Configure LDAP authentication

The Lightweight Directory Access Protocol (LDAP) is a standard protocol for accessing directory services.

Semarchy xDM supports authentication with LDAP Directories using LDAP identity providers.

Supported capabilities

With an LDAP Identity Provider, the authenticating user credentials (user name and password) are entered in a login form.

The LDAP Identity Provider supports three authentication methods, configured with the Authentication Mode property:

  • In Bind mode, Semarchy xDM:

    1. Authenticates the authenticating user to the LDAP directory (an LDAP bind with that user’s credentials).

    2. Queries the directory for the user roles and profile properties using that user’s credentials.

  • In Comparison mode, Semarchy xDM:

    1. Connects to the directory using a Lookup User (Lookup User Name and Lookup User Password).

    2. Searches for a user object corresponding to the authenticating user in the directory, using the configuration provided with the User DN Pattern, User Search Base, User Search Filter, and User Search SubTree properties. In these properties, the username being searched for is marked with the {0} placeholder.

    3. Hashes the password provided by the user with the Password Hashing Algorithm, and compares it to the hashed password stored in the directory under the Password Attribute Name in order to authenticate the user.

    4. Queries the directory for the authenticated user roles and profile properties using the credentials of the Lookup User.

  • In Bind as User mode, Semarchy xDM:

    1. Authenticates the authenticating user to the LDAP directory (an LDAP bind with that user’s credentials).

    2. Queries the directory for the authenticated user roles and profile properties using the credentials of the Lookup User.

After the authentication:

  • The list of roles is retrieved as configured in the Role Search Base, Role Search Filter, and the other Roles properties.

  • The profile properties are synchronized from attributes of the user object. This object is retrieved using the User DN Pattern, User Search Base, User Search Filter, and User Search SubTree properties.

The choice of the authentication mode, as well as the values of the other properties, depends on the type and configuration of your directory. Note that Comparison mode requires the Lookup User to have read access to the attribute named by Password Attribute Name on the user objects, whereas in the Bind and Bind as User modes the directory itself verifies the password and no password attribute needs to be readable.
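The following Python snippet is an added illustration, not part of Semarchy xDM, of how the {0} placeholder should be substituted into a User DN Pattern or into a User Search Filter / Role Search Filter. Whether the product escapes the value before substitution is not stated on this page; the example shows RFC 4514 (DN) and RFC 4515 (search filter) escaping of the login name and why it matters: in Comparison and Bind as User modes the search runs with the Lookup User’s credentials, so an unescaped login name such as *)(uid=* would change the meaning of the filter. The function names and the sample patterns are the example’s own.

```python
"""Safe substitution of the {0} username placeholder (added example).

Not Semarchy xDM code: shows the escaping a correct implementation must
apply before inserting an attacker-controlled login name into a DN
pattern (RFC 4514) or a search filter (RFC 4515).
"""

# RFC 4514: characters that must be backslash-escaped inside a DN
# attribute value; '#' only when leading, space only when leading/trailing.
_DN_SPECIAL = {',', '+', '"', '\\', '<', '>', ';', '='}


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def escape_filter_value(value: str) -> str:
    """RFC 4515: '*', '(', ')', '\\' and NUL become \\XX hex escapes."""
    return ''.join(
        '\\%02x' % ord(ch) if ch in '*()\\\x00' else ch for ch in value
    )


def render_dn_pattern(pattern: str, username: str) -> str:
    """Fill {0} in a User DN Pattern, e.g. uid={0},ou=users,dc=example,dc=com."""
    # str.replace rather than str.format: other braces in the pattern must
    # never be interpreted.
    return pattern.replace('{0}', escape_dn_value(username))


def render_filter(pattern: str, username: str) -> str:
    """Fill {0} in a User Search Filter or Role Search Filter, e.g. (uid={0})."""
    return pattern.replace('{0}', escape_filter_value(username))


if __name__ == '__main__':
    # Constructed inputs: a normal login and an injection attempt.
    for name in ('johndoe', '*)(uid=*', 'doe, john'):
        print(render_filter('(uid={0})', name))
        print(render_dn_pattern('uid={0},ou=users,ou=people,dc=acmecorp,dc=com', name))
```

The injected name *)(uid=* renders as (uid=\2a\29\28uid=\2a), a literal value that matches nothing, instead of a filter that matches every user; the same escaping applies to the value placed in the Role Search Filter, which in Comparison and Bind as User modes is usually the user’s DN rather than the raw login name.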

Using the LDAP identity provider for Active Directory

For Active Directory, preferably use the dedicated Active Directory identity provider.
If you use the LDAP identity provider to connect to Active Directory, the Bind as User Authentication Mode is required.

Configuration

To configure LDAP authentication, follow the steps to configure an identity provider with the LDAP type, using the properties listed in the following table for reference.

Property Definition

Connectivity
The following properties configure the connection and the authentication mode.

Server URL

Connection URL to the LDAP host, including the port. For example: ldap://ldaphost.mydomain.com:389. With a plain ldap:// URL, the bind credentials and the directory traffic are sent in cleartext unless the directory negotiates StartTLS; prefer an LDAP-over-TLS URL (ldaps://, typically on port 636) when your directory and deployment support it.

Authentication Mode

Authentication method for a user:

  • Bind mode authenticates the user to the LDAP directory and queries the directory with that user.

  • Comparison mode connects to the directory using a lookup user, searches for the authenticating user’s object, and compares the hashed password with the one stored in the directory.

  • Bind as User mode authenticates the user to the LDAP directory and queries the directory with the lookup user.

Lookup User Name

User name used to connect to the directory and search for users. This field is available when using the Comparison and Bind as User authentication modes.

Lookup User Password

Password of the lookup user. This field is available when using the Comparison and Bind as User authentication modes.

User Authentication
The following properties are used to find the authenticated user object in the directory.

User DN Pattern

Pattern for the distinguished name (DN) of the user’s directory entry, with {0} marking where the actual username should be inserted. You can use this property instead of the User Search Base and User Search Filter properties.

User Search Base

Base DN to look for the user using the User Search Filter. This property is not used if you are using the User DN Pattern expression.

User Search Filter

Search filter applied when searching users under the User Search Base, with {0} marking where the actual username should be inserted. This property is not used if you are using the User DN Pattern expression.

User Search SubTree

This boolean value defines whether to go down the tree under the User Search Base to find the users, or remain at the base. This property is not used if you are using the User DN Pattern expression. The default value is false.

Password Attribute Name

Attribute in the user object containing the user password hashed with the Password Hashing Algorithm. This field is available for the Comparison authentication mode only.

Password Hashing Algorithm

Hashing algorithm used to encode passwords in the directory. This field is required only when using Comparison mode. See Standard Java 8 algorithms for the full list of algorithms. Algorithms appearing in the list with the (Base64) suffix apply a Base64 encoding in addition to the hashing.
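As an added illustration of the password comparison performed in Comparison mode (this is not Semarchy xDM code), the following Python recomputes the digest of the submitted password with a Java MessageDigest algorithm name, applies the Base64 encoding for the (Base64) variants, and compares the result with the value stored under the Password Attribute Name in constant time. The mapping from Java algorithm names to hashlib names, the assumption that the non-Base64 variants store the raw digest bytes, and the sample user entry are the example’s own.

```python
"""Comparison-mode password check (added example, not Semarchy xDM code)."""
import base64
import hashlib
import hmac

# Assumed mapping from Java 8 MessageDigest names to hashlib names.
_JAVA_TO_HASHLIB = {
    'MD2': None,          # no hashlib equivalent; rejected below
    'MD5': 'md5',
    'SHA-1': 'sha1',
    'SHA-224': 'sha224',
    'SHA-256': 'sha256',
    'SHA-384': 'sha384',
    'SHA-512': 'sha512',
}

_B64_SUFFIX = '(Base64)'


def hash_password(password: str, algorithm: str) -> bytes:
    """Return the password digest as it is assumed to be stored in the directory.

    algorithm is a Java digest name, optionally followed by "(Base64)",
    e.g. "SHA-256" or "SHA-256 (Base64)". Without the suffix the raw digest
    bytes are returned (assumption); with it, the Base64 text of the digest.
    """
    name = algorithm.strip()
    use_b64 = name.endswith(_B64_SUFFIX)
    if use_b64:
        name = name[:-len(_B64_SUFFIX)].strip()
    hashlib_name = _JAVA_TO_HASHLIB.get(name)
    if hashlib_name is None:
        raise ValueError('unsupported Password Hashing Algorithm: %r' % algorithm)
    digest = hashlib.new(hashlib_name, password.encode('utf-8')).digest()
    return base64.b64encode(digest) if use_b64 else digest


def password_matches(provided: str, stored, algorithm: str) -> bool:
    """Constant-time comparison of the recomputed digest with the stored value."""
    if isinstance(stored, str):
        stored = stored.encode('utf-8')
    return hmac.compare_digest(hash_password(provided, algorithm), stored)


def check_user_entry(entry: dict, provided: str, password_attr: str, algorithm: str) -> bool:
    """Step 3 of Comparison mode: read Password Attribute Name from the user object and compare."""
    stored = entry.get(password_attr)
    if stored is None:
        # The lookup user could not read the attribute, or it is unset: never
        # treat this as a match.
        return False
    return password_matches(provided, stored, algorithm)


# Constructed sample user object; the stored value is SHA-256("abc") in Base64.
SAMPLE_USER = {
    'uid': 'johndoe',
    'userPassword': 'ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0=',
}

if __name__ == '__main__':
    print(check_user_entry(SAMPLE_USER, 'abc', 'userPassword', 'SHA-256 (Base64)'))
    print(check_user_entry(SAMPLE_USER, 'wrong', 'userPassword', 'SHA-256 (Base64)'))
```

Two caveats follow from the mechanism itself: the comparison only works when the directory stores the bare digest (optionally Base64-encoded) of the password, so salted schemes such as {SSHA} values cannot be reproduced from the plain password with these algorithms; and unsalted MD5 or SHA-1 digests are weak password storage, so where the directory can verify the password itself, the Bind or Bind as User modes avoid both problems.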

Roles
The following properties are used to retrieve the roles of an authenticated user from the directory.

Role Search Base

Base DN to look for the user roles, using the Role Search Filter.

Role Search Filter

Search filter applied when searching user roles under the Role Search Base, with {0} marking where the actual username should be inserted.

Role Name Attribute

Attribute in the role object containing the role name.

Role Search SubTree

This boolean defines whether to go down the tree under the Role Search Base to find the roles or remain at the base. The default value is false.

Role Nested Search

Defines whether to search for nested roles (roles that are members of other roles). The default value is false.
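The following Python, added here as an illustration and not Semarchy xDM code, emulates the Roles properties over a constructed in-memory directory: a Role Search Filter of the form (member={0}), Role Search Base scoping with and without Role Search SubTree, and Role Nested Search with a visited set so that two roles that contain each other do not loop forever. The directory contents, the role names, and the simplified DN handling (no escaped commas) are the example’s own.

```python
"""Role lookup emulating the Roles properties (added example, not Semarchy code)."""
from collections import deque

ROLE_BASE = 'ou=roles,dc=acmecorp,dc=com'
USER_DN = 'uid=johndoe,ou=users,ou=people,dc=acmecorp,dc=com'

# Constructed sample directory: DN -> attributes. Roles are groups whose
# 'member' attribute lists user DNs or, for nested roles, other role DNs.
SAMPLE_DIRECTORY = {
    USER_DN: {'objectClass': ['inetOrgPerson'], 'uid': ['johndoe']},
    'cn=dataSteward,' + ROLE_BASE: {
        'cn': ['dataSteward'], 'member': [USER_DN]},
    # admin contains dataSteward (nested) and legacy; legacy contains admin:
    # a cycle that a naive nested search would follow forever.
    'cn=admin,' + ROLE_BASE: {
        'cn': ['admin'],
        'member': ['cn=dataSteward,' + ROLE_BASE, 'cn=legacy,' + ROLE_BASE]},
    'cn=legacy,' + ROLE_BASE: {
        'cn': ['legacy'], 'member': ['cn=admin,' + ROLE_BASE]},
    # One level deeper than ROLE_BASE: only visible with Role Search SubTree.
    'cn=archived,ou=archive,' + ROLE_BASE: {
        'cn': ['archived'], 'member': [USER_DN]},
}


def _in_scope(dn: str, base: str, subtree: bool) -> bool:
    """Entry is under base; without subtree it must be exactly one RDN below it."""
    # Simplified: sample DNs contain no escaped commas.
    if not dn.endswith(',' + base):
        return False
    if subtree:
        return True
    return ',' not in dn[:-len(base) - 1]


def search_roles(directory, user_dn, base, name_attr='cn',
                 subtree=False, nested=False):
    """Return the sorted role names of user_dn.

    Emulates Role Search Base (base), Role Search SubTree (subtree),
    Role Name Attribute (name_attr), Role Nested Search (nested) and a
    Role Search Filter of (member={0}) where {0} is the member's DN.
    """
    roles = set()
    seen = {user_dn}          # DNs already used as {0}; breaks cycles
    queue = deque([user_dn])
    while queue:
        member_dn = queue.popleft()
        for dn, attrs in directory.items():
            if not _in_scope(dn, base, subtree):
                continue
            if member_dn not in attrs.get('member', []):
                continue
            roles.update(attrs.get(name_attr, []))
            if nested and dn not in seen:
                seen.add(dn)
                queue.append(dn)   # search roles that contain this role
    return sorted(roles)


if __name__ == '__main__':
    for subtree in (False, True):
        for nested in (False, True):
            print(subtree, nested,
                  search_roles(SAMPLE_DIRECTORY, USER_DN, ROLE_BASE,
                               subtree=subtree, nested=nested))
```

Turning on Role Nested Search in this sample grants johndoe the admin role through dataSteward’s membership in admin, which is the kind of transitive grant worth auditing before enabling the option in production.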

Profile synchronization

With LDAP, each profile property is synchronized from an attribute of the user object.

For example, if the LDAP directory stores the user object as follows:

uid=johndoe,ou=users,ou=people,dc=acmecorp,dc=com
    roles=admin,dataStewart
    givenname=John
    surname=Doe
    department=Support

Setting User DN Pattern to uid={0},ou=users,ou=people,dc=acmecorp,dc=com retrieves the user object, and the following values should be set in the Synchronize From field to synchronize the profile properties from the corresponding user object attributes:

Profile Property    Synchronized From

First Name          givenname
Last Name           surname
Department          department