LDAP Authentication
LDAP Authentication is provided via the Apache Jackrabbit Oak LDAP Integration. There are three steps to configure the integration:
- Create an Apache Jackrabbit Oak LDAP Identity Provider configuration
- Create a Default Sync Handler
- Create an External Login Module
For implementations with large numbers of users and groups, Dynamic Group Membership can help ensure performance by essentially inverting the authentication paradigm, storing the user's group membership in the protected property rep:externalPrincipalNames.
The following example configuration shows how to set up LDAP Authentication.
- Set up the Docker image rroemhild/test-openldap
- Create the following configurations:
org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider.[id].config
userPool.maxActive=L"8"
searchTimeout="60s"
host.name="localhost"
customattributes=[""]
adminPool.maxActive=L"8"
group.makeDnPath=B"false"
user.baseDN="dc\=planetexpress,dc\=com"
group.objectclass=["Group"]
user.objectclass=["person"]
userPool.lookupOnValidate=B"true"
host.noCertCheck=B"false"
user.makeDnPath=B"false"
bind.dn="cn\=admin,dc\=planetexpress,dc\=com"
group.baseDN="dc\=planetexpress,dc\=com"
group.extraFilter=""
user.extraFilter=""
host.port=I"389"
bind.password="GoodNewsEveryone"
adminPool.lookupOnValidate=B"true"
useUidForExtId=B"false"
group.nameAttribute="cn"
provider.name="ldap"
host.ssl=B"false"
host.tls=B"false"
user.idAttribute="uid"
group.memberAttribute="uniquemember"
org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler.[id].config
group.pathPrefix=""
user.dynamicMembership=B"false"
group.expirationTime="1d"
user.membershipExpTime="1h"
user.pathPrefix=""
user.propertyMapping=["rep:fullname\=cn"]
handler.name="default"
enableRFC7613UsercaseMappedProfile=B"false"
user.autoMembership=["administrators"]
user.expirationTime="1h"
group.propertyMapping=[""]
group.autoMembership=[""]
user.disableMissing=B"false"
user.membershipNestingDepth=I"1"
org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory.[id].config
jaas.controlFlag="SUFFICIENT"
jaas.ranking=I"99999"
sync.handlerName="default"
jaas.realmName=""
idp.name="ldap"
- You should now be able to log in with the credentials: professor/professor
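The values above target a local test directory. The following added example (not part of the Sling CMS documentation or the Oak code base) parses the .config syntax shown above and reports the settings to change before the same configuration is pointed at a real directory. The sample strings are constructed from a subset of this page's values, and the function names are hypothetical.

```python
import re

# Constructed sample: a subset of this page's example values, one string per config file.
IDP_CONFIG = r'''
host.port=I"389"
host.ssl=B"false"
host.tls=B"false"
host.noCertCheck=B"false"
bind.dn="cn\=admin,dc\=planetexpress,dc\=com"
bind.password="GoodNewsEveryone"
'''
SYNC_CONFIG = r'''
user.autoMembership=["administrators"]
group.autoMembership=[""]
'''

TOKEN = re.compile(r'([A-Za-z]?)"((?:[^"\\]|\\.)*)"')  # optional type code + quoted value

def _convert(type_code, body):
    body = re.sub(r'\\(.)', r'\1', body)  # undo backslash escapes such as \=
    if type_code == "B":
        return body == "true"
    if type_code in ("I", "L"):
        return int(body)
    return body

def parse_config(text):
    """Parse key=value lines in the .config syntax shown above into Python values."""
    parsed = {}
    for line in text.strip().splitlines():
        key, _, raw = line.strip().partition("=")
        values = [_convert(t, b) for t, b in TOKEN.findall(raw)]
        if values:  # skip blank or unparseable lines
            parsed[key] = values if raw.startswith("[") else values[0]
    return parsed

def audit(idp, sync):
    """Return the keys whose values are acceptable only for a local test directory."""
    findings = []
    if not (idp.get("host.ssl") or idp.get("host.tls")):
        findings.append("host.ssl/host.tls")    # binds and passwords travel unencrypted
    if idp.get("host.noCertCheck"):
        findings.append("host.noCertCheck")     # server certificate is not checked
    if idp.get("bind.password"):
        findings.append("bind.password")        # secret stored inline in the config file
    if "administrators" in sync.get("user.autoMembership", []):
        findings.append("user.autoMembership")  # every synced user joins administrators
    return findings

print(audit(parse_config(IDP_CONFIG), parse_config(SYNC_CONFIG)))
```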