All calls are made via Java's JNDI API.
Requires a user with query privileges on the subtree that contains the users, in order to validate that a user exists with the given username and to query that user's attributes. The username and password of this privileged user are specified via the
The name of the attribute that contains the username must be specified via the
LDAP-SSO providers are invoked by a call to the
Provider Linking
Linking to and from this provider type is always disabled. Providers of this type are almost always used to grant access to a corporate network, and linking an LDAP provider to a social provider could grant undue access to a user who logs in with their social account. Disabling linking also avoids potential problems with mirrored groups.
ldapsso_basic
A second version of this provider type exists called
Parameters
As well as the parameters described in Base Provider Parameters, the following must be set in the params object.
Name | Type | Description |
---|---|---|
Required | | |
baseDN | String | The base DN(s), e.g. DC=forrest,DC=gump,DC=alabama |
excludeMirroredLDAPGroups | Array<String> | If includeMirroredLDAPGroups has not been provided then all groups will be created, excluding those in this list. Group names are case insensitive. By default this list contains the following: ["BUILTIN","NT AUTHORITY"] |
includeMirroredLDAPGroups | Array<String> | If defined, only LDAP groups in this list of group names will be mirrored. Group names are case insensitive. Default: null |
ldapServer | String | The LDAP server host, with optional port. e.g. devdc1.lan.gossinteractive.com:3268 |
mirrorLDAPGroups | Boolean | Default: false. If true, creates an iCM Site User group membership structure identical to that in LDAP. For example, assuming a provider prefix of |
queryUserUsername | String | The username of the user used to query user details. |
queryUserPassword | String | The password of the user used to query user details. |
referral | String | One of the following (defaults to "ignore"): "ignore" - ignore referrals; "follow" - automatically follow any referrals; "throw" - throw a ReferralException for each referral. This property may have to be changed if querying an LDAP forest. For more information see here. |
usernameAttribute | String | Name of the LDAP attribute that contains usernames. The value of the username argument provided to AuthenticateViaLDAPSSO is matched against values in this attribute 'column'. |
userProfileAttributeMapping | Map | Maps LDAP attributes as returned by the LDAP server (left) to the Auth worker's UserProfile class fields (right). Only the UNIQUEID field is required. Case insensitive. |
Optional | | |
useLDAPS | Boolean | If true calls will be made using LDAPS |
userObjectClass | String | Default "user". The user object class. Update this based on the implementation you are connecting to. For example, AD = "user" whereas OpenLDAP = "person" |
User Profile Data
Requested attributes: All with a value.
Provider Name | Mapped To |
---|---|
LDAP server dependent. A few of the most useful are documented below. | |
SAMACCOUNTNAME | UNIQUEID |
GIVENNAME | FORENAMES |
SN | SURNAME |
See the Linking Providers, Account and Profile Management article for information about how profiles and email addresses are updated.
Example
```json
{
  "providerName": "ldapserver",
  "providerDisplayName": "LDAP Server",
  "type": "ldapsso",
  "userPrefix": "LD_",
  "params": {
    "ldapServer": "10.10.45.11:3268",
    "baseDN": "DC=forrest,DC=gump,DC=alabama",
    "useLDAPS": true,
    "userObjectClass": "person",
    "usernameAttribute": "sAMAccountName",
    "queryUserUsername": "username",
    "queryUserPassword": "password",
    "mirrorLDAPGroups": true,
    "excludeMirroredLDAPGroups": ["ADMINISTRATORS", "DEVELOPERS"],
    "userProfileAttributeMapping": {
      "mapping": {
        "SAMACCOUNTNAME": {"mappings": ["UNIQUEID"]},
        "GIVENNAME": {"mappings": ["PREFERREDNAME", "FORENAMES"]},
        "SN": {"mappings": ["SURNAME"]},
        "WHENCREATED": {"mappings": ["BIRTHDAY"]}
      }
    }
  }
}
```
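The following script is an added example, not code from iCM or its Auth worker. It applies the rules stated in the parameter table and the example above: it checks a provider definition for the required params, the allowed `referral` values, the mandatory `UNIQUEID` mapping and whether `useLDAPS` is enabled, and it shows which LDAP groups would be mirrored under the `includeMirroredLDAPGroups` / `excludeMirroredLDAPGroups` rules. The exact check names and the assumption that an explicit exclude list replaces the default `["BUILTIN","NT AUTHORITY"]` list are this example's own, not documented behaviour.

```python
import json

# Constraints taken from the parameter table above. The validator itself is an
# illustration written for this page, not the Auth worker's own code.
REQUIRED_PARAMS = ("baseDN", "ldapServer", "queryUserUsername", "queryUserPassword",
                   "usernameAttribute", "userProfileAttributeMapping")
VALID_REFERRALS = ("ignore", "follow", "throw")
DEFAULT_EXCLUDED_GROUPS = ("BUILTIN", "NT AUTHORITY")

# The page's own example definition (constructed copy, credentials are placeholders).
EXAMPLE_PROVIDER_JSON = """{
  "providerName": "ldapserver",
  "providerDisplayName": "LDAP Server",
  "type": "ldapsso",
  "userPrefix": "LD_",
  "params": {
    "ldapServer": "10.10.45.11:3268",
    "baseDN": "DC=forrest,DC=gump,DC=alabama",
    "useLDAPS": true,
    "userObjectClass": "person",
    "usernameAttribute": "sAMAccountName",
    "queryUserUsername": "username",
    "queryUserPassword": "password",
    "mirrorLDAPGroups": true,
    "excludeMirroredLDAPGroups": ["ADMINISTRATORS", "DEVELOPERS"],
    "userProfileAttributeMapping": {
      "mapping": {
        "SAMACCOUNTNAME": {"mappings": ["UNIQUEID"]},
        "GIVENNAME": {"mappings": ["PREFERREDNAME", "FORENAMES"]},
        "SN": {"mappings": ["SURNAME"]},
        "WHENCREATED": {"mappings": ["BIRTHDAY"]}
      }
    }
  }
}"""


def load_example():
    """Parse the embedded example definition into a dict."""
    return json.loads(EXAMPLE_PROVIDER_JSON)


def validate_provider(provider):
    """Return a list of problems with an ldapsso provider definition (empty if it passes)."""
    problems = []
    if provider.get("type") != "ldapsso":
        problems.append("type must be 'ldapsso'")
    params = provider.get("params", {})

    # Every entry in the table's "Required" section must be present.
    for key in REQUIRED_PARAMS:
        if key not in params:
            problems.append(f"missing required param: {key}")

    # referral is an enumeration; anything else is a misconfiguration.
    referral = params.get("referral", "ignore")
    if referral not in VALID_REFERRALS:
        problems.append(f"referral must be one of {VALID_REFERRALS}, got {referral!r}")

    # Only UNIQUEID is mandatory in the attribute mapping; targets are case insensitive.
    mapping = params.get("userProfileAttributeMapping", {}).get("mapping", {})
    targets = {t.upper() for attr in mapping.values() for t in attr.get("mappings", [])}
    if "UNIQUEID" not in targets:
        problems.append("userProfileAttributeMapping must map some LDAP attribute to UNIQUEID")

    # Without LDAPS the query user's bind and every lookup leave the host unencrypted.
    if not params.get("useLDAPS", False):
        problems.append("useLDAPS is false: query-user bind and lookups are sent without TLS")
    return problems


def mirrored_groups(ldap_group_names, params):
    """Select the LDAP groups that would be mirrored into iCM, per the table:
    include list wins when defined, otherwise everything minus the exclude list
    (default BUILTIN / NT AUTHORITY). Comparisons are case insensitive."""
    if not params.get("mirrorLDAPGroups", False):
        return []
    include = params.get("includeMirroredLDAPGroups")
    if include is not None:
        allowed = {g.upper() for g in include}
        return [g for g in ldap_group_names if g.upper() in allowed]
    # Assumption: an explicit exclude list replaces the default list rather than extending it.
    exclude = {g.upper() for g in params.get("excludeMirroredLDAPGroups", DEFAULT_EXCLUDED_GROUPS)}
    return [g for g in ldap_group_names if g.upper() not in exclude]


if __name__ == "__main__":
    provider = load_example()
    for problem in validate_provider(provider):
        print("problem:", problem)
    # Constructed sample of group names as an LDAP server might return them.
    print(mirrored_groups(["Administrators", "Developers", "Staff", "BUILTIN"], provider["params"]))
```

Run it against a definition before deploying it; a missing `UNIQUEID` mapping or a mistyped `referral` value is reported before the provider ever binds to the directory.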