Configure LDAP Server User Authentication
LDAP User Authentication
If your organisation has an LDAP (Lightweight Directory Access Protocol) server or an Active Directory domain that can be used for user authentication, either can serve as a Sintelix user repository. Adding a user repository involves editing an XML file on the Sintelix server’s file system.
Sintelix can authenticate users by binding those users to an LDAP server. If the bind is successful, the users are considered authenticated.
User Emails
The email address held in the LDAP account is automatically added to the Sintelix user profile. If the LDAP email address differs from the one in the Sintelix user profile, the profile is updated to the LDAP address.
Configure LDAP Authentication
To configure LDAP server user authentication:
- Go to the file:
  <Sintelix Database Directory>\external-users\user_repositories.xml
  To find the location of your Sintelix database folder, select the Status tab and find the System Configuration section. The location is displayed in the Main datastore location field.
- In the Configurations section, under ‘example: an LDAP repository’, make the changes you require to the code. Use the examples below as a guide.
Examples

Example 1: User logs in using their DN (bind to LDAP using only the typed user name)
In this example, Sintelix builds a user DN uid=[user name],ou=people,dc=example,dc=com and attempts to bind to LDAP with it and the provided password.
<item class="com.sintelix.semanticportal.login.external.LdapConfiguration">
  <url>ldap://localhost:389/</url>
  <userSearchBase>ou=people,dc=example,dc=com</userSearchBase>
  <userSearchFilter>uid={0}</userSearchFilter>
  <groupSearchBase>ou=groups,dc=example,dc=com</groupSearchBase>
  <groupSearchFilter>memberUid={0}</groupSearchFilter>
  <groupRoleAttribute>cn</groupRoleAttribute>
  <adminGroups>
    <item>Admins</item>
  </adminGroups>
  <userGroups role="CONFIGURE">
    <item>Admins</item>
  </userGroups>
  <userGroups role="ANALYST">
    <item>Users</item>
  </userGroups>
  <allAdmins>false</allAdmins>
  <allUsers role="CONFIGURE">false</allUsers>
</item>
- url : the URL of the LDAP server (ldap:// or ldaps:// protocol).
- userSearchBase / userSearchFilter : configure how to find the object that holds the user's name (by default: uid={0}).
- dnAttribute : the attribute extracted from the found object (by default: uid).
- dnPattern : the DN pattern used to bind as the user. By default it is [dnAttribute]={0},[userSearchBase]. It can be declared multiple times; the first pattern that binds successfully is used.
- groupSearchBase / groupSearchFilter / groupRoleAttribute : configure how to find a user's groups.
- adminGroups : a list of LDAP groups; a user who belongs to any of them is given administrator access.
- userGroups : a list of LDAP groups; a user who belongs to any of them is given user access with the given role (defaults to CONFIGURE). It can be declared multiple times with different roles; the declarations are evaluated in order of occurrence.
- allAdmins : overrides the group search and gives all authenticated users administrator access.
- allUsers : overrides the group search and gives all authenticated users the user access of the given role (defaults to CONFIGURE).
If [userSearchFilter],[userSearchBase] is equal to [dnPattern], a user search is unnecessary: Sintelix immediately builds the DN from dnPattern and binds with it. Otherwise it must perform a search first. The searchUser and searchPassword attributes are the credentials used for that search; if they are missing, an anonymous bind is used.

Example 2: User logs in using some other LDAP attribute
When a user logs in using an attribute other than their DN, Sintelix must first search for the user’s DN and then bind as that user. To run the search, Sintelix binds to LDAP with a separate set of credentials, or anonymously if the LDAP server allows it.
If the search returns more than one possible user DN, login is refused, so use an attribute that is unique.
In this example, Sintelix first searches LDAP for a user matching the query mail=[user name] under the branch ou=people,dc=example,dc=com. If matching objects are found, the "uid" attribute is extracted from them; if it is unique, Sintelix builds the user DN uid=[found uid],ou=people,dc=example,dc=com and binds to LDAP with this DN and the password provided.
<item class="com.sintelix.semanticportal.login.external.LdapConfiguration">
  <url>ldap://localhost:389/</url>
  <userSearchBase>ou=people,dc=example,dc=com</userSearchBase>
  <userSearchFilter>mail={0}</userSearchFilter> <!-- {0} is the typed user name -->
  <dnAttribute>uid</dnAttribute> <!-- attribute of the found object used for DN generation -->
  <dnPattern>uid={0},ou=people,dc=example,dc=com</dnPattern> <!-- more than one pattern is possible; the first that binds successfully is used -->
  <!-- credentials used for the user search -->
  <searchUser>uid=administrator,ou=people,dc=example,dc=com</searchUser> <!-- remove to search using anonymous bind -->
  <searchPassword>password</searchPassword> <!-- remove to search using anonymous bind -->
  <groupSearchBase>ou=groups,dc=example,dc=com</groupSearchBase>
  <groupSearchFilter>memberUid={0}</groupSearchFilter>
  <groupRoleAttribute>cn</groupRoleAttribute>
  <adminGroups>
    <item>Admins</item>
  </adminGroups>
  <userGroups role="CONFIGURE">
    <item>Admins</item>
  </userGroups>
  <userGroups role="ANALYST">
    <item>Users</item>
  </userGroups>
  <allAdmins>false</allAdmins>
  <allUsers role="CONFIGURE">false</allUsers>
</item>
- userSearchFilter : an LDAP filter expression in which the typed user name is substituted for {0}.
- dnAttribute : the attribute extracted from the search result whose value is used to build the user’s DN; it must be unique.
- dnPattern : the pattern, filled with dnAttribute’s value, that is then used to bind.
- searchUser and searchPassword : the credentials used for the initial search. If they are missing, an anonymous bind is used instead.
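To make the two flows and the rules above concrete, here is an added Python model; it is not Sintelix code and not a client for a live server. It parses an <item> configuration in the page's format with the standard library, applies the dnPattern rule to decide whether a search is needed (Example 1 versus Example 2), enforces the single-candidate rule, binds against a constructed in-memory directory and maps group membership to roles. The directory, its users and passwords, and the ldaps:// port are constructed; reading "evaluated in order of occurrence" as first match wins is an assumption, and the empty-password refusal is an added check rather than documented Sintelix behaviour.

```python
"""Model of the Sintelix LDAP login flow described on this page (an added example,
not Sintelix code): parses the page's <item> configuration with the standard library
and replays both flows against a constructed in-memory directory; users are made up."""
import hmac
import xml.etree.ElementTree as ET

# Example 1 shape: the typed name is the uid, so Sintelix can bind directly.
EXAMPLE1_XML = """<item class="com.sintelix.semanticportal.login.external.LdapConfiguration">
<url>ldaps://localhost:636/</url>
<userSearchBase>ou=people,dc=example,dc=com</userSearchBase>
<userSearchFilter>uid={0}</userSearchFilter>
<groupSearchBase>ou=groups,dc=example,dc=com</groupSearchBase>
<groupSearchFilter>memberUid={0}</groupSearchFilter><groupRoleAttribute>cn</groupRoleAttribute>
<adminGroups><item>Admins</item></adminGroups>
<userGroups role="CONFIGURE"><item>Admins</item></userGroups>
<userGroups role="ANALYST"><item>Users</item></userGroups>
<allAdmins>false</allAdmins><allUsers role="CONFIGURE">false</allUsers>
</item>"""

# Example 2 shape: log in by mail, search with a service account, bind as uid.
EXAMPLE2_XML = EXAMPLE1_XML.replace("ldaps://localhost:636/", "ldap://localhost:389/").replace(
    "<userSearchFilter>uid={0}</userSearchFilter>",
    "<userSearchFilter>mail={0}</userSearchFilter><dnAttribute>uid</dnAttribute>"
    "<dnPattern>uid={0},ou=people,dc=example,dc=com</dnPattern>"
    "<searchUser>uid=administrator,ou=people,dc=example,dc=com</searchUser>"
    "<searchPassword>password</searchPassword>")

# Constructed directory, DN -> attributes. "userPassword" stands in for the
# server's own bind check. bob and bob2 share a mail address on purpose.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "mail": "alice@example.com", "userPassword": "s3cret"},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob", "mail": "bob@example.com", "userPassword": "hunter2"},
    "uid=bob2,ou=people,dc=example,dc=com": {"uid": "bob2", "mail": "bob@example.com", "userPassword": "other"},
    "cn=Admins,ou=groups,dc=example,dc=com": {"cn": "Admins", "memberUid": ["alice"]},
    "cn=Users,ou=groups,dc=example,dc=com": {"cn": "Users", "memberUid": ["alice", "bob"]},
}

def load_config(xml_text):
    """Parse one <item> into a dict, applying the defaults the page states."""
    root = ET.fromstring(xml_text)
    cfg = {c.tag: (c.text or "").strip() for c in root if len(c) == 0 and c.tag != "dnPattern"}
    cfg.setdefault("dnAttribute", "uid")
    cfg["dnPatterns"] = ([p.text.strip() for p in root.findall("dnPattern")]
                         or [f"{cfg['dnAttribute']}={{0}},{cfg['userSearchBase']}"])
    cfg["adminGroups"] = [i.text for i in root.findall("adminGroups/item")]
    cfg["userGroups"] = [(g.get("role", "CONFIGURE"), [i.text for i in g.findall("item")])
                         for g in root.findall("userGroups")]
    cfg["allAdmins"] = cfg.get("allAdmins") == "true"
    all_users = root.find("allUsers")
    cfg["allUsers"] = (all_users.get("role", "CONFIGURE"), cfg.get("allUsers") == "true")
    return cfg

def search(base, filter_expr):
    """Toy equality search (attr=value) under base; real filters must escape {0} per RFC 4515."""
    attr, _, value = filter_expr.partition("=")
    def holds(attrs):  # attribute values may be single-valued or a list
        held = attrs.get(attr, [])
        return value in (held if isinstance(held, list) else [held])
    return [attrs for dn, attrs in DIRECTORY.items() if dn.endswith("," + base) and holds(attrs)]

def needs_search(cfg):  # page rule: filter,base equal to a dnPattern means bind directly
    return f"{cfg['userSearchFilter']},{cfg['userSearchBase']}" not in cfg["dnPatterns"]

def authenticate(cfg, username, password):
    """Return (ok, detail): the bound DN on success, otherwise the refusal reason."""
    if not password:  # an empty simple bind is anonymous, never a user login (RFC 4513)
        return False, "empty password refused"
    if needs_search(cfg):
        # Example 2: search first (as searchUser or anonymously), require one unique value.
        hits = search(cfg["userSearchBase"], cfg["userSearchFilter"].format(username))
        values = {h.get(cfg["dnAttribute"]) for h in hits}
        if len(values) != 1:
            return False, f"login refused: {len(values)} candidate DN(s), need exactly 1"
        value = values.pop()
    else:
        value = username  # Example 1: the typed name is the DN attribute value
    for pattern in cfg["dnPatterns"]:  # first pattern that binds successfully wins
        dn = pattern.format(value)
        if hmac.compare_digest(DIRECTORY.get(dn, {}).get("userPassword", ""), password):
            return True, dn
    return False, "bind failed"

def resolve_roles(cfg, value):
    """Group membership -> Sintelix access, honouring the allAdmins/allUsers overrides."""
    groups = {g[cfg["groupRoleAttribute"]]
              for g in search(cfg["groupSearchBase"], cfg["groupSearchFilter"].format(value))}
    roles = ["ADMIN"] if cfg["allAdmins"] or groups & set(cfg["adminGroups"]) else []
    all_role, all_on = cfg["allUsers"]
    if all_on:
        roles.append(all_role)
    else:  # "evaluated in order of occurrence": read here as first match wins (assumption)
        roles += [role for role, members in cfg["userGroups"] if groups & set(members)][:1]
    return roles

def config_warnings(cfg):
    """Check worth running on user_repositories.xml before deploying it."""
    notes = []
    if not cfg["url"].lower().startswith("ldaps://"):
        notes.append("plain ldap:// URL: simple binds send passwords unencrypted unless StartTLS is negotiated")
    return notes
```

Calling authenticate(load_config(EXAMPLE2_XML), "bob@example.com", "hunter2") shows the two-candidate refusal, while the same call for alice@example.com binds as uid=alice and resolve_roles maps her Admins membership to ADMIN plus the first matching userGroups role. config_warnings flags the ldap:// URL because a simple bind carries both the user's password and searchPassword to the server; ldaps:// (or StartTLS) is what protects them in transit.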