
The ldap-login-service is provided as an OSGi bundle, which may be activated by

obr:addurl http://maven.clazzes.org/repository.xml
obr:deploy ldap-login-service

The maven artifact is:

<groupId>org.clazzes.login</groupId>
<artifactId>ldap-login-service</artifactId>

Functionality

The LDAP login service authenticates against users in an ADS domain or against users in an LDAP server configured for an individual domain.

The function tryLogin() needs credentials if run against a legacy LDAP Server.

For AD DS servers, an additional non-search authentication method bindAds is implemented for tryLogin(), which tries to bind using a principal in the form user@domain.

The functions searchUser(), getGroups(), getGroupMembers() need bind credentials and will only work in AD DS environments.

Sample Configuration for authentication against an ADS-Domain

The following sample is the most common OSGi configuration in PID org.clazzes.login.ldap; it allows you to authenticate users against an Active Directory domain.

All you need to know is the Windows/NetBIOS Name of your domain and the corresponding DNS name used to physically locate the Active Directory server.

In our example we use EXAMPLE as the Windows/NetBIOS domain name with its DNS counterpart example.com.

Key                            Value
defaultDomain                  EXAMPLE
domain.EXAMPLE.controllerUri   ads://example.com
domain.EXAMPLE.authMethod      bindAds

Detailed Configuration

The LDAP login service may be configured using the OSGi configuration PID org.clazzes.login.ldap using these configuration values:

Key                                    Default Value    Description
defaultDomain                          (none)           The domain to use for principals which do not contain a domain.
domain.<domain>.controllerUri          (none)           The server to contact. Supported URL schemes: ldap, ldaps, ads. See Controller Schemes below.
domain.<domain>.authMethod             searchAndBind    The method for authenticating a user. Supported methods: searchAndBind, bindAds.
domain.<domain>.bindUser               (none)           The DN used for binding before searching something in the domain <domain>. For tryLogin() this applies only to the authMethod searchAndBind.
domain.<domain>.bindPassword           (none)           The password used for binding before searching something in the domain <domain>. For tryLogin() this applies only to the authMethod searchAndBind.
domain.<domain>.userAttribute          samAccountName   The LDAP attribute to use for finding a given user name.
domain.<domain>.prettyNameAttribute    cn               The LDAP attribute to try to use as pretty name for users and groups.
domain.<domain>.eMailAddressAttribute  mail             The LDAP attribute to try to use as primary e-mail address for users.

There may be multiple domains in a configuration.

Controller Schemes

The URL schemes for a domain controller are ldap, ldaps and ads.

The ads URL scheme for the URL ads://mydomain.com undertakes a lookup for the DNS records

SRV _ldap._tcp.mydomain.com
TXT _ldap._tcp.mydomain.com

to auto-detect the appropriate ldap(s) URI.
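The following is an added example, not code from ldap-login-service: it parses a .cfg-style rendering of the org.clazzes.login.ldap PID, checks the domain keys against the rules stated in the configuration table (supported schemes, supported authMethod values, bind credentials required for searchAndBind) and derives the SRV/TXT record names the ads scheme resolves. The sample configuration, the LEGACY domain and the plain-ldap warning are constructed for this example; the parser assumes domain names contain no dots.

```python
from urllib.parse import urlsplit

SUPPORTED_SCHEMES = {"ldap", "ldaps", "ads"}
SUPPORTED_AUTH_METHODS = {"searchAndBind", "bindAds"}

# Constructed sample: the AD domain from this page plus a legacy LDAP domain missing its bindPassword.
SAMPLE_CONFIG = """\
defaultDomain=EXAMPLE
domain.EXAMPLE.controllerUri=ads://example.com
domain.EXAMPLE.authMethod=bindAds
domain.LEGACY.controllerUri=ldap://ldap.legacy.example
domain.LEGACY.bindUser=cn=reader,dc=legacy,dc=example
"""

def parse_config(text):
    """Parse key=value lines (the usual .cfg form of an OSGi PID) into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")  # split on the first '=' only; DNs contain '='
            cfg[key.strip()] = value.strip()
    return cfg

def ads_dns_names(controller_uri):
    """Record names the ads:// scheme looks up to locate the LDAP(S) endpoint."""
    name = "_ldap._tcp." + urlsplit(controller_uri).hostname
    return {"SRV": name, "TXT": name}

def check_config(cfg):
    """Return a list of problems; an empty list means the configuration is consistent."""
    problems, domains = [], {}
    for key, value in cfg.items():
        if key.startswith("domain.") and key.count(".") >= 2:
            _, dom, prop = key.split(".", 2)  # domain.<domain>.<property>
            domains.setdefault(dom, {})[prop] = value
    for dom, props in domains.items():
        uri = props.get("controllerUri", "")
        scheme = urlsplit(uri).scheme
        if scheme not in SUPPORTED_SCHEMES:
            problems.append(f"{dom}: missing or unsupported controllerUri scheme {scheme!r}")
        elif scheme == "ldap":  # simple bind over plain ldap:// is clear text unless StartTLS is negotiated
            problems.append(f"{dom}: ldap:// sends bind credentials unencrypted; prefer ldaps://")
        method = props.get("authMethod", "searchAndBind")  # default from the configuration table
        if method not in SUPPORTED_AUTH_METHODS:
            problems.append(f"{dom}: unsupported authMethod {method!r}")
        elif method == "searchAndBind" and not (props.get("bindUser") and props.get("bindPassword")):
            problems.append(f"{dom}: searchAndBind requires bindUser and bindPassword")
    return problems
```

Run check_config(parse_config(SAMPLE_CONFIG)) to see the two findings for the LEGACY domain; the EXAMPLE domain passes as configured on this page.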