LDAP configuration requires many parameters. This page lists all the required parameters and possible scenarios.
DPOD needs details about the LDAP server so it can query the LDAP user registry.
Ensure to have the following details before proceeding with the next configuration steps:
| LDAP server IP address | The IP address of the LDAP server |
| LDAP server port | e.g. 389 or 3268 if using Global Catalog in AD |
| Referrals | Whether LDAP referrals should be followed or ignored (usually ignored for better performance) |
| Query user distinguished name (DN) and its password | A user that is used to connect to the LDAP server and perform queries. |
To be able to authenticate users, DPOD needs to know what LDAP queries it needs to perform in order to verify usernames and passwords.
The best way to figure this out is to examine user entries within the LDAP server using an LDAP browsing software compatible with your LDAP server.
Ensure to have the following details before proceeding with the next configuration steps:
| User search base entry | The location in the LDAP tree where user entries should be searched for. Specific locations have better performance than global ones. e.g. ou=people,dc=example,dc=org |
| User search sub-tree | Whether user entries should be queried in the entire sub-tree of the user search base entry (usually true). |
| User search filter | The search filter to use in order to find a user entry based on the login user name, using standard LDAP search filter syntax. Usually the user search filter combines 2 conditions: First filter the entries based on the "objectClass" attribute and then filter the entries based on the login user name. User entries can normally be identified by an "objectClass" of "person", "organizationalPerson" or "inetOrgPerson". The user entry attribute that contains the login user name is usually "uid", "sAMAccountName" or "cn". e.g. (&(objectClass=person)(sAMAccountName={0})) |
| A user and its password for testing | A real user defined in the LDAP user registry who will be using DPOD - will be used to verify that the configuration is valid. |
To be able to assign roles to users, DPOD needs to know what LDAP queries it needs to perform in order to fetch the list of groups a user belongs to.
The best way to figure this out is to examine group entries within the LDAP server using an LDAP browsing software compatible with your LDAP server.
Ensure to have the following details before proceeding with the next configuration steps:
| Group search base entry | The location in the LDAP tree where group entries should be searched for. Specific locations have better performance than global ones. e.g. ou=groups,dc=example,dc=org |
| Group search sub-tree | Whether group entries should be queried in the entire sub-tree of the group search base entry (usually true). |
| Group search nested | Whether group entries can be nested within each other (usually true). |
| Group search filter | The search filter to use in order to fetch the list of groups a user belongs to once a user has authenticated successfully, using standard LDAP search filter syntax. Usually the group search filter combines 2 conditions: First filter the entries based on the "objectClass" attribute and then filter the entries based on the authenticated user. Group entries can normally be identified by an "objectClass" of "group" or "groupOfUniqueNames". The group entry attribute that contains its members is usually "member" or "uniquemember". e.g. (&(objectClass=groupOfUniqueNames)(uniqueMember={1})) |
| Group role attribute name | The attribute name at the group entry that contains the role name (usually cn). |
For security reasons, authenticated users are assigned with built-in roles based on LDAP queries only.
This means, for example, that a user may be granted with Administrator privileges only if it is configured that way in the LDAP user repository.
In order to assign built-in roles to users, DPOD needs to associate a user or a group with its built-in roles using an LDAP entry attribute. There are 2 possible scenarios:
The most common scenario is Scenario B, where the group's name (cn) is used as the group role attribute name. |
In this scenario, the LDAP administrator defines an attribute for the user entry (e.g. DPODRole attribute) which contains the built-in role name of that user.
If you choose this scenario, ensure to have the following details before proceeding with the next configuration steps:
| User role attribute name | The attribute name of the user entry that contains the built-in role name of that user. |
In this scenario, the LDAP administrator defines an attribute at the group entry that contains the built-in role name of users that belong to that group.