LDAP and AD User Interface Examples

the following examples can be used to set up the ldap active directory and ldap rfc2307bis form example the following form examples are active directory and ldap rfc2307bis active directory const provider config = { name 'openldap', type 'ldap2307bis', host 'ldap example com', port 389, tls false, binddn 'cn=system,dc=example,dc=com', binddnpassword 'password', usersearchbasedn 'ou=people,dc=example,dc=com', usersearchscope 'sub', userfilter '(objectclass=posixaccount)', userattrid 'uidnumber', userattrusername 'uid', userattrfirstname 'givenname', userattrlastname 'sn', groupsearchbasedn 'ou=groups,dc=example,dc=com', groupsearchscope 'sub', groupfilter '(objectclass=posixgroup)', groupattrname 'cn', groupattruser 'dn', groupattrtype 'member' }; ldap rfc2307bis const provider config = { name 'openldap', type 'ldap2307bis', host 'ldap example com', port 389, tls false, binddn 'cn=system,dc=example,dc=com', binddnpassword 'password', usersearchbasedn 'ou=people,dc=example,dc=com', usersearchscope 'sub', userfilter '(objectclass=posixaccount)', userattrid 'uidnumber', userattrusername 'uid', userattrfirstname 'givenname', userattrlastname 'sn', groupsearchbasedn 'ou=groups,dc=example,dc=com', groupsearchscope 'sub', groupfilter '(objectclass=posixgroup)', groupattrname 'cn', groupattruser 'dn', groupattrtype 'member' }; more examples for active directory filter can be found at http //adfilters blogspot com/2015/03/active directory ldap filter querys html field definitions definition description name name of this connector type the connector type only the generic type is currently supported connection these fields are attributes of the server connection host domain name or ip address of the ldap host port the ldap port use tls enable or disable laps protocol for a secure connection tls settings should match the port ldap servers use port 389 for ldap protocol and port 636 for ldaps protocol the connection fails if port 389 is specified and the use tls option is enabled bind dn account used to connect to the ldap server (only requires read and browse permissions) the distinguished name of the account used for accessing ldap server an anonymous connect is used of bind dn is not specified ca certificate chain trusted root certificate chain (only required if private ca is used by the server) the ca certificate chain file is only available if the use tls option is selected the ca certificate chain field can be left blank if the server certificate is issued by a public ca private root certificates can be added to the trusted store using system > certificates in this case, the ca certificate chain field can be left blank bind dn password password for bind dn users these attributes are used to find user accounts in the ldap server user search base dn distinguished name of the entity where search for users starts search scope the search scope is an option sub, one or base indicate the search scope (sub is the default) sub is used to indicate searching of all entries at all levels under and including the specified base dn one is used to indicate searching all entries on level under the base dn this does not include the base dn and any entries under that one level under the base dn base is used to indicate searching only the entry being returned it must meet the search filter criteria user search filter the ldap filter used to identify user accounts attribute for unique user id ldap attribute to uniquely identify a user the typical value is uidnumber for rfc2307 and object guid for ad attribute for username an ldap attribute containing the username for logging in it is usually uid for samaccountname for ad attribute for first name an ldap attribute that contains the first name of the user the default value is givenname attribute for last name an ldap attribute contains the last name of the user the default value is sn groups these attributes are used to find groups in the ldap server user roles are derived from group names for example, administrator is matched against litmus edge user roles group search base dn the distinguished name of the entity where search for group starts group search filter the ldap filter used to identify user groups group name attribute the attribute name containing the group name (usually cn) group membership attribute the attribute name that contains the list of group members (usually member) the most common group membership scheme is when the group object contains multiple member attributes that contain the dn name of the member account however, there is an old rfc2703 standard that uses the reverse mechanism when the user object contains a list of group names the old rfc2703 standard is not supported by the generic connector member value type the type of the member value (values are dnor uid) this attribute is case sensitive test these values are used for testing connectivity userid the userid password the password test failure if the test fails, you should receive a detailed message about the reason for failure here is a list of a few possible failure reasons unable to connect to the server wrong address/dns name or port of the of the ldap host protocol mismatch connecting with tls to the port that doesn't support authentication certificate validation failure missing or invalid rootca user not found indicates broad range of possible problems like invalid search path, invalid filter, or invalid attributes for username or userid user attribute not found when one of the user attributes is either missing or empty group not found if search path, scope, or filter are invalid group attribute not found if any of the group attributes is empty or missing authentication failure if authentication fails, this usually means invalid username or password authorization failure means that returned set of scopes does not match those of the requested role note the save button is only available if the test is successfully completed