The following **example** procedure demonstrates how to integrate Ambience with LDAP. Once integrated, you can authenticate LDAP users to Ambience.
The following procedure has been tested using Apache Directory Server. **Adapt the steps to your infrastructure**.
1. In Apache Directory Server, create a partition with ID=elixirbase and Suffix=dc=elixirbase,dc=com.
2. Do not add the entry dc=elixirbase,dc=com yourself, as the LDIF file includes it.
3. Import elixirbase.ldif, which is in the misc directory of the Elixir Ambience build. elixirbase.ldif is now loaded into Apache Directory Server for LDAP queries.
4. Copy run-server.sh to run-ldap.sh and add the JVM option -Delixir.usergroup.factory=com.elixirtech.arch.usergroup.ldap.LDAPUserGroupDomainFactory. Alternatively, you can add the following line to /etc/application.conf, if you prefer:

   elixir.usergroup.factory=com.elixirtech.arch.usergroup.ldap.LDAPUserGroupDomainFactory

5. Run run-ldap.sh. If your LDAP server is running on a different host or port, there will be an error in the log. Navigate to Configuration > module > usergroupdb > ldap and alter the host and port values accordingly.
6. The sample data includes aimi (an administrator): "users":["aimi"]. Log in as aimi with password aimi.
7. Grant SignIn permissions to other users (subject to licence limits). Turn on access for user david, then log off and verify that you can log in as user david (with password david). David is not an admin user (those in group Atlas are admin users), so you will need to log in as user aimi to make further admin changes.
8. As aimi, move the contents of /User/admin/cron into /User/aimi/cron, as otherwise the scheduler will attempt to run the jobs as admin when that user exists in LDAP. You can then delete the default admin and test user folders.

The ldap configuration (Configuration > module > usergroupdb > ldap) contains:

```json
{
  "version": 1,
  "connectionFactory": "com.elixirtech.arch.usergroup.ldap.DefaultLDAPConnectionFactory",
  "cxtFactory": "com.sun.jndi.ldap.LdapCtxFactory",
  "host": "localhost",
  "port": 10389,
  "protocol": "default",
  "method": "simple",
  "user": "uid=admin,ou=system",
  "passwordEncrypted": "8Oz2e9XJ+Grd396E4QK91Q=="
}
```
Edit the host and the port as needed to connect to a different server. The user and password here are the LDAP credentials used to read all users and groups. The remaining three sections (users, groups and adminGroups) are specific to DefaultLDAPConnectionFactory (other custom connector factories may vary). Look at the contents of the sample LDIF to help understand these.
users contains:

```json
{"name":"ou=users,dc=elixirbase,dc=com", "mode":"one-level","returnAttr":"uid", "focus":{"left":"uid"}}
```

This indicates where the user information is stored in LDAP: one level below ou=users,dc=elixirbase,dc=com. The user ID is stored as uid, and you must focus on this attribute to get your set of user names.
groups contains:

```json
{"name":"ou=groups,dc=elixirbase,dc=com", "mode":"one-level","returnAttr":"roleOccupant", "focus":{"left":"cn","right":"uid"}}
```

This is similar to users, but now we want not only the groups but also the users assigned to those groups. In a Map structure this is [Group -> List[User]]. The groups are found one level below ou=groups,dc=elixirbase,dc=com and the users are found in the roleOccupant attributes. Focus your attention on cn (the group name) and uid (the user name). This gives us [cn -> List[uid]] (note the left and right positions).
Finally, adminGroups contains:

```json
{"name":"ou=groups,dc=elixirbase,dc=com","mode":"subtree", "filter":"cn=Atlas","returnAttr":"cn","focus":{"left":"cn"}}
```

This filters all the groups, selecting the one whose name is Atlas and returning the cn of that group. This makes Atlas the admin group, and anyone who is a member of Atlas is considered an administrator.
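To make the semantics of the three query structures concrete, here is an added example that is not Elixir Ambience code and not how DefaultLDAPConnectionFactory is implemented: it reconstructs one-level versus subtree scope, the equality filter, returnAttr and the focus left/right positions from the description above, and runs the users, groups and adminGroups specs from this page against a constructed in-memory directory. The LDIF, the tiny parser and every function name (parse_ldif, in_scope, run_query, is_admin) are assumptions made for this illustration; the real factory queries the server over JNDI rather than reading a file.

```python
# Added illustration, not Elixir Ambience code: one-level/subtree, filter, returnAttr and
# focus left/right semantics are reconstructed from the page's description, and
# SAMPLE_LDIF is constructed sample data, not elixirbase.ldif.
import json
from typing import Dict, List, Optional, Tuple

# Constructed minimal LDIF (objectClass lines omitted). cn=OldStaff sits two levels
# below ou=groups, so a one-level search skips it and a subtree search finds it.
SAMPLE_LDIF = """\
dn: uid=aimi,ou=users,dc=elixirbase,dc=com
uid: aimi

dn: uid=david,ou=users,dc=elixirbase,dc=com
uid: david

dn: cn=Atlas,ou=groups,dc=elixirbase,dc=com
cn: Atlas
roleOccupant: uid=aimi,ou=users,dc=elixirbase,dc=com

dn: cn=Staff,ou=groups,dc=elixirbase,dc=com
cn: Staff
roleOccupant: uid=aimi,ou=users,dc=elixirbase,dc=com
roleOccupant: uid=david,ou=users,dc=elixirbase,dc=com

dn: cn=OldStaff,ou=archive,ou=groups,dc=elixirbase,dc=com
cn: OldStaff
roleOccupant: uid=david,ou=users,dc=elixirbase,dc=com
"""

# The three query specs exactly as they appear in the page's configuration.
USERS_SPEC = json.loads('{"name":"ou=users,dc=elixirbase,dc=com", "mode":"one-level","returnAttr":"uid", "focus":{"left":"uid"}}')
GROUPS_SPEC = json.loads('{"name":"ou=groups,dc=elixirbase,dc=com", "mode":"one-level","returnAttr":"roleOccupant", "focus":{"left":"cn","right":"uid"}}')
ADMIN_SPEC = json.loads('{"name":"ou=groups,dc=elixirbase,dc=com","mode":"subtree", "filter":"cn=Atlas","returnAttr":"cn","focus":{"left":"cn"}}')
Entry = Tuple[str, Dict[str, List[str]]]  # (dn, attribute name -> values)

def parse_ldif(text: str) -> List[Entry]:
    """'attr: value' records separated by blank lines; no base64, folding or escaped commas."""
    entries: List[Entry] = []
    for block in text.strip().split("\n\n"):
        dn, attrs = "", {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)  # multi-valued attributes
        entries.append((dn, attrs))
    return entries

def rdn_value(dn: str, attr: str) -> Optional[str]:
    # Leftmost RDN value when its attribute is `attr`: uid=david,... -> david
    name, _, value = dn.split(",", 1)[0].partition("=")
    return value.strip() if name.strip().lower() == attr.lower() else None

def in_scope(dn: str, base: str, mode: str) -> bool:
    d = [p.strip().lower() for p in dn.split(",")]
    b = [p.strip().lower() for p in base.split(",")]
    if mode == "one-level":  # direct children of the base only
        return d[1:] == b
    if mode == "subtree":    # the base and everything beneath it
        return len(d) >= len(b) and d[-len(b):] == b
    raise ValueError(f"unknown mode {mode!r}")

def matches(attrs: Dict[str, List[str]], filt: Optional[str]) -> bool:
    """Only the simple equality filter the page uses (cn=Atlas), case-insensitive."""
    if not filt:
        return True
    name, _, wanted = filt.partition("=")
    return any(v.lower() == wanted.lower() for v in attrs.get(name.lower(), []))

def run_query(entries: List[Entry], spec: dict) -> Dict[str, List[str]]:
    """{focus.left value -> returnAttr values}; with focus.right set, each returnAttr
    value is treated as a DN and reduced to its `right` RDN value."""
    left, right = spec["focus"]["left"].lower(), spec["focus"].get("right")
    out: Dict[str, List[str]] = {}
    for dn, attrs in entries:
        if not in_scope(dn, spec["name"], spec["mode"]) or not matches(attrs, spec.get("filter")):
            continue
        keys = attrs.get(left)
        if not keys:
            continue
        values = attrs.get(spec["returnAttr"].lower(), [])
        if right:
            values = [v for v in (rdn_value(x, right) for x in values) if v is not None]
        out[keys[0]] = values
    return out

def is_admin(user: str, entries: List[Entry]) -> bool:
    """Admin iff the user is a member of any group named by adminGroups."""
    groups = run_query(entries, GROUPS_SPEC)      # [cn -> List[uid]]
    admins = set(run_query(entries, ADMIN_SPEC))  # {"Atlas"}
    return any(user in groups.get(g, []) for g in admins)

ENTRIES = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    print("users:", sorted(run_query(ENTRIES, USERS_SPEC)))
    print("groups:", run_query(ENTRIES, GROUPS_SPEC))
    print({u: is_admin(u, ENTRIES) for u in sorted(run_query(ENTRIES, USERS_SPEC))})
```

The keys of the users result are the set of user names, the groups result is exactly the [cn -> List[uid]] map the groups section describes, and is_admin applies the adminGroups rule (membership of Atlas), so aimi is an administrator and david is not. Two points worth checking when adapting the real configuration: the bind identity in the sample config is uid=admin,ou=system, Apache Directory Server's built-in directory administrator, whereas the factory only needs read access to the users and groups subtrees, so a dedicated read-only bind account is the least-privilege choice; and "method":"simple" is a simple bind, which sends that account's password in cleartext unless the connection itself is protected by TLS.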
This sample represents a typical layout of users and groups in LDAP. However, some systems follow different structures.
If the particular LDAP cannot be modelled using these three query structures, then a custom LDAP mechanism can be included by altering "connectionFactory":"com.elixirtech.arch.usergroup.ldap.DefaultLDAPConnectionFactory" to point to a custom implementation.
Contact Elixir Professional Services to get your custom implementation developed.