ICS Version: 0.7.2425
http ldap authentication extension library

The ldap authentication plug-in provides the integration with an ldap directory for authentication purposes.

The following steps are required to activate and configure the ldap authentication provider:

To activate the ldap authentication plug-in, the httpauth and ldapauth extension libraries must be loaded in the extension library configuration.


<EXTLIBS>
	<LIB>httpauth</LIB>
	<LIB>ldapauth</LIB>
</EXTLIBS>

The ldap authentication plug-in is activated by specifying LDAP as the provider name (PROVIDER="LDAP") within the AUTHENTICATE configuration of the http authentication handler.

The ldap specific configuration is introduced by the LDAP tag, which must be a child of the AUTHENTICATE tag.


<HANDLER TYPE="AUTH" NAME="HTTPAUTH">
   <AUTHENTICATE TYPE="BASIC" REALM="MYREALM" PROVIDER="LDAP" >
      <APPLYFORMETHOD>POST</APPLYFORMETHOD>
      <LDAP URL="ldap://ldapserver/ou=people,dc=example,dc=net">
         <REQUIRE TYPE="GROUP" GROUPATTRIBUTE="MEMBER" ISDN="OFF">cn=mygroup,ou=group,dc=example,dc=net</REQUIRE>
         <REQUIRE TYPE="USER">myuser</REQUIRE>
         <REQUIRE TYPE="DN">cn=myuser,ou=group,dc=example,dc=net</REQUIRE>
         <REQUIRE TYPE="ATTRIBUTE">
            <ATTRIBUTE NAME="city">NY</ATTRIBUTE>
            <ATTRIBUTE NAME="status">active</ATTRIBUTE>
         </REQUIRE>
      </LDAP>
   </AUTHENTICATE>
</HANDLER>

The LDAP tag comprises a

  • URL attribute that specifies the LDAP server, the base DN and the attribute to use in the search

LDAP URL

The URL names the LDAP server and the base dn (distinguished name) to use for the authentication request.

It supports ldap and ldaps as scheme.

host:port

The name/port of the ldap server (defaults to localhost:389 for ldap, and localhost:636 for ldaps).

basedn

The DN of the branch of the directory where the searches should start from.

attribute

The attribute to search for (if no attribute is specified, uid is assumed).

Note:

When using ldaps you need to make sure that the certificate of the ldap server can be validated successfully on the client. Check with openssl s_client -connect ldap.example.com:636 -showcerts and confirm that the output ends with "Verify return code: 0 (ok)"; any other return code means the server certificate chain does not validate against the client's trust store.
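The URL components listed above, as an added Python example that is not part of the ICS library's own code: a parser that splits an LDAP URL into scheme, host, port, base DN and search attribute, applying the documented defaults (localhost, 389 for ldap, 636 for ldaps, uid when no attribute is given), and a helper that builds the per-user DN with RFC 4514 escaping of the user name. The scheme://host:port/basedn?attribute layout is an assumption (the RFC 4516 form); the page names the components but does not spell out their separators.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote

# Documented defaults: localhost:389 for ldap, localhost:636 for ldaps
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Characters that must be escaped inside a DN attribute value (RFC 4514)
_DN_SPECIALS = set('\\,+"<>;=')


@dataclass(frozen=True)
class LdapUrl:
    scheme: str
    host: str
    port: int
    basedn: str
    attribute: str


def parse_ldap_url(url: str) -> LdapUrl:
    """Split an LDAP URL into the parts the LDAP tag documents.

    Assumed layout (RFC 4516 style): scheme://host:port/basedn?attribute.
    Missing host, port or attribute fall back to the documented defaults.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {parts.scheme!r}: expected ldap or ldaps")
    host = parts.hostname or "localhost"
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    basedn = unquote(parts.path.lstrip("/"))
    if not basedn:
        raise ValueError("LDAP URL must carry a base DN")
    # The query part carries the search attribute; further '?'-separated
    # fields (scope, filter) are not documented here and are ignored.
    attribute = unquote(parts.query.split("?", 1)[0]) or "uid"
    return LdapUrl(scheme, host, port, basedn, attribute)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 rules):
    special characters anywhere, '#' at the start, spaces at either end."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def user_dn(url: LdapUrl, username: str) -> str:
    """Build the DN the plug-in searches, e.g. uid=[username],ou=people,dc=example,dc=net."""
    return f"{url.attribute}={escape_dn_value(username)},{url.basedn}"


if __name__ == "__main__":
    u = parse_ldap_url("ldap://ldapserver/ou=people,dc=example,dc=net")
    print(u)
    print(user_dn(u, "alice"))
```

Escaping the user name before it is inserted into uid=[username],basedn keeps a name containing commas, equals signs or other DN separators from changing which branch of the directory the plug-in searches.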

The REQUIRE tag specifies a property that is required to successfully authenticate the user.

REQUIRE supports the following types (TYPE=):

  • GROUP
  • USER
  • DN - currently not supported
  • ATTRIBUTE

GROUP

The group type validates that the user is part of the specified ldap group.

The ldap plug-in authenticates as the user against the specified ldap server, e.g. ldap://ldapserver.

It then searches the configured group DN and compares the values of the specified GROUPATTRIBUTE (default=member) with the user DN built from the base dn specified within the ldap URL, e.g. uid=[username],ou=people,dc=example,dc=net. If the ISDN attribute is set to OFF, only the user identifier is compared, not the full DN.

USER

The USER type validates that the ldap uid property matches the specified user.

The ldap plug-in authenticates as the user against the specified ldap server, e.g. ldap://ldapserver.

It then checks whether the configured user is present in the configured attribute USERATTRIBUTE (default=uid) of the dn specified within the ldap URL, e.g. uid=[username],ou=people,dc=example,dc=net.

ATTRIBUTE

The ATTRIBUTE type validates that the user's DN carries the specified attribute values.

The ldap plug-in authenticates as the user against the specified ldap server, e.g. ldap://ldapserver.

It then checks whether the configured attribute value is present in the attribute named by NAME of the dn specified within the ldap URL, e.g. uid=[username],ou=people,dc=example,dc=net.
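How the three supported REQUIRE types are evaluated, as an added Python example that is not the plug-in's own code. A constructed in-memory directory stands in for the ldap server, the bind as the user is assumed to have already succeeded, the REQUIRE tags are assumed to be combined with AND, and ISDN=OFF is taken to compare only the leading RDN value of each member entry against the user's identifier. The configuration string is the LDAP tag documented above without the unsupported DN type; the bob entry is constructed to show what ISDN=OFF does and does not check.

```python
import xml.etree.ElementTree as ET

# Constructed in-memory directory standing in for the ldap server:
# DN -> {attribute name -> list of values}
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=net": {"uid": ["alice"], "city": ["NY"], "status": ["active"]},
    "uid=bob,ou=people,dc=example,dc=net": {"uid": ["bob"], "city": ["LA"], "status": ["active"]},
    "cn=mygroup,ou=group,dc=example,dc=net": {
        # the second member lives under a different branch than the URL's base DN
        "member": ["uid=alice,ou=people,dc=example,dc=net",
                   "uid=bob,ou=contractors,dc=example,dc=net"],
    },
}

# Constructed configuration: the documented LDAP tag minus the unsupported DN type
CONFIG = """<LDAP URL="ldap://ldapserver/ou=people,dc=example,dc=net">
   <REQUIRE TYPE="GROUP" GROUPATTRIBUTE="MEMBER" ISDN="OFF">cn=mygroup,ou=group,dc=example,dc=net</REQUIRE>
   <REQUIRE TYPE="USER">alice</REQUIRE>
   <REQUIRE TYPE="ATTRIBUTE">
      <ATTRIBUTE NAME="city">NY</ATTRIBUTE>
      <ATTRIBUTE NAME="status">active</ATTRIBUTE>
   </REQUIRE>
</LDAP>"""


def normalize_dn(dn):
    """Case-fold a DN and drop whitespace around its components for comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def rdn_value(value):
    """Identifier part of a member value: 'alice' for 'uid=alice,ou=...', a bare value as is."""
    first = value.split(",", 1)[0]
    return (first.split("=", 1)[1] if "=" in first else first).strip().lower()


def lookup(directory, dn):
    wanted = normalize_dn(dn)
    for entry_dn, attrs in directory.items():
        if normalize_dn(entry_dn) == wanted:
            return attrs
    return None


def require_group(directory, user_dn, group_dn, group_attribute="member", isdn=True):
    """GROUP: the group entry's GROUPATTRIBUTE must list the user.
    ISDN on compares the full DN; ISDN off compares only the identifier (assumed RDN value)."""
    group = lookup(directory, group_dn)
    if group is None:
        return False
    members = group.get(group_attribute.lower(), [])
    if isdn:
        return any(normalize_dn(m) == normalize_dn(user_dn) for m in members)
    return any(rdn_value(m) == rdn_value(user_dn) for m in members)


def require_user(directory, user_dn, expected_user, user_attribute="uid"):
    """USER: the user's entry must carry the configured value in USERATTRIBUTE."""
    entry = lookup(directory, user_dn)
    return entry is not None and expected_user in entry.get(user_attribute.lower(), [])


def require_attribute(directory, user_dn, required):
    """ATTRIBUTE: every NAME=value pair must be present on the user's entry."""
    entry = lookup(directory, user_dn)
    return entry is not None and all(v in entry.get(n.lower(), []) for n, v in required.items())


def evaluate(directory, user_dn, config_xml):
    """Apply every REQUIRE child of the LDAP tag; all must hold (assumed AND semantics)."""
    ldap = ET.fromstring(config_xml.strip())
    for req in ldap.findall("REQUIRE"):
        kind = req.get("TYPE", "").upper()
        if kind == "GROUP":
            ok = require_group(directory, user_dn, req.text.strip(),
                               req.get("GROUPATTRIBUTE", "member"),
                               req.get("ISDN", "ON").upper() != "OFF")
        elif kind == "USER":
            ok = require_user(directory, user_dn, req.text.strip(), req.get("USERATTRIBUTE", "uid"))
        elif kind == "ATTRIBUTE":
            ok = require_attribute(directory, user_dn,
                                   {a.get("NAME"): a.text.strip() for a in req.findall("ATTRIBUTE")})
        else:
            # TYPE="DN" is documented as not supported: fail closed instead of skipping the rule
            raise ValueError(f"unsupported REQUIRE TYPE={kind!r}")
        if not ok:
            return False
    return True


if __name__ == "__main__":
    print(evaluate(DIRECTORY, "uid=alice,ou=people,dc=example,dc=net", CONFIG))
```

With ISDN="OFF" the group check passes for bob even though his member entry points at ou=contractors rather than the ou=people branch named in the URL, because only the identifier is compared; with ISDN on the full DN must match. Where the directory can hold the same identifier under several branches, leaving ISDN on keeps the group check tied to the base DN the URL specifies.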