LDAP Connection V11

From Metadata Technology Wiki
Jump to navigation Jump to search

Overview

Fusion Metadata Registry can use LDAP as the authorization mechanism

Defininng an LDAP connection

Specifying the Connection Details

On the page page Security -> Authentication Service ensure the drop-down states "LDAP". The following fields are presented.

Item Description
Protocol and hostname Mandatory Either select ldap or ldaps (LDAP over SSL) in the left-side drop-down. In the input field, enter the server and if necessary port number. E.g. localhost:10389
Base DN The Base Distinguished Name identifies the entry in the directory from which searches initiated by LDAP clients occur. E.g dc=metdatatechnology,dc=com
Manager DN The manager DN used for querying the directory server and so this user must have privileges to search the directory. E.g. cn=admin,dc=metdatatechnology,dc=com
Manager Password The password for the manager account
User Search Base The starting point the LDAP server uses when searching for users authentication within your directory. This works in tandem with the base DN. E.g A value of "ou=people" would search under "ou=people" under the Base DN "dc=metdatatechnology,dc=com"
User Search Filter Used to identify the users under the User Search Base by a particular criteria. This is often likely to be: uid={0}
Group Search Base The starting point the LDAP server uses when searching for groups within your directory. This works in tandem with the base DN. E.g A value of "ou=people" would search for groups under "ou=people" under the Base DN "dc=metdatatechnology,dc=com"
Group Search Filter Used to identify the groups under the Group Search Base by a particular criteria. E.g. member={0}
Role Prefix An optional prefix which will be prepended to Granted Authority values loaded from the directory.
UserID Attribute Mandatory This is used to determine what value a user should be displayed as. It is likely this value will be uid

Troubleshooting

If you are having issues connecting to LDAP, please look at the logs of FMR. To aid in this, you may wish to increase the logging level of the LDAP connectors. Please add the following loggers to the file: logback.xml to set the logging to DEBUG for Spring classes

<logger name="org.springframework.security" level="DEBUG" additivity="false">
    <appender-ref ref="STDOUT" />
</logger>
<logger name="org.springframework.ldap" level="DEBUG" additivity="false">
    <appender-ref ref="STDOUT" />
</logger>

Example using OpenLDAP Docker Image

The following gives a concrete example of setting up FMR to communicate with an existing OpenLDAP instance.

Obtaining the OpenLdap Docker Image

A Docker OpenLdap instance is available and for more information can be found at: https://github.com/rroemhild/docker-test-openldap

The command to create and run the docker instance is:

 docker run --rm -p 10389:10389 -p 10636:10636 rroemhild/test-openldap

Docker Instance Users and Groups

Within this docker instance there are:

- 2 groups in the OpenLDAP system: "admin_staff" and "ship_crew" - 2 users in "admin_staff": "professor" and "hermes" - 3 users in "ship_crew": "fry", "bender" and "leela"

For convenience everyone's password is the same as their UID. These credentials will be used to login to the Registry.

Setting up the Registry

Specify the following connection values on the page Security -> Authentication Service

Security Service: LDAP

ldap:// localhost:10389

Base DN dc=planetexpress,dc=com

Manager DN cn=admin,dc=planetexpress,dc=com

Manager Password GoodNewsEveryone

User Search Base ou=people

User Search Filter uid={0}

Group Search Base ou=people

Group Search Filter member={0}

Role Prefix <blank>

UserID Attribute uid

Alternatively, use POSTMAN with the following values:

{"authType":"ldap","ldapServer":"ldap://localhost:10389","baseDn":"dc=planetexpress,dc=com","userSearchBase":"ou=people","userSearchFilter":"uid={0}","groupSearchBase":"ou=people","groupSearchFilter":"member={0}","rolePrefix":"","userID":"uid","managerDn":"cn=admin,dc=planetexpress,dc=com","managerPwd":"GoodNewsEveryone"}