This page lists all the parameters required for LDAP configuration, and possible scenarios.

...

DPOD needs details about the LDAP servers so it can query the LDAP user registry.

LDAP servers IP addresses: The IP addresses of the LDAP servers.
LDAP servers ports: e.g. 389, or 3268 if using the Global Catalog in AD.
LDAPS host name verification: Whether to verify the host name against the certificate when using LDAPS (secure LDAP over SSL/TLS).
Referrals: Whether LDAP referrals should be followed or ignored (usually ignored for better performance).
Query user distinguished name (DN) and its password: A user that is used to connect to the LDAP server and perform queries.
e.g. cn=LDAP Query User,ou=people,dc=example,dc=org

...

You might find it useful to examine a user entry within the LDAP user registry using LDAP browsing software compatible with your LDAP user registry.

User search base entry: The location in the LDAP tree where user entries should be searched for. Specific locations have better performance than global ones.
e.g. ou=people,dc=example,dc=org
User search filter:

The LDAP filter (using LDAP filter syntax) to use in order to find a user entry, based on the user name entered in the login page.
Usually the user search filter combines two conditions: first filter the entries based on the "objectClass" attribute, then filter the entries based on the login user name.
User entries can usually be identified by an "objectClass" of "person", "organizationalPerson" or "inetOrgPerson".
The user entry attribute that contains the login user name is usually "uid", "sAMAccountName" or "cn".
Use {0} as a placeholder for the user name entered in the login page.
e.g. (&(objectClass=person)(sAMAccountName={0}))

User name attribute:

The attribute name of the user entry that contains the name of that user (as entered in the login page).
This is usually the same attribute that is used in the user search filter described above.
Common attributes are "uid", "sAMAccountName" or "cn".
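The following is an added example (not DPOD's own code) of what the user search filter does with the {0} placeholder: it substitutes the login name into the template, escaping filter metacharacters per RFC 4515 so the name is matched literally, and then runs the resulting filter against a small constructed in-memory directory. The directory entries, the mini filter parser and the function names are assumptions made for this illustration; the filter template is the page's own example.

```python
"""Added example (not DPOD's own code): build the user search filter from
the {0} template and evaluate it against a constructed in-memory directory.
The login name is escaped per RFC 4515 before substitution, so filter
metacharacters typed on the login page are matched literally."""

import re

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# Constructed sample entries shaped like an Active Directory user registry.
DIRECTORY = {
    "cn=Alice Example,ou=people,dc=example,dc=org": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": "alice",
        "cn": "Alice Example",
    },
    "cn=Bob Example,ou=people,dc=example,dc=org": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": "bob",
        "cn": "Bob Example",
    },
}

# The page's example filter; {0} is replaced by the login name.
USER_SEARCH_FILTER = "(&(objectClass=person)(sAMAccountName={0}))"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter assertion (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse of escape_filter_value: turn \\XX hex escapes back into characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_filter(template: str, value: str) -> str:
    """Substitute the escaped value for every {0} placeholder in the template."""
    if "{0}" not in template:
        raise ValueError("filter template must contain the {0} placeholder")
    return template.replace("{0}", escape_filter_value(value))


def parse_and_filter(filter_str: str) -> list:
    """Mini-parser (assumption) for the (&(attr=value)(attr=value)) shape used on
    this page. Only equality assertions joined by a single AND are supported."""
    if not (filter_str.startswith("(&") and filter_str.endswith(")")):
        raise ValueError("only (&(attr=value)...) filters are supported")
    pairs = re.findall(r"\(([^=()]+)=([^()]*)\)", filter_str[2:-1])
    return [(attr, unescape_filter_value(val)) for attr, val in pairs]


def entry_matches(entry: dict, pairs: list) -> bool:
    """Case-insensitive equality match, as AD treats these attributes."""
    values = {
        k.lower(): [str(v).lower() for v in (vals if isinstance(vals, list) else [vals])]
        for k, vals in entry.items()
    }
    return all(val.lower() in values.get(attr.lower(), []) for attr, val in pairs)


def find_user_dn(directory: dict, template: str, login_name: str):
    """Return the single matching user DN, or None when there is no unique match."""
    pairs = parse_and_filter(build_filter(template, login_name))
    hits = [dn for dn, entry in directory.items() if entry_matches(entry, pairs)]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    print(build_filter(USER_SEARCH_FILTER, "alice"))
    print(find_user_dn(DIRECTORY, USER_SEARCH_FILTER, "alice"))
    print(find_user_dn(DIRECTORY, USER_SEARCH_FILTER, "*"))  # escaped: matched literally, no hit
```

Two points carry over to a real configuration: the user name attribute named in the filter ("sAMAccountName" here) should be the same one configured as the user name attribute, and a login should only proceed when exactly one entry matches, which is why find_user_dn returns None for zero or several hits.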

A user and its password for testing: A real user defined in the LDAP user registry who will be using DPOD; used to verify that the configuration is valid.

...

You might find it useful to examine a group entry within the LDAP user registry using LDAP browsing software compatible with your LDAP user registry.

Group search base entry: The location in the LDAP tree where group entries should be searched for. Specific locations have better performance than global ones.
e.g. ou=groups,dc=example,dc=org
Group membership search filter:

The LDAP filter (using LDAP filter syntax) to use in order to fetch the list of groups a user belongs to once the user has authenticated successfully, based on the user entry's DN.
Usually the group membership search filter combines two conditions: first filter the entries based on the "objectClass" attribute, then filter the entries based on the authenticated user's DN.
Group entries can usually be identified by an "objectClass" of "group" or "groupOfUniqueNames".
The group entry attribute that contains its members is usually "member" or "uniqueMember".
Use {0} as a placeholder for the full DN of the member user or the member group (in case of nested search).
e.g. (&(objectClass=groupOfUniqueNames)(uniqueMember={0}))

Group membership search nested: Whether to search for nested group membership (groups within groups). Usually set to "true".
Group name search filter:

The LDAP filter (using LDAP filter syntax) to use in order to find a group entry, based on its name.
Usually the group name search filter combines two conditions: first filter the entries based on the "objectClass" attribute, then filter the entries based on the group name.
Group entries can usually be identified by an "objectClass" of "group" or "groupOfUniqueNames".
The group entry attribute that contains the group name is usually "cn".
Use {0} as a placeholder for the group name.
e.g. (&(objectClass=groupOfUniqueNames)(cn={0}))

Group name attribute:

The attribute name of the group entry that contains the name of that group.
This is usually the same attribute that is used in the group name search filter described above.
The most common attribute is "cn".

...

To be able to assign built-in roles to users, DPOD needs to map values from LDAP entries (users or groups) to its built-in roles.

OpDashAdminRole mapping: The value of an attribute of LDAP entries that provides Admin access to users or groups. This is usually the name of the group of admins.
e.g. MyDpodAdminsGroup
OpDashPowerUserRole mapping: The value of an attribute of LDAP entries that provides Power User access to users or groups. This is usually the name of the group of power users.
e.g. MyDpodPowerUserGroup
OpDashOperatorRole mapping: The value of an attribute of LDAP entries that provides Operator access to users or groups. This is usually the name of the group of operators.
e.g. MyDpodOperatorsGroup
OpDashInvestigatorRole mapping: The value of an attribute of LDAP entries that provides Investigator access to users or groups. This is usually the name of the group of investigators.
e.g. MyDpodInvestigatorGroup
OpDashAppAdminRole mapping: The value of an attribute of LDAP entries that provides App Admin access to users or groups. This is usually the name of the group of DPOD installation admins.
e.g. MyDpodAppAdminsGroup
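The following is an added example (not DPOD's own code) that ties the group membership search, the nested setting and the role mapping together: it resolves a user's direct and nested groups from a constructed in-memory directory whose group entries follow the page's (&(objectClass=groupOfUniqueNames)(uniqueMember={0})) filter, and then maps the groups' "cn" values onto the built-in roles using the page's example mapping values. The directory contents, the user and group DNs, and the function names are assumptions made for this illustration; the example also shows the case the page does not spell out, two groups that reference each other, which a nested search has to terminate on.

```python
"""Added example (not DPOD's own code): resolve direct and nested group
membership from a constructed in-memory directory, then map group names to
DPOD's built-in roles. Each group lists member DNs in its uniqueMember
attribute, matching the page's membership search filter."""

from collections import deque

MEMBER_ATTR = "uniqueMember"   # attribute holding member DNs
GROUP_NAME_ATTR = "cn"         # group name attribute, as on the page

# Constructed DNs used by the sample directory below.
ALICE_DN = "cn=Alice Example,ou=people,dc=example,dc=org"
BOB_DN = "cn=Bob Example,ou=people,dc=example,dc=org"
OPS_TEAM_DN = "cn=OpsTeam,ou=groups,dc=example,dc=org"
OPERATORS_DN = "cn=MyDpodOperatorsGroup,ou=groups,dc=example,dc=org"
ADMINS_DN = "cn=MyDpodAdminsGroup,ou=groups,dc=example,dc=org"
ADMIN_PEERS_DN = "cn=AdminPeers,ou=groups,dc=example,dc=org"

# Constructed directory: Alice reaches the operators group only through
# OpsTeam (nested membership); the two admin groups reference each other,
# which a nested search must survive without looping forever.
DIRECTORY = {
    OPS_TEAM_DN: {"objectClass": ["groupOfUniqueNames"], "cn": "OpsTeam",
                  MEMBER_ATTR: [ALICE_DN]},
    OPERATORS_DN: {"objectClass": ["groupOfUniqueNames"], "cn": "MyDpodOperatorsGroup",
                   MEMBER_ATTR: [OPS_TEAM_DN]},
    ADMINS_DN: {"objectClass": ["groupOfUniqueNames"], "cn": "MyDpodAdminsGroup",
                MEMBER_ATTR: [BOB_DN, ADMIN_PEERS_DN]},
    ADMIN_PEERS_DN: {"objectClass": ["groupOfUniqueNames"], "cn": "AdminPeers",
                     MEMBER_ATTR: [ADMINS_DN]},
}

# Role mapping values from the page's examples: the group name that grants each role.
ROLE_MAPPING = {
    "OpDashAdminRole": "MyDpodAdminsGroup",
    "OpDashPowerUserRole": "MyDpodPowerUserGroup",
    "OpDashOperatorRole": "MyDpodOperatorsGroup",
    "OpDashInvestigatorRole": "MyDpodInvestigatorGroup",
    "OpDashAppAdminRole": "MyDpodAppAdminsGroup",
}


def direct_groups(directory: dict, member_dn: str) -> list:
    """What the group membership search filter returns for {0} = member_dn.
    DNs are compared case-insensitively, as LDAP does."""
    wanted = member_dn.lower()
    return [
        dn for dn, entry in directory.items()
        if "groupOfUniqueNames" in entry.get("objectClass", [])
        and wanted in (m.lower() for m in entry.get(MEMBER_ATTR, []))
    ]


def all_groups(directory: dict, user_dn: str, nested: bool = True) -> list:
    """Breadth-first walk of group membership. The visited set is what makes
    the nested search terminate on cyclic group references."""
    visited = {}
    queue = deque([user_dn])
    while queue:
        current = queue.popleft()
        for group_dn in direct_groups(directory, current):
            if group_dn.lower() in visited:
                continue
            visited[group_dn.lower()] = group_dn
            if nested:
                queue.append(group_dn)   # the group's own DN becomes the next {0}
    return sorted(visited.values())


def roles_for(directory: dict, user_dn: str, nested: bool = True) -> list:
    """Map the names of the user's groups onto the built-in roles."""
    names = {directory[g][GROUP_NAME_ATTR] for g in all_groups(directory, user_dn, nested)}
    return sorted(role for role, group_name in ROLE_MAPPING.items() if group_name in names)


if __name__ == "__main__":
    print(roles_for(DIRECTORY, ALICE_DN))                # nested: operator via OpsTeam
    print(roles_for(DIRECTORY, ALICE_DN, nested=False))  # direct only: no role
    print(roles_for(DIRECTORY, BOB_DN))                  # admin; the group cycle is handled
```

With nested search disabled, Alice gets no role even though OpsTeam sits inside the operators group, which is why the page recommends setting it to "true"; the flip side is that every group reachable through nesting can grant a role, so the groups named in the role mappings should have their own membership reviewed, nested members included.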

Custom Roles

Custom roles are based on LDAP user names and LDAP group names, and are defined by the administrator using DPOD's Web Console.

...