LDAP Overview

This section gives an overview of LDAP.

This page discusses:

See Also
OpenLDAP Security Source
Active Directory Security Source
Lotus Domino Security Source
Configure an LDAP Security Source

LDAP-Based Security Source

The LDAP-based security sources, as is the case for all Exalead CloudView security sources, provide two main functions:

  • User authentication.

  • User security tokens computing.

The former is possible only if user login functionality is enabled on the LDAP server. The latter authentication using an LDAP security source is a three-step procedure:

  • User full DN retrieval: First, using the user login, which may be the full DN or any other valid login value, the security source tries to guess the user’s full DN.

  • User identity validation: After the resolution of the user's full DN, the user's password is checked by opening an LDAP connection on the LDAP server. This action uses the user's full DN and the user's supplied password. If the connection is successfully opened, the computed user security tokens are returned.

  • Security tokens computing: In the final step of authentication, the security source computes the security groups that the user belongs to and returns all the user security tokens to the application.

Security Servers

There are many implementations of LDAP. There are, however, several commonly deployed LDAP security servers. For these specific LDAP implementations, there are dedicated security sources in Exalead CloudView. The following is the list supported:

  • OpenLDAP

  • Active Directory (Microsoft windows user/group repository)

  • Domino Directory (Lotus Domino user/group repository)

  • Domino Directory (native)

There is also a generic LDAP security source that is fully configurable, allowing you to configure any LDAP server.

Authentication Method

The LDAP security source primarily supports the following authentication methods:

  • None (anonymous access enabled)

  • Simple

Other values are permitted depending on your configuration and the LDAP implementation. For more details, see Context.SECURITY_AUTHENTICATION on http://docs.oracle.com/javase/jndi/tutorial/ldap/security/auth.html.

Authentication Protocol

The LDAP security source supports the following authentication protocol versions:

  • LDAP v2

  • LDAP v3

Caching Group Information

The groups a user belongs to are using:

  • Group parents attributes: the list of attributes that contain the parents of a given group.

  • Group members attributes: the list of attributes that contain the members of a given group.

  • Person parents attributes: the list of attributes that contain the parents of a given user.

Groups inclusion is the relationship between groups. When groups inclusion is configured in the LDAP server (group-expand=true), it is resolved once and set in the cache, as computation is very costly. It requires full LDAP groups listing. Use the Scheduler process to refresh the cache at an appropriate interval.

To refresh the source cache, click Manage and select MAMI master in the API Console. Under Configuration, select the setSchedulingConfig method and then edit the configuration:

<master:SetSchedulingConfig xmlns:cdesc="exa:com.exalead.mercury.component.config.descriptor" 
xmlns:secs="exa:com.exalead.security.sources.common" xmlns:bee="exa:exa.bee" 
xmlns:master="exa:com.exalead.mercury.mami.master.v10" xmlns:config="exa:exa.bee.config">
<master:SchedulingConfig>
   <master:JobConfigGroup name="refresh_security_group">
      <master:DispatchJobConfig name="refresh_myldap">
         <bee:DispatchMessage messageName="ReloadSecuritySource" serviceName="/mami/master">
            <bee:messageContent>
               <bee:KeyValue value="myldap" key="securitySourceName"/>
            </bee:messageContent>
         </bee:DispatchMessage>
      </master:DispatchJobConfig>
   </master:JobConfigGroup>
   <master:TriggerConfigGroup name="refresh_security_group">
      <master:CronTriggerConfig name="refresh_myldap" startTime="0" endTime="0" jobGroupName="refresh_security_group"
      jobName="refresh_myldap" cronExpression="00 00 01 * * ?"/>
   </master:TriggerConfigGroup>
  </master:SchedulingConfig>
</master:SetSchedulingConfig>

Testing Authentication for a User

For all security sources, the Security Manager allows you to test the authentication for a user. When you configure a LDAP-based security source, you can test the user authentication on the configuration page with the Test button. This allows you to specify a Login and a Password for authentication. If the user is:

  • Authenticated, the Display name and the security Tokens display.
  • Not authenticated, an error message displays.
You can choose whether or not to perform a password check.

Note: Each call performs a new group cache computation and may take a few minutes, depending on the size of the LDAP source.