
LDAP

When enabled and configured, LDAP is used as an additional authentication method when a username and password are entered. LDAP is tried after easydb's own authentication and is only used if there is no easydb user with the given name.

HINT: Please check your easydb contract, whether you have licensed “authentication” to link easydb to single-sign-on and authentication systems (e.g. LDAP).

LDAP referrals are currently not supported. If the configured server cannot supply the information itself, the entry will not be found.

Variables

Paths below ldap are given relative to one entry of the ldap list.

| Name of variable | Type | Required | Default | Description |
|---|---|---|---|---|
| ldap | List | no | | Contains the configuration information about LDAP servers |
| user | Hierarchy | yes | | Contains the LDAP information for the user login |
| user.protocol | String | yes | ldap | Defines the protocol to use (ldap/ldaps) |
| user.server | String | yes | | Defines the address where easydb can reach the LDAP server |
| user.port | String | yes | 389 | Defines the port on which easydb connects to the remote LDAP server |
| user.basedn | String | yes | | Defines the search base under which easydb looks up entries on the LDAP server |
| user.filter | String | yes | | Defines the search filter easydb uses to match user entries. Example: `(&(objectClass=posixAccount)(uid=%(Login)s))` |
| user.user | String | no | | Defines the user to search with. Must be in DN syntax. |
| user.password | String | no | | Defines the password for the search user |
| group | Hierarchy | no | | Contains the LDAP information about LDAP groups |
| group.protocol | String | yes | ldap | Defines the protocol to use (ldap/ldaps) |
| group.server | String | yes | | Defines the address where easydb can reach the LDAP server |
| group.port | String | yes | 389 | Defines the port on which easydb connects to the remote LDAP server |
| group.basedn | String | yes | | Defines the search base under which easydb looks up entries on the LDAP server |
| group.filter | String | yes | | Defines the search filter easydb uses to match group entries. Example: `(&(objectClass=posixGroup)(memberUid=%(Login)s))` |
| group.user | String | no | | Defines the user to search with. Must be in DN syntax. |
| group.password | String | no | | Defines the password for the search user |
| environment | Hierarchy | no | | |
| environment.mapping | Hierarchy | no | | Contains the LDAP-to-easydb mapping |
| environment.mapping.<replace-me> | Hierarchy | no | | Sets a name for a specific mapping, under which the mapped data can be retrieved later |
| environment.mapping.<replace-me>.attr | String | yes | | Defines which LDAP attribute should be mapped |
| environment.mapping.<replace-me>.regex_match | String | no | | Defines a regex which is applied to the data of attr |
| environment.mapping.<replace-me>.regex_replace | String | no | | Defines the string which replaces the regex-matched data |
| environment.user | Hierarchy | yes | | Defines the LDAP user attributes easydb should use for login etc. |
| environment.user.login | String | yes | | Defines the attribute easydb should use for user logins. Example: `%(user.uid)s` |
| environment.user.displayname | String | no | | Defines the attribute easydb should use for user display names. Example: `%(user.givenName)s %(user.sn)s` |
| environment.user.email | String | no | | Defines the attribute easydb should use for the user's email address. Example: `%(user.mail)s` |
| environment.group | List | no | | Defines a list of group attributes easydb should look at to find the user's groups |
| environment.group[].attr | String | yes | | Defines a specific group attribute. Example: `group.cn`, or via mapping: `g_ldap_prefixed` |

Frequently Asked Questions

How to map easydb rights to members of LDAP groups

How to map LDAP groups to easydb groups

How to find the correct name of the LDAP group

Depending on your LDAP configuration (see below), the correct name to use in the group mapping may be the common name of the LDAP group or the distinguished name or even some other version of the LDAP group name.

To see the group names which your easydb is comparing during mapping:

- Log into your easydb using an LDAP account which is a member of at least one group. This group should match all requirements used in your easydb configuration (see above).
- Read the last few log messages of the easydb server which include the string group. Here is a typical Linux command to do this:

grep groups /srv/easydb/easydb-server/var/imexporter.log | tail

The output could look like the following line:

[c13ea92a][2018-12-31T23:59:59.999999][    68][    INFO][           base.ldap] user record: {'_groups': ['Alle-Mitarbeiter', 'sec_Kommunikation', 'Bilderarchiv'],

In the example above you would use one of the three group names exactly as written there, without the single quotes, e.g. sec_Kommunikation.

How to see the easydb groups of a login session

Who is allowed to login?

All accounts in LDAP are allowed to log in to easydb. If you want to restrict login to certain groups in your LDAP, please contact us and we will discuss the implementation.

Plugin configuration

Enable LDAP support for easydb

LDAP is implemented as a plug-in, which must be activated explicitly:

plugins:
  enabled+:
    - base.ldap

Examples

A list (indicated by the "-" after ldap: in the example below) of configurations is defined. The first configuration in which the user can be authenticated is used. A configuration consists of a block for authenticating the user (user), a block for finding linked groups (group) and a block for mapping the LDAP information into easydb (environment).

plugins:
  enabled+:
    - base.ldap

ldap:
  - user:
      protocol: ldap
      server: first.ldap.example.com
      basedn: dc=example,dc=com
      filter: '(&(objectClass=posixAccount)(uid=%(Login)s))'
    group:
      protocol: ldap
      server: first.ldap.example.com
      basedn: dc=example,dc=com
      filter: '(&(memberUid=%(user.uid)s)(objectClass=posixGroup))'
    environment:
      mapping:
        u_login:
          attr: user.uid
          regex_match: '$'
          regex_replace: '@LDAP'
        g_ldap_prefixed:
          attr: group.cn
          regex_match: '^'
          regex_replace: 'ldap.'
      user:
        login: '%(u_login)s'
        displayname: '%(user.givenName)s %(user.sn)s'
        email: '%(user.mail)s'
      groups:
        - attr: g_ldap_prefixed
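The following Python script is an added illustration of how the variables table and the example above fit together; it is not easydb's own code. It takes a constructed user/group record, applies the mapping block (attr, regex_match, regex_replace), fills the %(...)s placeholders of the user block, and collects the group names, and it shows how %(Login)s is substituted into a search filter. The LDAP_RECORD values, the "groups" spelling taken from the example, and the RFC 4515 escaping in render_filter are this example's own assumptions.

```python
import re

# Constructed sample of what the user and group lookups in the example above
# might return (user attributes prefixed "user.", group attributes "group.").
LDAP_RECORD = {
    "user.uid": "jdoe",
    "user.givenName": "Jane",
    "user.sn": "Doe",
    "user.mail": "jane.doe@example.com",
    "group.cn": ["Bilderarchiv", "sec_Kommunikation"],
}

# The environment block of the example above, plus a second groups entry (group.cn).
ENVIRONMENT = {
    "mapping": {
        "u_login": {"attr": "user.uid", "regex_match": "$", "regex_replace": "@LDAP"},
        "g_ldap_prefixed": {"attr": "group.cn", "regex_match": "^", "regex_replace": "ldap."},
    },
    "user": {"login": "%(u_login)s", "displayname": "%(user.givenName)s %(user.sn)s", "email": "%(user.mail)s"},
    "groups": [{"attr": "g_ldap_prefixed"}, {"attr": "group.cn"}],
}

def render_filter(template, login):
    # Fill %(Login)s; filter metacharacters in the login are escaped (RFC 4515)
    # so the entered value is matched literally, never read as filter syntax.
    escaped = "".join(c if c not in "\\*()\x00" else "\\%02x" % ord(c) for c in login)
    return template % {"Login": escaped}

def apply_mapping(record, mapping):
    # One derived value per mapping name: regex_match in attr replaced by regex_replace.
    values = dict(record)
    for name, spec in mapping.items():
        raw = record[spec["attr"]]
        if "regex_match" in spec:
            pattern, repl = re.compile(spec["regex_match"]), spec.get("regex_replace", "")
            raw = [pattern.sub(repl, v) for v in raw] if isinstance(raw, list) else pattern.sub(repl, raw)
        values[name] = raw
    return values

def resolve_user(record, environment):
    # Returns (user fields, group names) as the environment block derives them.
    values = apply_mapping(record, environment["mapping"])
    user = {field: fmt % values for field, fmt in environment["user"].items()}
    groups = []
    for entry in environment.get("groups", []):
        value = values[entry["attr"]]
        groups.extend(value if isinstance(value, list) else [value])
    return user, groups
```

With the constructed record, the login becomes jdoe@LDAP and the groups list contains both the prefixed names (ldap.Bilderarchiv, ...) and the plain common names, which are the strings to use in the group mapping.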

Remarks:

Addressing multiple ldap servers

plugins:
  enabled+:
    - base.ldap

ldap:
  - user:
      protocol: ldap
      server: first.ldap.example.com
      basedn: dc=example,dc=com
      filter: '(&(objectClass=posixAccount)(uid=%(Login)s))'
    group:
      protocol: ldap
      server: first.ldap.example.com
      basedn: dc=example,dc=com
      filter: '(&(memberUid=%(user.uid)s)(objectClass=posixGroup))'
    environment:
      mapping:
        u_login:
          attr: user.uid
          regex_match: '$'
          regex_replace: '@LDAP'
        g_ldap_prefixed:
          attr: group.cn
          regex_match: '^'
          regex_replace: 'ldap.'
      user:
        login: '%(u_login)s'
        displayname: '%(user.givenName)s %(user.sn)s'
        email: '%(user.mail)s'
      groups:
        - attr: g_ldap_prefixed
  - user:
      protocol: ldap
      server: second.ldap.example.com
      basedn: dc=example,dc=com
      filter: '(&(objectClass=posixAccount)(uid=%(Login)s))'
    group:
      protocol: ldap
      server: second.ldap.example.com
      basedn: dc=example,dc=com
      filter: '(&(memberUid=%(user.uid)s)(objectClass=posixGroup))'
    environment:
      mapping:
        u_login:
          attr: user.uid
          regex_match: '$'
          regex_replace: '@LDAP'
        g_ldap_prefixed:
          attr: group.cn
          regex_match: '^'
          regex_replace: 'ldap.'
      user:
        login: '%(u_login)s'
        displayname: '%(user.givenName)s %(user.sn)s'
        email: '%(user.mail)s'
      groups:
        - attr: g_ldap_prefixed

LDAP using bind account

plugins:
  enabled+:
    - base.ldap

ldap:
  - user:
      protocol: ldap
      server: first.ldap.example.com
      basedn: dc=example,dc=com
      filter: '(&(objectClass=posixAccount)(uid=%(Login)s))'
      user: dn=cn=searchonly,ou=people,dc=example,dc=com
      password: binduserpassword
    group:
      protocol: ldap
      server: first.ldap.example.com
      basedn: dc=example,dc=com
      filter: '(&(memberUid=%(user.uid)s)(objectClass=posixGroup))'
      user: dn=cn=searchonly,ou=people,dc=example,dc=com
      password: binduserpassword
    environment:
      mapping:
        u_login:
          attr: user.uid
          regex_match: '$'
          regex_replace: '@LDAP'
        g_ldap_prefixed:
          attr: group.cn
          regex_match: '^'
          regex_replace: 'ldap.'
      user:
        login: '%(u_login)s'
        displayname: '%(user.givenName)s %(user.sn)s'
        email: '%(user.mail)s'
      groups:
        - attr: g_ldap_prefixed
        - attr: group.cn

Secure Connection

To use the ldaps protocol, in other words “SSL encryption”, configure:

      protocol: ldaps

… instead of protocol: ldap in the user and group sections.

You may also need some or all of the following: an ldap.conf for the LDAP client library inside the container, and the certificates it should trust.

An ldap.conf entry that disables verification of the server certificate (the connection is still encrypted, but the server is no longer authenticated):

TLS_REQCERT never

Mounting that ldap.conf into the container:

docker run -d -ti \
[...]
    --volume $DIRECTORY_OUTSIDE_OF_CONTAINER/ldap.conf:/etc/ldap/ldap.conf \
    docker.easydb.de/pf/server-$SOLUTION

Mounting your own CA certificates into the container, so that the server certificate can be verified against them (referenced from ldap.conf via TLS_CACERT) instead of skipping the check with TLS_REQCERT never:

docker run -d -ti \
[...]
    --volume $DIRECTORY_OUTSIDE_OF_CONTAINER/mycerts.pem:/etc/ssl/certs/mycerts.pem \
    docker.easydb.de/pf/server-$SOLUTION