LDAP Module
Content
Introduction
This module synchronizes users from LDAP sources into ApiOmat LDAPUsers. LDAPUser is a subclass of a User and can be used to authenticate within an application or via REST. The authentication is done directly against the LDAP directory.
Configuration
|
Server Hostname |
Hostname(s) of the LDAP server(s), comma separated |
|
Server Port |
Port(s) of the LDAP server(s), comma separated, defaults to 389 |
|
Bind DN |
User for bind operation, leave empty for anomyous |
|
Bind DN password |
User password for bind operation |
|
Base DN |
Root node of Directory |
|
User filter |
Filter to get all Users |
|
User ID |
LDAP attribute name which contains a user ID, this field will be used for the userName, defaults is set to sAMAccountName |
|
Module of User class (optional) |
If you want to inherit the LDAPUser model, insert your modules name here to sync users to it. |
|
User class name (optional) |
If you want to inherit the LDAPUser model, insert your classname here to sync users to it. |
|
Write user attributes map |
If set to true, all attributes will be written to the "userAttributes" map of the LDAPUser (additionally to the fields that match the attribute names) |
|
Overwrite missing attributes |
If set to true (defaults to false), fields on the class will be set to null, if the related attribute does not exist (or is empty) in LDAP. |
|
Disable auth for the sync |
If set to true (default), no auth checks will be done during user-synchronization. This increases the synchronization speed. |
|
Log all messages async |
If set to true, all messages of the synchronization process will be logged asynchronously. |
Module setup
Fill in the values fitting to your directory. An example would be:
|
Server Hostname |
ldap.example.com |
|
Server Port |
389 |
|
Bind DN |
uid=admin,ou=system |
|
Bind DN password |
123456 |
|
Base DN |
OU=com,DC=mycompany,DC=local |
|
User filter |
(objectCategory=Person) |
|
User ID |
uid |
Custom user class
You can set a custom user class where the LDAP users get synced to. Therefore, you have to create a class that inherits from the LDAPUser in the LDAP module and then set the module name and class name in the module configuration for the properties "Module of User class" and "User class name".
You can add additional attributes that match the attribute names for your entities on the LDAP server. The values of these attributes will automatically get mapped on the synchronized objects. If you only need the attributes that exist on your class and don't want to have all attributes stored in the "userAttributes" attribute of the LDAPUser, you can set the "Write user attributes map" flag to false in your module configuration. This may speed up the synchronization process a bit and saves bandwith when retrieving the users whithin a frontend.
Synchronization
The synchronization process splits up into two parts.
In the first part, all users that exist on the LDAP server will be imported as LDAPUser (or whichever class you've set in your configuration). Users that already exist as the configured class instance will be updated if there are changes on the object. Otherwise the existing ApiOmat Object won't get touched.
In the second part, the existing ApiOmat users of the configured class will get checked whether they still exist on the LDAP server. If they do not exist anymore, they will be deleted from ApiOmat.
If your LDAP server is not available at time of sync, the sync will be aborted and the data on ApiOmat remain unchanged. If there is an error during the creation, update or deletion of a single user (e.g. through an already existing user with the same user name in another class) the error will be logged and the synchronization will proceed with the next user.
If more than one LDAP server is configured, the module tries to connect to each server until it finds a working connection. The first working connection is then used for synchonization. The list of ports are related to the hostnames. If no ports are given, port 389 will always be used. Otherwise, you have to write the ports in the corresponding order of the hostnames. For instance, if you have one ldap server on ldap1.yourcompany.com listening on port 489 and another server ldap2.yourcompany.com on port 589, you have to enter "ldap1.yourcompany.com,ldap2.yourcompany.com" in the hosts configuration and "489,589" in the ports configuration field.
Use
All you have to do is configure the directory and wait until the next synchronization, which is done every hour. You can also manually start the synchronization via the MyModule page in dashboard or via REST:
curl -v $HOST/modules/ldap/spec/$APPNAME/sync/$APPNAME -u $USER:$PASSWORDAfter a successful synchronization, you have to set the LDAPUser class (or if you configured another class for synchronization) as Authentication class in your backend configuration to authenticate to your LDAP server. Please note that we cannot synchronize the passwords of the users. Therefore you have to set the class as authentication class. We will then check the credentials against your LDAP server.
User Authentication via OAuth2 Tokens
The synchronized users are objects of the class LDAPUser, which inherits from the User class in the Basics module. So you can facilitate the OAuth2 functionality that already exists and for example send a request to "YOURHOST/yambas/oauth/token" to receive an access token for the user. For more info about how this works in ApiOmat, see this: ApiOmat and OAuth2.
In the case of LDAP, you might want to force the user to authenticate against the LDAP as soon as the access token is expired, instead of allowing them to use the previously received refresh token. To do this, just change the value yambas.oAuth2TokenValiditySeconds.standard.refresh in the apiomat.yaml to 0, or if you generally want refresh tokens to work and only not for LDAP, you can manually set the refresh token expiry in every request when fetching a token.