...

In our example we use EXAMPLE as the Windows/NetBIOS domain name with its DNS counterpart example.com.

Key                           Value
defaultDomain                 EXAMPLE
domain.EXAMPLE.controllerUri  ads://example.com
domain.EXAMPLE.authMethod     bindAds

Detailed Configuration

The LDAP login service may be configured using the OSGi configuration PID org.clazzes.login.ldap using these configuration values:

Key                                  Default value   Description
defaultDomain                        (none)          The domain to use for principals which do not contain a domain.
domain.<domain>.controllerUri        (none)          The server to contact. Supported URL schemes: ldap, ldaps, ads. See below.
domain.<domain>.authMethod           searchAndBind   The method for authenticating a user. Supported methods: searchAndBind, bindAds.
domain.<domain>.bindUser             (none)          The DN used for binding before searching something in the domain <domain>. For tryLogin() this applies only to the authMethod searchAndBind.
domain.<domain>.bindPassword         (none)          The password used for binding before searching something in the domain <domain>. For tryLogin() this applies only to the authMethod searchAndBind.
domain.<domain>.userAttribute        samAccountName  The LDAP attribute to use for finding a given user name.
domain.<domain>.prettyNameAttribute  cn              The LDAP attribute to try to use as pretty name for users and groups.
domain.<domain>.eMailAddressAttribute mail           The LDAP attribute to try to use as primary e-mail address for users.
domain.<domain>.mobileAttribute      (none)          The LDAP attribute to try to use as mobile phone number for users. This number is used to send ephemeral OTPs for two-factor authentication to the user. If this option is activated, two-factor sign-ons are mandatory for this domain. Usually, this option is set to the value mobile in order to activate ephemeral OTP two-factor authentication.
domain.<domain>.tokenIdsAttribute    (none)          The LDAP attribute to try to use as a space-separated list of 12-character YubiKey token IDs (like cccccceiiuch) for users. These token IDs are used to check token OTPs for two-factor authentication of the user. If this option is activated, two-factor sign-ons are mandatory for this domain. Usually, this option is set to the value pager in order to activate token-based OTP two-factor authentication.

There may be multiple domains in a configuration.

Controller Schemes

The URL schemes for a domain controller are ldap, ldaps and ads.

ADS controller scheme

The ads URL scheme for the URL ads://mydomain.com undertakes a lookup for the DNS records

...

to auto-detect the appropriate ldap(s) URI.

LDAP controller scheme

When directly specifying the LDAP server using a URL like ldap://ldap-01.mydomain.com, it is possible to specify the baseDN for searches using a pseudo-path, as in ldap://ldap-01.mydomain.com/dc=mydomain,dc=com.
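An added example, not code from the org.clazzes.login.ldap project, that reads the configuration keys from the table above into per-domain settings with the documented defaults, extracts the baseDN pseudo-path of an ldap(s) controller URI and flags common mistakes before the bundle is deployed. The key=value line format and the rule that searchAndBind needs bindUser and bindPassword (i.e. no anonymous search) are assumptions of this example.

```python
from urllib.parse import urlsplit
# Defaults documented for the per-domain keys; keys without a default stay absent.
DEFAULTS = {"authMethod": "searchAndBind", "userAttribute": "samAccountName",
            "prettyNameAttribute": "cn", "eMailAddressAttribute": "mail"}
SCHEMES = {"ldap", "ldaps", "ads"}
AUTH_METHODS = {"searchAndBind", "bindAds"}

def parse_config(text):
    """Parse 'key=value' lines (assumed format) into {'defaultDomain': ..., 'domains': {name: props}}."""
    cfg = {"defaultDomain": None, "domains": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "defaultDomain":
            cfg["defaultDomain"] = value
        elif key.startswith("domain.") and key.count(".") >= 2:
            _, domain, prop = key.split(".", 2)   # domain.<domain>.<prop>
            cfg["domains"].setdefault(domain, dict(DEFAULTS))[prop] = value
    return cfg

def base_dn(controller_uri):
    """Return the baseDN given as pseudo-path of an ldap(s) URI, or None if absent."""
    path = urlsplit(controller_uri).path.lstrip("/")
    return path or None

def two_factor_mandatory(props):
    """Setting mobileAttribute or tokenIdsAttribute makes two-factor sign-on mandatory."""
    return bool(props.get("mobileAttribute") or props.get("tokenIdsAttribute"))

def check_config(cfg):
    """Return a list of human-readable problems; an empty list means the config is sane."""
    problems = []
    if cfg["defaultDomain"] and cfg["defaultDomain"] not in cfg["domains"]:
        problems.append(f"defaultDomain '{cfg['defaultDomain']}' has no domain.* entries")
    for name, d in cfg["domains"].items():
        uri = d.get("controllerUri")
        if not uri:
            problems.append(f"{name}: controllerUri is missing")
            continue
        if urlsplit(uri).scheme not in SCHEMES:
            problems.append(f"{name}: unsupported controllerUri scheme in '{uri}'")
        if d["authMethod"] not in AUTH_METHODS:
            problems.append(f"{name}: unknown authMethod '{d['authMethod']}'")
        # Assumption: searchAndBind searches before binding as the user, so it needs bind credentials.
        if d["authMethod"] == "searchAndBind" and not (d.get("bindUser") and d.get("bindPassword")):
            problems.append(f"{name}: searchAndBind requires bindUser and bindPassword")
    return problems
```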

Manual installation in OSGi container

...