Versions Compared

Old Version 19

changes.mady.by.user Former user

Saved on

compared with

New Version 20

changes.mady.by.user Amit Munwes

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Ensure to have the following details before proceeding with the next configuration steps:

LDAP server (s) IP address(es)Up to 2 IP addresses may be configured - a primary IP address and an alternate oneThe IP address of the LDAP server
LDAP server port(s)e.g. 389 or 3268 if using Global Catalog in AD
ReferralsWhether LDAP referrals should be followed or ignored (usually ignored for better performance)
Query user distinguished name (DN)
and its password

A user that is used to connect to the LDAP server and can perform queries.
e.g. " cn=LDAP Query User,ou=people,dc=example,dc=org"

LDAP Users

To be able to authenticate users, DPOD needs to know what LDAP queries it needs to perform in order to verify usernames and passwords.

...

Ensure to have the following details before proceeding with the next configuration steps:

User search base entryThe location of user entries in the LDAP tree where user entries should be searched for. Specific locations have better performance than global ones.
e.g.  " ou=people,dc=example,dc=org"
User query search sub-treeWhether user entries should be queried in the entire sub-tree of the user search base entry (usually true).
User search filterThe search filter to use in order to find a user entry based on the login usernameuser name, using standard LDAP search filter syntax.
Usually the user search filter combines 2 conditions: First filter the entries based on the "objectClass" attribute and then filter the entries based on the login usernameuser name.
User entries can normally be identified by an "objectClass" of "person", "organizationalPerson" or "inetOrgPerson".
The user entry attribute that contains the login username user name is usually "uid", "sAMAccountName" or "cn".
e.g. " (&(objectClass=person)(sAMAccountName={0}))"
A user and its password for testingA real user defined in the LDAP user registry who will be using DPOD - will be used to verify that the configuration is valid.

LDAP Groups

To be able to assign roles to users, DPOD needs to know what LDAP queries it needs to perform in order to fetch the list of groups a user belongs to.

The best way to figure this out is  to to examine group entries within the LDAP server using an LDAP browsing software compatible with your LDAP server.

Ensure to have the following details before proceeding with the next configuration steps:

Group search base entryThe location of group entries in the LDAP tree where group entries should be searched for. Specific locations have better performance than global ones.
e.g.  " ou=groups,dc=example,dc=org"Role query sub
Group search sub-treeWhether group entries should be queried in the entire sub-tree of the group search base entry (usually true).
Nested groupsGroup search nestedWhether group entries can be nested within each other (usually true).
Group search filterThe search filter to use in order to fetch the list of groups a user belongs to once a user has authenticated successfully, using standard LDAP search filter syntax.
Usually the group search filter combines 2 conditions: First filter the entries based on the "objectClass" attribute and then filter the entries based on the authenticated user.
Group entries can normally be identified by an "objectClass" of "group" or "groupOfUniqueNames".
The group entry attribute that contains its members is usually "member" or "uniquemember".
e.g. " (&(objectClass=groupOfUniqueNames)(uniqueMember={1}))"
Group name role attribute name

The attribute name at the group entry that contains the group name.
Group names are used to assign groups to Custom Roles defined in DPODrole name (usually cn).
e.g. " cn"

Built-in Roles

For security reasons, authenticated users are assigned with built-in roles based on LDAP queries only.
This means, for example, that a user may be granted with Administrator privileges only if it is configured that way in the LDAP user repository.

...

Note

The most common scenario is Scenario B, where the group's name (cn) is used as the built-in group role attribute name attribute.
This scenario does not require extending any schemas - only creating groups with pre-defined names. See below for more details.

Scenario A - Define the Built-in Role Name as an

...

Attribute of the User Entry

In this scenario, the LDAP administrator defines an attribute for the user entry (e.g. DPOD_RoleDPODRole attribute) which contains the built-in role name of that user.

  • The attribute must be defined in the user class LDAP schema, which means that this schema might need to be extended.
  • Add the attribute with one of the built-in role names (e.g. OpDashAdminRole) to each user that should use DPOD's Web Console.
    For example, an administrator user named "john" (cn=john) should have the attribute "DPOD_RoleDPODRole=OpDashAdminRole".

If you choose this scenario, ensure to have the following details before proceeding with the next configuration steps:

User entry role attribute name

The attribute name of the user entry that contains the built-in role name of that user.
e.g. "DPOD_Role"DPODRole

Scenario B - Define the Built-in Role Name as an Attribute of the Group Entry

...

If you choose this scenario, ensure to have the following details before proceeding with the next configuration steps:

...