With this login type, LDAP servers are used for authentication. In the default configuration, the list of URLs represents connections to the same replicated LDAP environment on different servers. The list is checked top-down if a server is inaccessible, e.g., due to updates.
If the list is left empty, LDAP servers are discovered from the DNS of the current domain using the SRV records _ldap._tcp.<domain> and _ldaps._tcp.<domain>.
Sample login URLs look like ldap://MyLdapServer:389/ or ldaps://MyLdapServer:636/ (with SSL).
The authentication provider supports both Active Directory LDAP and OpenLDAP v3 backends. An AD backend authenticates users automatically, while OpenLDAP requires the following filter:
# OpenLDAP user search filter
(&(objectClass=person)(uid=<username>))
User groups are determined from the memberOf and primaryGroupId attributes of the user, so groups are only determined after the user has successfully authenticated. The user search query, used to load the available roles, includes a filter for AD as well:
# AD / OpenLDAP user search filter for determining groups
(|(&(objectCategory=person)(sAMAccountName=<username>))(&(objectClass=person)(uid=<username>)))
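As an added example (not the product's own code), the following Python renders the two filter templates above with the <username> placeholder substituted and the value escaped per RFC 4515, so metacharacters in a login name cannot change the structure of the query; the windows_logon_name helper and its handling of already-prefixed names are assumptions, not behaviour the page describes.

```python
# Added example, not the product's own code: render the user search filters
# shown above with <username> substituted, escaping the value per RFC 4515
# (section 3) so filter metacharacters in a login name cannot alter the
# structure of the query sent to the directory.

# Filter templates exactly as given in the configuration text above.
OPENLDAP_USER_FILTER = "(&(objectClass=person)(uid=<username>))"
GROUP_LOOKUP_FILTER = (
    "(|(&(objectCategory=person)(sAMAccountName=<username>))"
    "(&(objectClass=person)(uid=<username>)))"
)

# Characters that must be escaped inside an assertion value (RFC 4515).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Return the value with RFC 4515 filter metacharacters escaped."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, username: str) -> str:
    """Substitute the escaped username into a filter template."""
    return template.replace("<username>", escape_filter_value(username))


def render_filter_unescaped(template: str, username: str) -> str:
    """Naive substitution, kept only to contrast with render_filter."""
    return template.replace("<username>", username)


def windows_logon_name(default_domain: str, username: str) -> str:
    """Apply the Default Domain prefix <WINDOWS DOMAIN NAME>\\<username>.

    Assumption (not stated on the page): a name that already carries a
    domain prefix, or an empty default domain, leaves the name unchanged.
    """
    if not default_domain or "\\" in username:
        return username
    return f"{default_domain}\\{username}"


if __name__ == "__main__":
    # Constructed input: a login name carrying filter metacharacters.
    hostile = "alice)(|(uid=*"
    print(render_filter(OPENLDAP_USER_FILTER, hostile))
    # -> (&(objectClass=person)(uid=alice\29\28|\28uid=\2a))
    print(render_filter_unescaped(OPENLDAP_USER_FILTER, hostile))
    # -> (&(objectClass=person)(uid=alice)(|(uid=*))  (structure altered)
```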
This option adjusts how the LDAP URLs are checked. As mentioned above, all URLs are checked sequentially by default. This default option is suitable when only a single domain is to be served and the additional URLs point to fallback servers.
If checked, the server certificate is not verified when connecting to LDAP URLs. This option can be used when the certificate presented by an LDAP URL cannot be trusted by the application, e.g., because it was issued by a private CA. Without verification the connection is still encrypted, but the server's identity is no longer checked.
The Default Domain is used in Windows environments to prefix the username during authentication in the form <WINDOWS DOMAIN NAME>\<username>. It allows users to log in to a Windows domain without prefixing the username with that domain.
Note: The domain should usually be specified in its Windows 2000 form. The exact value can be found in a user's settings in the Active Directory.
The Bind User and Password are advanced options and may be required to search for user entries in an AD/OpenLDAP directory that does not allow anonymous binds. The Bind User has to be given in DN notation, e.g., cn=service,dc=mydomain,dc=local.
The Base DN is an advanced option and allows setting a distinguished name that should be used as a search base for users and groups.
The User RDN is an advanced option and allows setting a distinguished name relative to the Base DN that should be used as a search base for users.
The Groups RDN is an advanced option and allows setting a distinguished name relative to the Base DN that should be used as a search base for groups.