Active Directory LDAP


The Active Directory snippet is a fragment of server configuration that configures the Liberty profile to authenticate users against Active Directory over LDAP.

The password value can be plaintext or the xor-encoded value of the password. Note that xor encoding is reversible obfuscation, not encryption: anyone who can read the file can recover the bind password, so treat server.xml as a secret (restrict its file permissions) and prefer a stronger encoding if your Liberty version offers one. As written, the sample also binds over plain LDAP on port 389, which sends the bind password and each authenticating user's password in cleartext on the network; use LDAPS outside a lab.

In this example, the filters for Active Directory have been customized as an external activedLdapFilterProperties element, which is then referenced by the ldapRegistry element; the default values for LDAP entity types, attributes, group configuration, context pool and cache configuration are used.

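<?xml version="1.0" encoding="UTF-8"?>
<server description="LdapRegistry sample configuration">

    <!-- NOTE: This file is for reference only. -->

    <!-- Enable appSecurity-2.0 and ldapRegistry-3.0 features -->
    <featureManager>
        <feature>appSecurity-2.0</feature>
        <feature>ldapRegistry-3.0</feature>
    </featureManager>

    <!-- Sample configuration for LdapRegistry of Active Directory type.
         The password value can be plaintext, or the xor encoded value of the password.

         SECURITY: xor encoding is reversible obfuscation, not encryption. Anyone who can read this
         file can recover the bind password, so restrict the file's permissions and handle it as a
         secret. Prefer a stronger encoding (Liberty's securityUtility also offers AES encoding in
         recent versions; check yours) over xor.

         SECURITY: this sample binds over plain LDAP (port 389, no sslEnabled attribute). A simple bind
         sends the bindDN password, and every authenticating user's password, in cleartext on the wire.
         Outside a lab, use LDAPS (typically port 636) by adding sslEnabled="true" and an sslRef that
         points at a configured SSL element whose truststore holds the domain controller's CA
         certificate. Active Directory deployments commonly refuse unsigned simple binds anyway.

         LEAST PRIVILEGE: the bindDN account only needs read access to the users and groups subtrees;
         do not reuse a Domain Admin or any account with write rights for the bind.

         In this example, the filters for Active Directory have been customized as an external
         activedLdapFilterProperties element, which is then referenced by the ldapRegistry element,
         and the default values of LDAP entity types, attributes, group configuration, context pool
         and cache configuration are used. -->

    <ldapRegistry id="ActiveDirectoryLDAP"
                  realm="SampleLdapADRealm"
                  host="host.domain.com"
                  port="389"
                  ignoreCase="true"
                  baseDN="cn=users,dc=domain,dc=com"
                  bindDN="cn=myuser,cn=users,dc=domain,dc=com"
                  bindPassword="mypassword"
                  loginProperty="cn"
                  ldapType="Microsoft Active Directory"
                  activedFilters="myactivedfilters">

        <!-- Below is the extended configuration. You are not required to add it. Use these snippets
             only if you want to customize the configuration for the LDAP registry.

        <ldapEntityType name="Group" searchFilter="(ObjectCategory=Group)">
            <objectClass>group</objectClass>
        </ldapEntityType>
        <ldapEntityType name="OrgContainer">
            <rdnProperty name="o">
                <objectClass>organization</objectClass>
            </rdnProperty>
            <rdnProperty name="ou">
                <objectClass>organizationalUnit</objectClass>
            </rdnProperty>
            <rdnProperty name="dc">
                <objectClass>domain</objectClass>
            </rdnProperty>
            <rdnProperty name="cn">
                <objectClass>container</objectClass>
            </rdnProperty>
            <objectClass>organization</objectClass>
            <objectClass>organizationalUnit</objectClass>
            <objectClass>domain</objectClass>
            <objectClass>container</objectClass>
        </ldapEntityType>
        <ldapEntityType name="PersonAccount" searchFilter="(|(ObjectCategory=User)(ObjectClass=User))">
            <objectClass>user</objectClass>
        </ldapEntityType>
        <groupProperties>
            <memberAttribute name="member" dummyMember="uid=dummy" objectClass="group" scope="direct"/>
            <membershipAttribute name="memberof" scope="direct"/>
        </groupProperties>
        <attributeConfiguration>
            NOTE(review): 544 is the AD userAccountControl bitmask NORMAL_ACCOUNT (512) + PASSWD_NOTREQD (32),
            the flag that allows an account to exist without a password. Confirm that default is intended
            if this registry is ever used to create accounts.
            <attribute defaultValue="544" name="userAccountControl" entityType="PersonAccount" />
            <attribute name="samAccountName" propertyName="uid" entityType="PersonAccount" />
            <attribute defaultAttribute="cn" name="samAccountName" entityType="Group" />
            <attribute defaultValue="8" name="groupType" entityType="Group" />
            NOTE(review): Active Directory only accepts unicodePwd writes over an encrypted connection, so
            this password mapping presumably cannot set or change passwords through a plain port 389 bind;
            verify against your domain controllers before relying on it.
            <attribute name="unicodePwd" propertyName="password" syntax="unicodePwd"/>
            <attribute name="userprincipalname" propertyName="kerberosId" entityType="PersonAccount" />
            <propertiesNotSupported name="description"/>
            <propertiesNotSupported name="jpegPhoto"/>
            <propertiesNotSupported name="labeledURI"/>
            <propertiesNotSupported name="carLicense"/>
            <propertiesNotSupported name="pager"/>
            <propertiesNotSupported name="roomNumber"/>
            <propertiesNotSupported name="localityName"/>
            <propertiesNotSupported name="stateOrProvinceName"/>
            <propertiesNotSupported name="countryName"/>
            <propertiesNotSupported name="employeeNumber"/>
            <propertiesNotSupported name="employeeType"/>
            <propertiesNotSupported name="businessCategory"/>
            <propertiesNotSupported name="departmentNumber"/>
            <propertiesNotSupported name="homeAddress"/>
            <propertiesNotSupported name="businessAddress"/>
        </attributeConfiguration>
        <contextPool enabled="true" initialSize="1" maxSize="0" timeout="0"
            waitTime="3000ms" preferredSize="3"/>
        NOTE(review): with the caches enabled, a disabled account or a removed group membership may keep
        being honored until the cached entry expires (up to 1200s for attributes and 600s for search
        results with the values below). Size the timeouts against your revocation requirements.
        <ldapCache>
            <attributesCache size="4000" timeout="1200s" enabled="true" sizeLimit="2000"/>
            <searchResultsCache size="2000" timeout="600s" enabled="true" resultsSizeLimit="1000"/>
        </ldapCache> -->
    </ldapRegistry>

    <!-- The filter configuration in the examples below is supported by the federated user registry only
         to maintain backward compatibility with stand-alone LDAP configuration. Although it is supported,
         the detailed federated user registry configuration is recommended instead of specifying filters.

         The ampersand in an LDAP AND filter must be written as &amp; inside an XML attribute value; a
         bare & is not well-formed XML and the server will fail to parse the file.

         The %v placeholder is replaced with the name the user typed at login. NOTE(review): confirm the
         registry escapes LDAP filter metacharacters (RFC 4515) in that value before deploying custom
         filters; otherwise a crafted login name could alter the meaning of the filter. -->

    <activedLdapFilterProperties id="myactivedfilters"
                                 userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
                                 groupFilter="(&amp;(cn=%v)(objectcategory=group))"
                                 userIdMap="user:sAMAccountName"
                                 groupIdMap="*:cn"
                                 groupMemberIdMap="memberOf:member"/>

</server>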