Configure LDAP authentication

The Lightweight Directory Access Protocol (LDAP) is a standard protocol for accessing directory services.

Semarchy xDM supports authentication with LDAP directories using LDAP identity providers.

Supported capabilities

With an LDAP identity provider, the authenticating user credentials (username and password) are entered in a login form.

The LDAP identity provider supports three authentication methods, configured using the Authentication Mode property:

  • In Bind mode, xDM:

    1. Authenticates the authenticating user to the LDAP directory.

    2. Queries the directory for the user roles and profile properties using that user’s credentials.

  • In Comparison mode, Semarchy xDM:

    1. Connects to the directory using a Lookup User (Lookup User Name and Lookup User Password).

    2. Searches for a user object corresponding to the authenticating user in the directory, using the configuration provided with the User DN Pattern, User Search Base, User Search Filter, and User Search SubTree properties. In these properties, the username being searched for is marked with the {0} placeholder.

    3. Hashes the password provided by the user with the Password Hashing Algorithm, and compares it to the hashed password stored in the directory under the Password Attribute Name in order to authenticate the user.

    4. Queries the directory for the authenticated user roles and profile properties using the credentials of the Lookup User.

  • In Bind as User mode, xDM:

    1. Authenticates the authenticating user to the LDAP directory.

    2. Queries the directory for the authenticated user roles and profile properties using the credentials of the Lookup User.

After the authentication:

  • The list of roles is retrieved as configured in the Role Search Base, Role Search Filter, and other properties.

  • The profile properties are synchronized from the user object’s attributes. This object is retrieved using the User DN Pattern, User Search Base, User Search Filter, and User Search SubTree properties.

The choice between the Bind, Comparison, and Bind as User modes, as well as the values of the other properties, depends on the type and configuration of your directory.
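The Comparison mode steps above (locate the user object with the {0} placeholder, hash the supplied password with the configured algorithm, compare it to the stored attribute, then collect roles) can be followed end to end against a small in-memory directory. The code below is an added example and is not Semarchy code: it uses a constructed DN-to-attributes dictionary in place of a real LDAP server, a toy search that understands only a single (attribute=value) filter, and hypothetical property values (userpassword and memberuid attribute names, "SHA-256 (Base64)", hex output for algorithms without the (Base64) suffix). It also shows the check a practitioner wants at the point where {0} is substituted: the username is escaped per RFC 4515 so that it is always treated as a literal value inside the filter.

```python
import base64
import hashlib
import hmac
import re


def _sha256_b64(password: str) -> str:
    """Stored-password form for the constructed entries: SHA-256 digest, Base64."""
    return base64.b64encode(hashlib.sha256(password.encode("utf-8")).digest()).decode("ascii")


# Constructed in-memory stand-in for the directory (DN -> attributes); not a real server.
DIRECTORY = {
    "uid=johndoe,ou=users,ou=people,dc=acmecorp,dc=com": {
        "uid": "johndoe", "givenname": "John", "surname": "Doe",
        "department": "Support", "userpassword": _sha256_b64("correct horse"),
    },
    "uid=svc-lookup,ou=people,dc=acmecorp,dc=com": {
        "uid": "svc-lookup", "userpassword": _sha256_b64("lookup-pw"),
    },
    "cn=admin,ou=groups,dc=acmecorp,dc=com": {"cn": "admin", "memberuid": ["johndoe"]},
    "cn=dataSteward,ou=groups,dc=acmecorp,dc=com": {
        "cn": "dataSteward", "memberuid": ["johndoe", "svc-lookup"],
    },
}

# Hypothetical values for the properties named on the page (Comparison mode).
CONFIG = {
    "user_search_base": "ou=people,dc=acmecorp,dc=com",
    "user_search_filter": "(uid={0})",
    "user_search_subtree": True,
    "password_attribute_name": "userpassword",
    "password_hashing_algorithm": "SHA-256 (Base64)",
    "role_search_base": "ou=groups,dc=acmecorp,dc=com",
    "role_search_filter": "(memberuid={0})",
    "role_name_attribute": "cn",
    "role_search_subtree": False,
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the username can never change the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def render_filter(pattern: str, username: str) -> str:
    """Substitute the {0} placeholder with the escaped username."""
    return pattern.replace("{0}", escape_filter_value(username))


def _value_regex(raw: str) -> str:
    # Toy filter-value semantics: "\xx" is a literal character, an unescaped "*" is
    # a wildcard, everything else matches literally (case-insensitively).
    parts, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and re.fullmatch(r"[0-9a-fA-F]{2}", raw[i + 1:i + 3] or ""):
            parts.append(re.escape(chr(int(raw[i + 1:i + 3], 16))))
            i += 3
        else:
            parts.append(".*" if raw[i] == "*" else re.escape(raw[i]))
            i += 1
    return "".join(parts)


def search(base: str, filter_str: str, subtree: bool, directory=DIRECTORY):
    """Toy search under a base DN; honours the SubTree flag (one level vs. whole subtree)."""
    m = re.fullmatch(r"\(([A-Za-z][\w-]*)=(.*)\)", filter_str)
    if m is None or "(" in m.group(2) or ")" in m.group(2):
        raise ValueError("toy search supports only a single (attribute=value) filter")
    attr, pattern = m.group(1).lower(), _value_regex(m.group(2))
    suffix = "," + base.lower()
    hits = []
    for dn, attrs in directory.items():
        if not dn.lower().endswith(suffix):
            continue
        if not subtree and "," in dn[:-len(suffix)]:
            continue  # one-level search: only direct children of the base
        values = attrs.get(attr, [])
        values = values if isinstance(values, list) else [values]
        if any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values):
            hits.append((dn, attrs))
    return hits


def hash_password(password: str, algorithm: str) -> str:
    """Hash with a Java-style algorithm name; "(Base64)" suffix selects Base64 output."""
    name, _, suffix = algorithm.partition(" ")
    digest = hashlib.new(name.replace("-", "").lower(), password.encode("utf-8")).digest()
    # Assumption: without the (Base64) suffix the stored value is the hex digest.
    return base64.b64encode(digest).decode("ascii") if suffix == "(Base64)" else digest.hex()


def authenticate(username: str, password: str, config=CONFIG):
    """Comparison mode: find the user object as the lookup user, then compare hashes."""
    user_filter = render_filter(config["user_search_filter"], username)
    hits = search(config["user_search_base"], user_filter, config["user_search_subtree"])
    if len(hits) != 1:
        return None  # unknown user or ambiguous match: refuse rather than guess
    dn, attrs = hits[0]
    stored = attrs.get(config["password_attribute_name"], "")
    computed = hash_password(password, config["password_hashing_algorithm"])
    if not hmac.compare_digest(stored.encode("ascii"), computed.encode("ascii")):
        return None  # constant-time comparison of the two encoded digests
    role_filter = render_filter(config["role_search_filter"], username)
    roles = [a[config["role_name_attribute"]] for _, a in
             search(config["role_search_base"], role_filter, config["role_search_subtree"])]
    return {"dn": dn, "roles": sorted(roles)}
```

Two details in the example are worth carrying into a real configuration: with User Search SubTree left at its default of false, johndoe (one level below ou=people) is not found at all, and an ambiguous search result is treated as a failed login instead of picking the first entry.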

Using the LDAP identity provider for Active Directory

For Active Directory, preferably use the dedicated Active Directory identity provider.
If you use the LDAP identity provider to connect to Active Directory, the Bind as User Authentication Mode is required.

Configuration

To configure LDAP authentication, follow the steps to configure an identity provider with the LDAP type, using the properties listed in the following table for reference.

Property Definition

Connectivity
The following properties configure the connection and the authentication mode.

Server URL

The connection URL to the LDAP host, including the port (e.g., ldap://ldaphost.mydomain.com:389).

Authentication Mode

The authentication method for a user:

  • Bind mode authenticates the user directly to the LDAP directory and performs queries with that user.

  • Comparison mode connects to the directory using a lookup user and searches for the credentials of the authenticating user.

  • Bind as User mode authenticates the user to the LDAP directory and queries the directory using the lookup user.

Lookup User Name

The username used to connect to and search users in LDAP. This field is available when using the Comparison and Bind as User authentication modes.

Lookup User Password

The password for the lookup user. This field is available when using the Comparison and Bind as User authentication modes.

User Authentication
The following properties are used to locate the authenticated user object in the directory.

User DN Pattern

The pattern for the distinguished name (DN) of the user’s directory entry, with {0} marking where the actual username should be inserted. You can use this property instead of the User Search Base and User Search Filter properties.

User Search Base

The base DN used to search for users with a user search filter. This property is ignored if the User DN Pattern expression is used.

User Search Filter

The filter used to search for users under the user search base, with {0} indicating where the actual username should be inserted. This property is ignored if the User DN Pattern expression is used.

User Search SubTree

A boolean value that defines whether to search for users within the subtree under the user search base or to limit the search to the base level. This property is ignored if the User DN Pattern expression is used.
Default value: false

Password Attribute Name

The attribute within the user object that contains the user’s password, hashed using the specified password hashing algorithm. This field is only available when the authentication mode is set to Comparison.

Password Hashing Algorithm

The hashing algorithm used to encode passwords in the directory. This field is required for the Comparison mode only. For a complete list of supported algorithms, see Standard Java 8 algorithms. Algorithms with the (Base64) suffix apply Base64 encoding in addition to hashing.

Roles
The following properties are used to retrieve the roles of an authenticated user from the directory.

Role Search Base

The base DN from which searches for user roles occur, using the Role Search Filter property.

Role Search Filter

The search filter applied when searching for user roles within the role search base, with {0} marking where the actual username should be inserted.

Using a more restrictive role search filter can significantly improve search performance and reduce login times, especially in environments with a large number of groups.

Role Name Attribute

The attribute in the role object that contains the role name.

Role Search SubTree

A boolean value that defines whether to search for roles within the subtree under the role search base or to limit the search to the base level.
Default value: false

Role Nested Search

A boolean value that defines whether to search for nested roles (i.e., roles within other roles).
Default value: false
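Role Nested Search turns a single role lookup into a walk over group membership, so two properties of that walk matter to an operator: groups that contain each other must not make the lookup loop forever, and each extra level is another round of directory searches (the same cost the Role Search Filter note above is about). The code below is an added example, not Semarchy code, that resolves nested roles with a visited set and a depth cap over a constructed set of group entries; it assumes a schema in which a group's member attribute lists the DNs of users and of other groups, which the page does not specify.

```python
# Constructed group entries (DN -> attributes). "member" holds DNs of users or of
# other groups; this schema is an assumption for the example. The three groups
# deliberately form a cycle: staff is a member of devs, devs of engineering,
# engineering of staff.
USER_DN = "uid=johndoe,ou=users,ou=people,dc=acmecorp,dc=com"
GROUPS = {
    "cn=devs,ou=groups,dc=acmecorp,dc=com": {
        "cn": "devs",
        "member": [USER_DN, "cn=staff,ou=groups,dc=acmecorp,dc=com"],
    },
    "cn=engineering,ou=groups,dc=acmecorp,dc=com": {
        "cn": "engineering",
        "member": ["cn=devs,ou=groups,dc=acmecorp,dc=com"],
    },
    "cn=staff,ou=groups,dc=acmecorp,dc=com": {
        "cn": "staff",
        "member": ["cn=engineering,ou=groups,dc=acmecorp,dc=com"],
    },
    "cn=auditors,ou=groups,dc=acmecorp,dc=com": {
        "cn": "auditors",
        "member": ["uid=someone-else,ou=users,ou=people,dc=acmecorp,dc=com"],
    },
}


def direct_roles(member_dn: str, groups=GROUPS):
    """One search round: groups whose member attribute lists the given DN."""
    wanted = member_dn.lower()
    return [dn for dn, attrs in groups.items()
            if wanted in (m.lower() for m in attrs.get("member", []))]


def resolve_roles(user_dn: str, nested: bool = False, max_depth: int = 10, groups=GROUPS):
    """Role names for a user; with nested=True, also roles reached through other roles.

    Each loop iteration is one level of nesting, i.e. one more round of searches.
    """
    found = {}  # group DN -> role name; also the visited set that stops cycles
    frontier = direct_roles(user_dn, groups)
    depth = 0
    while frontier:
        next_frontier = []
        for group_dn in frontier:
            if group_dn in found:
                continue  # already visited: a cycle or a diamond, not new work
            found[group_dn] = groups[group_dn]["cn"]
            if nested:
                next_frontier.extend(direct_roles(group_dn, groups))
        depth += 1
        if not nested or depth >= max_depth:
            break  # non-nested search stops after the direct groups; depth cap otherwise
        frontier = next_frontier
    return sorted(found.values())


if __name__ == "__main__":
    print("direct:", resolve_roles(USER_DN))
    print("nested:", resolve_roles(USER_DN, nested=True))
```

With Role Nested Search false the user gets only devs; with it true the walk reaches engineering and staff and then stops when it sees devs again. The max_depth argument is the example's own safeguard for very deep hierarchies and is not a property of the identity provider.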

Profile synchronization

With LDAP, each profile property is synchronized from an attribute of the user object.

For example, if the LDAP directory stores the user object as follows:

uid=johndoe,ou=users,ou=people,dc=acmecorp,dc=com
    roles=admin,dataStewart
    givenname=John
    surname=Doe
    department=Support

Setting User DN Pattern to uid={0},ou=users,ou=people,dc=acmecorp,dc=com retrieves the user object, and the following values should be set in the Synchronize From field to synchronize the profile properties from the corresponding user object attributes:

Profile property    Synchronized from
First Name          givenname
Last Name           surname
Department          department