The ldap-login-service is provided as an OSGi bundle, which may be activated by
The maven artifact is:
The LDAP login service authenticates against users in an ADS domain or against users in an LDAP server configured for an individual domain.
tryLogin() needs credentials if run against a legacy LDAP Server.
For AD DS servers, an additional non-search authentication method, bindAds, is implemented for tryLogin(), which tries to bind using a principal in the form
getGroupMembers() need bind credentials and will only work in AD DS environments.
Sample Configuration for authentication against an ADS-Domain
The following sample configuration is the most common OSGi configuration for the PID org.clazzes.login.ldap. It allows you to authenticate users against an Active Directory domain.
All you need to know is the Windows/NetBIOS Name of your domain and the corresponding DNS name used to physically locate the Active Directory server.
In our example we use EXAMPLE as the Windows/NetBIOS domain name with its DNS counterpart
The LDAP login service may be configured through the OSGi configuration PID org.clazzes.login.ldap with these configuration values:
|The domain to use for principals that do not contain a domain.|
|The server to contact. Supported URL schemes: |
|The method for authenticating a user. Supported methods: |
|The DN used for binding before searching something in the domain <domain>. For |
|The password used for binding before searching something in the domain <domain>. For |
|The LDAP attribute to use for finding a given user name.|
|The LDAP attribute to try to use as pretty name for users and groups.|
|The LDAP attribute to try to use as primary e-mail address for users.|
There may be multiple domains in a configuration.
The URL schemes for a domain controller are ldap, ldaps and ads.
The ads URL scheme for the URL ads://mydomain.com undertakes a lookup for the DNS records
to auto-detect the appropriate