LDAP Module
Introduction
This module synchronizes users from LDAP sources into the ApiOmat LDAPUser class. This subclass of User can be used to authenticate in an app or via REST, while the authentication itself is performed directly against the LDAP directory.
Configuration
Setting | Description
--- | ---
Server Hostname | Hostname of the LDAP server
Server Port | Port of the LDAP server
Bind DN | User for the bind operation; leave empty for an anonymous bind
Bind DN password | Password of the bind user
Base DN | Root node of the directory
User filter | Filter that selects all users
User ID | Name of the attribute that contains a user's ID
Module of User class (optional) | If you want to inherit from the LDAPUser model, insert your module's name here to sync users into it
User class name (optional) | If you want to inherit from the LDAPUser model, insert your class name here to sync users into it
Backend
The LDAP Module provides an LDAPUser class, which contains all users from your LDAP directory. The usernames of these users can be used to authenticate against your app.
Module setup
Fill in the values that fit your directory. An example would be:

Setting | Example value
--- | ---
Server Hostname | ldap.example.com
Server Port | 389
Bind DN | uid=admin,ou=system
Bind DN password | 123456
Base DN | OU=com,DC=mycompany,DC=local
User filter | (objectCategory=Person)
User ID | uid
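Before the first synchronization it is worth checking that the values above select the intended accounts, and that a username can never alter the lookup filter. The following is an added example, not ApiOmat's own code: it assumes that a per-user lookup combines the configured User filter with the User ID attribute (an assumption about the module, not something the page states), escapes the username per RFC 4515, and builds a matching ldapsearch command line for a manual check.

```python
# Added example, not part of the ApiOmat LDAP module.
# Builds the per-user LDAP lookup filter from the module settings above, with
# RFC 4515 escaping, plus an ldapsearch command line for a manual pre-sync check.
from dataclasses import dataclass


@dataclass(frozen=True)
class LdapModuleConfig:
    """Mirror of the module settings; defaults are the example values from the table."""
    server_hostname: str = "ldap.example.com"
    server_port: int = 389
    bind_dn: str = "uid=admin,ou=system"        # empty string means anonymous bind
    base_dn: str = "OU=com,DC=mycompany,DC=local"
    user_filter: str = "(objectCategory=Person)"
    user_id: str = "uid"


# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it only ever matches literally and cannot change the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_lookup_filter(cfg: LdapModuleConfig, username: str) -> str:
    """Return (&(<User filter>)(<User ID>=<escaped username>)), assumed lookup shape."""
    if not (cfg.user_filter.startswith("(") and cfg.user_filter.endswith(")")):
        raise ValueError("User filter must be a parenthesised LDAP filter")
    # Attribute descriptors are letters, digits and hyphens (OIDs are not handled here).
    if not cfg.user_id or not cfg.user_id.replace("-", "").isalnum():
        raise ValueError("User ID must be a plain attribute name")
    return f"(&{cfg.user_filter}({cfg.user_id}={escape_filter_value(username)}))"


def ldapsearch_command(cfg: LdapModuleConfig, username: str) -> list[str]:
    """argv for an ldapsearch run that mirrors the module lookup; -W prompts for the password."""
    argv = ["ldapsearch", "-x", "-H", f"ldap://{cfg.server_hostname}:{cfg.server_port}"]
    if cfg.bind_dn:                      # empty Bind DN -> anonymous simple bind
        argv += ["-D", cfg.bind_dn, "-W"]
    argv += ["-b", cfg.base_dn, user_lookup_filter(cfg, username), cfg.user_id]
    return argv


if __name__ == "__main__":
    cfg = LdapModuleConfig()
    print(user_lookup_filter(cfg, "alice"))
    print(" ".join(ldapsearch_command(cfg, "alice")))
```

The escaped variant of a hostile username still produces a single equality match, so a bad value can only fail to match rather than widen the search.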
Use
All you need to do is configure the directory and wait for the next synchronization, which runs every hour. You can also start the synchronization manually via the MyModule page in the dashboard or via REST:
curl -v $HOST/modules/ldap/spec/{APPNAME}/sync/$APPNAME -u $USER:$PASSWORD
User Authentication via OAuth2 Tokens
The synchronized users are objects of the class LDAPUser, which inherits from the User class in the Basics module. So you can use the OAuth2 functionality that already exists and, for example, send a request to "YOURHOST/yambas/oauth/token" to receive an access token for the user. For more information about how this works in ApiOmat, see: ApiOmat and OAuth2.
In the case of LDAP, you might want to force the user to authenticate against the LDAP directory again as soon as the access token has expired, instead of allowing them to use the previously received refresh token. To do this, set the value oAuth2RefreshTokenValiditySeconds in yambas.conf to 0. If you generally want refresh tokens to work and only want to disable them for LDAP, you can instead set the refresh token expiry manually in every request when fetching a token.