
Overview

The Active Directory Authentication Provider, the LDAP Authentication Provider, the Active Directory Principal Scanner and the LDAP Principal Scanner are part of the Active Directory Security Module (security-ad). These authentication providers and principal scanners can be configured to use a simple shared configuration bean which contains all configuration required to connect to an Active Directory (AD) server or an LDAP server. By using this shared-configuration approach, you can centralize your AD or LDAP configuration and keep all relevant settings in a single location.


ActiveDirectoryConfig Bean Properties

The ActiveDirectoryConfig bean can be configured as follows:

<project-dir>/conf/bean/activeDirectoryConfig.xml
<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.springframework.org/schema/beans" xmlns:util="http://www.springframework.org/schema/util" xmlns:sec="http://www.springframework.org/schema/security" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <bean name="activeDirectoryConfig" class="com.attivio.securityad.ActiveDirectoryConfig">
    <property name="realmId"           value="ActiveDirectoryRealm"/>
    <property name="url"               value="ldap://hostname"/>
    <property name="bindDn"            value=""/>
    <property name="bindPassword"      value=""/>
    <property name="userSearchBase"    value="DC=attivio,DC=com"/>
    <property name="userSearchFilter"  value=""/>
    <property name="groupSearchBase"   value="DC=attivio,DC=com"/>
    <property name="groupSearchFilter" value=""/>
  </bean>

</beans>

Property            Description
realmId             The realm assigned to all principals ingested from this Active Directory server.
url                 URL for the Active Directory server. See the JNDI Tutorial for syntax.
bindDn              The distinguished name of an Active Directory user (who must have search permission).
bindPassword        Password for the bindDn user. This field can be encrypted using the "aie-exec password" command.
userSearchBase      Organizational Unit (aka folder) on the Active Directory server that contains all user principal objects.
userSearchFilter    Only objects passing this LDAP-syntax filter will be fed as user principals. May be left blank.
groupSearchBase     Organizational Unit (aka folder) on the Active Directory server that contains all group principal objects.
groupSearchFilter   Only objects passing this LDAP-syntax filter will be fed as group principals. May be left blank.
schema              (Optional) A reference to a DirectorySchemaInfo bean defining the Active Directory server's schema.

LdapDirectoryConfig Bean Properties

The LdapDirectoryConfig bean can be configured as follows:

<project-dir>/conf/bean/ldapDirectoryConfig.xml
<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.springframework.org/schema/beans" xmlns:util="http://www.springframework.org/schema/util" xmlns:sec="http://www.springframework.org/schema/security" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <bean name="ldapDirectoryConfig" class="com.attivio.securityad.LdapDirectoryConfig">
    <property name="realmId"           value="LdapDirectoryRealm"/>
    <property name="url"               value="ldap://hostname"/>
    <property name="bindDn"            value=""/>
    <property name="bindPassword"      value=""/>
    <property name="userSearchBase"    value="DC=attivio,DC=com"/>
    <property name="userSearchFilter"  value=""/>
    <property name="groupSearchBase"   value="DC=attivio,DC=com"/>
    <property name="groupSearchFilter" value=""/>
  </bean>
</beans>

Property            Description
realmId             The realm assigned to all principals ingested from this LDAP server.
url                 URL for the LDAP server. See the JNDI Tutorial for syntax.
bindDn              The distinguished name of an LDAP user (who must have search permission).
bindPassword        Password for the bindDn user. This field can be encrypted using the "aie-exec password" command.
userSearchBase      Organizational Unit (aka folder) on the LDAP server that contains all user principal objects.
userSearchFilter    Only objects passing this LDAP-syntax filter will be fed as user principals. May be left blank.
groupSearchBase     Organizational Unit (aka folder) on the LDAP server that contains all group principal objects.
groupSearchFilter   Only objects passing this LDAP-syntax filter will be fed as group principals. May be left blank.
schema              (Optional) A reference to a DirectorySchemaInfo bean defining the LDAP server's schema.

Examples

Active Directory - Basic Configuration

The following example illustrates a simple configuration that binds to the Active Directory server at ldap://corp.example.com with the distinguished name Administrator and the password password, and returns all user and group principals found beneath the DC=example,DC=com path on that server:

<project-dir>/conf/bean/activeDirectoryConfig.xml
<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.springframework.org/schema/beans" xmlns:util="http://www.springframework.org/schema/util" xmlns:sec="http://www.springframework.org/schema/security" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <bean name="activeDirectoryConfig" class="com.attivio.securityad.ActiveDirectoryConfig">
    <property name="realmId"           value="ActiveDirectoryRealm"/>
    <property name="url"               value="ldap://corp.example.com"/>
    <property name="bindDn"            value="Administrator"/>
    <property name="bindPassword"      value="password"/>
    <property name="userSearchBase"    value="DC=example,DC=com"/>
    <property name="userSearchFilter"  value=""/>
    <property name="groupSearchBase"   value="DC=example,DC=com"/>
    <property name="groupSearchFilter" value=""/>
  </bean>

</beans>

Active Directory - Fetch Users by Membership

The following example illustrates how to restrict the user principals to users that are direct or indirect members of the CN=Administrators,DC=example,DC=com group.
The 1.2.840.113556.1.4.1941 matching rule applied to the memberOf attribute is a Microsoft Active Directory specific feature that evaluates membership transitively, so nested (ancestor) groups are resolved as well.

<project-dir>/conf/bean/activeDirectoryConfig.xml
<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.springframework.org/schema/beans" xmlns:util="http://www.springframework.org/schema/util" xmlns:sec="http://www.springframework.org/schema/security" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
  
  <bean name="activeDirectoryConfig" class="com.attivio.securityad.ActiveDirectoryConfig">
    <property name="realmId"           value="ActiveDirectoryRealm"/>
    <property name="url"               value="ldap://corp.example.com"/>
    <property name="bindDn"            value="Administrator"/>
    <property name="bindPassword"      value="Administrator"/>
    <property name="userSearchBase"    value="DC=example,DC=com"/>
    <property name="userSearchFilter"  value="memberOf:1.2.840.113556.1.4.1941:=CN=Administrators,DC=example,DC=com"/>
    <property name="groupSearchBase"   value="DC=example,DC=com"/>
    <property name="groupSearchFilter" value=""/>
  </bean>

</beans>
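As an added example (not part of the Attivio documentation), the following Python builds the membership clause shown above in RFC 4515 filter syntax and escapes the group DN, so a DN that contains parentheses or other filter metacharacters cannot change the structure of the filter. The AND with objectClass is an assumption made here to illustrate the complete filter; the page does not document how the module combines the schema's object class with userSearchFilter.

```python
from typing import Optional

# Added example, not Attivio code. The matching-rule OID from the page's
# userSearchFilter (LDAP_MATCHING_RULE_IN_CHAIN): membership is evaluated
# transitively, so members of nested groups match as well.
IN_CHAIN_RULE = "1.2.840.113556.1.4.1941"

# Characters that RFC 4515 requires to be escaped inside a filter assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe inclusion in an LDAP search filter (RFC 4515, section 3)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def nested_member_filter(group_dn: str, attribute: str = "memberOf") -> str:
    """Return the in-chain clause '(memberOf:1.2.840.113556.1.4.1941:=<group DN>)'.

    Group DNs may legitimately contain '(' or ')'; escaping keeps such a DN
    from being parsed as filter structure.
    """
    return f"({attribute}:{IN_CHAIN_RULE}:={escape_filter_value(group_dn)})"


def user_search_filter(object_class: str, group_dn: Optional[str] = None) -> str:
    """AND the user object class with an optional membership restriction.

    Assumed composition for illustration only: the page does not state how the
    module combines the schema's objectClass with userSearchFilter.
    """
    clauses = [f"(objectClass={escape_filter_value(object_class)})"]
    if group_dn:
        clauses.append(nested_member_filter(group_dn))
    return clauses[0] if len(clauses) == 1 else "(&" + "".join(clauses) + ")"
```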

Active Directory - Custom Schema Configuration

The ActiveDirectoryConfig class uses a DirectorySchemaInfo object to define the names of Active Directory attributes and object classes required for user and group searches. The schema properties, and their values in the default ActiveDirectoryConfig schema, are shown below:

Schema property        Object type   Default value         Usage
sid                    String        "objectSid"           Active Directory user attribute containing the user's SID
username               String        "sAMAccountName"      Active Directory user attribute containing the user's username
objectClass            String        "user"                Active Directory user object class
groupObjectClass       String        "group"               Active Directory group object class
groupMembershipAddr    String        "member"              Active Directory group attribute containing the group's member information
groupNameAddr          String        "cn"                  Active Directory group attribute containing the group's name
groupDisplayNameAddr   String        "name"                Active Directory group attribute containing the group's display name

To override these default values, you can define a DirectorySchemaInfo bean in your AIE project and then reference that bean using the schema property in your ActiveDirectoryConfig bean configuration.

For example, if your Active Directory schema assigns a myCustomUser object class to all user entries (instead of the default user object class), you can define a custom DirectorySchemaInfo bean in your project's <project-dir>/conf/bean sub-directory:

<project-dir>/conf/bean/activeDirectoryCustomDirectorySchema.xml
<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.springframework.org/schema/beans" xmlns:util="http://www.springframework.org/schema/util" xmlns:sec="http://www.springframework.org/schema/security" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <bean name="activeDirectoryCustomDirectorySchema" class="com.attivio.securityad.AbstractDirectoryConfig.DirectorySchemaInfo">
    <constructor-arg type="java.lang.String" index="0" value="objectSid"/>
    <constructor-arg type="java.lang.String" index="1" value="sAMAccountName"/>
    <constructor-arg type="java.lang.String" index="2" value="myCustomUser"/> <!-- modified from default "user" -->
    <constructor-arg type="java.lang.String" index="3" value="group"/>
    <constructor-arg type="java.lang.String" index="4" value="member"/>
    <constructor-arg type="java.lang.String" index="5" value="cn"/>
    <constructor-arg type="java.lang.String" index="6" value="name"/>
  </bean>

</beans>

Then reference this DirectorySchemaInfo bean via a schema property added to your ActiveDirectoryConfig bean:

<project-dir>/conf/bean/activeDirectoryConfig.xml
<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.springframework.org/schema/beans" xmlns:util="http://www.springframework.org/schema/util" xmlns:sec="http://www.springframework.org/schema/security" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <bean id="activeDirectoryConfig" class="com.attivio.securityad.ActiveDirectoryConfig">
    <property name="realmId" value="MYREALM"/>
    <property name="url" value="ldap://foo.example.com:389"/>
    <property name="bindDn" value="MYREALM\Administrator"/>
    <property name="bindPassword" value="p@ssw0rd"/>
    <property name="userSearchBase" value="DC=example,DC=com"/>
    <property name="userSearchFilter" value=""/>
    <property name="groupSearchBase" value="DC=example,DC=com"/>
    <property name="groupSearchFilter" value=""/>
    <property name="schema" ref="activeDirectoryCustomDirectorySchema"/>
  </bean>

</beans>

This customized schema enables components that use this Active Directory configuration bean to select user entries by your custom object class (myCustomUser) instead of the default user object class when retrieving objects to feed as user or group principals.

LDAP - Custom Schema Configuration

The LdapDirectoryConfig class uses a DirectorySchemaInfo object to define the names of LDAP attributes and object classes required for user and group searches. The schema properties, and their values in the default LdapDirectoryConfig schema, are shown below:

Schema property        Object type   Default value         Usage
sid                    String        "uid"                 LDAP user attribute containing the user's ID
username               String        "cn"                  LDAP user attribute containing the user's username
objectClass            String        "person"              LDAP user object class
groupObjectClass       String        "groupOfUniqueNames"  LDAP group object class
groupMembershipAddr    String        "uniqueMember"        LDAP group attribute containing the group's member information
groupNameAddr          String        "cn"                  LDAP group attribute containing the group's name
groupDisplayNameAddr   String        "cn"                  LDAP group attribute containing the group's display name

To override these default values, you can define a DirectorySchemaInfo bean in your AIE project and then reference that bean using the schema property in your LdapDirectoryConfig bean configuration.

For example, if your LDAP schema stores SIDs (user/group IDs) in an attribute named sid rather than uid, you can define a custom DirectorySchemaInfo bean in your project's <project-dir>/conf/bean sub-directory:

<project-dir>/conf/bean/ldapCustomDirectorySchema.xml
<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.springframework.org/schema/beans" xmlns:util="http://www.springframework.org/schema/util" xmlns:sec="http://www.springframework.org/schema/security" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
  <bean name="ldapCustomDirectorySchema" class="com.attivio.securityad.AbstractDirectoryConfig.DirectorySchemaInfo">
    <constructor-arg type="java.lang.String" index="0" value="sid"/> <!-- modified from default "uid" -->
    <constructor-arg type="java.lang.String" index="1" value="cn"/>
    <constructor-arg type="java.lang.String" index="2" value="person"/>
    <constructor-arg type="java.lang.String" index="3" value="groupOfUniqueNames"/>
    <constructor-arg type="java.lang.String" index="4" value="uniqueMember"/>
    <constructor-arg type="java.lang.String" index="5" value="cn"/>
    <constructor-arg type="java.lang.String" index="6" value="cn"/>
  </bean>
</beans>

Then reference this DirectorySchemaInfo bean via a schema property added to your LdapDirectoryConfig bean:

<project-dir>/conf/bean/ldapDirectoryConfig.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.springframework.org/schema/beans" xmlns:util="http://www.springframework.org/schema/util" xmlns:sec="http://www.springframework.org/schema/security" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.1.xsd">
  <bean name="ldapDirectoryConfig" class="com.attivio.securityad.LdapDirectoryConfig">
    <property name="realmId" value="LDAPRealm"/>
    <property name="url" value="ldap://ldapserver.example.com:389"/>
    <property name="bindDn" value="cn=ldapadmin,dc=example,dc=com"/>
    <property name="bindPassword" value="ldapadminpassword"/>
    <property name="userSearchBase" value="ou=people,dc=example,dc=com"/>
    <property name="userSearchFilter" value=""/>
    <property name="groupSearchBase" value="ou=groups,dc=example,dc=com"/>
    <property name="groupSearchFilter" value=""/>
    <property name="schema" ref="ldapCustomDirectorySchema"/>
  </bean>
</beans>

This customized schema enables components which use this LDAP configuration bean to retrieve the value of your custom SID attribute (instead of that of the uid attribute) when retrieving objects to feed as user or group principals.
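Because DirectorySchemaInfo is configured positionally, it is easy to misplace an attribute name. The following Python (added here, not Attivio's code) resolves the schema bean that a config bean references the way Spring would, by constructor-arg index, and reports which properties differ from the LdapDirectoryConfig defaults; it applies equally to the ActiveDirectoryConfig custom schema above. The embedded XML is a constructed, condensed copy of the page's two LDAP bean files.

```python
import xml.etree.ElementTree as ET

NS = {"b": "http://www.springframework.org/schema/beans"}
# Positional order of the DirectorySchemaInfo constructor arguments, as documented.
SCHEMA_FIELDS = ("sid", "username", "objectClass", "groupObjectClass",
                 "groupMembershipAddr", "groupNameAddr", "groupDisplayNameAddr")
# Default LdapDirectoryConfig schema from the table above.
LDAP_DEFAULTS = dict(zip(SCHEMA_FIELDS,
    ("uid", "cn", "person", "groupOfUniqueNames", "uniqueMember", "cn", "cn")))
# Constructed sample: the page's two LDAP bean files merged into one document.
# The index 0 and index 1 arguments are deliberately out of document order.
SAMPLE_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean name="ldapCustomDirectorySchema" class="com.attivio.securityad.AbstractDirectoryConfig.DirectorySchemaInfo">
    <constructor-arg type="java.lang.String" index="1" value="cn"/>
    <constructor-arg type="java.lang.String" index="0" value="sid"/>
    <constructor-arg type="java.lang.String" index="2" value="person"/>
    <constructor-arg type="java.lang.String" index="3" value="groupOfUniqueNames"/>
    <constructor-arg type="java.lang.String" index="4" value="uniqueMember"/>
    <constructor-arg type="java.lang.String" index="5" value="cn"/>
    <constructor-arg type="java.lang.String" index="6" value="cn"/>
  </bean>
  <bean name="ldapDirectoryConfig" class="com.attivio.securityad.LdapDirectoryConfig">
    <property name="realmId" value="LDAPRealm"/>
    <property name="schema" ref="ldapCustomDirectorySchema"/>
  </bean>
</beans>"""


def beans_by_name(root):
    """Index every <bean> by its name (or id) attribute."""
    return {b.get("name") or b.get("id"): b for b in root.findall("b:bean", NS)}


def resolve_schema(xml_text, config_bean):
    """Return {schema property: attribute name} for the DirectorySchemaInfo bean
    referenced by config_bean, or None when the optional schema property is absent."""
    beans = beans_by_name(ET.fromstring(xml_text))
    props = beans[config_bean].findall("b:property", NS)
    ref = next((p.get("ref") for p in props if p.get("name") == "schema"), None)
    if ref is None:
        return None
    args = beans[ref].findall("b:constructor-arg", NS)
    # Spring binds positional arguments by their index attribute, not document order.
    ordered = sorted(args, key=lambda a: int(a.get("index")))
    if len(ordered) != len(SCHEMA_FIELDS):
        raise ValueError(f"{ref}: expected {len(SCHEMA_FIELDS)} constructor-args, got {len(ordered)}")
    return dict(zip(SCHEMA_FIELDS, (a.get("value") for a in ordered)))


def overrides(schema, defaults=LDAP_DEFAULTS):
    """Return only the properties that differ from the defaults: {name: (default, custom)}."""
    return {k: (defaults[k], v) for k, v in schema.items() if v != defaults[k]}
```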
