Configuration File
Settings are stored in the auth-ldap-rfc4515.conf configuration file.
Configuration files with typical settings are also provided:
•auth-ldap-rfc4515-check-group.conf: configuration file template for external authorization of administrators via LDAP using the simplified scheme, with verification of membership in an Active Directory group.
•auth-ldap-rfc4515-check-group-novar.conf: configuration file template for external authorization of administrators via LDAP using the simplified scheme, with verification of membership in an Active Directory group and using variables.
•auth-ldap-rfc4515-simple-login.conf: configuration file template for external authorization of administrators via LDAP using the simplified scheme.
General tags of the auth-ldap-rfc4515.conf configuration file:
•<server />: LDAP server definition.

| Attribute | Description | Default value |
|---|---|---|
| base-dn | DN of the object entry relative to which the search is performed. | The rootDomainNamingContext attribute value of the Root DSE object |
| cacertfile | Root certificate files (UNIX only). | – |
| host | LDAP server address. | Domain controller for a server running Windows; 127.0.0.1 for a server running a UNIX system-based OS |
| scope | Search scope. Allowed values: sub-tree (the whole sub-tree below the base DN), one-level (direct descendants of the base DN), base (the base DN only). | sub-tree |
| tls | Establish TLS on the connection to LDAP. | no |
| ssl | Use the LDAPS protocol when connecting to LDAP. | no |
•<set />: variables set by an LDAP search.

| Attribute | Description | Default value |
|---|---|---|
| attribute | Name of the attribute whose value is assigned to the variable. Mandatory. | – |
| filter | RFC 4515 LDAP search filter. | – |
| scope | Search scope. Allowed values: sub-tree (the whole sub-tree below the base DN), one-level (direct descendants of the base DN), base (the base DN only). | sub-tree |
| search | DN of the object entry relative to which the search is performed. | If absent, the base-dn of the <server /> tag is used. |
| variable | Variable name. Must start with a letter and contain letters and digits only. Mandatory. | – |

Variables can be used in the values of the add attribute of the <mask /> and <expr /> tags, in the value attribute of the <filter /> tag (written as \varname), and in the search attribute of the <set /> tag. The allowed recursion level in variables is 16.
If the search returns several objects, only the first one is used.
•<mask />: user name templates.

| Attribute | Description |
|---|---|
| add | String added to the search filter using the AND operation, with substitution elements. |
| user | User name mask using the DOS-like meta symbols * and #. Mandatory. |

For example:
<mask user="*@#" add="sAMAccountName=\1" />
<mask user="*\*" add="sAMAccountName=\2" />
\1 and \2 are references to the parts of the user name matched by the meta symbols of the user attribute.
•<expr />: user name templates using regular expressions (the attributes are the same as in <mask />). For example:
<expr user="^(.*)@([^.,=@\s\\]+)$" add="sAMAccountName=\1" />
<expr user="^(.*)\\(.*)" add="sAMAccountName=\2" />
Correspondence between masks and regular expressions:

| Mask | Regular expression |
|---|---|
| * | .* |
| # | [^.,=@\s\\]+ |
•<filter />: LDAP search filter.

| Attribute | Description |
|---|---|
| value | String added to the search filter using the AND operation, with substitution elements. |

Filter concatenation example:
<set variable="admingrp" filter="&(objectclass=group)(cn=ESuite Admin)" attribute="dn" />
<mask user="*\*" add="sAMAccountName=\2" />
<filter value="&(objectClass=user)(memberOf=\admingrp)" />
If admingrp receives the value "CN=ESuite Admins,OU=some name,DC=example,DC=com" from the search, and the user input was domain\user, the resulting filter is
"(&(sAMAccountName=user)(&(objectClass=user)(memberOf=CN=ESuite Admins,OU=some name,DC=example,DC=com)))"
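The mask-to-regex translation, \varname expansion and filter concatenation described above, as an added Python example that is not the product's code or part of this page. It reproduces the page's domain\user case; the RFC 4515 escaping of the user-supplied parts is an assumption of this example, since the page does not state whether the product escapes login input.

```python
import re

# Meta symbol -> regular expression, from the correspondence table above
MASK_TO_REGEX = {"*": ".*", "#": r"[^.,=@\s\\]+"}

def mask_to_regex(mask):
    """Translate a DOS-like <mask user=...> template into the equivalent anchored
    <expr user=...> regular expression, one capture group per meta symbol."""
    parts = ["(%s)" % MASK_TO_REGEX[c] if c in MASK_TO_REGEX else re.escape(c)
             for c in mask]
    return "^" + "".join(parts) + "$"

def escape_filter_value(value):
    """RFC 4515 escaping of a value placed into a filter (assumption: the page does
    not say whether the product escapes login input, so this example does)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def expand_variables(text, variables, max_depth=16):
    """Replace \\varname with the value set by <set />, honouring the page's limit
    of 16 recursion levels. Names start with a letter, then letters and digits."""
    for _ in range(max_depth):
        expanded = re.sub(r"\\([A-Za-z][A-Za-z0-9]*)",
                          lambda m: variables[m.group(1)], text)
        if expanded == text:
            return text
        text = expanded
    raise ValueError("variable recursion deeper than %d levels" % max_depth)

def build_filter(login, mask, add, filter_value, variables):
    """Assemble the final search filter (&(<mask add>)(<filter value>)).
    Returns None when the login does not match the mask."""
    match = re.match(mask_to_regex(mask), login)
    if match is None:
        return None
    # \1, \2 ... in 'add' refer to the mask's capture groups; they come from the
    # user's input, so they are escaped before entering the filter
    mask_part = re.sub(r"\\(\d+)",
                       lambda m: escape_filter_value(match.group(int(m.group(1)))), add)
    # \varname in the <filter /> value refers to directory data set by <set />
    filter_part = expand_variables(filter_value, variables)
    return "(&(%s)(%s))" % (mask_part, filter_part)

if __name__ == "__main__":
    # Constructed input reproducing the page's domain\user example
    found = {"admingrp": "CN=ESuite Admins,OU=some name,DC=example,DC=com"}
    print(build_filter("domain\\user", "*\\*", "sAMAccountName=\\2",
                       "&(objectClass=user)(memberOf=\\admingrp)", found))
```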
Example of Configuring LDAP/AD Authentication
Here is an example of typical settings for authentication using LDAP. The settings are configured in the Control Center, in the Administration → Authentication → LDAP/AD-authentication section (Advanced settings).
Initial parameters of the administrators who must be authenticated:
•domain: dc.test.local
•Active Directory group: DrWeb_Admins
Control Center settings:

| Setting name | Value |
|---|---|
| Server type | Microsoft Active Directory |
| Server address | dc.test.local |
| Login templates of users to be authenticated: Account mask | test\* or *@test.local |
| Login templates of users to be authenticated: Login | \1 |
| Membership of users to be authenticated: Name | DrWeb_Admins |
| Membership of users to be authenticated: Type | group |