ICS Version: 0.4.8888
http ldap authentication extension library

The ldap authentication plug-in provides the integration into an ldap directory for authentication purposes.

The following steps are required to activate and configure the ldap authentication provider:

In order to activate the ldap authentication plug-in, the httpauth and ldapauth extension libraries must be loaded according to the extension library configuration.


<EXTLIBS>
	<LIB>httpauth</LIB>
	<LIB>ldapauth</LIB>
</EXTLIBS>

The ldap authentication plug-in is activated by specifying LDAP as the provider name within the AUTHENTICATE configuration of the http authentication handler.

The ldap specific configuration is introduced by the LDAP tag and must be a child of the AUTHENTICATE tag.


<HANDLER TYPE="AUTH" NAME="HTTPAUTH">
   <AUTHENTICATE TYPE="BASIC" REALM="MYREALM" PROVIDER="LDAP" >
      <APPLYFORMETHOD>POST</APPLYFORMETHOD>
      <LDAP URL="ldap://ldapserver/ou=people,dc=example,dc=net">
         <REQUIRE TYPE="GROUP">cn=mygroup,ou=group,dc=example,dc=net</REQUIRE>
         <REQUIRE TYPE="USER">myuser</REQUIRE>
         <REQUIRE TYPE="DN">cn=myuser,ou=group,dc=example,dc=net</REQUIRE>
         <REQUIRE TYPE="ATTRIBUTE">
            <ATTRIBUTE NAME="city">NY</ATTRIBUTE>
            <ATTRIBUTE NAME="status">active</ATTRIBUTE>
         </REQUIRE>
      </LDAP>
   </AUTHENTICATE>
</HANDLER>

The LDAP tag comprises a URL parameter that specifies the ldap URL with the base dn (distinguished name) to use for the authentication request.

The REQUIRE tag specifies a property that is required to successfully authenticate the user.

REQUIRE supports the following types:

  • GROUP
  • USER
  • DN - currently not supported
  • ATTRIBUTE - currently not supported

GROUP

The GROUP type validates that the user is part of the specified ldap group.

The ldap plug-in binds anonymously to the specified ldap server e.g. ldap://ldapserver.

It then checks whether the specified group dn has a member with the uid of the user and the base dn specified within the ldap URL, e.g. uid=[username],ou=people,dc=example,dc=net.

USER

The USER type validates that the ldap uid property matches the specified user.

The ldap plug-in binds anonymously to the specified ldap server e.g. ldap://ldapserver.

It then checks whether the specified user is available with the uid under the base dn specified within the ldap URL, e.g. uid=[username],ou=people,dc=example,dc=net.
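The following Python example is added here to illustrate the GROUP and USER checks described above together with the LDAP/REQUIRE configuration shape; it is not part of the ldapauth library. It evaluates REQUIRE elements against a constructed in-memory stand-in for the directory, derives the user dn from the URL base dn exactly as the two sections describe, and escapes the username before it is placed in the dn so that a crafted username cannot alter the dn. The AND semantics for several REQUIRE elements in authorize() and the SUPPORTED set are assumptions, not documented behaviour.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, unquote

# Constructed in-memory stand-in for the ldap server (not a real directory):
# DN -> attributes. mygroup lists alice as a member, bob is not a member.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=net": {"uid": ["alice"]},
    "uid=bob,ou=people,dc=example,dc=net": {"uid": ["bob"]},
    "cn=mygroup,ou=group,dc=example,dc=net": {
        "member": ["uid=alice,ou=people,dc=example,dc=net"]},
}

SUPPORTED = {"GROUP", "USER"}  # DN and ATTRIBUTE are documented as not supported

def escape_rdn_value(value):
    """Backslash-escape RFC 4514 special characters (simplified: ignores
    leading/trailing spaces) so a username cannot add or alter RDNs."""
    return re.sub(r'([,+"\\<>;=#])', r'\\\1', value)

def base_dn(ldap_url):
    """Base dn from the LDAP URL attribute, e.g. ldap://host/ou=people,dc=example,dc=net."""
    return unquote(urlparse(ldap_url).path.lstrip("/"))

def user_dn(ldap_url, username):
    """uid=[username],<base dn>, as the GROUP and USER sections describe."""
    return "uid=%s,%s" % (escape_rdn_value(username), base_dn(ldap_url))

def check_require(ldap_url, username, req_type, req_value, directory=DIRECTORY):
    """Evaluate one REQUIRE element against the directory."""
    if req_type not in SUPPORTED:
        raise ValueError("REQUIRE TYPE=%s is not supported" % req_type)
    dn = user_dn(ldap_url, username)
    if req_type == "USER":  # entry must exist and its uid must match the configured user
        entry = directory.get(dn)
        return entry is not None and req_value in entry.get("uid", [])
    group = directory.get(req_value)  # GROUP: the user dn must be listed as a member
    return group is not None and dn in group.get("member", [])

def authorize(authenticate_xml, username, directory=DIRECTORY):
    """Evaluate every REQUIRE under the LDAP tag; assumed here that all must pass."""
    ldap = ET.fromstring(authenticate_xml).find(".//LDAP")
    url = ldap.get("URL")
    return all(check_require(url, username, r.get("TYPE"), (r.text or "").strip(), directory)
               for r in ldap.findall("REQUIRE"))
```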