C2. LDAP Authentication


Settings are stored in the auth-ldap.xml configuration file.

General tags of the configuration file:

<enabled/> and <order/> have the same meaning as in the Active Directory authentication settings.

<server/> specifies the LDAP server address.

<user-dn/> defines rules for translating a user name into a DN (Distinguished Name) using DOS-like masks.

In the <user-dn/> tag, the following wildcard characters are allowed:

* replaces a sequence of any characters except . , = @ \ and spaces;

# replaces a sequence of any characters.

<user-dn-expr/> defines rules for translating a user name into a DN using regular expressions.

For example, the same rule written in both variants:

<user-dn user="*@example.com" dn="CN=\1,DC=example,DC=com"/>
<user-dn-expr user="(.*)@example.com" dn="CN=\1,DC=example,DC=com"/>

\1 .. \9 mark the places in the dn template where the values matched by *, # or a parenthesized expression of the user pattern are substituted.

According to this principle, if the user name is specified as login@example.com, after translation the DN is "CN=login,DC=example,DC=com".

<user-dn-extension-enabled/> enables execution of the ldap-user-dn-translate.ds Lua script (from the extensions folder) for translating user names into DNs. The script runs after the user-dn and user-dn-expr rules have been tried and no matching rule was found. The script takes one parameter, the specified user name, and returns either a string containing the DN or nothing. If no matching rule is found and the script is disabled or returns nothing, the specified user name is used as is.
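The following Python model of the translation order described above is an added example; it is not part of the product or of this documentation. It implements the * and # mask wildcards with the character exclusions given for *, the \1 .. \9 substitution, and the fall-through to the extension script and finally to the raw user name. The RULES list and the `extension` callable (which stands in for ldap-user-dn-translate.ds) are constructed for the example; both wildcard runs are assumed to be non-empty, which the page does not state.

```python
import re
from typing import Callable, Optional, Sequence, Tuple

# A rule is (kind, user pattern, dn template); kind is "mask" for <user-dn/>
# and "expr" for <user-dn-expr/>. Rules are tried in the order listed.
Rule = Tuple[str, str, str]

# The two equivalent rules from the page, as constructed sample configuration.
RULES: Sequence[Rule] = [
    ("mask", "*@example.com", r"CN=\1,DC=example,DC=com"),
    ("expr", r"(.*)@example.com", r"CN=\1,DC=example,DC=com"),
]


def mask_to_regex(mask: str) -> "re.Pattern[str]":
    """Turn a DOS-like <user-dn user="..."> mask into a regular expression.

    '*' becomes a capture group for a run of characters other than
    . , = @ backslash and space; '#' becomes a capture group for any run
    of characters; everything else is matched literally. Both runs are
    assumed to be non-empty (an assumption, not stated by the page).
    """
    parts = []
    for ch in mask:
        if ch == "*":
            parts.append(r"([^.,=@\\ ]+)")
        elif ch == "#":
            parts.append(r"(.+)")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def substitute(template: str, groups: Sequence[str]) -> str:
    """Replace \\1 .. \\9 in the dn template with the captured values."""
    def repl(m: "re.Match[str]") -> str:
        idx = int(m.group(1))
        return groups[idx - 1] if idx <= len(groups) else ""
    return re.sub(r"\\([1-9])", repl, template)


def translate(username: str,
              rules: Sequence[Rule] = RULES,
              extension: Optional[Callable[[str], Optional[str]]] = None) -> str:
    """Apply the user-dn / user-dn-expr rules, then the optional extension
    script, then fall back to the user name itself, as the page describes.

    `extension` is a hypothetical callable standing in for
    ldap-user-dn-translate.ds: it gets the user name and returns a DN
    string or None."""
    for kind, pattern, dn_template in rules:
        regex = mask_to_regex(pattern) if kind == "mask" else re.compile(pattern)
        match = regex.fullmatch(username)   # the whole name must match the rule
        if match:
            return substitute(dn_template, match.groups())
    if extension is not None:
        result = extension(username)
        if result:
            return result
    return username


if __name__ == "__main__":
    print(translate("login@example.com"))            # CN=login,DC=example,DC=com
    print(translate("someone@other.org"))            # no rule matches: used as is
    # The '*' wildcard refuses DN separators, so a name carrying a comma falls
    # through the mask rule; the regex rule copies it into the DN verbatim.
    print(translate("a,b@example.com", rules=RULES[:1]))
    print(translate("a,b@example.com", rules=RULES[1:]))
```

The last two calls show why the * wildcard excludes . , = @ \ and spaces: those characters are RDN separators and escape characters in a DN, so a mask rule leaves such a name untranslated, whereas a <user-dn-expr/> rule with (.*) places whatever was captured into the DN unchanged. When you write regex rules, constrain the capture group accordingly.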

The attributes of the LDAP object for the DN obtained by translation, and their possible values, can be defined by tags (the default values are shown):

<!-- DrWebAdmin attribute equivalent (OID 1.3.6.1.4.1.29690.1.3.1) -->
<admin-attribute-name value="DrWebAdmin" true-value="^TRUE$" false-value="^FALSE$"/>

The true-value and false-value parameters take regular expressions as values.

If the administrator attribute values of the object are undefined and the <group-reference-attribute-name value="memberOf"/> tag is set in the configuration file, the value of the memberOf attribute is treated as the list of DNs of the groups that this administrator belongs to, and the required attributes are looked up in these groups in the same way as for Active Directory.
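The following Python model of the attribute evaluation is an added example, not code from the product or this documentation. It applies the default <admin-attribute-name/> tag (true-value and false-value as regular expressions) to a translated DN and, when the object's own value is undefined, consults the DNs listed in memberOf as the page describes. The DIRECTORY snapshot is constructed sample data standing in for LDAP lookups; treating the first group with a defined value as decisive, and treating a still-undefined result as "not an administrator", are assumptions of the example.

```python
import re
from typing import Dict, List, Optional

# The page's default tag:
# <admin-attribute-name value="DrWebAdmin" true-value="^TRUE$" false-value="^FALSE$"/>
ADMIN_ATTRIBUTE = {"name": "DrWebAdmin", "true": r"^TRUE$", "false": r"^FALSE$"}

# <group-reference-attribute-name value="memberOf"/>
GROUP_REFERENCE_ATTRIBUTE = "memberOf"

Entry = Dict[str, List[str]]

# Constructed directory snapshot (sample data, not a real directory):
# DN -> attributes, each attribute multi-valued as in LDAP.
DIRECTORY: Dict[str, Entry] = {
    "CN=alice,DC=example,DC=com": {"DrWebAdmin": ["TRUE"]},
    "CN=bob,DC=example,DC=com": {
        "DrWebAdmin": ["FALSE"],
        "memberOf": ["CN=ESS Admins,OU=Groups,DC=example,DC=com"],
    },
    "CN=carol,DC=example,DC=com": {
        "memberOf": ["CN=Staff,OU=Groups,DC=example,DC=com",
                     "CN=ESS Admins,OU=Groups,DC=example,DC=com"],
    },
    "CN=dave,DC=example,DC=com": {
        "DrWebAdmin": ["true"],   # lower case: ^TRUE$ is case-sensitive
        "memberOf": ["CN=Staff,OU=Groups,DC=example,DC=com"],
    },
    "CN=ESS Admins,OU=Groups,DC=example,DC=com": {"DrWebAdmin": ["TRUE"]},
    "CN=Staff,OU=Groups,DC=example,DC=com": {},
}


def attribute_value(entry: Entry, attr: Dict[str, str]) -> Optional[bool]:
    """True/False when a value matches true-value/false-value; None when the
    attribute is absent or none of its values match (an undefined value)."""
    for value in entry.get(attr["name"], []):
        if re.search(attr["true"], value):
            return True
        if re.search(attr["false"], value):
            return False
    return None


def is_admin(dn: str,
             directory: Dict[str, Entry] = DIRECTORY,
             group_reference: Optional[str] = GROUP_REFERENCE_ATTRIBUTE) -> bool:
    """Decide administrator status for a translated DN.

    The object's own attribute wins when defined. Otherwise, if the
    group-reference tag is set, each DN listed in that attribute is checked
    the same way and the first defined value is used (first-match is an
    assumption of this example). A result that is still undefined is
    treated as not an administrator (also an assumption)."""
    entry = directory.get(dn)
    if entry is None:
        return False
    own = attribute_value(entry, ADMIN_ATTRIBUTE)
    if own is not None:
        return own
    if group_reference is None:
        return False
    for group_dn in entry.get(group_reference, []):
        from_group = attribute_value(directory.get(group_dn, {}), ADMIN_ATTRIBUTE)
        if from_group is not None:
            return from_group
    return False


if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "dave"):
        dn = "CN=%s,DC=example,DC=com" % name
        print(dn, "->", is_admin(dn))
```

Two points worth checking against your own directory: an explicit FALSE on the object blocks group membership from granting access (bob), and the default true-value regex is anchored and case-sensitive, so a value of "true" is undefined rather than true (dave) and falls through to the group lookup.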