
LDAP Plugin Configuration Guide

azhuchkov edited this page Dec 25, 2012 · 2 revisions

Overview

The LDAP plugin provides authentication against any LDAP server (including Microsoft AD) as well as services for looking up users and groups. Because of these services it cannot be used together with the local-users module (the two conflict). The lookup services can also be used without LDAP authentication, e.g. with the Kerberos authentication scheme; to support this the plugin has an optional prefix parameter in which a Windows domain can be placed. The plugin also includes a failover for cases where it is configured improperly, so that users can still reconfigure it via the UI.

Authentication

The plugin provides two authentication schemes:

  • ldap (Lightweight Directory Access Protocol)
  • ad (Active Directory)

The first provides standard LDAP bind authentication and requires the following properties (see the properties description section for details):

  • genesis.plugin.ldap.server.url
  • genesis.plugin.ldap.user.search.filter
  • genesis.plugin.ldap.group.search.filter

The second also provides bind authentication but with simplifications for Microsoft Active Directory. It requires the following parameters:

  • genesis.plugin.ldap.server.url
  • genesis.plugin.ldap.domain

NOTE: this simplifies authentication configuration for AD, but the lookup services still require the rest of the options.

Either mode is switched on by setting the corresponding value of the Genesis system property genesis.system.auth.mode.

Configuration

| Parameter Name | Description | Example | Mandatory |
|---|---|---|---|
| genesis.plugin.ldap.server.url | LDAP server URL | ldap://ldap.domain.com | yes |
| genesis.plugin.ldap.base | LDAP base suffix | dc=domain,dc=com | no |
| genesis.plugin.ldap.domain | LDAP authentication domain (used in 'ad' mode only) | domain.com | no |
| genesis.plugin.ldap.manager.dn | LDAP manager DN | Generic: CN=John Doe,OU=Users,DC=domain,DC=com | no |
| genesis.plugin.ldap.manager.password | LDAP manager password | s3cret | no |
| genesis.plugin.ldap.user.search.filter | User search filter; LDAP records are filtered using this clause, with the username substituted for {0} | uid={0} | yes |
| genesis.plugin.ldap.user.search.base | User search base: path to the users subtree, relative to the base | ou=users | no |
| genesis.plugin.ldap.group.search.filter | Group search filter; LDAP records are filtered using this clause, with the user DN substituted for {0}. Used to find a user's groups | member={0} | yes |
| genesis.plugin.ldap.group.search.base | Group search base: path to the groups subtree, relative to the base | ou=Department Users | no |
| genesis.plugin.ldap.users.service.filter | Filter for users, used by the lookup service | objectClass=person | yes |
| genesis.plugin.ldap.groups.service.filter | Filter for groups, used by the lookup service | objectClass=groupOfNames | yes |
| genesis.plugin.ldap.service.domain.prefix | Useful when Kerberos authentication is used: if your authentication provider returns principals and roles with a domain prefix, put that domain here | DOMAIN | no |
| genesis.plugin.ldap.cache.ttl | The plugin caches records to speed up lookups; this sets the record expiration time (in seconds) | 60 | no |
| genesis.plugin.ldap.cache.maxEntries | In-memory cache size (in records) | 1000 | no |
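The following is an added example, not code from the Genesis LDAP plugin itself. It ties the Authentication section and the table together: it parses a constructed .properties file, checks which properties the page lists as mandatory for the chosen genesis.system.auth.mode (and the extra ones the lookup services still need), and shows how the user and group search filters are resolved by substituting the username and then the found user DN for {0}. The property names and example values are the page's; the sample file, the helper names, and the RFC 4515 escaping of the substituted value (a hardening step the page does not say the plugin performs) are assumptions.

```python
"""Added example (not the Genesis plugin's own code): per-mode configuration
validation and {0} search-filter expansion for the LDAP plugin properties."""

from __future__ import annotations

# Properties the page lists as required for each genesis.system.auth.mode value.
REQUIRED_FOR_AUTH = {
    "ldap": (
        "genesis.plugin.ldap.server.url",
        "genesis.plugin.ldap.user.search.filter",
        "genesis.plugin.ldap.group.search.filter",
    ),
    "ad": (
        "genesis.plugin.ldap.server.url",
        "genesis.plugin.ldap.domain",
    ),
}

# The user/group lookup services need these whatever the auth mode is
# ('ad' mode only simplifies authentication, per the page's NOTE).
REQUIRED_FOR_SERVICES = (
    "genesis.plugin.ldap.server.url",
    "genesis.plugin.ldap.user.search.filter",
    "genesis.plugin.ldap.group.search.filter",
    "genesis.plugin.ldap.users.service.filter",
    "genesis.plugin.ldap.groups.service.filter",
)

# Constructed sample configuration in Java .properties style (values from the table).
SAMPLE_PROPERTIES = """
genesis.system.auth.mode=ldap
genesis.plugin.ldap.server.url=ldap://ldap.domain.com
genesis.plugin.ldap.base=dc=domain,dc=com
genesis.plugin.ldap.manager.dn=CN=John Doe,OU=Users,DC=domain,DC=com
genesis.plugin.ldap.manager.password=s3cret
genesis.plugin.ldap.user.search.filter=uid={0}
genesis.plugin.ldap.user.search.base=ou=users
genesis.plugin.ldap.group.search.filter=member={0}
genesis.plugin.ldap.group.search.base=ou=Department Users
genesis.plugin.ldap.users.service.filter=objectClass=person
genesis.plugin.ldap.groups.service.filter=objectClass=groupOfNames
genesis.plugin.ldap.cache.ttl=60
genesis.plugin.ldap.cache.maxEntries=1000
"""


def parse_properties(text: str) -> dict[str, str]:
    """Minimal .properties parser: key=value per line, '#' comments, first '=' splits
    (so DN values containing '=' survive intact)."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def missing_properties(props: dict[str, str], mode: str, with_services: bool = True) -> list[str]:
    """Names of properties that must be set for this mode but are absent or empty."""
    if mode not in REQUIRED_FOR_AUTH:
        raise ValueError(f"unknown genesis.system.auth.mode: {mode!r}")
    required = set(REQUIRED_FOR_AUTH[mode])
    if with_services:
        required.update(REQUIRED_FOR_SERVICES)
    return sorted(k for k in required if not props.get(k))


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping (assumed hardening step) so a substituted value cannot
    change the structure of the filter: \\ * ( ) and NUL become \\XX hex escapes."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def render_filter(template: str, value: str) -> str:
    """Substitute the escaped value for {0}; wrap in parentheses if the template lacks them."""
    clause = template.replace("{0}", escape_filter_value(value))
    return clause if clause.startswith("(") else f"({clause})"


def search_base(props: dict[str, str], key: str) -> str:
    """Join the sub-tree base (e.g. ou=users) onto genesis.plugin.ldap.base."""
    parts = (props.get(key, ""), props.get("genesis.plugin.ldap.base", ""))
    return ",".join(p for p in parts if p)


def user_search(props: dict[str, str], username: str) -> tuple[str, str]:
    """Step 1 of a lookup: (filter, base) used to find the user's entry by username."""
    return (render_filter(props["genesis.plugin.ldap.user.search.filter"], username),
            search_base(props, "genesis.plugin.ldap.user.search.base"))


def group_search(props: dict[str, str], user_dn: str) -> tuple[str, str]:
    """Step 2 of a lookup: (filter, base) used to find groups listing the user's DN."""
    return (render_filter(props["genesis.plugin.ldap.group.search.filter"], user_dn),
            search_base(props, "genesis.plugin.ldap.group.search.base"))


if __name__ == "__main__":
    cfg = parse_properties(SAMPLE_PROPERTIES)
    print("missing for ldap mode:", missing_properties(cfg, cfg["genesis.system.auth.mode"]))
    print("user search:", user_search(cfg, "jdoe"))
    print("group search:", group_search(cfg, "CN=John Doe,OU=Users,DC=domain,DC=com"))
```

Run it as a script to see the resolved searches for the sample file. The escaping step is worth keeping even if the plugin already does it: with uid={0} as the template, a username such as `*)(uid=*` must reach the server as a literal value, and the escaped form `(uid=\2a\29\28uid=\2a)` does exactly that.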