not meet the requirements for some unforeseen reasons, then
DAS can use a user-specified LDAP query string to execute against the LDAP server. This
configured query is expected to return a set of DNs that represent individual users. The
returned result is then used to adjudicate a GRANT/DENY decision to the authenticating user. To
support this configuration, this new configuration property has been introduced. For example:
group1,group2
. - LDAP Group Filter: Specify the group name filter that is to be
enforced by the
LDAPAtnProvider
. You can specify the individual groups using a comma-separated list. The user MUST belong to one or more of these groups for the authentication request to succeed. For example:group1,group2
. - LDAP User Filter: Specify a comma-separated list of all the usernames to whom you want to grant access. The Atn provider grants access to a user if the user is a part of this list, and denies access otherwise.
- LDAP Domain: Specify the base domain name.