Advanced LDAP configuration
The advanced LDAP settings are available since 8.0.03.03, 8.0.5.01
With the Elements/Attributes it is possible to adjust PIM to special LDAP environments. Especially if user authentication should not be done by the userPrincipalName (username@domain).
The following values are optional and additional to the parameters mentioned in "Server Configuration" -> "Authentication Setup" -> "LDAP Authentication (LDAPConfig.xml)" chapter.
|
Element/Attribute |
Description |
|
serviceBindDN |
(optional) Used to authenticate the management user. Overwrite <principal> |
|
domainComponentIdentifier |
(optional) Used to identify domain tokens. Default is 'DC' |
|
UserConfig |
|
|
accountBindDN |
(optional) Used to authenticate user. {userName} will be replaced with entered user name. {domainName} will be replaced with attribute domain value of directory. Default is authentication by principal name. |
|
accountNameFilterBaseDN |
(optional) Root node for accountNameFilter to filter user. Default is DC values to build the domain (like DC=domain,DC=com). |
Find a view samples below. It is possible to combine the LDAP fields and adjust the filters for the existing LDAP setup.
uid example
This sample uses the uid to authenticate and filter the users.
|
Action |
LDAP field |
|
Authenticate manager user |
uid |
|
Authenticate client user |
uid |
|
Filter client user |
uid |
|
LDAP configuration |
Additional comments |
|
|
DC identifier |
dc |
The domain setup looks like 'dc=myDomain,dc=com |
|
User object class |
inetOrgPerson |
|
|
Group object class |
groupOfNames |
<ldapConfig> <directory identifier="myLDAP" domain="myDomain.com" url="ldap://myLdap.com"> <principal>user@myDomain.com</principal> <password>myPassword</password> <serviceBindDN>serviceUserUid</serviceBindDN> <domainComponentIdentifier>dc</domainComponentIdentifier> <userConfig objectClass="inetOrgPerson" accountNameFilter="(&(uid={userName})(objectClass=inetOrgPerson))" sidFilter="(&(objectSid={sid})(objectClass=inetOrgPerson))" accountBindDN="{userName}" accountNameFilterBaseDN="dc=myDomain,dc=com"> <name>cn</name> <sid>objectSid</sid> <groups>groupMembership</groups> </userConfig> <groupConfig objectClass="groupOfNames" objectFilter="(objectCategory=groupOfNames)"> <name>name</name> <description>description</description> <sid>objectSid</sid> <refreshIntervalInMin>10</refreshIntervalInMin> </groupConfig> </directory></ldapConfig>CN example
This sample uses the CN to authenticate and filter the users.
|
Action |
LDAP field |
|
Authenticate manager user |
CN |
|
Authenticate client user |
CN |
|
Filter client user |
CN |
|
LDAP configuration |
Additional comments |
|
|
DC identifier |
DC |
The domain setup looks like 'DC=myDomain,DC=com |
|
User object class |
user |
|
|
Group object class |
group |
|
|
All your PIM users are below your OU |
yourOrg |
|
<ldapConfig> <directory identifier="myLDAP" domain="myDomain.com" url="ldap://myLdap.com"> <principal>user@myDomain.com</principal> <password>myPassword</password> <serviceBindDN>CN=serviceUser,OU=yourOrg,DC=myDomain,DC=com</serviceBindDN> <domainComponentIdentifier>DC</domainComponentIdentifier> <userConfig objectClass="user" accountNameFilter="(&(CN={userName},OU=yourOrg,DC=myDomain,DC=com)(objectClass=user))" sidFilter="(&(objectSid={sid})(objectClass=user))" accountBindDN="CN={userName},OU=yourOrg,DC=myDomain,DC=com" accountNameFilterBaseDN="OU=yourOrg,DC=myDomain,DC=com"> <name>sAMAccountName</name> <sid>objectSid</sid> <groups>groupMembership</groups> </userConfig> <groupConfig objectClass="group" objectFilter="(objectCategory=group)"> <name>name</name> <description>description</description> <sid>objectSid</sid> <refreshIntervalInMin>10</refreshIntervalInMin> </groupConfig> </directory></ldapConfig>Do not determine domain from username
By default P360 server tries to determine the user and the domain value from the given typed in user name. This means that given input user@domain.com will split into 2 parts. 'user' is used as user name - 'domain.com' is used as domain. The same if you use the pattern domain.com\user.
This default behavior can be changed via the parameter <extractDomainFromUserName>. This parameter is not mandatory and the default value is true. The value is used for all available <directory> entries. If the value is set to true the typed input is used as user name without any changes.
A sample configuration would look like this.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><ldapConfig> <directory identifier="myLDAP" domain="myDomain.com" url="ldap://myLdap.com"> <principal>user@myDomain.com</principal> <password>myPassword</password> <userConfig objectClass="user" accountNameFilter="(&(sAMAccountName={userName})(objectClass=user))" sidFilter="(&(objectSid={sid})(objectClass=user))"> <name>sAMAccountName</name> <sid>objectSid</sid> <groups>memberOf</groups> </userConfig> <groupConfig objectClass="group" objectFilter="(objectCategory=Group)"> <name>name</name> <description>description</description> <sid>objectSid</sid> <refreshIntervalInMin>10</refreshIntervalInMin> </groupConfig> </directory> <extractDomainFromUserName>false</extractDomainFromUserName></ldapConfig>