LDAP Integration

The installation guide shows you how to authenticate users against a list of hard-coded credentials; this section describes how to authenticate users against LDAP instead.

In login.xml you will find the following definition:

    <bean id="ldap" class="com.kapowtech.mc.config.LdapLogin" lazy-init="true">
        <!-- Connection and the read-only bind account used to look up other users -->
        <property name="ldapServerURL" value="ldap://change-to-ldapHost:389"/>
        <property name="userDn" value="CN=LDAP test,CN=Users,DC=kapowdemo,DC=local"/>
        <property name="password" value="change-to-password"/>
        <!-- Where users live and how the login name is matched ({0} is substituted) -->
        <property name="userSearchBase" value="OU=Users,OU=TheEnterprise,DC=kapowdemo,DC=local"/>
        <property name="userSearchFilter" value="(userPrincipalName={0}@kapowdemo.local)"/>
        <property name="userSearchSubtree" value="true"/>
        <!-- Where groups live and how a user's group memberships are found -->
        <property name="groupSearchBase" value="OU=Security Groups,OU=TheEnterprise,DC=kapowdemo,DC=local"/>
        <property name="groupSearchFilter" value="(member={0})"/>
        <property name="groupRoleAttribute" value="cn"/>
        <property name="groupSearchSubtree" value="true"/>
        <property name="convertToUpperCase" value="true"/>
        <!-- Optional: restricts the groups offered for project permissions (see below) -->
        <property name="allGroupsFilter" value="(cn=E*)"/>
        <!-- Attributes used to display the user's full name and e-mail address -->
        <property name="fullNameAttribute" value="displayName"/>
        <property name="emailAttribute" value="userPrincipalName"/>
    </bean>

This defines an LdapLogin bean named ldap. The bean defines a number of properties that control the LDAP integration. If you are familiar with the way Tomcat integrates with LDAP, this should look quite familiar.

Property             Description
ldapServerURL        The URL of the LDAP server, using the ldap:// protocol.
userDn               The DN (distinguished name) of the account used to log in to LDAP in order to authenticate other users.
password             The password for the userDn account. Because the password is stored in clear text in this file, use an account that only has read access.
userSearchBase       The branch of the LDAP tree where users can be found.
userSearchFilter     The filter that is applied to find the user; the placeholder {0} is substituted with the username.
userSearchSubtree    Set this to true if users may be located below the userSearchBase rather than directly in it.
groupSearchBase      The branch of the LDAP tree where groups can be found.
groupSearchFilter    The filter that is applied to the groups to find those the user is a member of.
groupRoleAttribute   The attribute that holds the group name.
groupSearchSubtree   Set this to true if groups may be located below the groupSearchBase rather than directly in it.
convertToUpperCase   Whether group names are converted to upper case; true by default.
allGroupsFilter      Optional. Controls which groups are displayed when creating project permissions, see below.
fullNameAttribute    The attribute from which the full name of the user is fetched.
emailAttribute       The attribute from which the e-mail address of the user is fetched.

LDAP properties


If you want to use an LDAP account to administer the Management Console, you must add one of the groups that you are a member of to the adminGroups bean in login.xml, as described in Project Permissions. Be advised that anyone who is a member of a group listed in adminGroups will be a Management Console administrator, so you may want to create a new LDAP group for this purpose. Take care to use the upper-case group name if convertToUpperCase is true.

When you select a project permission you will see that all the group names have been pulled from LDAP to populate the drop-down. The groups are located by using the groupRoleAttribute to construct a filter that fetches all groups. Sometimes you don't want all LDAP groups displayed here; in that case you can override this behavior by providing your own filter, which is done by adding an additional property to the LdapLogin bean:

       <property name="allGroupsFilter" value="(cn=*)"/>

This finds all groups, provided the group name is held in the cn attribute (the default). If you only want groups whose names start with the letter 'e', you could use

       <property name="allGroupsFilter" value="(cn=E*)"/>

The filter uses basic LDAP queries, so you can find documentation elsewhere for more complex queries.
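To make the {0} substitution, the groupRoleAttribute/convertToUpperCase mapping and the allGroupsFilter restriction concrete, here is an added Python example (not Kapow's code) that runs the same lookups against a constructed in-memory directory. The entries, the user DNs and the single-assertion filter evaluator are assumptions; the substituted value is escaped per RFC 4515 so that a submitted username cannot change the structure of the search filter.

```python
import re
# Constructed sample configuration, copied from the bean properties on this page.
CONFIG = {
    "userSearchFilter": "(userPrincipalName={0}@kapowdemo.local)",
    "groupSearchFilter": "(member={0})",
    "groupRoleAttribute": "cn",
    "convertToUpperCase": True,
    "allGroupsFilter": "(cn=E*)",
}
# Constructed sample entries (attribute -> values) standing in for LDAP search results.
USER_DN = "CN=Alice,OU=Users,OU=TheEnterprise,DC=kapowdemo,DC=local"
OTHER_DN = "CN=Bob,OU=Users,OU=TheEnterprise,DC=kapowdemo,DC=local"
GROUPS = [
    {"cn": ["Engineering"], "member": [USER_DN]},
    {"cn": ["Everyone"], "member": [USER_DN, OTHER_DN]},
    {"cn": ["Admins"], "member": [OTHER_DN]},
]

def escape_filter_value(value: str) -> str:
    # RFC 4515 escaping, so a submitted username cannot alter the filter's structure.
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(template: str, value: str) -> str:
    # Fill the {0} placeholder the way the bean's search filters expect.
    return template.replace("{0}", escape_filter_value(value))

def _unescape(text: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)

def value_matches(pattern: str, value: str) -> bool:
    # Case-insensitive assertion match: a raw '*' is a wildcard, an escaped '\2a' a literal star.
    regex = ".*".join(re.escape(_unescape(p).lower()) for p in pattern.split("*"))
    return re.fullmatch(regex, value.lower(), re.DOTALL) is not None

def search(entries: list, ldap_filter: str) -> list:
    # Evaluate one "(attr=pattern)" assertion, which is all the filters on this page use.
    attr, pattern = re.fullmatch(r"\((\w+)=([^()]*)\)", ldap_filter).groups()
    return [e for e in entries if any(value_matches(pattern, v) for v in e.get(attr, []))]

def _role_names(hits: list, cfg: dict) -> list:
    names = [g[cfg["groupRoleAttribute"]][0] for g in hits]
    return [n.upper() for n in names] if cfg["convertToUpperCase"] else names

def roles_for_user(user_dn: str, cfg: dict = CONFIG, groups: list = GROUPS) -> list:
    # Groups the authenticated user belongs to, as the names compared against adminGroups.
    return _role_names(search(groups, build_filter(cfg["groupSearchFilter"], user_dn)), cfg)

def selectable_groups(cfg: dict = CONFIG, groups: list = GROUPS) -> list:
    # Groups offered in the project-permission drop-down, restricted by allGroupsFilter.
    return _role_names(search(groups, cfg["allGroupsFilter"]), cfg)
```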