LDAP configuration

Posted: 22 January 2010 in Architecture, Security, Teamsite, Users

To enable LDAP authentication for the teamsite environment, you need to look in the file

conf/roles/user_databases.xml

This file details each ldap server to connect to in order to authenticate users. The root element is iwuser_databases and it contains iwldap elements, one for each ldap directory you would like to use. The iwldap element contains the following sub-elements:

  • server: the IP address or host name of the ldap server
  • port: the port number the ldap server is listening on. This is usually 389.
  • search_key: the teamsite user field that is passed to the ldap server when searches are performed, i.e. the ldap attribute in which the account name is stored. Leave this at uid in most cases.
  • dnBase: the part of the ldap directory that contains the list of users.
  • attr_email: the ldap field that teamsite can use as the email address.
  • attr_display_name: the ldap field that teamsite will use to display user information.

Additional elements are present to connect to the ldap and pass authentication to it:

  • ssl_port: the port to connect to the secure ldap server on
  • CAFile: the path to the certificate authority file.
  • account: the username to connect to the ldap with (for non-anonymous queries)
  • password: the encrypted password to pass along with the username to connect to the ldap.

To retrieve the encrypted version of the password you want to pass, follow this procedure:

IWCLT_PASSWORD="passwordIWantToEncrypt"
export IWCLT_PASSWORD
iwuseradm encrypt-userdatabase-pwd

This outputs a string to the standard output. Copy this as the value of the password element.

The iwldap element also has the following attributes:

  • id: an internally unique identifier for this ldap entry.
  • display_name: what the user administrator sees when querying the ldap, for example in the drop-down list used to select a directory when adding users.
  • os: either “t” or “f”, for true or false respectively. t indicates that a valid os account must also be associated with this ldap entry. f indicates that this ldap contains entries not associated with os accounts.

Users can be synchronised with the ldap automatically (possibly the wrong choice of wording here from iwov!). That means that users get added to the ldap, not to teamsite, and it is the ldap that manages the users on teamsite’s behalf. This is done by adding an attr_sync element. In this case the ldap entry also contains which access is granted to a user in teamsite. The ldap field can contain the values

  • master,
  • tsuser,
  • ccpro,
  • ccstd,
  • ccpro_only,
  • ccstd_only,
  • or a comma-separated combination of the above, provided it makes sense (e.g. master|tsuser, ccpro|ccstd, ccpro_only|ccstd_only).

Which ldap field you use for this information is up to you. All you need to do is reference it in the name attribute of the attr_sync element. If you want to have the users added to teamsite manually with reference to the ldap, simply do not include the attr_sync element.
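As an added example (this is not code from the original post, nor anything shipped with TeamSite), the following Python script parses a constructed conf/roles/user_databases.xml built from the elements and attributes described above and audits each iwldap entry: it reports entries that bind without ssl_port or CAFile (credentials and lookups would travel over cleartext LDAP), an account without an encrypted password, duplicate or missing id attributes, and entries with no attr_sync, and it validates the comma-separated role tokens an attr_sync field may carry. The exact nesting, the use of element text for server/port/dnBase/account/password and of a name attribute on attr_email, attr_display_name and attr_sync are assumptions drawn from the post's wording; the hostnames, DNs and password string in the sample are placeholders.

```python
# Added example, not from the original post or from TeamSite/Interwoven.
# Element nesting and attribute names are assumptions based on the post's
# description of user_databases.xml; verify against a real file.
import xml.etree.ElementTree as ET

# Constructed sample config. Hosts, DNs and the password string are placeholders.
SAMPLE_XML = """<iwuser_databases>
  <iwldap id="corp" display_name="Corporate directory" os="t">
    <server>ldap.example.invalid</server>
    <port>389</port>
    <ssl_port>636</ssl_port>
    <CAFile>/etc/ssl/certs/corp-ca.pem</CAFile>
    <search_key>uid</search_key>
    <dnBase>ou=people,dc=example,dc=invalid</dnBase>
    <attr_email name="mail"/>
    <attr_display_name name="cn"/>
    <account>cn=teamsite-bind,ou=svc,dc=example,dc=invalid</account>
    <password>ENCRYPTED-PASSWORD-PLACEHOLDER</password>
    <attr_sync name="teamsiteRoles"/>
  </iwldap>
  <iwldap id="legacy" display_name="Legacy directory" os="f">
    <server>10.0.0.5</server>
    <port>389</port>
    <search_key>uid</search_key>
    <dnBase>ou=users,dc=legacy,dc=invalid</dnBase>
    <attr_email name="mail"/>
    <attr_display_name name="cn"/>
  </iwldap>
</iwuser_databases>
"""

# Role tokens the post lists for the attr_sync field.
ROLE_TOKENS = {"master", "tsuser", "ccpro", "ccstd", "ccpro_only", "ccstd_only"}


def parse_role_field(value):
    """Split a comma-separated attr_sync value into tokens, rejecting unknown ones."""
    tokens = [t.strip() for t in value.split(",") if t.strip()]
    unknown = [t for t in tokens if t not in ROLE_TOKENS]
    if unknown:
        raise ValueError("unknown TeamSite role token(s): %s" % ", ".join(unknown))
    return tokens


def audit_user_databases(xml_text):
    """Return {entry id: [findings]} for every iwldap entry in the config."""
    root = ET.fromstring(xml_text)
    if root.tag != "iwuser_databases":
        raise ValueError("unexpected root element %r" % root.tag)
    report = {}
    for index, entry in enumerate(root.findall("iwldap")):
        findings = []

        def text(tag):
            return (entry.findtext(tag) or "").strip()

        entry_id = entry.get("id") or "<missing-id-%d>" % index
        if not entry.get("id"):
            findings.append("id attribute missing")
        if entry_id in report:
            findings.append("duplicate id %r" % entry_id)
            entry_id = "%s#%d" % (entry_id, index)
        if entry.get("os") not in ("t", "f"):
            findings.append("os attribute must be t or f")
        if not text("server") or not text("dnBase"):
            findings.append("server or dnBase missing")
        # Without ssl_port the bind and searches go over cleartext LDAP;
        # with ssl_port but no CAFile the server certificate is not verifiable.
        if not text("ssl_port"):
            findings.append("no ssl_port: bind goes over cleartext LDAP on port %s"
                            % (text("port") or "?"))
        elif not text("CAFile"):
            findings.append("ssl_port set but no CAFile: server certificate cannot be verified")
        if text("account") and not text("password"):
            findings.append("account set without an encrypted password element")
        if entry.find("attr_sync") is None:
            findings.append("no attr_sync: users must be added to teamsite manually")
        report[entry_id] = findings
    return report


if __name__ == "__main__":
    for entry_id, findings in audit_user_databases(SAMPLE_XML).items():
        print(entry_id, "->", findings or "ok")
    print(parse_role_field("master,ccpro"))
```

Run it against a real user_databases.xml by replacing SAMPLE_XML with the file contents; the "corp" entry in the sample passes cleanly while "legacy" is flagged for cleartext LDAP and for lacking attr_sync. parse_role_field is the check to apply to the ldap attribute you reference from attr_sync before trusting its value.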