Configure LDAP authentication
The Lightweight Directory Access Protocol (LDAP) is a standard protocol for accessing directory services.
Semarchy xDM supports authentication with LDAP Directories using LDAP identity providers.
Supported capabilities
With an LDAP Identity Provider, the authenticating user credentials (user name and password) are entered in a login form.
The LDAP Identity Provider supports three authentication methods, configured with the Authentication Mode property:
- In Bind mode, Semarchy xDM:
  - Binds to the LDAP directory with the credentials entered by the authenticating user.
  - Queries the directory for that user's roles and profile properties using the same credentials.
- In Comparison mode, Semarchy xDM:
  - Connects to the directory using a Lookup User (Lookup User Name and Lookup User Password).
  - Searches the directory for the user object corresponding to the authenticating user, using the configuration provided in the User DN Pattern, User Search Base, User Search Filter, and User Search SubTree properties. In these properties, the {0} placeholder marks where the user name being searched for is inserted.
  - Hashes the password provided by the user with the Password Hashing Algorithm and compares the result with the hashed password stored in the directory under the Password Attribute Name, in order to authenticate the user.
  - Queries the directory for the authenticated user's roles and profile properties using the credentials of the Lookup User.
- In Bind as User mode, Semarchy xDM:
  - Binds to the LDAP directory with the credentials entered by the authenticating user.
  - Queries the directory for the authenticated user's roles and profile properties using the credentials of the Lookup User.
After the authentication:
- The list of roles is retrieved as configured in the Role Search Base, Role Search Filter, and the other Role properties.
- The profile properties are synchronized from attributes of the user object. This object is retrieved using the User DN Pattern, User Search Base, User Search Filter, and User Search SubTree properties.
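To make the three modes concrete, here is an added Python example (not Semarchy code) that models Bind, Comparison and Bind as User against a constructed in-memory directory, then performs the role search and the profile synchronization described above. The property names mirror the identity-provider configuration; the directory contents, the passwords, the lookup-user DN, the memberuid-based role filter and the assumption that a non-Base64 algorithm yields a hex digest are all constructed for the example. Two practitioner points are built in: the user name is escaped per RFC 4515 (filters) and RFC 4514 (DN pattern) before being substituted at {0}, and a user search that matches zero or several entries is refused. The page does not say how xDM treats special characters in the user name, so verify that behaviour in your own deployment.

```python
import base64
import hashlib
import hmac
import re

ALG = "SHA-256 (Base64)"  # a 'Password Hashing Algorithm' value: Java digest name + Base64

def hash_password(password, algorithm=ALG):
    # '(Base64)' suffix: Base64-encode the digest; hex for the plain variants is an assumption
    name, _, suffix = algorithm.partition(" ")
    digest = hashlib.new(name.replace("-", "").lower(), password.encode()).digest()
    return base64.b64encode(digest).decode() if suffix == "(Base64)" else digest.hex()

def escape_filter_value(value):
    # RFC 4515: keep '*', '(', ')', '\' and NUL from the user name literal inside a filter
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def escape_dn_value(value):
    # RFC 4514 (common subset) for a user name substituted at {0} in the User DN Pattern
    return re.sub(r'([,+"\\<>;])', r"\\\1", value)

# Constructed sample directory (attribute names lower-cased): two users, two roles.
DIRECTORY = {
    "uid=johndoe,ou=users,ou=people,dc=acmecorp,dc=com": {
        "uid": "johndoe", "givenname": "John", "surname": "Doe",
        "department": "Support", "userpassword": hash_password("s3cret")},
    "uid=svc-lookup,ou=services,dc=acmecorp,dc=com": {
        "uid": "svc-lookup", "userpassword": hash_password("lookup-pw")},
    "cn=admin,ou=roles,dc=acmecorp,dc=com": {"cn": "admin", "memberuid": ["johndoe"]},
    "cn=dataSteward,ou=roles,dc=acmecorp,dc=com": {
        "cn": "dataSteward", "memberuid": ["johndoe", "svc-lookup"]},
}

def match_filter(entry, filt):
    # Single equality filter only; an unescaped '*' is a wildcard, '\2a' a literal asterisk
    attr, pattern = re.fullmatch(r"\((\w+)=([^()]*)\)", filt).groups()
    unescape = lambda p: re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), p)
    regex = ".*".join(re.escape(unescape(p)) for p in pattern.split("*"))
    values = entry.get(attr.lower(), [])
    values = [values] if isinstance(values, str) else values
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)

def search(base, filt, subtree=True):
    # DNs under base matching filt; subtree=False keeps direct children of the base only
    hits = []
    for dn, entry in DIRECTORY.items():
        if not dn.lower().endswith("," + base.lower()):
            continue
        if not subtree and "," in dn[: -len(base) - 1]:
            continue
        if match_filter(entry, filt):
            hits.append(dn)
    return hits

def bind(dn, password):
    # Simple bind against the mock directory, compared in constant time
    entry = DIRECTORY.get(dn)
    return entry is not None and hmac.compare_digest(hash_password(password), entry["userpassword"])

def find_user_dn(username, cfg):
    # User DN Pattern first; otherwise User Search Base / Filter / SubTree
    if cfg.get("user_dn_pattern"):
        dn = cfg["user_dn_pattern"].replace("{0}", escape_dn_value(username))
        return dn if dn in DIRECTORY else None
    filt = cfg["user_search_filter"].replace("{0}", escape_filter_value(username))
    hits = search(cfg["user_search_base"], filt, cfg["user_search_subtree"])
    return hits[0] if len(hits) == 1 else None  # no match or ambiguous match: refuse

def authenticate(username, password, cfg):
    # Returns (user_dn, roles, profile) for the configured mode, or raises PermissionError
    mode = cfg["authentication_mode"]
    if mode in ("comparison", "bind_as_user") and not bind(cfg["lookup_user_name"], cfg["lookup_user_password"]):
        raise PermissionError("lookup user bind failed")
    user_dn = find_user_dn(username, cfg)
    if user_dn is None:
        raise PermissionError("invalid credentials")
    if mode == "comparison":  # hash the supplied password and compare with the stored attribute
        stored = DIRECTORY[user_dn][cfg["password_attribute_name"]]
        ok = hmac.compare_digest(hash_password(password, cfg["password_hashing_algorithm"]), stored)
    else:  # bind and bind_as_user: the user's own bind proves the password
        ok = bind(user_dn, password)
    if not ok:
        raise PermissionError("invalid credentials")
    role_filter = cfg["role_search_filter"].replace("{0}", escape_filter_value(username))
    roles = [DIRECTORY[dn][cfg["role_name_attribute"]]
             for dn in search(cfg["role_search_base"], role_filter, cfg["role_search_subtree"])]
    profile = {prop: DIRECTORY[user_dn].get(attr) for prop, attr in cfg["profile_sync"].items()}
    return user_dn, roles, profile

CONFIG = {  # property names mirror the identity-provider configuration; values are constructed
    "authentication_mode": "comparison",  # or "bind" / "bind_as_user"
    "lookup_user_name": "uid=svc-lookup,ou=services,dc=acmecorp,dc=com",
    "lookup_user_password": "lookup-pw",
    "user_dn_pattern": "uid={0},ou=users,ou=people,dc=acmecorp,dc=com",  # None: use the search
    "user_search_base": "ou=people,dc=acmecorp,dc=com", "user_search_filter": "(uid={0})",
    "user_search_subtree": True, "password_attribute_name": "userpassword",
    "password_hashing_algorithm": ALG,
    "role_search_base": "ou=roles,dc=acmecorp,dc=com", "role_search_filter": "(memberuid={0})",
    "role_name_attribute": "cn", "role_search_subtree": True,
    "profile_sync": {"First Name": "givenname", "Last Name": "surname", "Department": "department"},
}
```

Calling authenticate("johndoe", "s3cret", CONFIG) returns the user DN, the roles ["admin", "dataSteward"] and the synchronized profile; switching authentication_mode shows that the Lookup User bind only happens in Comparison and Bind as User mode. Setting user_dn_pattern to None exercises the search path: because the user name is escaped, a user name of "*" becomes the filter (uid=\2a) and matches nothing, whereas an unescaped substitution would produce (uid=*), which matches every user and, in a comparison-style flow, pairs any account's password with a wildcard user name. That is the general LDAP filter-injection class to check for wherever a user-controlled value is substituted at {0}.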
The choice between the Bind, Comparison and Bind as User modes, as well as the other properties, depends on the type and configuration of your directory.
Using the LDAP identity provider for Active Directory
For Active Directory, prefer the dedicated Active Directory identity provider.
Configuration
To configure LDAP authentication, follow the steps to configure an identity provider with the LDAP type, using the properties listed in the following table for reference.
Property | Definition
---|---
Connectivity |
Server URL | Connection URL to the LDAP host, with the port (an ldap:// or ldaps:// URL).
Authentication Mode | Authentication method for a user: Bind, Comparison, or Bind as User (see Supported capabilities).
Lookup User Name | User name used to connect and search users in LDAP. This field is available when using the Comparison and Bind as User authentication modes.
Lookup User Password | Password of the lookup user. This field is available when using the Comparison and Bind as User authentication modes.
User Authentication |
User DN Pattern | Pattern for the distinguished name (DN) of the user's directory entry, with {0} marking where the actual user name should be inserted.
User Search Base | Base DN to look for the user using the User Search Filter. This property is not used if you are using the User DN Pattern expression.
User Search Filter | Search filter applied when searching users under the User Search Base, with {0} marking where the actual user name should be inserted.
User Search SubTree | Boolean value defining whether to search the whole tree under the User Search Base to find the users, or to remain at the base. This property is not used if you are using the User DN Pattern expression. The default value is
Password Attribute Name | Attribute in the user object containing the user password hashed with the Password Hashing Algorithm. This field is available for the Comparison authentication mode only.
Password Hashing Algorithm | Hashing algorithm used to encode passwords in the directory. This field is required when using the Comparison mode only. See the standard Java 8 algorithms for the full list of algorithms. Algorithms appearing in the list with the (Base64) suffix apply a Base64 encoding in addition to the hashing.
Roles |
Role Search Base | Base DN to look for the user roles, using the Role Search Filter.
Role Search Filter | Search filter applied when searching user roles under the Role Search Base, with {0} marking where the actual user name should be inserted.
Role Name Attribute | Attribute in the role object containing the role name.
Role Search SubTree | Boolean value defining whether to search the whole tree under the Role Search Base to find the roles, or to remain at the base. The default value is
Role Nested Search | Defines whether to search for nested roles (roles within roles). The default value is
Profile synchronization
With LDAP, each profile property is synchronized from an attribute of the user object.
For example, if the LDAP directory stores the user object as follows:

uid=johndoe,ou=users,ou=people,dc=acmecorp,dc=com
roles=admin,dataStewart
givenname=John
surname=Doe
department=Support

setting User DN Pattern to uid={0},ou=users,ou=people,dc=acmecorp,dc=com retrieves the user object, and the following values should be set in the Synchronize From field to synchronize the profile properties from the corresponding user object attributes:
Profile Property | Synchronized From
---|---
First Name | givenname
Last Name | surname
Department | department