6.x LDAP User Source
Note: This configuration is also valid for 7.x and 8.x or as specifically noted for some features
Note: There are two supported sources: XML User Source, and LDAP User Source.
Provides users and user attributes from LDAP. The following configuration properties are supported. When a user attempts to sign-in to the WAMulator and this source is queried for the user the source first binds using the search-bind-dn and search-bind-pwd. Then a search is made for a cn matching the username submitted from the sign-in page and performing a subtree search beneath the search-base-dn. If the user is found then the WAMulator attempts to bind via the dn of the user and the submitted password. If successful then the attributes specified via attributes are returned and a user with those attributes is created and injected into WAMulator's UserManager for the duration of the session. If attributes is not specified then all available attributes for the user will be used.
|url||Literal text or macro||The ldap URL up to and including host and port such as ldap://ldap-host.domain.net:636. Note that TLS is used for connecting via ldap's SSL extension mechanism unless disable-tls=true is specified. See below. Therefor, the scheme should be ldap not ldaps.|
|search-base-dn||Literal text or macro||The dn of the base of the search beneath which entities will be looked for having a cn equal to the username submitted from the sign-in page.|
|search-bind-dn||Literal text or macro||The dn of the user used to perform the search.|
|search-bind-pwd||Literal text or macro||The password of the search user.|
|disable-tls||Literal text or macro||(Optional) (since V6.2) If set to true then LDAP connections will not leverage the LDAP TLS/SSL extension. Defaults to using TLS.|
|attributes||Literal text or macro||(Optional) A comma separated list of attributes to be injected from LDAP for a user after successful user authentication. If not specified then all available attributes will be injected.|
|aggregation||Literal text or macro||(Optional) Available in 8.0.3+. One of 'MERGE' or 'REPLACE' indicating if user attributes loaded from LDAP should be merged with existing attribute values already had or should replace any that were previously loaded via any user source. Defaults to 'MERGE'.|
An example of setting up an ldap user-sources for a hypothetical LDAP store is shown below.
<?xml version='1.0' encoding='UTF-8'?> <config console-port='auto' proxy-port='auto'> ... other directives ... <user-source type='ldap'> url=ldap://ldap-host.domain.net:636 search-base-dn=ou=people,o=world search-bind-dn=cn=searcher,ou=searchers,ou=world search-bind-pwd=lucky attributes=mail, preferredlang, preferredname, accountnumber, phone </user-source> </config>
Note that multiple <user-source> elements can be declared and each will be searched for a given user at sign-in until a source finds the user independently of whether the user can successfully authenticate or not. Although all three sources load their users into the WAMulator's User Manager, the [[6.x XML User Source |XML user source]] is unique in that it only loads from XML when configuration is injected. It searches for users in WAMulator's User Manager. This has an interesting side effect if combined with the LDAP source following afterward in document order and with no user's defined in the XML of the [[6.x XML User Source |XML user source]]. Upon a user first signing in no user object will be found in the XML source which really looks in the User Manager. So sign-in proceeds to the next user source, the LDAP source. But this source looks first to LDAP and authenticates the user and injecting users as incurred at sign-in. But once injected the user is now in User Manager. So the next time the user signs in their information will be found in the XML source backed by the User Manager and no more calls will be made to load that user. If LDAP finds the user and authenticates them it replaces the user in User Manager every time to ensure that the user information tracks changes in the backing LDAP store. If that behavior is not desired then placing an empty XML user source in front of LDAP will allow users to be loaded once from LDAP and the cached versions used thereafter.
<?xml version='1.0' encoding='UTF-8'?> <config console-port='auto' proxy-port='auto'> ... other directives ... <user-source type='xml'> xml=<users/> </user-source> <user-source type='ldap'> url=ldap://ldap-host.domain.net:636 search-base-dn=ou=people,o=world search-bind-dn=cn=searcher,ou=searchers,ou=world search-bind-pwd=lucky attributes=mail, preferredlang, preferredname, accountnumber, phone </user-source> </config>