LDAP Configuration Guide
LDAP Configuration Guide for OpenID and Active Directory Integration
This guide provides a step-by-step overview to help configure LDAP for syncing users, groups, and roles from Active Directory with OpenID. With this setup, users can authenticate using their Active Directory credentials, and roles will be mapped automatically based on group memberships.
Table of Contents
- Overview
- General Configuration Settings
- Connection and Authentication Settings
- LDAP Searching and Updating
- Group to Role Mapping
- Synchronization Settings
- Testing the Configuration
Overview
Integrating LDAP with OpenID enables seamless authentication and authorization by importing users and roles from Active Directory (AD). The following steps will guide you through setting up a working LDAP configuration:
- Users from Active Directory will log in with their credentials.
- Roles will be automatically assigned based on LDAP group memberships.
- The system will sync users and roles periodically to reflect any changes in AD.
1. General Configuration Settings
Set up the primary configuration for your LDAP provider.
Field | Sample Value | Description |
---|---|---|
UI display name | ldap | Name for identifying this LDAP configuration. |
Vendor | Active Directory | Select Active Directory from the vendor options. |
2. Connection and Authentication Settings
These settings define how OpenID connects and authenticates with your Active Directory server.
Field | Sample Value | Description |
---|---|---|
Connection URL | ldap://192.168.1.100:389 | Scheme, host and port of your AD server. ldap:// on port 389 is cleartext unless StartTLS is enabled; ldaps:// on port 636 is encrypted from the first byte. Prefer the domain controller's DNS name over an IP address so its certificate can be verified. |
Enable StartTLS | Off | Upgrades a plain ldap:// connection to TLS before the bind. Leave this Off only when the URL is ldaps://; otherwise the bind password crosses the network in cleartext. |
Use Truststore SPI | Always | Validates the AD server certificate against the configured truststore. |
Connection pooling | Off | Enable when multiple concurrent requests are expected. |
Connection timeout | (Optional) Leave blank | Timeout for LDAP connections (in milliseconds). |
Bind type | Simple | Simple sends the Bind DN and password inside the bind request, so it must be combined with StartTLS or ldaps://. |
Bind DN | CN=service_user,CN=Users,DC=example,DC=com | The Distinguished Name of the read-only service account used to bind to AD. |
Bind credentials | Password123 | Password of the bind account. The value shown is a placeholder; use a strong secret and keep it out of source control. |
Explanation:
- Connection URL: Use the correct protocol and port: ldap:// on 389 for plain LDAP (combine it with StartTLS), or ldaps:// on 636 for LDAP over TLS. Domain controllers configured to require LDAP signing, which is Microsoft's recommended hardening, reject simple binds over an unencrypted connection, so a cleartext ldap:// setup can fail for that reason alone.
- Bind DN: This is the service account used to query Active Directory. Grant it read access to the users and groups containers and nothing more; it does not need to be a Domain Admin.
- Bind credentials: Use the service account's password. OpenID stores it to bind on every sync, so treat the configuration itself as a secret.
Testing:
- Click Test connection to verify the server connection.
- Use Test authentication to confirm that the bind credentials are valid.
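The two test buttons above (and the same steps in Testing the Configuration below) can be reproduced from a workstation with OpenLDAP's ldapsearch, which makes it easy to separate a network or TLS problem from a bad bind DN. The following Python script is an added example written for this guide, not part of OpenID or of the original page: it classifies how the bind password travels for the sample settings, flags the cleartext case, and builds the ldapsearch command for an anonymous root DSE read (Test connection) and for a bind as the service account (Test authentication). The dictionary keys and the host dc01.example.com are this example's own assumptions.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Connection settings from the table above, as a dict (the keys are this example's own).
SAMPLE_CONNECTION: Dict[str, object] = {
    "connection_url": "ldap://192.168.1.100:389",
    "enable_starttls": False,
    "bind_type": "Simple",
    "bind_dn": "CN=service_user,CN=Users,DC=example,DC=com",
    "bind_credentials": "Password123",   # placeholder from the table, not a real secret
}

# The same settings with encrypted transport and a DNS name (assumed host dc01.example.com).
HARDENED_CONNECTION: Dict[str, object] = {
    **SAMPLE_CONNECTION,
    "connection_url": "ldaps://dc01.example.com:636",
}


def transport_security(connection_url: str, enable_starttls: bool) -> str:
    """Classify how the simple-bind password travels: 'ldaps', 'starttls' or 'cleartext'."""
    scheme = urlsplit(connection_url).scheme.lower()
    if scheme == "ldaps":
        return "ldaps"          # TLS from the first byte, default port 636
    if scheme == "ldap":
        return "starttls" if enable_starttls else "cleartext"
    raise ValueError(f"unsupported scheme in connection URL: {scheme!r}")


def check_connection_settings(cfg: Dict[str, object]) -> List[str]:
    """Return human-readable findings; an empty list means the transport looks sound."""
    findings: List[str] = []
    url = str(cfg["connection_url"])
    mode = transport_security(url, bool(cfg["enable_starttls"]))
    if mode == "cleartext" and str(cfg["bind_type"]).lower() == "simple":
        findings.append(
            "Simple bind over plain ldap:// sends the bind password in cleartext; "
            "use ldaps:// or enable StartTLS"
        )
    host = urlsplit(url).hostname or ""
    if mode != "cleartext" and re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append(
            "TLS endpoint addressed by IP; certificate verification needs that IP "
            "as a SAN, so prefer the domain controller's DNS name"
        )
    return findings


def ldapsearch_argv(cfg: Dict[str, object], test_auth: bool) -> List[str]:
    """Build the OpenLDAP ldapsearch command equivalent to 'Test connection'
    (anonymous root DSE read) or 'Test authentication' (bind as the service account)."""
    argv = ["ldapsearch", "-x", "-H", str(cfg["connection_url"])]
    if transport_security(str(cfg["connection_url"]), bool(cfg["enable_starttls"])) == "starttls":
        argv.append("-ZZ")      # require StartTLS; fail instead of falling back to cleartext
    if test_auth:
        # -w takes the password on the command line (visible in the process list);
        # use -W to be prompted, or -y <file>, when typing this interactively.
        argv += ["-D", str(cfg["bind_dn"]), "-w", str(cfg["bind_credentials"])]
    # A base-scope read of the root DSE works on every AD DC and needs no Users DN.
    argv += ["-b", "", "-s", "base", "(objectClass=*)", "namingContexts"]
    return argv


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONNECTION), ("hardened", HARDENED_CONNECTION)):
        print(name, check_connection_settings(cfg) or ["ok"])
        print("  ", " ".join(ldapsearch_argv(cfg, test_auth=True)))
```

If the anonymous root DSE read succeeds but the authenticated command returns an invalid-credentials error, the network and TLS layers are fine and the problem is the Bind DN or password; if the first command already fails, start with DNS, firewall and certificate trust.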
3. LDAP Searching and Updating
Configure how OpenID will search for users and groups.
Field | Sample Value | Description |
---|---|---|
Edit mode | READ_ONLY | Prevents changes to LDAP data from OpenID. Keep this unless OpenID must write users back to AD. |
Users DN | CN=Users,DC=example,DC=com | Base DN under which users are searched. |
Username LDAP attribute | sAMAccountName | AD attribute that becomes the user's username. |
RDN LDAP attribute | cn | Attribute used as the Relative DN of user entries (cn in AD). |
UUID LDAP attribute | objectGUID | Stable unique identifier for each entry; unlike the DN it survives renames and moves between OUs. |
User object classes | person, organizationalPerson, user | Object classes of the entries to import. |
User LDAP filter | (objectClass=user) | Additional filter, which must be enclosed in parentheses. In AD, computer accounts also carry objectClass=user, so (&(objectCategory=person)(objectClass=user)) is the usual choice when only people should be imported. |
Search scope | Subtree | Searches the entire subtree below the base DN. |
Pagination | Off | Enable for large directories: by default AD returns at most 1000 entries per search (MaxPageSize), and without paging a larger import fails or stops at that limit. |
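The difference between (objectClass=user) and an objectCategory-qualified filter is easiest to see against a few entries. The script below is an added example written for this guide, not code from OpenID or from the original page: it evaluates the filters above against a constructed AD-style directory (an account, a workstation, a mail contact) with a small filter evaluator, and shows the RFC 4515 escaping that a username must receive before it is interpolated into a filter, which is what stops a login name such as `*` from matching every account. The entries, the lookup-filter shape, and the helper names are this example's assumptions.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed AD-style entries (not from a real directory). Attribute names are
# lower-cased because LDAP attribute names are case-insensitive. AD accepts the
# short form objectCategory=person and resolves it to the schema DN; the entries
# store the short form to keep the simulation readable.
SAMPLE_DIRECTORY: List[Dict[str, List[str]]] = [
    {"cn": ["alice"], "samaccountname": ["alice"],
     "objectclass": ["top", "person", "organizationalPerson", "user"],
     "objectcategory": ["person"]},
    {"cn": ["WS01"], "samaccountname": ["WS01$"],           # a domain-joined workstation
     "objectclass": ["top", "person", "organizationalPerson", "user", "computer"],
     "objectcategory": ["computer"]},
    {"cn": ["Vendor Contact"],                              # mail contact, no logon account
     "objectclass": ["top", "person", "organizationalPerson", "contact"],
     "objectcategory": ["person"]},
]

AD_USER_FILTER = "(&(objectCategory=person)(objectClass=user))"


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a filter assertion value, so user input cannot
    inject wildcards or extra clauses."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def user_lookup_filter(username: str) -> str:
    """Filter a server would use to find one AD person by sAMAccountName (assumed shape)."""
    return "(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s))" % ldap_escape(username)


def _parse(s: str, pos: int) -> Tuple[Any, int]:
    """Tiny recursive-descent parser for equality filters and &, |, ! compounds."""
    if s[pos] != "(":
        raise ValueError("expected '(' at %d" % pos)
    pos += 1
    if s[pos] in "&|!":
        op, pos, subs = s[pos], pos + 1, []
        while s[pos] == "(":
            node, pos = _parse(s, pos)
            subs.append(node)
        if s[pos] != ")":
            raise ValueError("expected ')' at %d" % pos)
        return (op, subs), pos + 1
    end = s.index(")", pos)                  # escaped ')' is '\29', so this is safe
    attr, _, value = s[pos:end].partition("=")
    return ("=", attr.strip().lower(), value), end + 1


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _matches(node: Any, entry: Dict[str, List[str]]) -> bool:
    kind = node[0]
    if kind == "=":
        _, attr, value = node
        values = entry.get(attr, [])
        if value == "*":                      # presence test
            return bool(values)
        wanted = _unescape(value).lower()     # AD string matching is case-insensitive
        return any(v.lower() == wanted for v in values)
    if kind == "&":
        return all(_matches(n, entry) for n in node[1])
    if kind == "|":
        return any(_matches(n, entry) for n in node[1])
    return not _matches(node[1][0], entry)    # "!"


def search(directory: List[Dict[str, List[str]]], ldap_filter: str) -> List[str]:
    """Return the cn of every entry matching the filter, sorted."""
    tree, end = _parse(ldap_filter, 0)
    if end != len(ldap_filter):
        raise ValueError("trailing characters in filter")
    return sorted(e["cn"][0] for e in directory if _matches(tree, e))


if __name__ == "__main__":
    print("(objectClass=user):", search(SAMPLE_DIRECTORY, "(objectClass=user)"))
    print("AD person filter:  ", search(SAMPLE_DIRECTORY, AD_USER_FILTER))
    print("lookup of '*':     ", user_lookup_filter("*"), "->",
          search(SAMPLE_DIRECTORY, user_lookup_filter("*")))
```

The bare (objectClass=user) filter imports the workstation account WS01$ alongside alice; the objectCategory-qualified filter imports only alice. The escaped lookup for `*` matches nothing, whereas the same value pasted in unescaped would be a presence test that matches every person.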
4. Group to Role Mapping
This section allows you to map LDAP groups to OpenID roles.
Field | Sample Value | Description |
---|---|---|
Name | LDAP Group to Roles | Name for identifying this mapping. |
Mapper type | group-ldap-mapper | Select the group mapper type. |
LDAP Groups DN | OU=Groups,DC=example,DC=com | Base DN under which groups are searched. |
Group Name LDAP Attribute | cn | Attribute used as the group name. |
Group Object Classes | group | Object class of AD group entries. |
Membership LDAP Attribute | member | Attribute on the group entry that lists its members. In AD this is member, a multi-valued list of DNs; memberOf is the user-side back-link and is not what a by-member-attribute lookup queries. |
Membership Attribute Type | DN | Members are stored as full DNs, as AD does. |
Membership User LDAP Attribute | cn | Only consulted when Membership Attribute Type is UID; ignored when members are stored as DNs. |
Mode | IMPORT | Select IMPORT to bring in groups during sync. |
User Groups Retrieve Strategy | LOAD_GROUPS_BY_MEMBER_ATTRIBUTE | Finds a user's groups by searching for group entries whose Membership LDAP Attribute contains the user's DN. This resolves direct membership only; nested AD groups are not followed. |
Mapped Group Attributes | (Leave Blank) | Optional: additional group attributes to import. |
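The retrieve strategy in the table finds a user's groups by looking for the user's DN inside each group's member attribute, and AD group nesting (a group that is itself a member of another group) is invisible to that lookup. The script below is an added example written for this guide, not OpenID's own code or code from the original page: against a constructed set of AD-style groups it shows the direct lookup, the nested walk you would need if roles depend on group nesting, and the mapping from group DN to role. The group, user and role names are this example's assumptions; confirm whether your server offers a recursive retrieve strategy before relying on nested groups.

```python
from typing import Dict, List, Set

# Constructed AD-style group entries keyed by DN (example data, not a real directory).
# Each value is the group's attribute map; member holds full DNs, as AD stores them.
ALICE = "CN=Alice Smith,CN=Users,DC=example,DC=com"
BOB = "CN=Bob Jones,CN=Users,DC=example,DC=com"
ADMINS = "CN=Admins,OU=Groups,DC=example,DC=com"
OPS_LEADS = "CN=Ops Leads,OU=Groups,DC=example,DC=com"
EVERYONE = "CN=Everyone,OU=Groups,DC=example,DC=com"

SAMPLE_GROUPS: Dict[str, Dict[str, List[str]]] = {
    ADMINS:    {"cn": ["Admins"],    "member": [ALICE, OPS_LEADS]},   # nested: Ops Leads is a member
    OPS_LEADS: {"cn": ["Ops Leads"], "member": [BOB]},
    EVERYONE:  {"cn": ["Everyone"],  "member": [ALICE, BOB]},
}

# Group DN -> role name. Keyed by DN rather than cn so two groups that share a
# cn in different OUs cannot be confused with each other.
GROUP_TO_ROLE: Dict[str, str] = {ADMINS: "admin", OPS_LEADS: "ops", EVERYONE: "user"}


def _norm_dn(dn: str) -> str:
    """DNs compare case-insensitively and ignore whitespace around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def direct_groups(member_dn: str, groups: Dict[str, Dict[str, List[str]]]) -> Set[str]:
    """What a by-member-attribute lookup returns: every group whose member
    attribute (the Membership LDAP Attribute) lists this DN."""
    wanted = _norm_dn(member_dn)
    return {
        dn for dn, attrs in groups.items()
        if any(_norm_dn(m) == wanted for m in attrs.get("member", []))
    }


def transitive_groups(member_dn: str, groups: Dict[str, Dict[str, List[str]]]) -> Set[str]:
    """Follow AD group nesting: groups that contain groups the user is in.
    The found set stops the walk on membership cycles, which AD permits."""
    found: Set[str] = set()
    pending = [member_dn]
    while pending:
        for g in direct_groups(pending.pop(), groups):
            if g not in found:
                found.add(g)
                pending.append(g)
    return found


def roles_for(user_dn: str, groups: Dict[str, Dict[str, List[str]]],
              mapping: Dict[str, str], nested: bool = False) -> Set[str]:
    """Map the user's groups to roles; groups without a mapping grant nothing."""
    member_of = transitive_groups(user_dn, groups) if nested else direct_groups(user_dn, groups)
    return {mapping[g] for g in member_of if g in mapping}


if __name__ == "__main__":
    for who in (ALICE, BOB):
        print(who.split(",")[0],
              "direct:", sorted(roles_for(who, SAMPLE_GROUPS, GROUP_TO_ROLE)),
              "nested:", sorted(roles_for(who, SAMPLE_GROUPS, GROUP_TO_ROLE, nested=True)))
```

Bob is a direct member of Ops Leads and Everyone, so the direct lookup grants him ops and user; only the nested walk also grants admin through Ops Leads being a member of Admins. If your AD relies on that kind of nesting, the direct strategy will silently leave those roles unassigned.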
5. Synchronization Settings
Control how often OpenID synchronizes with LDAP.
Field | Sample Value | Description |
---|---|---|
Import users | On | Enable to import users from LDAP. |
Sync Registrations | On | Writes users registered in OpenID back to LDAP. This needs an Edit mode that allows writes; with READ_ONLY, OpenID cannot create entries in AD, so set it to Off for the configuration shown in this guide. |
Batch size | 100 | Number of records processed per batch. |
Periodic full sync | On | Enable regular full synchronization. |
Full sync period | 10 | Sync interval (in minutes). A full sync walks the whole Users DN each time, so keep the interval generous on large directories. |
Periodic changed users sync | Off | Syncs only entries modified since the last run. It is much cheaper than a full sync, so the usual pattern is to enable it with a short period and run the full sync less often. |
6. Testing the Configuration
Once all the settings are configured, follow these steps to test the setup:
- Test LDAP Connection:
  - Go to Connection Settings and click Test connection.
  - If successful, you should see a confirmation message indicating the connection was established.
- Test Authentication:
  - In the Connection Settings, use the Test authentication button to verify that the bind credentials are correct.
- Sync Users and Groups:
  - Go to the User Federation section in OpenID.
  - Click on Synchronize all users to import users and their group memberships.
  - Ensure the users and groups appear in the Users section of OpenID.
Troubleshooting Tips
- Failed Connection:
  - Ensure the Connection URL is correct and the LDAP server is accessible.
  - Check firewall settings if the server is not reachable.
  - For ldaps:// or StartTLS, confirm that the domain controller's certificate chain is in the truststore and that the URL uses a name the certificate covers.
- Invalid Credentials:
  - Double-check the Bind DN and password. Ensure the service account has the necessary read permissions.
  - If the bind only fails over plain ldap://, the domain controller may require LDAP signing; switch to ldaps:// or enable StartTLS.
- Users Not Imported:
  - Verify the Users DN and LDAP filter settings.
  - Ensure the objectClass matches the types of objects you're trying to import.
  - If the import stops at roughly 1000 users, enable Pagination.
- Groups Not Assigned:
  - Confirm that the Group Name LDAP Attribute and Membership LDAP Attribute are correct (member, not memberOf, for AD groups).
  - Run a full sync to ensure all groups are imported.
By following this guide, you can set up and configure LDAP integration with OpenID for seamless authentication and authorization. This setup will ensure that users and their roles are synchronized and that group memberships are correctly mapped to roles in OpenID.