Changes for page org.clazzes.login.ldap

Last modified by wolfgang_glas@iteg_at on 2018-08-25 09.26:23

From version 3.1
edited by christoph_lechleitner@iteg_at
on 2013-02-02 05.21:48
Change comment: There is no comment for this version
To version 7.1
edited by wolfgang_glas@iteg_at
on 2018-08-25 09.26:23
Change comment: There is no comment for this version

Summary

Details

Page properties
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.christoph_lechleitner@iteg_at
1 +XWiki.wolfgang_glas@iteg_at
Content
... ... @@ -1,21 +1,7 @@
1 -The ldap-login-service is provided as an OSGi bundle, which may be activated by
1 += {{id name="org.clazzes.login.ldap-Functionality"/}}Functionality =
2 2  
3 -(% class="code" %)
4 -(((
5 -obr:addurl http:~/~/maven.clazzes.org/repository.xml
6 -obr:deploy ldap-login-service
7 -)))
3 +
8 8  
9 -The maven artifact is:
10 -
11 -(% class="code" %)
12 -(((
13 -<groupId>org.clazzes.login</groupId>
14 -<artifactId>ldap-login-service</artifactId>
15 -)))
16 -
17 -=== {{id name="org.clazzes.login.ldap-Functionality"/}}Functionality ===
18 -
19 19  The LDAP login service authenticates against users in an ADS domain or against users in an LDAP server configured for an individual domain.
20 20  
21 21  The function {{code language="none"}}tryLogin(){{/code}} needs credentials if run against a legacy LDAP Server.
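Review bot: the hunk adds a blank line (`3 +`) directly under the new `= Functionality =` heading while the surrounding context lines `2 2` and `8 8` are already empty, so the rendered page gets two or three empty lines between the heading and the first paragraph; drop the added blank line. While this section is being reworked, the context sentence "The function tryLogin() needs credentials if run against a legacy LDAP Server" should say which credentials are meant: the next hunk says searchUser(), getGroups() and getGroupMembers() "need bind credentials", so use the same wording here ("needs bind credentials") if that is what is meant, or say explicitly that the user's own credentials are used for the bind.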
... ... @@ -24,10 +24,59 @@
24 24  
25 25  The functions {{code language="none"}}searchUser(){{/code}}, {{code language="none"}}getGroups(){{/code}}, {{code language="none"}}getGroupMembers(){{/code}} need bind credentials and will only work in AD DS environments.
26 26  
27 -=== {{id name="org.clazzes.login.ldap-Configuration"/}}Configuration ===
13 += {{id name="org.clazzes.login.ldap-SampleConfigurationforauthenticationagainstanADS-Domain"/}}Sample Configuration for authentication against an ADS-Domain{{id name="org.clazzes.login.ldap-sampleAdsConfig"/}} =
28 28  
15 +The following sample configuration is the most common configuration OSGi configuration in PID {{code language="none"}}org.clazzes.login.ldap{{/code}}, which allows you to authenticate users against an Active Directory Domain.
16 +
17 +All you need to know is the Windows/NetBIOS Name of your domain and the corresponding DNS name used to physically locate the Active Directory server.
18 +
19 +In our example we use {{code language="none"}}EXAMPLE{{/code}} as the Windows/NetBIOS domain name with its DNS counterpart {{code language="none"}}example.com{{/code}}.
20 +
21 +(% class="wrapped" %)
22 +|=(((
23 +(% class="tablesorter-header-inner" %)
24 +(((
25 +Key
26 +)))
27 +)))|=(((
28 +(% class="tablesorter-header-inner" %)
29 +(((
30 +Value
31 +)))
32 +)))
33 +|(((
34 +{{code language="none"}}
35 +defaultDomain
36 +{{/code}}
37 +)))|(((
38 +{{code language="none"}}
39 +EXAMPLE
40 +{{/code}}
41 +)))
42 +|(((
43 +{{code language="none"}}
44 +domain.EXAMPLE.controllerUri
45 +{{/code}}
46 +)))|(((
47 +{{code language="none"}}
48 +ads://example.com
49 +{{/code}}
50 +)))
51 +|(((
52 +{{code language="none"}}
53 +domain.EXAMPLE.authMethod
54 +{{/code}}
55 +)))|(((
56 +{{code language="none"}}
57 +bindAds
58 +{{/code}}
59 +)))
60 +
61 += {{id name="org.clazzes.login.ldap-DetailedConfiguration"/}}Detailed Configuration =
62 +
29 29  The LDAP login service may be configured using the OSGi configuration PID {{code language="none"}}org.clazzes.login.ldap{{/code}} using these configuration values:
30 30  
65 +(% class="wrapped" %)
31 31  |=(((
32 32  (% class="tablesorter-header-inner" %)
33 33  (((
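Review bot: the sample configuration does not say what transport the `ads://example.com` controller URI ends up using, even though this is the configuration the text recommends for "the most common" case; the Controller Schemes section below states that the `ads` scheme auto-detects the appropriate `ldap(s)` URI from DNS, so a reader configuring `domain.EXAMPLE.authMethod = bindAds` cannot tell from this page whether the credentials sent in the bind travel over plain `ldap` or over `ldaps`. Add a sentence after the table stating which one is selected by the auto-detection and, if plain `ldap` is possible, how to force `ldaps` (for example by giving an explicit `ldaps://` controllerUri as described under Controller Schemes). Also fix the duplicated word in "the most common configuration OSGi configuration in PID ...".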
... ... @@ -124,13 +124,33 @@
124 124  )))|(((
125 125  The LDAP attribute to try to use as primary e-mail address for users.
126 126  )))
162 +|(((
163 +{{code language="none"}}
164 +domain.<domain>.mobileAttribute
165 +{{/code}}
166 +)))|(((
167 +\\
168 +)))|(((
169 +The LDAP attribute to try to use as mobile phone number for users. This number is used to send ephemerals OTP for two-factor-authentication to the user. If this option is activated, two-factor signons are mandatory for this domain. Usually, this option is configured to the value {{code language="none"}}mobile{{/code}} in order to activate ephemeral OTP two-factor-authentication.
170 +)))
171 +|(((
172 +{{code language="none"}}
173 +domain.<domain>.tokenIdsAttribute
174 +{{/code}}
175 +)))|(((
176 +\\
177 +)))|(((
178 +The LDAP attribute to try to use as a space separated list of 12-character YubiKey token IDs (like {{code language="none"}}cccccceiiuch{{/code}}) for users. These token IDs are used to check token OTPs for two-factor-authentication to the user. If this option is activated, two-factor signons are mandatory for this domain. Usually, this option is configured to the value {{code language="none"}}pager{{/code}} in order to activate token-based OTP two-factor-authentication.
179 +)))
127 127  
128 128  There may be multiple domains in a configuration.
129 129  
130 -=== {{id name="org.clazzes.login.ldap-ControllerSchemes"/}}Controller Schemes ===
183 +== {{id name="org.clazzes.login.ldap-ControllerSchemes"/}}Controller Schemes ==
131 131  
132 132  The URL schemes for a domain controller are ldap, ldaps and ads.
133 133  
187 +=== {{id name="org.clazzes.login.ldap-ADScontrollerscheme"/}}ADS controller scheme ===
188 +
134 134  The {{code language="none"}}ads{{/code}} URL scheme for the URL {{code language="none"}}ads://mydomain.com{{/code}} undertakes a lookup for the DNS records
135 135  
136 136  (% class="code" %)
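Review bot: both new rows (`domain.<domain>.mobileAttribute` and `domain.<domain>.tokenIdsAttribute`) state that "two-factor signons are mandatory for this domain" once the option is set, but neither says what happens to a user whose LDAP entry has an empty or missing `mobile` / `pager` value: is the login rejected, or does that user fall back to password-only authentication? That behaviour decides whether the option is actually a hard second factor, so document it explicitly, and also state what is required when both attributes are configured for the same domain (either factor, or a specific one). Two wording fixes in the same rows: "ephemerals OTP" should read "ephemeral OTPs", and "check token OTPs for two-factor-authentication to the user" should read "... for the user".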
... ... @@ -141,4 +141,30 @@
141 141  
142 142  to auto-detect the apropriate {{code language="none"}}ldap(s){{/code}} URI.
143 143  
199 +=== {{id name="org.clazzes.login.ldap-LDAPcontrollerscheme"/}}LDAP controller scheme ===
200 +
201 +When directly specifying the LDAP-Server using an URL like {{code language="none"}}ldap://ldap-01.mydomain.com{{/code}} it is possible to specify the baseDN for searches using a pseudo-path like in {{code language="none"}}ldap://ldap-01.mydomain.com/dc=mydomain,dc=com{{/code}}
202 +
203 += {{id name="org.clazzes.login.ldap-ManualinstallationinOSGicontainer"/}}Manual installation in OSGi container =
204 +
205 +I some software product has pointed to this page for configuration details, the bundle is probably already installed in the OSGi container the software product runs in.
206 +
207 +OSGi administrators maintaining an individual OSGi container can install the ldap-login-service bundle using these osgi commands:
208 +
209 +(% class="code" %)
210 +(((
211 +obr:addurl http:~/~/maven.clazzes.org/repository.xml
212 +obr:deploy ldap-login-service
213 +)))
214 +
215 += {{id name="org.clazzes.login.ldap-Developerinformation"/}}Developer information =
216 +
217 +The maven artifact is:
218 +
219 +(% class="code" %)
220 +(((
221 +<groupId>org.clazzes.login</groupId>
222 +<artifactId>ldap-login-service</artifactId>
223 +)))
224 +
144 144  
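Review bot: the manual installation instructions tell administrators to fetch and deploy the bundle from `obr:addurl http:~/~/maven.clazzes.org/repository.xml`, i.e. an OBR index served over plain http; since `obr:deploy ldap-login-service` installs whatever that index points to into the container that performs authentication, the page should use an https URL for the repository if maven.clazzes.org serves one, or otherwise say how the downloaded bundle's integrity is checked before deployment. The Developer information block lists only groupId and artifactId; adding the version (or saying that the current release is the one in the OBR index) would make the artifact reference complete. Typos in the same hunk: "I some software product has pointed to this page" should read "If some software product has pointed to this page", "an URL" should read "a URL", and the sentence about the `/dc=mydomain,dc=com` pseudo-path is missing its final period.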
Confluence.Code.ConfluencePageClass[0]
Id
... ... @@ -1,1 +1,1 @@
1 -688786
1 +688656
URL
... ... @@ -1,1 +1,1 @@
1 -https://clazzes.atlassian.net/wiki/spaces/LOGIN/pages/688786/org.clazzes.login.ldap
1 +https://clazzes.atlassian.net/wiki/spaces/LOGIN/pages/688656/org.clazzes.login.ldap