External directory synchronization and authentication using generic LDAP plugin
Product: IMiS/ARChive
Release: Since 9.8.1710
Date: 08/30/2021
Case:
The generic LDAP plugin enables external directory synchronization and authentication with LDAP servers (IBM Lotus Domino, OpenLDAP, ...). This article presents configuration examples showing how to configure the generic LDAP plugin to communicate with external LDAP servers.
Description:
The generic LDAP plugin links IMiS ARChive Server directory fields with fields on the LDAP server during the synchronization process. The required directory fields are:
- "sys:dir:Account": represents the user/group account name (single value). The value must be a "string".
- "sys:dir:UUID": represents the user/group unique identifier used by the external synchronization service (single value). The value must be "binary" (base64 encoded).
For the complete list of other supported directory fields, see the article "External directory synchronization and authentication using ActiveDirectory plugin". Mapping between directory fields and LDAP fields is done with the XML configuration tag "<Field>". The configuration tag has the following attributes:
- "key": defines the field name to which the value will be mapped (required attribute).
- "type": defines the field type (required attribute).
- "script": defines a javascript expression that will be evaluated after the field value is inserted into the result map (optional attribute).
- "preScript": defines a javascript expression that will be evaluated before the field value is inserted into the result map (optional attribute).
- "typeExt": defines the embedded translation rules for field evaluation. The attribute is optional except for the field types "bitfield" and "boolean", where it is required.
- "default": defines the default value that will be used when the value from the LDAP server is missing (optional attribute).
- "scope": defines the "user" or "group" scope in which the field configuration will be used. The attribute is optional; if it is missing, the field configuration is used during both user and group processing.
The field types supported by the generic LDAP plugin are the following:
- STRING: represents string values.
- BINARY: represents base64 encoded binary values.
- BITFIELD: represents a true/false value parsed from bitfield values (flags ...).
- BOOLEAN: represents a true/false value.
- INT: represents a numeric value.
- DISTINGUISHED_NAME: represents the LDAP distinguished name (the value is taken from the current context, not from an LDAP field).
- EXPRESSION: represents values that are computed from other fields.
- LDAP_AUTHENTICATION: the field is used during LDAP authentication and is not part of the synchronization process.
The field type evaluation order during synchronization is the following:
- STRING, BINARY, BITFIELD, BOOLEAN and INT field types are evaluated first; the evaluation order among these fields is random.
- DISTINGUISHED_NAME field types are evaluated second; the evaluation order among these fields is random.
- EXPRESSION field types are evaluated last, so that values from previously evaluated fields can be used. These fields are evaluated in the same order as they are defined in the configuration XML.
The execution order of embedded translation rules and javascript expressions for each field is the following:
- embedded translation rules
- javascript expression in "preScript"
- javascript expression in "script"
For details about embedded translation rules, see the article "Generic connector field evaluation using embedded translation rules"; the article "Generic connector field evaluation using javascript" contains detailed information about javascript expression evaluation. Since IMiS ARChive Server 10.1.2010 SP1, javascript is supported for all field types, not just "expression". All configuration examples in this article use the 10.1.2010 SP1 generic LDAP plugin with Microsoft Active Directory as the LDAP server. For details about additional LDAP configuration tags, see the article "External directory synchronization and authentication using ActiveDirectory plugin".
Example 1: The generic LDAP plugin is configured the same way as the ActiveDirectory plugin for user and group synchronization.
ActiveDirectory plugin configuration example:
<Arguments>
  <Class>com.imis.imisarc.server.aaa.impl.ActiveDirectory</Class>
  <LdapURL>ldap://ldapserver.company.com</LdapURL>
  <LdapUsername>username</LdapUsername>
  <LdapPassword>password</LdapPassword>
  <LdapAuthenticationType>DIGEST-MD5</LdapAuthenticationType>
  <LdapBaseDN>DC=company,DC=com</LdapBaseDN>
  <LdapUserDN>OU=Users</LdapUserDN>
  <LdapGroupDN>OU=Groups</LdapGroupDN>
  <LdapUserObjectFilter>(objectClass=user)</LdapUserObjectFilter>
  <LdapGroupObjectFilter>(objectClass=group)</LdapGroupObjectFilter>
  <LdapAuthenticationFilter>(&(objectCategory=person)(objectClass=user)(|(userPrincipalName=%s)(mail=%s)(sAMAccountName=%s)))</LdapAuthenticationFilter>
  <AccountAliasList>sAMAccountName,userPrincipalName,distinguishedName</AccountAliasList>
</Arguments>
Generic LDAP plugin configuration with the same synchronization functionality as the ActiveDirectory plugin:
<Arguments>
  <Class>com.imis.imisarc.server.aaa.impl.GenericLdapConnector</Class>
  <LdapURL>ldap://ldapserver.company.com</LdapURL>
  <LdapUsername>username</LdapUsername>
  <LdapPassword>password</LdapPassword>
  <LdapAuthenticationType>DIGEST-MD5</LdapAuthenticationType>
  <LdapBaseDN>DC=company,DC=com</LdapBaseDN>
  <LdapUserDN>OU=Users</LdapUserDN>
  <LdapGroupDN>OU=Groups</LdapGroupDN>
  <LdapUserObjectFilter>(objectClass=user)</LdapUserObjectFilter>
  <LdapGroupObjectFilter>(objectClass=group)</LdapGroupObjectFilter>
  <LdapAuthenticationFilter>(&(objectCategory=person)(objectClass=user)(|(userPrincipalName=%s)(mail=%s)(sAMAccountName=%s)))</LdapAuthenticationFilter>
  <Field key="sys:dir:Account" type="string">sAMAccountName</Field>
  <Field key="sys:dir:FirstName" type="string" scope="user">givenName</Field>
  <Field key="sys:dir:LastName" type="string" scope="user">sn</Field>
  <Field key="sys:dir:LastName" type="string" scope="group">name</Field>
  <Field key="sys:dir:Description" type="string">description</Field>
  <Field key="sys:dir:Email" type="string">mail</Field>
  <Field key="sys:dir:UUID" type="binary">objectGUID</Field>
  <Field key="sys:dir:Icon" type="binary">thumbnailPhoto</Field>
  <Field key="sys:dir:GroupMembers" type="string" scope="group">member</Field>
  <!-- distinguished_name and user_principal_name are helper fields used in sys:dir:Aliases processing; they are not processed by IMiS ARChive Server itself -->
  <Field key="distinguished_name" type="string">distinguishedName</Field>
  <Field key="user_principal_name" type="string" scope="user">userPrincipalName</Field>
  <Field key="sys:dir:Flags:Enabled" type="bitfield" typeExt="OFF=1,NEG=true">userAccountControl</Field>
  <Field key="sys:dir:Flags:Locked" type="boolean" typeExt="VAL=0,NEG=true" scope="user">lockoutTime</Field>
  <Field key="sys:dir:Aliases" scope="user" type="expression" typeExt="DEL=#">%distinguished_name%#%user_principal_name%</Field>
  <Field key="sys:dir:Aliases" scope="group" type="expression">%distinguished_name%</Field>
</Arguments>
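To make the evaluation passes and the typeExt rules from the description above concrete, here is a small simulation of the mapping step written for this article (it is not the plugin's own code): it parses a subset of the Example 1 <Field> configuration and applies it to a constructed AD user entry. The reading of OFF as a zero-based bit offset, of VAL as the raw value that yields true, and the "_dn" key standing in for the LDAP context name are assumptions.

```python
import base64
import re
import xml.etree.ElementTree as ET
# Constructed subset of the Example 1 <Field> configuration (not the product's own code).
CONFIG = """<Arguments>
<Field key="sys:dir:Account" type="string">sAMAccountName</Field>
<Field key="sys:dir:UUID" type="binary">objectGUID</Field>
<Field key="sys:dir:Flags:Enabled" type="bitfield" typeExt="OFF=1,NEG=true">userAccountControl</Field>
<Field key="sys:dir:Flags:Locked" type="boolean" typeExt="VAL=0,NEG=true" scope="user">lockoutTime</Field>
<Field key="distinguished_name" type="string">distinguishedName</Field>
<Field key="user_principal_name" type="string" scope="user">userPrincipalName</Field>
<Field key="sys:dir:Aliases" scope="user" type="expression" typeExt="DEL=#">%distinguished_name%#%user_principal_name%</Field>
<Field key="sys:dir:Aliases" scope="group" type="expression">%distinguished_name%</Field>
</Arguments>"""
# Constructed AD user entry; "_dn" stands in for the name of the LDAP context itself.
DN = "CN=Jane Doe,OU=Users,DC=company,DC=com"
USER = {"_dn": DN, "distinguishedName": DN, "sAMAccountName": "jdoe",
        "userPrincipalName": "jdoe@company.com", "objectGUID": b"\x01\x02\x03\x04",
        "lockoutTime": "0", "userAccountControl": "514"}  # NORMAL_ACCOUNT | ACCOUNTDISABLE
# Pass 1: string/binary/bitfield/boolean/int, pass 2: distinguished_name, pass 3: expression.
PASS = lambda f: 2 if f.get("type") == "expression" else 1 if f.get("type") == "distinguished_name" else 0
parse_ext = lambda t: dict(p.split("=", 1) for p in t.split(",")) if t else {}  # "OFF=1,NEG=true"

def evaluate(config_xml, entry, scope):
    fields = [f for f in ET.fromstring(config_xml).findall("Field")
              if f.get("scope", scope) == scope and f.get("type") != "ldap_authentication"]
    result = {}
    for f in sorted(fields, key=PASS):  # sorted() is stable: expressions keep their XML order
        ftype, ext = f.get("type"), parse_ext(f.get("typeExt"))
        if ftype == "distinguished_name":
            value = entry["_dn"]
        elif ftype == "expression":  # evaluated last, so %name% can reference earlier fields
            value = re.sub(r"%([^%]+)%", lambda m: str(result.get(m.group(1), "")), f.text)
            value = value.split(ext["DEL"]) if "DEL" in ext else value
        else:
            raw = entry.get(f.text, f.get("default"))
            if raw is None:  # missing on the LDAP side and no "default": field is skipped
                continue
            if ftype == "binary":
                value = base64.b64encode(raw).decode()
            elif ftype == "bitfield":  # OFF read as a zero-based bit offset (assumption)
                value = bool(int(raw) >> int(ext["OFF"]) & 1)
            elif ftype == "boolean":  # VAL read as the raw value that yields true (assumption)
                value = str(raw) == ext["VAL"]
            else:
                value = int(raw) if ftype == "int" else raw
            if ext.get("NEG") == "true":  # NEG inverts the rule's outcome
                value = not value
        result[f.get("key")] = value
    return result
```

Running evaluate(CONFIG, USER, "user") yields a disabled, not locked account whose sys:dir:Aliases list holds the DN and the UPN; with scope "group" the user-scoped fields are skipped and sys:dir:Aliases is the bare DN.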
Example 2: Starting from the generic LDAP plugin configuration in Example 1, we add a field of type LDAP_AUTHENTICATION to enable LDAP authentication. If the authentication type is set to "None" or "Simple", the AD attribute "distinguishedName" should be used; otherwise "sAMAccountName" should be used. In the current case the "DIGEST-MD5" authentication type is used, so we use the "sAMAccountName" attribute. For the field key we simply use a randomly generated UUID, because the field is not part of the synchronization process.
<Arguments>
  ...
  <Field key="f7c6ac46-b240-11eb-b905-005056ab19ce" type="ldap_authentication">sAMAccountName</Field>
  ...
</Arguments>
Example 3: The next example demonstrates the use of the DISTINGUISHED_NAME field type with Microsoft AD. When using this field type, no mapping value is required because the value is taken from the LDAP context.
<Arguments>
  ...
  <Field key="context_distinguished_name" type="distinguished_name"/>
  <Field key="sys:dir:Aliases" scope="user" type="expression" typeExt="DEL=#">%context_distinguished_name%#%user_principal_name%</Field>
  <Field key="sys:dir:Aliases" scope="group" type="expression">%context_distinguished_name%</Field>
  ...
</Arguments>
Related Documents:
- https://docs.oracle.com/javase/8/docs/api/javax/naming/Context.html#getNameInNamespace
- https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ada1/56da5a9b-485d-4d7c-a226-1a54a43d9013
- External directory synchronization and authentication using ActiveDirectory plugin
- Generic connector field evaluation using embedded translation rules
- Generic connector field evaluation using javascript