ldapUserDataProvider
Description
A user data provider querying an LDAP server to authorize users and retrieve attributes.
Can be used in
basicAuthentication, cachingUserDataProvider, login, oauth2authserver, unifyingUserDataProvider and xenAuthentication
Syntax
```xml
<ldapUserDataProvider url="string" base="string" [binddn="string"] [bindpw="string"]
                      searchPattern="string" [searchScope="subtree|onelevel|object"]
                      [timeout="string"] [connectTimeout="string"] [passwordAttribute="string"]
                      [readAttributesAsSelf="true"]>
  <map>
    <attribute from="string" to="string" />*
  </map>
</ldapUserDataProvider>
```
Sample
```xml
<ldapUserDataProvider url="ldap://192.168.2.100" base="dc=predic8,dc=de"
                      binddn="cn=Manager,dc=predic8,dc=de" bindpw="secret"
                      searchPattern="(cn=%LOGIN%)" searchScope="subtree"
                      timeout="1000" connectTimeout="1000" readAttributesAsSelf="true">
  <map>
    <attribute from="telephoneNumber" to="sms" />
    <attribute from="uidNumber" to="header-X-Security-UID" />
  </map>
</ldapUserDataProvider>
```
Attributes
Name | Required | Default | Description | Example |
---|---|---|---|---|
base | true | - | Base DN under which the search for the user is executed. | dc=predic8,dc=de |
binddn | false | - | DN used for the initial bind. If absent, the bind is anonymous. | cn=Manager,dc=predic8,dc=de |
bindpw | false | - | Password for binddn. | secret |
connectTimeout | false | 1000 | Timeout in milliseconds for the initial bind. | 1000 |
passwordAttribute | false | - | Attribute whose "{x-plain}..." value is compared with the user's password. If not set, a second bind as the found entry is attempted instead. | |
readAttributesAsSelf | false | true | If set, the user's attributes are read with an additional request after the user's own bind; if not set, they are taken from the search result. | true |
searchPattern | true | - | LDAP search filter; "%LOGIN%" is replaced by the escaped username. | (cn=%LOGIN%) |
searchScope | false | subtree | Scope of the search: subtree, onelevel or object. | subtree |
timeout | false | 1000 | Timeout in milliseconds for the search. | 1000 |
url | true | - | URL of the LDAP server. | ldap://192.168.2.100 |
Explanation
The LDAP User Data Provider performs two jobs:
- Authentication of a username and password.
- Retrieval of user attributes.
To achieve this, it first binds to the LDAP server at url (the search base is base). If binddn is not present, the bind is anonymous; otherwise binddn and bindpw are used for authentication.
Next, a search with filter searchPattern and scope searchScope is executed, where "%LOGIN%" is replaced by the escaped version of the username.
A search returning no entry, or more than one entry, is treated as a failure.
If passwordAttribute is set, the found entry has an attribute with that name, and the attribute's value starts with "{x-plain}", the password is checked for equality against the remainder of the value. If passwordAttribute is not set, a second bind is attempted as the found entry, using the password the user provided.
The keys of the user attributes listed in the mapping are then renamed according to the mapping and passed on for further processing (see the other modules of the login interceptor).
connectTimeout sets the timeout (in milliseconds) for the initial bind; timeout sets the timeout for the search.
If readAttributesAsSelf is not set, the user attributes are collected from the search result. If it is set, an additional request is made after the second successful bind to retrieve the entry's attributes.
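The flow described above, as an added example that is not part of the Membrane documentation or code base: a Python model of the provider's steps run against a small in-memory fake directory instead of a real LDAP server, so it executes offline. `FakeDirectory`, `Entry`, `ProviderConfig` and the directory contents are all constructed here; only the DNs and configuration values from the Sample above are taken from the page. It shows why the `%LOGIN%` escaping matters (an asterisk in a username is matched literally rather than as a wildcard), the exactly-one-entry rule, both password-check modes, the search scopes, and the attribute renaming.

```python
"""Model of the ldapUserDataProvider flow, run against a constructed fake directory.
Added example, not Membrane's own code."""
import hmac
import re
from dataclasses import dataclass, field
from typing import Optional

# RFC 4515: characters that must be escaped when a value is embedded in a filter.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a username so it is matched literally, never as filter syntax."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def build_filter(search_pattern: str, login: str) -> str:
    """Replace %LOGIN% in searchPattern with the escaped username."""
    return search_pattern.replace("%LOGIN%", escape_filter_value(login))


def _same_secret(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())


@dataclass
class Entry:
    dn: str
    password: str                                   # what a bind as this DN must present
    attributes: dict = field(default_factory=dict)  # attribute name -> list of values


class FakeDirectory:
    """Stand-in for an LDAP server: simple binds plus single-equality filters (assumption)."""

    def __init__(self, entries):
        self.entries = {e.dn: e for e in entries}

    def bind(self, dn: Optional[str], password: Optional[str]) -> bool:
        if dn is None:                               # no binddn: anonymous bind
            return True
        entry = self.entries.get(dn)
        return entry is not None and _same_secret(entry.password, password or "")

    def read(self, dn: str) -> dict:
        """The extra request made when readAttributesAsSelf is set."""
        return dict(self.entries[dn].attributes)

    @staticmethod
    def _in_scope(dn: str, base: str, scope: str) -> bool:
        if scope == "object":
            return dn == base
        if scope == "onelevel":
            return dn.partition(",")[2] == base
        return dn == base or dn.endswith("," + base)  # subtree

    def search(self, base: str, filt: str, scope: str) -> list:
        m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
        if not m:
            raise ValueError("unsupported filter: " + filt)
        attr, raw = m.groups()
        # Interpret the value as a server would: a bare '*' is a wildcard,
        # an escaped '\2a' is a literal asterisk.
        tokens = re.findall(r"\\[0-9a-fA-F]{2}|\*|.", raw)
        pattern = "".join(".*" if t == "*" else re.escape(chr(int(t[1:], 16)) if t[0] == "\\" else t)
                          for t in tokens)
        return [e for e in self.entries.values()
                if self._in_scope(e.dn, base, scope)
                and any(re.fullmatch(pattern, v) for v in e.attributes.get(attr, []))]


@dataclass
class ProviderConfig:
    """The element's attributes; url is informational here (the fake needs no network)."""
    url: str
    base: str
    search_pattern: str
    binddn: Optional[str] = None
    bindpw: Optional[str] = None
    search_scope: str = "subtree"
    password_attribute: Optional[str] = None
    read_attributes_as_self: bool = True
    mapping: dict = field(default_factory=dict)     # <attribute from="..." to="..."/>


def authenticate(directory: FakeDirectory, cfg: ProviderConfig, login: str, password: str):
    """Return the renamed user attributes on success, or None on any failure."""
    if not directory.bind(cfg.binddn, cfg.bindpw):          # initial (service or anonymous) bind
        return None
    results = directory.search(cfg.base, build_filter(cfg.search_pattern, login), cfg.search_scope)
    if len(results) != 1:                                    # zero or several entries: failure
        return None
    entry = results[0]
    if cfg.password_attribute:                               # compare against "{x-plain}..." value
        values = entry.attributes.get(cfg.password_attribute, [])
        stored = values[0] if values else ""
        # Assumption: a missing attribute or a value without the {x-plain} prefix is a failure.
        if not stored.startswith("{x-plain}") or not _same_secret(stored[len("{x-plain}"):], password):
            return None
    elif not directory.bind(entry.dn, password):             # second bind as the found entry
        return None
    attrs = directory.read(entry.dn) if cfg.read_attributes_as_self else entry.attributes
    # Rename mapped keys; unmapped keys are passed through unchanged (assumption).
    return {cfg.mapping.get(k, k): v for k, v in attrs.items()}


# Constructed directory contents; passwords and attribute values are made up.
DIRECTORY = FakeDirectory([
    Entry("cn=Manager,dc=predic8,dc=de", "secret"),
    Entry("cn=alice,ou=people,dc=predic8,dc=de", "alice-pw",
          {"cn": ["alice"], "telephoneNumber": ["+49 000 0000"], "uidNumber": ["1001"]}),
    Entry("cn=bob,ou=people,dc=predic8,dc=de", "bob-pw",
          {"cn": ["bob"], "userPassword": ["{x-plain}bob-pw"], "uidNumber": ["1002"]}),
])

# Mirrors the Sample element on this page.
SAMPLE_CONFIG = ProviderConfig(
    url="ldap://192.168.2.100", base="dc=predic8,dc=de",
    binddn="cn=Manager,dc=predic8,dc=de", bindpw="secret",
    search_pattern="(cn=%LOGIN%)", search_scope="subtree",
    mapping={"telephoneNumber": "sms", "uidNumber": "header-X-Security-UID"},
)

if __name__ == "__main__":
    print(authenticate(DIRECTORY, SAMPLE_CONFIG, "alice", "alice-pw"))
    print(authenticate(DIRECTORY, SAMPLE_CONFIG, "*", "alice-pw"))  # escaped wildcard: no match
```

Two points the model makes visible: with passwordAttribute the comparison happens in the gateway against a clear-text value stored in the directory behind the "{x-plain}" prefix, whereas without it the second bind lets the directory verify the password itself; and a login of "*" yields no entry because the escaped filter `(cn=\2a)` matches only a literal asterisk, which is why the exactly-one-entry rule and the escaping work together.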
Child Elements
Position | Cardinality | Description | Element |
---|---|---|---|
1 | 0..1 | ssl or custom elements | |
2 | 0..1 | Renaming of user attributes | map |