LDAP authentication
In LDAP authentication, users log in with credentials that are stored in an LDAP server. LDAP authentication is enabled by default but requires some configuration.
Configuration
LDAP Access
Property | Example | Description |
---|---|---|
TOKEN_SERVER_ADMIN_LDAP_ENABLED | true | Flag to enable or disable LDAP authentication. By default it is enabled. |
TOKEN_SERVER_ADMIN_LDAP_SERVER_URLS | ldap://localhost:1389 | Comma separated list of LDAP server URLs. |
TOKEN_SERVER_ADMIN_LDAP_BASE_DN | dc=example,dc=com | Base DN of the LDAP server. Single value. |
TOKEN_SERVER_ADMIN_LDAP_BIND_DN | cn=Directory Manager | The bind user. This user is used to look up subjects and group memberships in the LDAP. Single value. |
TOKEN_SERVER_ADMIN_LDAP_BIND_PWD | Admin123 | Password of the bind user. Single value. |
User search configuration
There are two configuration options for looking up the user during login.
The first option can be used when the username is the same as its unique identifier in the LDAP:
Property | Default value | Description |
---|---|---|
TOKEN_SERVER_ADMIN_LDAP_USER_DNS | uid={0},ou=users | Semicolon-separated (;) list of LDAP user search DNs, relative to the base DN. The {0} maps to the username field in the login form. |
The second option is necessary when the user can enter a different value for the username than the unique identifier, e.g. their email address. The filter must return a unique result.
Property | Default value | Example | Description |
---|---|---|---|
TOKEN_SERVER_ADMIN_LDAP_USER_SEARCH_BASE | ou=people | | The starting point for the user search, relative to TOKEN_SERVER_ADMIN_LDAP_BASE_DN. An empty value is valid. Single value. |
TOKEN_SERVER_ADMIN_LDAP_USER_SEARCH_SUBTREE | true | false | Boolean to indicate whether users can be searched in subtrees of the base. true or false. Default is true. Single value. |
TOKEN_SERVER_ADMIN_LDAP_USER_SEARCH_FILTER | email={0} | | LDAP user search filter. LDAP query syntax is supported. Single value. |
TOKEN_SERVER_ADMIN_LDAP_USER_SEARCH_TIME_LIMIT_IN_MS | 0 | 5000 | Timeout for the user search in milliseconds. Default is 0 (no timeout). Single value. |
Note: You can leave the property TOKEN_SERVER_ADMIN_LDAP_USER_DNS blank when the username in the login form is not the same as the unique identifier.
Group search configuration
Access to (parts of) the management interface is restricted to users with specific roles. These roles can be mapped to the group(s) the users are members of in the LDAP. LDAP users that are not a member of any configured group cannot get access to the management interface. At least one role must be mapped to a group to get access.
The following properties are needed to look up the groups in the LDAP configured above.
Property | Default value | Description |
---|---|---|
TOKEN_SERVER_ADMIN_LDAP_GROUP_SEARCH_SUBTREE | true | Boolean to indicate if groups can be searched in subtrees of the base. true or false |
TOKEN_SERVER_ADMIN_LDAP_GROUP_SEARCH_FILTER | uniqueMember={0} | LDAP group membership search filter. Single value. |
TOKEN_SERVER_ADMIN_LDAP_GROUP_SEARCH_BASE | ou=groups | LDAP group search DN. Single value, relative from the base DN. |
TOKEN_SERVER_ADMIN_LDAP_GROUP_SEARCH_GROUP_NAME_ATTRIBUTE | cn | Name attribute for the group. Single value. |
Group mapping
The groups from LDAP should be mapped to roles within the Token Server Admin console. The access rights for the roles are described in the Roles overview page.
The following properties are needed to map the groups to roles:
Property | Default value | Description |
---|---|---|
TOKEN_SERVER_ADMIN_LDAP_GROUPS_ADMIN_GROUP_NAME | admin | Comma separated list of groups that have Admin rights. |
TOKEN_SERVER_ADMIN_LDAP_GROUPS_OPERATOR_GROUP_NAME | operator | Comma separated list of groups that have Operator rights. |
TOKEN_SERVER_ADMIN_LDAP_GROUPS_HELPDESK_GROUP_NAME | helpdesk | Comma separated list of groups that have Helpdesk rights. |
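The login flow that the user search, group search and group mapping tables above configure, traced end to end as an added example. This is not the Token Server's own code and it contacts no LDAP server: a constructed in-memory directory and a small evaluator for a subset of LDAP filter syntax (equality, `&`, `|`) stand in for it. It shows both user-lookup options, the one-level versus subtree distinction, the uniqueness requirement on the search filter, the group search and the role mapping, and it applies the RFC 4515 (filter) and RFC 4514 (DN) escaping that a real implementation must apply to the login-form value before substituting it for {0}. The page does not say what {0} expands to in the group search filter; because uniqueMember and member hold DNs, the example assumes it is the resolved user DN. The `userPassword` comparison is a placeholder for the bind a real server would perform.

```python
import re

# Constructed stand-in for the LDAP server (not real directory data); attribute
# names are compared case-insensitively, as LDAP does.
DIRECTORY = {
    "uid=alice,ou=users,dc=example,dc=com": {"uid": ["alice"], "email": ["alice@example.com"], "userPassword": ["s3cret"]},
    "cn=Bob Lee,ou=sales,ou=Users,dc=example,dc=com": {"userPrincipalName": ["bob@example.com"], "userPassword": ["hunter2"]},
    "cn=admin,ou=groups,dc=example,dc=com": {"cn": ["admin"], "uniqueMember": ["uid=alice,ou=users,dc=example,dc=com"]},
    "cn=Developers,ou=groups,dc=example,dc=com": {"cn": ["Developers"], "member": ["cn=Bob Lee,ou=sales,ou=Users,dc=example,dc=com"]},
}
P = "TOKEN_SERVER_ADMIN_LDAP_"  # property-name prefix
# The page's two example configurations (server URLs left out; nothing is dialled).
BASIC = {P + "BASE_DN": "dc=example,dc=com"}
AD = {
    P + "BASE_DN": "dc=example,dc=com", P + "USER_DNS": "",
    P + "USER_SEARCH_BASE": "ou=Users", P + "USER_SEARCH_SUBTREE": "true",
    P + "USER_SEARCH_FILTER": "(|(userPrincipalName={0})(userPrincipalName={0}@example.com))",
    P + "GROUP_SEARCH_FILTER": "member={0}", P + "GROUPS_ADMIN_GROUP_NAME": "Administrators",
    P + "GROUPS_OPERATOR_GROUP_NAME": "Developers,Testers", P + "GROUPS_HELPDESK_GROUP_NAME": "Support",
}

def escape_filter_value(value):
    """RFC 4515 section 3: hex-escape filter metacharacters so the login-form value
    substituted for {0} is matched literally, never parsed as filter syntax."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def escape_dn_value(value):
    """RFC 4514 section 2.4 escaping for a value placed in the USER_DNS template."""
    out = "".join("\\" + c if c in '"+,;<>\\' else c for c in value)
    return "\\" + out if value[:1] in ("#", " ") else out

def _parse(s):
    """Parse one parenthesised filter (RFC 4515 subset: =, &, |); return (node, rest)."""
    if s[1:2] in ("&", "|"):
        op, rest, children = s[1], s[2:], []
        while rest[:1] == "(":
            child, rest = _parse(rest)
            children.append(child)
        return (op, children), rest[1:]  # skip the closing ')'
    end = s.index(")")
    attr, _, raw = s[1:end].partition("=")
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)  # undo \XX
    return ("=", attr.lower(), value), s[end + 1:]

def parse_filter(text):
    if not text.startswith("("):  # the tables write bare items such as email={0}
        text = f"({text})"
    return _parse(text)[0]

def matches(attrs, node):
    if node[0] == "=":
        values = [v.lower() for k, vs in attrs.items() if k.lower() == node[1] for v in vs]
        return node[2].lower() in values
    return (all if node[0] == "&" else any)(matches(attrs, c) for c in node[1])

def search(base, subtree, node):
    """DNs below `base` (one level only, or the whole subtree) whose attributes match."""
    base, hits = base.lower(), []
    for dn, attrs in DIRECTORY.items():
        low = dn.lower()
        if not low.endswith("," + base):
            continue
        rel = low[:-len(base) - 1]
        if (subtree or "," not in rel) and matches(attrs, node):
            hits.append(dn)
    return hits

def authenticate(cfg, username, password):
    """Return (user DN, sorted roles), or (None, reason) when the login is refused:
    resolve the DN, check the password (the bind against a real server), look up
    groups, map them to roles."""
    base = cfg[P + "BASE_DN"]
    templates = [t for t in cfg.get(P + "USER_DNS", "uid={0},ou=users").split(";") if t]
    if templates:  # option 1: the username is the unique identifier in the LDAP
        safe = escape_dn_value(username)
        found = [dn for dn in (t.replace("{0}", safe) + "," + base for t in templates) if dn in DIRECTORY]
    else:  # option 2: USER_DNS blank, search by filter; the result must be unique
        flt = cfg[P + "USER_SEARCH_FILTER"].replace("{0}", escape_filter_value(username))
        sub = cfg.get(P + "USER_SEARCH_BASE", "")
        found = search(sub + "," + base if sub else base,
                       cfg.get(P + "USER_SEARCH_SUBTREE", "true") == "true", parse_filter(flt))
    if len(found) != 1:
        return None, f"user lookup returned {len(found)} entries, need exactly 1"
    user_dn = found[0]
    if password not in DIRECTORY[user_dn].get("userPassword", []):  # stands in for the bind
        return None, "bind failed"
    # Assumption: {0} in the group filter is the user's DN, as member/uniqueMember hold DNs.
    gflt = cfg.get(P + "GROUP_SEARCH_FILTER", "uniqueMember={0}").replace("{0}", escape_filter_value(user_dn))
    name_attr = cfg.get(P + "GROUP_SEARCH_GROUP_NAME_ATTRIBUTE", "cn").lower()
    groups = set()
    for gdn in search(cfg.get(P + "GROUP_SEARCH_BASE", "ou=groups") + "," + base,
                      cfg.get(P + "GROUP_SEARCH_SUBTREE", "true") == "true", parse_filter(gflt)):
        groups.update(v for k, vs in DIRECTORY[gdn].items() if k.lower() == name_attr for v in vs)
    roles = set()
    for role in ("admin", "operator", "helpdesk"):
        names = {n.strip() for n in cfg.get(f"{P}GROUPS_{role.upper()}_GROUP_NAME", role).split(",")}
        if groups & names:
            roles.add(role)
    if not roles:  # member of no mapped group: no access to the management interface
        return None, "no role mapped to the user's groups"
    return user_dn, sorted(roles)
```

With `BASIC`, `authenticate(BASIC, "alice", "s3cret")` resolves alice through the default USER_DNS template and grants the admin role through the default `uniqueMember={0}` group filter. With `AD`, both `bob` and `bob@example.com` resolve to the same entry and receive the operator role; setting TOKEN_SERVER_ADMIN_LDAP_USER_SEARCH_SUBTREE to false makes that login fail because the entry sits one level deeper under a department OU, which is why the Active Directory example on this page enables subtree search.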
Examples
Basic example
- Users are stored under ou=users,dc=example,dc=com
- The username in the login form is the same as the uid in LDAP
- TOKEN_SERVER_ADMIN_LDAP_SERVER_URLS=ldap://localhost:389
- TOKEN_SERVER_ADMIN_LDAP_BASE_DN=dc=example,dc=com
Active Directory with multiple servers
- Two servers: ad1 and ad2, both on port 1389
- Users are stored under ou={department name},ou=Users,dc=example,dc=com
- Users enter their userPrincipalName (email address) in the login form. The domain name (example.com) is optional in this form. The userPrincipalName is not the same as their DN.
- A timeout of 5 seconds is configured for the user lookup
- Group membership is read from the member attribute
- Role mapping:
  - admin: Administrators
  - operator: Developers and Testers
  - helpdesk: Support
- TOKEN_SERVER_ADMIN_LDAP_SERVER_URLS=ldap://ad1:1389,ldap://ad2:1389
- TOKEN_SERVER_ADMIN_LDAP_BASE_DN=dc=example,dc=com
- TOKEN_SERVER_ADMIN_LDAP_USER_DNS=
- TOKEN_SERVER_ADMIN_LDAP_USER_SEARCH_BASE=ou=Users
- TOKEN_SERVER_ADMIN_LDAP_USER_SEARCH_SUBTREE=true
- TOKEN_SERVER_ADMIN_LDAP_USER_SEARCH_FILTER=(|(userPrincipalName={0})(userPrincipalName={0}@example.com))
- TOKEN_SERVER_ADMIN_LDAP_USER_SEARCH_TIME_LIMIT_IN_MS=5000
- TOKEN_SERVER_ADMIN_LDAP_GROUP_SEARCH_FILTER=member={0}
- TOKEN_SERVER_ADMIN_LDAP_GROUPS_ADMIN_GROUP_NAME=Administrators
- TOKEN_SERVER_ADMIN_LDAP_GROUPS_OPERATOR_GROUP_NAME=Developers,Testers
- TOKEN_SERVER_ADMIN_LDAP_GROUPS_HELPDESK_GROUP_NAME=Support