
LDAP authentication

Users of Onegini Customer Service can authenticate via an LDAP Identity Provider instead of basic authentication. To replace basic authentication with LDAP, the application must be started with the Spring profile ldap, for example by setting the environment variable SPRING_PROFILES_ACTIVE=ldap.

LDAP properties

The following environment variables must be configured:

| Property | Default | Example | Description |
|---|---|---|---|
| LDAP_ENABLED | false | | Enables LDAP features; this is true by default when the application runs with the ldap Spring profile |
| LDAP_STARTER_URL | | ldap://ldap.example.com:389 | URL of the LDAP server to connect to |
| LDAP_STARTER_LOGIN_USER_DN | | uid=ldap,ou=Users,dc=example,dc=com | DN of the user that is used to connect to the LDAP server |
| LDAP_STARTER_LOGIN_PASSWORD | | P@ssword1 | Password used when connecting to the LDAP server |
| LDAP_STARTER_SEARCH_BASE | | @ou=Users,dc=example,dc=com | Base DN of the users that will authenticate to the application |
| LDAP_STARTER_GROUP_SEARCH_BASE | | ou=groups,dc=example,dc=com | Base DN of the groups that contain the users connecting to the application |
| LDAP_STARTER_SEARCH_USER_FILTER | | id={0} | Filter used when searching for users |

Authority mapping

Onegini Customer Service can restrict access based on the LDAP groups a user is a member of.

| Property | Default | Example | Description |
|---|---|---|---|
| LDAP_FULL_ACCESS_GRANTED | false | false | If true, all authenticated users have full access to Onegini Customer Service and the properties below are ignored. |
| LDAP_AUTHORITIES_USERS_ALL * | | (&(cn=support)(uniqueMember={0})) | Value of the role that gives access to managing users. |
| LDAP_AUTHORITIES_AGENTS_READ * | | (&(cn=administrators)(uniqueMember={0})) | Value of the role that gives access to supervising agents. |
| LDAP_AUTHORITIES_STATISTICS_READ * | | (&(cn=administrators)(uniqueMember={0})) | Value of the role that gives access to viewing application statistics. |
| LDAP_AUTHORITIES_anythingElse * | | (&(cn=other)(uniqueMember={0})) | Values of further roles that give access using RBAC. |

* this is a multivalue property. Separate values with a comma.
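As an added example (not Onegini's own code), the Python below simulates how the authority mapping above resolves for a given user: it honours LDAP_FULL_ACCESS_GRANTED, splits the comma-separated multivalue properties, substitutes {0} with the user's DN and evaluates each (&(cn=...)(uniqueMember={0})) filter against a constructed in-memory group directory. The directory, the environment values and the RFC 4515 escaping of the substituted DN are assumptions for illustration, not behaviour documented for the product.

```python
import re

# Constructed sample directory (not real data): group DN -> set of uniqueMember DNs.
SAMPLE_GROUPS = {
    "cn=support,ou=groups,dc=example,dc=com": {"uid=alice,ou=Users,dc=example,dc=com"},
    "cn=administrators,ou=groups,dc=example,dc=com": {"uid=bob,ou=Users,dc=example,dc=com"},
}

# Constructed environment in the shape the tables above describe.
SAMPLE_ENV = {
    "LDAP_FULL_ACCESS_GRANTED": "false",
    "LDAP_AUTHORITIES_USERS_ALL": "(&(cn=support)(uniqueMember={0}))",
    # multivalue property: two filters separated by a comma
    "LDAP_AUTHORITIES_AGENTS_READ": "(&(cn=administrators)(uniqueMember={0})),(&(cn=support)(uniqueMember={0}))",
    "LDAP_AUTHORITIES_STATISTICS_READ": "(&(cn=administrators)(uniqueMember={0}))",
}

def escape_filter_value(value):
    """RFC 4515 escaping (assumed here): ( ) * \\ and NUL in a DN stay inside one assertion value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def group_matches(group_dn, members, filt):
    """Evaluate a resolved (&(cn=NAME)(uniqueMember=DN)) filter against one group entry."""
    m = re.fullmatch(r"\(&\(cn=([^()]+)\)\(uniqueMember=(.+)\)\)", filt)
    if not m:
        raise ValueError("unsupported filter shape: " + filt)
    cn, member = m.groups()
    return group_dn.split(",")[0].lower() == ("cn=" + cn).lower() and member in members

def resolve_authorities(env, user_dn, groups):
    """Return the authority names (suffix after LDAP_AUTHORITIES_) the config grants user_dn."""
    if env.get("LDAP_FULL_ACCESS_GRANTED", "false").strip().lower() == "true":
        return {"FULL_ACCESS"}  # every authenticated user; the mapping below is ignored
    granted = set()
    for key, raw in env.items():
        if not key.startswith("LDAP_AUTHORITIES_"):
            continue
        # Split the multivalue property before substituting {0}: the user DN itself contains commas.
        for filt in (f.strip() for f in raw.split(",") if f.strip()):
            resolved = filt.replace("{0}", escape_filter_value(user_dn))
            if any(group_matches(dn, mem, resolved) for dn, mem in groups.items()):
                granted.add(key[len("LDAP_AUTHORITIES_"):])
    return granted

if __name__ == "__main__":
    for uid in ("alice", "bob", "carol"):
        dn = "uid=%s,ou=Users,dc=example,dc=com" % uid
        print(uid, sorted(resolve_authorities(SAMPLE_ENV, dn, SAMPLE_GROUPS)))
```

Running it against a copy of the real environment and a dump of the real groups shows which roles each account would receive before the configuration is deployed.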