
LDAP authentication

The examples below are given for a sample LDAP schema, but they can easily be transposed to other schemas.

Note: This document only applies to version 4.0 and above.

Webapp settings

The changes to be done are:

  • Remove all realm-related settings in WEB-INF/web.xml (security-constraint, login-config and security-role tags)
  • Optionally, also remove the realm definition in META-INF/context.xml
  • Remove the system parameters of any other authentication mechanism if present (e.g. OAUTH2_*, SAML_*, ...)

LDAP settings

The authentication mode in place consists of a bind to the LDAP server with the provided credentials.

Make sure the LDAP server is reachable from the application server (the authentication bind is done server-side).

Application settings

Add the LDAP configuration as a JSON value in the LDAP_AUTH_CONFIG private system parameter.

Example (if you want to use a single-level DN pattern for binding):

{
  "url": "ldap://localhost:389",
  "dnpattern": "uid=[USERNAME],ou=People,dc=simplicite,dc=com"
}

Example 2 (if you want to first search the subtree of a base DN for the DN to use for binding):

{
  "url": "ldap://localhost:389",
  "basedn": "ou=People,dc=simplicite,dc=com",
  "filter": "&(uid=[USERNAME])"
}

After a successful bind to the LDAP server, the user's entry is retrieved from the LDAP server using anonymous access. If authenticated requests are required for this, you need to add both userdn and userpassword to your LDAP_AUTH_CONFIG.

The following default LDAP attributes are used:

  • Email: mail
  • First name: givenName
  • Last name: sn

If you need other attribute mappings, add a mappings object to your LDAP_AUTH_CONFIG:

"mappings": {
  "email": "myCustomLDAPAttributeForEmail",
  "firstname": "myCustomLDAPAttributeForFirstName",
  "lastname": "myCustomLDAPAttributeForLastName"
}
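The following Python sketch is an added illustration, not code from the platform, of how the two LDAP_AUTH_CONFIG variants above resolve a login name into a bind target, and how the default and custom attribute mappings are applied to the entry retrieved after the bind. It takes the two example configurations from this page verbatim; the actual network bind and search are left out, and the LDAP entry is a constructed sample. The page does not state whether or how the platform escapes the value substituted for [USERNAME]; the escaping shown here (RFC 4514 for DN values, RFC 4515 for filter values) is what a safe implementation has to do before a user-controlled name is placed into a DN or a search filter, and is an assumption of this example rather than documented platform behaviour.

```python
import json

# The two example configurations from this page, as a dict each.
PATTERN_CONFIG = json.loads("""{
  "url": "ldap://localhost:389",
  "dnpattern": "uid=[USERNAME],ou=People,dc=simplicite,dc=com"
}""")

SEARCH_CONFIG = json.loads("""{
  "url": "ldap://localhost:389",
  "basedn": "ou=People,dc=simplicite,dc=com",
  "filter": "&(uid=[USERNAME])"
}""")

# Default attribute mappings listed on this page.
DEFAULT_MAPPINGS = {"email": "mail", "firstname": "givenName", "lastname": "sn"}

# RFC 4515: characters that must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# RFC 4514: characters that must be backslash-escaped anywhere in a DN attribute value.
_DN_SPECIALS = set(',+"\\<>;=')


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a user-supplied value for use as an attribute value in a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append(r"\00")
        elif ch in _DN_SPECIALS or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def resolve_bind_target(config: dict, username: str) -> dict:
    """Turn a LDAP_AUTH_CONFIG dict and a login name into what the bind step needs.

    Single-level DN pattern: the escaped username is substituted into the pattern and
    the resulting DN is bound directly. Search mode: the escaped username is substituted
    into the filter, which is then run under basedn to find the DN to bind.
    """
    if "dnpattern" in config:
        binddn = config["dnpattern"].replace("[USERNAME]", escape_dn_value(username))
        return {"mode": "dn", "binddn": binddn}
    if "basedn" in config and "filter" in config:
        flt = config["filter"].replace("[USERNAME]", escape_filter_value(username))
        return {"mode": "search", "basedn": config["basedn"], "filter": flt}
    raise ValueError("LDAP_AUTH_CONFIG needs either dnpattern, or basedn and filter")


def lookup_credentials(config: dict):
    """Credentials for the post-bind entry lookup: None means anonymous access (the default)."""
    if "userdn" in config and "userpassword" in config:
        return config["userdn"], config["userpassword"]
    return None


def map_user_attributes(config: dict, entry: dict) -> dict:
    """Apply default mappings, overridden by any 'mappings' object in the config.

    'entry' is the retrieved LDAP entry as {attribute: [values]}; a missing attribute maps to None.
    """
    mappings = {**DEFAULT_MAPPINGS, **config.get("mappings", {})}
    return {field: (entry.get(attr) or [None])[0] for field, attr in mappings.items()}


# Constructed sample entry, as a directory server would return it for uid=jdoe.
SAMPLE_ENTRY = {"mail": ["jdoe@example.com"], "givenName": ["John"], "sn": ["Doe"]}

if __name__ == "__main__":
    print(resolve_bind_target(PATTERN_CONFIG, "jdoe"))
    print(resolve_bind_target(SEARCH_CONFIG, "j*doe"))  # the wildcard is escaped, not interpreted
    print(map_user_attributes(PATTERN_CONFIG, SAMPLE_ENTRY))
```

Running it shows the two resolution modes side by side and, for a name such as `j*doe`, that the wildcard reaches the filter as `\2a` rather than as a pattern; the mapping helper returns None for any field whose custom attribute is absent from the entry, which is worth checking for before creating or updating the application user.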

Then, if required, you can implement the parseAuth method of GrantHooks to handle the LDAP username (e.g. to map it to an actual application user).