Versions Compared

Version Old Version 9 New Version 10
Changes made by

Amit Munwes

Amit Munwes

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • LDAP server(s) IP address(es) (up to 2 IP addresses may be configured - a primary IP address and an alternate one)
  • LDAP server port(s) (e.g. 389 or 3268 if using Global Catalog in AD)
  • Whether LDAP referrals should be followed or ignored (usually ignored for better performance)
  • A user distinguished name (DN) and its password which is used to connect to the LDAP server and can perform queries (e.g. "cn=LDAP Query User,ou=people,dc=example,dc=org")

LDAP Users

In order to authenticate users, DPOD needs to know what LDAP queries to perform in order to verify usernames and passwords.

...

  • User base entry - the location of user entries in the LDAP tree (e.g. ou=people,dc=example,dc=org). Specific locations have better performance than global ones.
  • Whether user entries should be queried in the entire sub-tree of the user base entry (usually true)
  • User search query - the query to perform in order to find a user entry based on the login username.
    Usually the user search query combines 2 conditions: First filter the entries based on "objectClass" attribute and then filter the entries based on the login username.
    Usually user entries may be identified by an "objectClass" of "person", "organizationalPerson" or "inetOrgPerson".
    The user entry attribute that contains the login username is usually "uid", "sAMAccountName" or "cn".
    An example of a user search query: (&(objectClass=person)(sAMAccountName={0}))
  • A username and password of a real user defined in the LDAP user registry who will be using DPOD - will be used to verify that the configuration is valid.

LDAP Groups

In order to assign roles to users, DPOD needs to know what LDAP queries to perform in order to fetch the list of groups a user belongs to.

The best way to discover it is to have a look at a group entry within the LDAP server using an LDAP browsing software compatible with your LDAP server.

Please make sure you have the following details:

  • Group base entry - the location of group entries in the LDAP tree (e.g. ou=groups,dc=example,dc=org). Specific locations have better performance than global ones.
  • Whether group entries should be queried in the entire sub-tree of the group base entry (usually true)
  • Whether group entries can be nested in each other (usually true)
  • Group search query - the query to perform in order to fetch the list of groups a user belongs to once a user has authenticated successfully.
    Usually the group search query combines 2 conditions: First filter the entries based on "objectClass" attribute and then filter the entries based on the authenticated user.
    Usually group entries may be identified by an "objectClass" of "group" or "groupOfUniqueNames".
    The group entry attribute that contains its members is usually "member" or "uniquemember".
    An example of a group search query: (&(objectClass=groupOfUniqueNames)(uniqueMember={1}))

Scenario A - Define Roles as attributes on the user directory entry

...