Skip to content

LDAP Plugin Configuration Guide

azhuchkov edited this page Jan 14, 2013 · 2 revisions

Overview

LDAP plugin provides authentication against any LDAP server (including Microsoft AD) and services to lookup users and groups. So, it cannot be used with local-users module due to service conflicts. The services can be used without LDAP authentication, e.g. with Kerberos authentication scheme. To support this the plugin has optional prefix parameter where any Windows domain can be placed. Also it includes failover for cases when it configured inproperly to allow users to reconfigure it via UI.

Authentication

The plugin provides two authentication schemes:

  • ldap (Lighweight Directory Access Protocol)
  • ad (Active Directory)

The first one provides standard LDAP bind authentication and requires properties (look at properties description section for details):

  • genesis.plugin.ldap.server.url
  • genesis.plugin.ldap.user.search.filter
  • genesis.plugin.ldap.group.search.filter

The second one also provides bind authentication but has simplifications for Microsoft Active Directory. It requires the following parameters:

  • genesis.plugin.ldap.server.url
  • genesis.plugin.ldap.domain

NOTE: it simplifies authentication configuration for AD, but services still requires the rest of the options.

Both of these modes can be switched on using appropriate value at Genesis system property genesis.system.auth.mode.

Configuration

Parameter Name Description Example Mandatory
genesis.plugin.ldap.server.url LDAP server URL address ldap://ldap.domain.com yes
genesis.plugin.ldap.base LDAP base suffix dc=domain,dc=com no
genesis.plugin.ldap.domain LDAP authentication domain (used for 'ad' mode only) domain.com no
genesis.plugin.ldap.manager.dn LDAP manager DN
Generic: CN=John Doe,OU=Users,DC=domain,DC=com
no
genesis.plugin.ldap.manager.password LDAP manager password s3cret no
genesis.plugin.ldap.user.search.filter User search filter - ldap records would be filtered using this clause. Username would be placed instead of {0} uid={0} yes
genesis.plugin.ldap.user.search.base User search base - path to users subtree relatively to base ou=users no
genesis.plugin.ldap.group.search.filter Group search filter - ldap records would be filtered using this clause. User DN would be placed instead of {0}. This property is for searching user's groups. member={0} yes
genesis.plugin.ldap.group.search.base Group search base - path to groups subtree relatively to base ou=Department Users no
genesis.plugin.ldap.users.service.filter Filter for users which is used by service objectClass=person yes
genesis.plugin.ldap.groups.service.filter Filter for groups which is used by service objectClass=groupOfNames yes
genesis.plugin.ldap.service.domain.prefix This property may be useful when Kerberos authentication is used. If your authentication provider returns principals and roles with domain prefix you can place the domain here DOMAIN no
genesis.plugin.ldap.timeout LDAP request time limit - amount of milliseconds to search across directories. If searching process exceeds timeout then it stops and service returns records that have been found already. Use 0 (zero) to disable time limit. 1000 no
genesis.plugin.ldap.size.limit Amount of records that should be returned from service. As soon as amount of found records would be equal to the limit, searching process stops and service returns them. Note: size limit can be also configured on the server side and may not allow you to exceed its value. 500 no
Clone this wiki locally