LDAP Plugin Configuration Guide
The LDAP plugin provides authentication against any LDAP server (including Microsoft Active Directory) and lookup services for users and groups. Because it registers those services, it cannot be used together with the local-users module: the two conflict. The lookup services can also be used without LDAP authentication, for example with the Kerberos authentication scheme; for that case the plugin has an optional domain-prefix parameter in which a Windows domain can be placed. The plugin also includes a failover for the case where it is configured improperly, so that users can still sign in and reconfigure it via the UI.
The plugin provides two authentication schemes:
- ldap (Lightweight Directory Access Protocol)
- ad (Active Directory)
The first provides standard LDAP bind authentication and requires the following properties (see the parameter table below for details):
- genesis.plugin.ldap.server.url
- genesis.plugin.ldap.user.search.filter
- genesis.plugin.ldap.group.search.filter
The second also provides bind authentication but is simplified for Microsoft Active Directory. It requires the following parameters:
- genesis.plugin.ldap.server.url
- genesis.plugin.ldap.domain
NOTE: this simplifies the authentication configuration for AD, but the lookup services still require the remaining options.
Either mode is selected by setting the Genesis system property genesis.system.auth.mode to the corresponding value (ldap or ad).
Parameter Name | Description | Example | Mandatory |
---|---|---|---|
genesis.plugin.ldap.server.url | LDAP server URL | ldap://ldap.domain.com | yes |
genesis.plugin.ldap.base | LDAP base suffix | dc=domain,dc=com | no |
genesis.plugin.ldap.domain | LDAP authentication domain (used in 'ad' mode only) | domain.com | no |
genesis.plugin.ldap.manager.dn | LDAP manager DN | Generic: CN=John Doe,OU=Users,DC=domain,DC=com | no |
genesis.plugin.ldap.manager.password | LDAP manager password | s3cret | no |
genesis.plugin.ldap.user.search.filter | User search filter; LDAP records are filtered using this clause, with the username substituted for {0} | uid={0} | yes |
genesis.plugin.ldap.user.search.base | User search base; path to the users subtree, relative to the base | ou=users | no |
genesis.plugin.ldap.group.search.filter | Group search filter, used to find a user's groups; LDAP records are filtered using this clause, with the user's DN substituted for {0} | member={0} | yes |
genesis.plugin.ldap.group.search.base | Group search base; path to the groups subtree, relative to the base | ou=Department Users | no |
genesis.plugin.ldap.users.service.filter | Filter for users, used by the lookup service | objectClass=person | yes |
genesis.plugin.ldap.groups.service.filter | Filter for groups, used by the lookup service | objectClass=groupOfNames | yes |
genesis.plugin.ldap.service.domain.prefix | Useful when Kerberos authentication is used: if your authentication provider returns principals and roles with a domain prefix, put that domain here | DOMAIN | no |
genesis.plugin.ldap.timeout | LDAP request time limit in milliseconds for searching across directories. If a search exceeds the timeout it stops and the service returns the records found so far. Use 0 (zero) to disable the time limit. | 1000 | no |
genesis.plugin.ldap.size.limit | Maximum number of records the service returns. As soon as the number of found records reaches the limit, the search stops and the service returns them. Note: a size limit can also be configured on the server side, and the server may not allow you to exceed its value. | 500 | no |
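The following is an added example, not code from the Genesis LDAP plugin or from the project. It ties together the two per-scheme requirement lists above and the filter rows in the table: it parses a constructed properties fragment for each scheme, reports which of the properties required for that value of genesis.system.auth.mode (plus the two service filters the NOTE says are still needed) are missing, and fills {0} in the user and group search filters with RFC 4515 escaping, so that a username such as `*` or `x)(uid=*` is matched literally instead of rewriting the filter. Whether the plugin itself escapes the substituted value, adds the outer parentheses when the template omits them, or strips a `DOMAIN\` prefix in exactly this form is not stated on this page; those behaviours, the helper names and the sample values are assumptions of the example.

```python
# Added example for this guide, not code from the Genesis LDAP plugin. Parses a
# constructed genesis.plugin.ldap.* properties fragment, checks that the chosen
# genesis.system.auth.mode has what the guide lists as required, and fills {0}
# in the search filters with RFC 4515 escaping. Property names are those from
# the table; sample values, helper names and the "DOMAIN\user" prefix format
# are assumptions of the example.

REQUIRED_BY_MODE = {
    "ldap": ("genesis.plugin.ldap.server.url",
             "genesis.plugin.ldap.user.search.filter",
             "genesis.plugin.ldap.group.search.filter"),
    "ad": ("genesis.plugin.ldap.server.url",
           "genesis.plugin.ldap.domain"),
}
# The user/group lookup services need these whatever the auth mode.
REQUIRED_BY_SERVICE = ("genesis.plugin.ldap.users.service.filter",
                       "genesis.plugin.ldap.groups.service.filter")

# Constructed 'ldap'-mode configuration (example values, not a real site).
SAMPLE_LDAP_CONFIG = """\
genesis.system.auth.mode=ldap
genesis.plugin.ldap.server.url=ldap://ldap.domain.com
genesis.plugin.ldap.base=dc=domain,dc=com
genesis.plugin.ldap.manager.dn=CN=John Doe,OU=Users,DC=domain,DC=com
genesis.plugin.ldap.manager.password=s3cret
genesis.plugin.ldap.user.search.filter=uid={0}
genesis.plugin.ldap.group.search.filter=member={0}
genesis.plugin.ldap.users.service.filter=objectClass=person
genesis.plugin.ldap.groups.service.filter=objectClass=groupOfNames
genesis.plugin.ldap.service.domain.prefix=DOMAIN
"""

# Constructed 'ad'-mode configuration that forgets genesis.plugin.ldap.domain
# (AD groups use objectClass=group rather than groupOfNames).
SAMPLE_AD_CONFIG = """\
genesis.system.auth.mode=ad
genesis.plugin.ldap.server.url=ldap://dc.domain.com
genesis.plugin.ldap.users.service.filter=objectClass=person
genesis.plugin.ldap.groups.service.filter=objectClass=group
"""


def parse_properties(text):
    """Minimal key=value parser in java.util.Properties style (# and ! comments).
    Splits on the first '=' only, so DN values containing '=' stay intact."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def missing_properties(props):
    """Required property names that are absent or empty for the configured mode."""
    mode = props.get("genesis.system.auth.mode")
    if mode not in REQUIRED_BY_MODE:
        raise ValueError(f"unsupported genesis.system.auth.mode: {mode!r}")
    needed = REQUIRED_BY_MODE[mode] + REQUIRED_BY_SERVICE
    return [name for name in needed if not props.get(name)]


# RFC 4515 section 3: these characters carry meaning inside a filter and must
# be hex-escaped in assertion values, or "x)(uid=*" would rewrite the filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def fill_filter(template, value):
    """Substitute an escaped value for {0}; add the outer parentheses RFC 4515
    requires if the template (like the table's uid={0}) omits them."""
    body = template.replace("{0}", escape_filter_value(value))
    return body if body.startswith("(") else "(" + body + ")"


def strip_domain_prefix(principal, prefix):
    """Drop a leading 'PREFIX\\' (case-insensitive); assumed prefix format."""
    if prefix and principal.upper().startswith(prefix.upper() + "\\"):
        return principal[len(prefix) + 1:]
    return principal


def user_search_filter(props, username):
    prefix = props.get("genesis.plugin.ldap.service.domain.prefix", "")
    name = strip_domain_prefix(username, prefix)
    return fill_filter(props["genesis.plugin.ldap.user.search.filter"], name)


def group_search_filter(props, user_dn):
    # The user's DN is an assertion value here, so it gets filter escaping
    # even though '(' and ')' are legal inside a DN.
    return fill_filter(props["genesis.plugin.ldap.group.search.filter"], user_dn)


if __name__ == "__main__":
    ldap = parse_properties(SAMPLE_LDAP_CONFIG)
    print("ldap mode missing:", missing_properties(ldap))
    print(user_search_filter(ldap, "DOMAIN\\jdoe"))
    print(user_search_filter(ldap, "jdoe)(uid=*"))
    print(group_search_filter(ldap, "CN=Doe (John),OU=Users,DC=domain,DC=com"))
    print("ad mode missing:", missing_properties(parse_properties(SAMPLE_AD_CONFIG)))
```

Run it as a script to see the escaped filters and the missing-property report for the AD sample. The point of the escaping helper is that the username and DN are untrusted once they reach the filter template: without it, the `uid={0}` and `member={0}` clauses from the table become a filter-injection point whenever the substituted value can contain `*`, `(` or `)`.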