Project Kaiser supports LDAP authentication against one or more LDAP directories. To enable LDAP authentication, an administrator creates an authenticator under Administration / Security / Authenticators.
The authenticator works as follows. If the user enters a login name containing the character '@', e.g. ivan@mycompany, the system looks for an authenticator whose key equals the domain part of the login (mycompany in this example). If such an authenticator is found, it is used to verify the user's password.
If the LDAP server holds more than one directory, an additional authenticator with the key mycompany-sales would allow logins like paul@mycompany-sales.
When an authenticator is created, the system generates text property files that should be configured according to particular needs.
```
host = ldap://localhost:389
onTheFlyCreation = 1
```
If onTheFlyCreation is 1, the user account is created automatically the first time the user logs in to Project Kaiser.
lookupDirectory is the directory that contains the user records:
```
lookupDirectory = ou=People,dc=maxcrc,dc=com
```
Other examples:
```
lookupDirectory = ou=people,o=company
lookupDirectory = CN=users,DC=host,DC=domain,DC=org
lookupDirectory = DC=DepartmentName,DC=OrganizationName,DC=local
```
userFilter is the filter used to find a particular user by login inside the lookup directory:
```
userFilter = uid={0}
```
userDN is a template used to build the user's distinguished name; this DN and the password are passed to the LDAP server for the bind:
```
userDN = uid={0}, ou=People, dc=maxcrc, dc=com
```
Parameters of the form "{n}" may be used in templates:
Parameter | Value | Example, for ivan@maxcrc.com |
---|---|---|
{0} | User id | ivan |
{1} | Password | |
{2} | Domain | maxcrc.com |
{3} | Entire login name | ivan@maxcrc.com |
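A model of the lookup and substitution described above, as an added example (not Project Kaiser's code): it resolves a login of the form user@domain to the authenticator whose key is the domain, builds the {0}..{3} parameters, and expands userFilter and userDN. Escaping of the substituted values (RFC 4515 for the filter, RFC 4514 for the DN) is an assumption of this example; the page does not describe how Project Kaiser treats special characters in the user id.

```python
"""Model of the '@'-login resolution and {n} template expansion described above.
Added example, not Project Kaiser's code. Assumption: filter values are escaped
per RFC 4515 and DN values per RFC 4514; the page does not document this."""

# Constructed authenticator settings keyed by login domain (the authenticator key),
# modelled on the property file shown above.
AUTHENTICATORS = {
    "maxcrc.com": {
        "userFilter": "uid={0}",
        "userDN": "uid={0}, ou=People, dc=maxcrc, dc=com",
    },
}

_FILTER_SPECIAL = "\\*()\x00"
_DN_SPECIAL = '\\,+"<>;='

def escape_filter(value: str) -> str:
    """RFC 4515: filter metacharacters become \\XX hex escapes."""
    return "".join(f"\\{ord(c):02x}" if c in _FILTER_SPECIAL else c for c in value)

def escape_dn(value: str) -> str:
    """RFC 4514: backslash-escape DN metacharacters, a leading '#' or space
    and a trailing space."""
    out = "".join(f"\\{c}" if c in _DN_SPECIAL else c for c in value)
    if value[:1] in ("#", " "):
        out = "\\" + out
    if value.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def resolve(login: str, password: str):
    """Return (authenticator, params) for a login with a known domain, else None.
    params holds {0} user id, {1} password, {2} domain, {3} entire login."""
    user_id, at, domain = login.partition("@")
    if not at:
        return None                       # no '@': LDAP authenticators are not consulted
    auth = AUTHENTICATORS.get(domain)
    if auth is None:
        return None                       # no authenticator whose key is this domain
    return auth, (user_id, password, domain, login)

def expand(template: str, params, escape) -> str:
    """Substitute {0}..{3} into a property template, escaping every value."""
    return template.format(*[escape(p) for p in params])

if __name__ == "__main__":
    auth, params = resolve("ivan@maxcrc.com", "secret")
    print(expand(auth["userFilter"], params, escape_filter))  # uid=ivan
    print(expand(auth["userDN"], params, escape_dn))
```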
This account is used to read the user's email address and display name:
```
accountToReadUserInfo = cn=Manager,dc=maxcrc,dc=com
accountToReadUserInfoPwd = secret
```
If users are allowed to read information about themselves, the user's own credentials can be used instead:
```
accountToReadUserInfo = uid={0}, ou=People, dc=maxcrc, dc=com
accountToReadUserInfoPwd = {1}
```
Project Kaiser reads two attributes, the mail address and the display name:
```
userMailAttr = mail
userDisplayNameAttr = displayName
```