Overview
The Active Directory Authentication Provider, the LDAP Authentication Provider, the Active Directory Principal Scanner and the LDAP Principal Scanner are part of the Active Directory Security Module (security-ad). These authentication providers and principal scanners can be configured to use a simple shared configuration bean which contains all configuration required to connect to an Active Directory (AD) server or an LDAP server. By using this shared-configuration approach, you can centralize your AD or LDAP configuration and keep all relevant settings in a single location.
ActiveDirectoryConfig Bean Properties
The ActiveDirectoryConfig bean can be configured as follows:
```xml
<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns="http://www.springframework.org/schema/beans"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
  <bean name="activeDirectoryConfig" class="com.attivio.securityad.ActiveDirectoryConfig">
    <property name="realmId" value="ActiveDirectoryRealm"/>
    <property name="url" value="ldap://hostname"/>
    <property name="bindDn" value=""/>
    <property name="bindPassword" value=""/>
    <property name="userSearchBase" value="DC=attivio,DC=com"/>
    <property name="userSearchFilter" value=""/>
    <property name="groupSearchBase" value="DC=attivio,DC=com"/>
    <property name="groupSearchFilter" value=""/>
  </bean>
</beans>
```
Property | Description |
---|---|
realmId | The realm assigned to all principals ingested from this Active Directory server. |
url | URL for the Active Directory server. See the JNDI Tutorial for syntax. |
bindDn | The distinguished name of an Active Directory user (who must have search permission). |
bindPassword | Password for the bindDn user. This field can be encrypted using the "aie-exec password" command. |
userSearchBase | Organizational Unit (aka folder) on the Active Directory server that contains all user principal objects. |
userSearchFilter | Only objects passing this LDAP-syntax filter will be fed as user principals. May be left blank. |
groupSearchBase | Organizational Unit (aka folder) on the Active Directory server that contains all group principal objects. |
groupSearchFilter | Only objects passing this LDAP-syntax filter will be fed as group principals. May be left blank. |
schema | (Optional) A reference to a DirectorySchemaInfo bean defining the Active Directory server's schema. |
LdapDirectoryConfig Bean Properties
The LdapDirectoryConfig bean can be configured as follows:
```xml
<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns="http://www.springframework.org/schema/beans"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
  <bean name="ldapDirectoryConfig" class="com.attivio.securityad.LdapDirectoryConfig">
    <property name="realmId" value="LdapDirectoryRealm"/>
    <property name="url" value="ldap://hostname"/>
    <property name="bindDn" value=""/>
    <property name="bindPassword" value=""/>
    <property name="userSearchBase" value="DC=attivio,DC=com"/>
    <property name="userSearchFilter" value=""/>
    <property name="groupSearchBase" value="DC=attivio,DC=com"/>
    <property name="groupSearchFilter" value=""/>
  </bean>
</beans>
```
Property | Description |
---|---|
realmId | The realm assigned to all principals ingested from this LDAP server. |
url | URL for the LDAP server. See the JNDI Tutorial for syntax. |
bindDn | The distinguished name of an LDAP user (who must have search permission). |
bindPassword | Password for the bindDn user. This field can be encrypted using the "aie-exec password" command. |
userSearchBase | Organizational Unit (aka folder) on the LDAP server that contains all user principal objects. |
userSearchFilter | Only objects passing this LDAP-syntax filter will be fed as user principals. May be left blank. |
groupSearchBase | Organizational Unit (aka folder) on the LDAP server that contains all group principal objects. |
groupSearchFilter | Only objects passing this LDAP-syntax filter will be fed as group principals. May be left blank. |
schema | (Optional) A reference to a DirectorySchemaInfo bean defining the LDAP server's schema. |
Examples
Active Directory - Basic Configuration
The following example illustrates a simple configuration which uses the distinguished name `Administrator` and the password `password` to bind to the Active Directory server at `ldap://corp.example.com`, and which should return all user and group principals found beneath the `DC=example,DC=com` path on that server:
```xml
<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns="http://www.springframework.org/schema/beans"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
  <bean name="activeDirectoryConfig" class="com.attivio.securityad.ActiveDirectoryConfig">
    <property name="realmId" value="ActiveDirectoryRealm"/>
    <property name="url" value="ldap://corp.example.com"/>
    <property name="bindDn" value="Administrator"/>
    <property name="bindPassword" value="password"/>
    <property name="userSearchBase" value="DC=example,DC=com"/>
    <property name="userSearchFilter" value=""/>
    <property name="groupSearchBase" value="DC=example,DC=com"/>
    <property name="groupSearchFilter" value=""/>
  </bean>
</beans>
```
Active Directory - Fetch Users by Membership
The following example illustrates how to restrict the fed users to those that are a direct or indirect member of the `CN=Administrators,DC=example,DC=com` group. The `memberOf:1.2.840.113556.1.4.1941:` syntax is a Microsoft AD specific extensible match (the LDAP_MATCHING_RULE_IN_CHAIN matching rule) which walks the whole chain of group membership, so a user is matched even when the group it belongs to is itself only a nested member of Administrators:
```xml
<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns="http://www.springframework.org/schema/beans"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
  <bean name="activeDirectoryConfig" class="com.attivio.securityad.ActiveDirectoryConfig">
    <property name="realmId" value="ActiveDirectoryRealm"/>
    <property name="url" value="ldap://corp.example.com"/>
    <property name="bindDn" value="Administrator"/>
    <property name="bindPassword" value="Administrator"/>
    <property name="userSearchBase" value="DC=example,DC=com"/>
    <property name="userSearchFilter" value="memberOf:1.2.840.113556.1.4.1941:=CN=Administrators,DC=example,DC=com"/>
    <property name="groupSearchBase" value="DC=example,DC=com"/>
    <property name="groupSearchFilter" value=""/>
  </bean>
</beans>
```
Active Directory - Custom Schema Configuration
The ActiveDirectoryConfig class uses a DirectorySchemaInfo object to define the names of Active Directory attributes and object classes required for user and group searches. The schema properties, and their values in the default ActiveDirectoryConfig schema, are shown below:
Schema property | Object type | Default value | Usage |
---|---|---|---|
sid | String | "objectSid" | Active Directory user attribute containing user's SID |
username | String | "sAMAccountName" | Active Directory user attribute containing user's username |
objectClass | String | "user" | Active Directory user object class |
groupObjectClass | String | "group" | Active Directory group object class |
groupMembershipAddr | String | "member" | Active Directory group attribute containing group's member information |
groupNameAddr | String | "cn" | Active Directory group attribute containing group's name |
groupDisplayNameAddr | String | "name" | Active Directory group attribute containing group's display name |
To override these default values, you can define a DirectorySchemaInfo bean in your AIE project and then reference that bean using the `schema` property in your ActiveDirectoryConfig bean configuration.
For example, if your Active Directory schema assigns a `myCustomUser` object class to all user entries (instead of the default `user` object class), you can define a custom DirectorySchemaInfo bean in your project's `<project-dir>/conf/bean` sub-directory:
```xml
<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns="http://www.springframework.org/schema/beans"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
  <bean name="activeDirectoryCustomDirectorySchema" class="com.attivio.securityad.AbstractDirectoryConfig.DirectorySchemaInfo">
    <constructor-arg type="java.lang.String" index="0" value="objectSid"/>
    <constructor-arg type="java.lang.String" index="1" value="sAMAccountName"/>
    <constructor-arg type="java.lang.String" index="2" value="myCustomUser"/> <!-- modified from default "user" -->
    <constructor-arg type="java.lang.String" index="3" value="group"/>
    <constructor-arg type="java.lang.String" index="4" value="member"/>
    <constructor-arg type="java.lang.String" index="5" value="cn"/>
    <constructor-arg type="java.lang.String" index="6" value="name"/>
  </bean>
</beans>
```
Then reference this DirectorySchemaInfo bean via a `schema` property added to your ActiveDirectoryConfig bean:
```xml
<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns="http://www.springframework.org/schema/beans"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
  <!-- class package corrected to com.attivio.securityad, as used by every other bean on this page -->
  <bean id="activeDirectoryConfig" class="com.attivio.securityad.ActiveDirectoryConfig">
    <property name="realmId" value="MYREALM"/>
    <property name="url" value="ldap://foo.example.com:389"/>
    <property name="bindDn" value="MYREALM\Administrator"/>
    <property name="bindPassword" value="p@ssw0rd"/>
    <property name="userSearchBase" value="DC=example,DC=com"/>
    <property name="userSearchFilter" value=""/>
    <property name="groupSearchBase" value="DC=example,DC=com"/>
    <property name="groupSearchFilter" value=""/>
    <property name="schema" ref="activeDirectoryCustomDirectorySchema"/>
  </bean>
</beans>
```
This customized schema causes components which use this Active Directory configuration bean to look for entries of your custom `myCustomUser` object class (instead of the default `user` object class) when retrieving objects to feed as user principals.
LDAP - Custom Schema Configuration
The LdapDirectoryConfig class uses a DirectorySchemaInfo object to define the names of LDAP attributes and object classes required for user and group searches. The schema properties, and their values in the default LdapDirectoryConfig schema, are shown below:
Schema property | Object type | Default value | Usage |
---|---|---|---|
sid | String | "uid" | LDAP user attribute containing user's ID |
username | String | "cn" | LDAP user attribute containing user's username |
objectClass | String | "person" | LDAP user object class |
groupObjectClass | String | "groupOfUniqueNames" | LDAP group object class |
groupMembershipAddr | String | "uniqueMember" | LDAP group attribute containing group's member information |
groupNameAddr | String | "cn" | LDAP group attribute containing group's name |
groupDisplayNameAddr | String | "cn" | LDAP group attribute containing group's display name |
To override these default values, you can define a DirectorySchemaInfo bean in your AIE project and then reference that bean using the `schema` property in your LdapDirectoryConfig bean configuration.
For example, if your LDAP schema stores SIDs (user/group IDs) in an attribute named `sid` rather than `uid`, you can define a custom DirectorySchemaInfo bean in your project's `<project-dir>/conf/bean` sub-directory:
```xml
<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns="http://www.springframework.org/schema/beans"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
  <bean name="ldapCustomDirectorySchema" class="com.attivio.securityad.AbstractDirectoryConfig.DirectorySchemaInfo">
    <constructor-arg type="java.lang.String" index="0" value="sid"/> <!-- modified from default "uid" -->
    <constructor-arg type="java.lang.String" index="1" value="cn"/>
    <constructor-arg type="java.lang.String" index="2" value="person"/>
    <constructor-arg type="java.lang.String" index="3" value="groupOfUniqueNames"/>
    <constructor-arg type="java.lang.String" index="4" value="uniqueMember"/>
    <constructor-arg type="java.lang.String" index="5" value="cn"/>
    <constructor-arg type="java.lang.String" index="6" value="cn"/>
  </bean>
</beans>
```
Then reference this DirectorySchemaInfo bean via a `schema` property added to your LdapDirectoryConfig bean:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns="http://www.springframework.org/schema/beans"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.1.xsd">
  <bean name="ldapDirectoryConfig" class="com.attivio.securityad.LdapDirectoryConfig">
    <property name="realmId" value="LDAPRealm"/>
    <property name="url" value="ldap://ldapserver.example.com:389"/>
    <property name="bindDn" value="cn=ldapadmin,dc=example,dc=com"/>
    <property name="bindPassword" value="ldapadminpassword"/>
    <property name="userSearchBase" value="ou=people,dc=example,dc=com"/>
    <property name="userSearchFilter" value=""/>
    <property name="groupSearchBase" value="ou=groups,dc=example,dc=com"/>
    <property name="groupSearchFilter" value=""/>
    <property name="schema" ref="ldapCustomDirectorySchema"/>
  </bean>
</beans>
```
This customized schema enables components which use this LDAP configuration bean to retrieve the value of your custom `sid` attribute (instead of that of the `uid` attribute) when retrieving objects to feed as user or group principals.
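To review a bean file like the AD and LDAP custom-schema examples above before deploying it, here is a small lint script written for this page as an added example; it is not part of Attivio's security-ad module, and the bean name `adCustomSchema`, the `p@ssw0rd` value and the findings it reports are this example's own assumptions. It resolves the DirectorySchemaInfo constructor-args into the named schema properties from the tables above and flags the settings a reviewer would question (cleartext `ldap://` URL, empty bindDn, inline bindPassword, dangling `schema` reference).

```python
"""Lint a security-ad bean file. Added example, not Attivio code; helper names and findings are this example's own."""
import xml.etree.ElementTree as ET

NS = {"b": "http://www.springframework.org/schema/beans"}
# DirectorySchemaInfo constructor-arg order, as listed in the schema table.
SCHEMA_FIELDS = ("sid", "username", "objectClass", "groupObjectClass",
                 "groupMembershipAddr", "groupNameAddr", "groupDisplayNameAddr")
# Constructed sample: the custom-schema example plus a few weak settings.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans">
 <bean name="adCustomSchema" class="com.attivio.securityad.AbstractDirectoryConfig.DirectorySchemaInfo">
  <constructor-arg index="0" value="objectSid"/><constructor-arg index="1" value="sAMAccountName"/>
  <constructor-arg index="2" value="myCustomUser"/><constructor-arg index="3" value="group"/>
  <constructor-arg index="4" value="member"/><constructor-arg index="5" value="cn"/>
  <constructor-arg index="6" value="name"/></bean>
 <bean name="activeDirectoryConfig" class="com.attivio.securityad.ActiveDirectoryConfig">
  <property name="realmId" value="ActiveDirectoryRealm"/><property name="url" value="ldap://corp.example.com"/>
  <property name="bindDn" value=""/><property name="bindPassword" value="p@ssw0rd"/>
  <property name="userSearchBase" value="DC=example,DC=com"/><property name="schema" ref="adCustomSchema"/>
 </bean></beans>"""

def load_beans(xml_text):
    """Return {bean name: (class, {property: value or 'ref:<bean>'}, [ctor args by index])}."""
    beans = {}
    for bean in ET.fromstring(xml_text).findall("b:bean", NS):
        props = {p.get("name"): p.get("value") if p.get("value") is not None
                 else "ref:" + p.get("ref") for p in bean.findall("b:property", NS)}
        args = sorted(bean.findall("b:constructor-arg", NS), key=lambda a: int(a.get("index")))
        beans[bean.get("name") or bean.get("id")] = (bean.get("class"), props, [a.get("value") for a in args])
    return beans

def resolve_schema(beans, config_name):
    """Map the referenced DirectorySchemaInfo's positional args to names; None means defaults."""
    ref = beans[config_name][1].get("schema")
    if ref is None:
        return None
    args = beans[ref[4:]][2]  # drop the 'ref:' marker added by load_beans
    if len(args) != len(SCHEMA_FIELDS):
        raise ValueError(f"{ref} has {len(args)} constructor-args, expected {len(SCHEMA_FIELDS)}")
    return dict(zip(SCHEMA_FIELDS, args))

def lint(beans, config_name):
    """Return the settings of one *DirectoryConfig bean that a reviewer would question."""
    props, findings = beans[config_name][1], []
    if props.get("url", "").startswith("ldap://"):
        findings.append("url is ldap:// (no TLS): a simple bind sends the password in clear unless StartTLS is used")
    if not props.get("bindDn"):
        findings.append("bindDn is empty: the scanner would bind anonymously")
    if props.get("bindPassword"):
        findings.append("bindPassword is inline: confirm it is the 'aie-exec password' encrypted form")
    ref = props.get("schema")
    if ref and ref[4:] not in beans:
        findings.append(f"schema ref '{ref[4:]}' is not defined in this file")
    return findings
```

Run `lint(load_beans(open(path).read()), "activeDirectoryConfig")` against your own `conf/bean` file; `resolve_schema` on the same beans shows which attribute and object-class names the custom schema actually puts in effect.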