LDAP Configuration
Overview
3Sixty offers both LDAP Authentication and LDAP Sync for standard LDAP Servers as well as Microsoft Active Directory
Setting up LDAP Authentication and Sync
In order to update LDAP properties, look in 3sixty-admin/WEB-INF/classes/ldap_auth.properties
Note: Active Directory authentication has different requirements, found here.
Important: Admin User
When using LDAP or AD for authentication the default admin user will not be available. Be sure to have role mappings configured.
Authentication
| Property | Description | Default |
|---|---|---|
| auth.ldap.url | The full url of your LDAP instance, including domain information | ldap://test.ldap.com:389/dc=auth,dc=myorg,dc=com |
| auth.ldap.user.search.base | The base search name for individuals users | ou=users |
| auth.ldap.user.search.filter | The filter used to find users, based on their login | (uid={0}) |
| auth.ldap.group.search.base | The base search criteria for groups | ou=groups |
| auth.ldap.group.search.filter | The filter used to search for users within a group | (uniquemember={0}) |
Role Mappings
The values can be comma delimited to map multiple groups to a role. Spaces are allowed
Simflofy Admin Roles
| Property | Role |
|---|---|
| auth.ldap.adminGroupName | SIMFLOY_ADMIN |
| auth.ldap.orgAdminGroupName | ORG_ADMIN |
| auth.ldap.managerGroupName | MANAGER |
| auth.ldap.execGroupName | EXECUTOR |
| auth.ldap.monitorGroupName | MONITOR |
| auth.ldap.tsearchOnlyGroupName | TSEARCH |
Discovery Roles
| Property | Role |
|---|---|
| auth.ldap.tsearchAdminGroupName | TSEARCH_ADMIN |
| auth.ldap.tsearchUserGroupName | TSEARCH_USER |
| auth.ldap.rmManagerGroupName | TSEARCH_RM_MANAGER |
| auth.ldap.rmOfficerGroupName | TSEARCH_RM_OFFICER |
| auth.ldap.rmUserGroupName | TSEARCH_RM_USER |
These values will be converted to the format "ROLE_(AUTHORITY)", which is the standard format for an authority.
These values are checked when authenticating to assign a role to a new user.
Ex. auth.ldap.adminGroupName=exampleAdmins will become ROLE_EXAMPLEADMINS
Note: If an authority passed to the user mapper by the LDAP server does not begin with ROLE_, 3Sixty will prepend it. Additionally, all authorities are converted to uppercase.
Examples
Map LDAP group to 3Sixty Administrators
auth.ldap.adminGroupName=exampleAdmins
Map LDAP group to 3Sixty Read-Only Users
auth.ldap.monitorGroupName=exampleUsers
These two properties should reflect the name of the groups in your directory server.
User Attributes
Additionally, you can set what attribute fields are checked to map users from your LDAP. Here are the properties and their defaults.
| Property | Description | Default |
|---|---|---|
|
auth.ldap.attr.uid |
Required. The field that will become the user's login |
uid |
|
auth.ldap.attr.fname |
The user's first name |
displayName |
|
auth.ldap.attr.lname |
The user's last name |
sn |
|
auth.ldap.attr.mail |
The user's email address |
|
Group and User Sync
If you have groups and users you wish to automatically sync to 3Sixty you can use the following configurations. They are set to their default values here
LDAP Sync is executed at start-up and can be manually triggered or individual users or groups.
Note: LDIF REQUIREMENTS
This feature will only work if your LDAP groups contain the keys to their users.
| Property | Description | Default |
|---|---|---|
| auth.ldap.userdn | The distinguished named of the authenticating user. Used if your LDAP requires authentication | |
| auth.ldap.ldappass | The password for the authenticating user, if needed | |
| auth.ldap.map.groups | Map groups as start-up | false |
| auth.ldap.map.users | Map users with their groups. Only occurs if mapping groups. | false |
| auth.ldap.map.group.name.attribute | The name attribute of the ldap group. Will become the name of the user group, with "ldap:" prepended | ou |
| auth.ldap.map.group.member.attribute | The attribute on the group used to denote a member. Will be used to gather user ids. | uniqueMember |
| auth.ldap.map.group.class | The class of object to search for when looking for a group. | organizationalUnit |
| auth.ldap.map.user.class | The class of object to search for when looking for a user | organizationalPerson |
| auth.ldap.map.user.id.attribute | The id attribute for a user, which should represent their login name | uid |
| auth.ldap.map.user.name.attribute | The attribute which represents the full distinguished named of the user, including domain and group. | cn |
| auth.ldap.map.empty | Map groups that have no users. | false |
| auth.ldap.map.exclude | A comma delimited list of group names to skip mapping Ex. (Group1,Group2,...) |
Re-syncing a user
LDAP users are marked as such in the database. In the Admin)Users page you will see the sync icon available next to LDAP users.
Important: Multiple Roles
3Sixty does not support mapping the same groups to different roles and vice versa
Re-syncing a Group
Groups can be re-synced by editing them in the Admin > User Groups page.
Active Directory (3.1.1+)
3Sixty can also use Active Directory for authentication. In order to do so the following fields are required:
| Property | Description | Example Value |
|---|---|---|
| auth.ldap.ad | Let's 3Sixty know it's connecting to Active Directory | true |
| auth.ldap.ad.domain | Your AD Domain | yourdomain.com |
| auth.ldap.url | Your ldap url with port. Do not include any domain information | ldap://somehost:389 |
| auth.ldap.attr.uid | Will become the user's login. The example value is the default field for Active Directory. | sAMAccountName |
| auth.ldap.userdn | Active Directory always requires authentication to connect. Be sure the authenticating user has the authority to search | user@domain |
| auth.ldap.ldappass | The authenticating user's password | mypassword |
Note: The user does not need to supply the @domain during authentication
Active Directory Sync (3.1.1+)
In order to use the sync feature with Active Directory, the following fields must be populated. Their values for the default Active Directory configuration are included.
auth.ldap.map.user.id.attribute=sAMAccountName
auth.ldap.map.user.name.attribute=distinguishedName
auth.ldap.map.user.class=person
auth.ldap.map.groups.name.attribute=cn
auth.ldap.map.groups.member.attribute=member
auth.ldap.map.groups.class=group
LDAP Sync Order of operations
-
Search objectClass = auth.ldap.map.groups.class
-
Return group list by mapping names using auth.ldap.map.groups.name.attribute
Then, for each group name,
-
Check if a user group by that name exists. We add the ldap: prefix for sync groups.
-
Search for the group by name.
-
Extract a list of a members from the group using auth.ldap.map.groups.member.attribute
-
Search the ldap for that user with auth.ldap.map.user.name.attribute
-
Extract that user's uid using the auth.ldap.map.user.id.attribute
-
Add id to list of users
-
If mapping users, search for the user's authorities using their id.
-
Map the user to the 3Sixty database using the mapping attributes above.
-
Set the new user list on the group, and save.
Related Articles: