LDAP parameter configuration

LDAP parameters must be set in the section with the configuration name:

  • ldapauthentication

This can be achieved by a SOAP request like the following:

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
    xmlns:ns="http://www.tsystems.com/ima9/integrationws/messaging/201101">
  <soap:Header>
    <user:user xmlns:user="http://www.tsystems.com/ima/9.0/integrationws/header/user">powerUser</user:user>
    <role:role xmlns:role="http://www.tsystems.com/ima/9.0/integrationws/header/roles">powerUser</role:role>
  </soap:Header>
  <soap:Body>
    <ns:createDocument>
      <revision>
        <documentType name="_COMMONS_CONFIGURATION"/>
        <metadata>
          <attribute name="_COMMONS_CONFIGURATION_CONFIGURATION_NAME">ldapauthentication</attribute>
          <attribute name="_COMMONS_CONFIGURATION_CONFIGURATION"><![CDATA[<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties>
  <comment>set up LDAP authentication</comment>
  <entry key="managerAuthMethods">simple</entry>
  <entry key="managerDN">cn=Manager,dc=imagemaster,dc=de</entry>
  <entry key="managerPassword">ldap</entry>
  <entry key="providerUrl">ldap://localhost:389</entry>
  <entry key="requireManagerBind">true</entry>
  <entry key="userAuthMethods">simple</entry>
  <entry key="userBaseTemplate">ou=Users,dc=imagemaster,dc=de</entry>
  <!-- the filter's "&" must be written as &amp; inside this XML properties document -->
  <entry key="userFilter">(&amp;(imageMasterRole=*)(cn={user}))</entry>
  <entry key="userSearchScope">subtree</entry>
  <entry key="useSSL">false</entry>
</properties>
]]></attribute>
        </metadata>
        <contents/>
      </revision>
    </ns:createDocument>
  </soap:Body>
</soap:Envelope>

Properties

The following property keys are required:

  • providerUrl

  • requireManagerBind

  • userFilter

  • userBaseTemplate

The properties "requireManagerBind" and "useSSL" take Boolean values, written as either "true" or "false". The property "maxReferrals" requires a positive integer.
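As an added example (not ImageMaster code), the following Python checks an ldapauthentication properties document against the rules above before it is wrapped in the createDocument request: required keys, Boolean and integer values, the manager credentials needed when requireManagerBind is true, and the useSSL/providerUrl combination. The sample document is constructed from the SOAP request above; the error and warning texts are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the properties document from the SOAP request above.
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties>
  <entry key="managerAuthMethods">simple</entry>
  <entry key="managerDN">cn=Manager,dc=imagemaster,dc=de</entry>
  <entry key="managerPassword">ldap</entry>
  <entry key="providerUrl">ldap://localhost:389</entry>
  <entry key="requireManagerBind">true</entry>
  <entry key="userAuthMethods">simple</entry>
  <entry key="userBaseTemplate">ou=Users,dc=imagemaster,dc=de</entry>
  <entry key="userFilter">(&amp;(imageMasterRole=*)(cn={user}))</entry>
  <entry key="userSearchScope">subtree</entry>
  <entry key="useSSL">false</entry>
</properties>"""

REQUIRED = ("providerUrl", "requireManagerBind", "userFilter", "userBaseTemplate")
BOOLEANS = ("requireManagerBind", "useSSL")

def parse_properties(xml_text):
    """Return {key: value} from a java.util.Properties XML document."""
    root = ET.fromstring(xml_text)
    return {e.get("key"): (e.text or "").strip() for e in root.iter("entry")}

def validate(props):
    """Return (errors, warnings) for an ldapauthentication property set."""
    errors, warnings = [], []
    for key in REQUIRED:
        if key not in props:
            errors.append(f"missing required key {key}")
    for key in BOOLEANS:
        if key in props and props[key] not in ("true", "false"):
            errors.append(f"{key} must be 'true' or 'false'")
    ref = props.get("maxReferrals")
    if ref is not None and not (ref.isdigit() and int(ref) > 0):
        errors.append("maxReferrals must be a positive integer")
    if props.get("requireManagerBind") == "true":
        for key in ("managerDN", "managerPassword"):
            if not props.get(key):
                errors.append(f"requireManagerBind is true but {key} is empty")
    # A simple bind over a plain ldap:// connection carries the password unprotected.
    if props.get("useSSL") == "false" and props.get("providerUrl", "").startswith("ldap://"):
        warnings.append("useSSL is false: bind passwords travel in clear text")
    if "imageMasterRole=*" not in props.get("userFilter", ""):
        warnings.append("userFilter does not restrict to imageMasterRole=*")
    return errors, warnings
```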

The following table provides a description of all LDAP properties that can be used for the authentication configuration:

Property

Description

managerAuthMethods

Use the following authentication method for binding as a manager (only if requireManagerBind is true). Possible values are "simple" and "strong".

managerDN

If requireManagerBind is true, use this distinguished name for binding before searching for a user record.

managerPassword

If requireManagerBind is true, use this password for binding as managerDN to the directory server.

maxReferrals

This parameter defines the maximum number of LDAP referrals to follow.

providerUrl

URL to LDAP server in the form ldap://<hostname>:<port>

Example:

ldap://ldap.blorf-corp.com:389

Microsoft Active Directory supports global catalog searches by using a specific port. For related troubleshooting information see Global catalog search issues.

requireManagerBind

Depending on its configuration, a directory server may disallow searching for users anonymously and require a valid login before searching. If such a login is required, set this property to "true" (otherwise "false").

userAuthMethods

Authentication method used for binding user accounts; see managerAuthMethods for the possible values.

userBaseTemplate

A template used for building the search base when searching for user records. As in userDNTemplate, occurrences of {user} and {tenantName} are replaced by the actual username and the current tenant name.

Example value (without a pattern):

ou=Users,dc=imagemaster,dc=de

userFilter

An LDAP filter expression used to find the user, starting at the node selected by the configuration option userBaseTemplate (see above). The string is a template: all occurrences of {user} and {tenantName} are replaced with the username (as provided on the login screen) and the current tenant's name.

The filter expression should include the expression imageMasterRole=* to select only records that have a value for the imageMasterRole attribute (only these users can log in).

Example:

The template (&(imageMasterRole=*)(cn={user}))

will result in the filter expression

(&(imageMasterRole=*)(cn=Hagbard_Celine))

if the username "Hagbard_Celine" is entered on ImageMaster's login screen.

In this example the account name is the same as cn, which is not the case for all LDAP installations. The template depends on the setup and layout of your LDAP directory.

A filter expression may be too unspecific to select exactly one user. If there is no uniqueness constraint on the account name attribute, the LDAP search may find more than one user record, which causes an error. This error is handled at run time and the login is denied.

userSearchScope

The search scope to be used for searching user records. Possible values are: "subtree", "onelevel" and "object".

useSSL

This parameter defines whether SSL is used to connect to the LDAP server. SSL certificates and trust chains are controlled using the standard Java mechanisms; that is, the values of the following system properties determine which client certificate is used and which server certificates are trusted:

  • javax.net.ssl.keyStore

  • javax.net.ssl.trustStore

  • javax.net.ssl.trustStorePassword

  • javax.net.ssl.keyStorePassword

Table 76: LDAP configuration properties
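The userFilter and userBaseTemplate entries above substitute the login-screen username into a filter and into a DN. The page does not say whether ImageMaster escapes those values itself, so this added example (not ImageMaster code) shows the substitution as a deployment should expect it to behave: filter values escaped per RFC 4515 and DN values per RFC 4514, so that characters such as "*" or "," in a username cannot change the meaning of the template. The function names are this example's own; the tenant name "default" is a constructed value.

```python
import re

# Both placeholders the page defines for userFilter and userBaseTemplate.
_PLACEHOLDER = re.compile(r"\{(user|tenantName)\}")

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3)."""
    special = "*()\\" + "\x00"
    return "".join("\\%02x" % ord(c) if c in special else c for c in value)

def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    esc = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if esc[:1] in ("#", " "):          # leading '#' and leading space
        esc = "\\" + esc
    if len(value) > 1 and value.endswith(" "):  # trailing space
        esc = esc[:-1] + "\\ "
    return esc

def expand(template, user, tenant, escape):
    """Replace {user} and {tenantName} in one pass so escaped text is never re-expanded."""
    values = {"user": user, "tenantName": tenant}
    return _PLACEHOLDER.sub(lambda m: escape(values[m.group(1)]), template)

def expand_filter(template, user, tenant):
    """userFilter template -> concrete LDAP filter for this login attempt."""
    return expand(template, user, tenant, escape_filter_value)

def expand_search_base(template, user, tenant):
    """userBaseTemplate -> concrete search base DN for this login attempt."""
    return expand(template, user, tenant, escape_dn_value)

if __name__ == "__main__":
    tmpl = "(&(imageMasterRole=*)(cn={user}))"
    # The page's own example: a plain username is substituted unchanged.
    print(expand_filter(tmpl, "Hagbard_Celine", "default"))
    # A '*' in the username stays a literal, not a substring match that
    # could select more than one record (which, per the page, denies login).
    print(expand_filter(tmpl, "Hagbard*", "default"))
    print(expand_search_base("ou={tenantName},dc=imagemaster,dc=de", "x", "Blorf, Inc"))
```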