What is LDAP Mapping?
LDAP mapping refers to the process of configuring the mapping between LDAP (Lightweight Directory Access Protocol) attributes and the corresponding attributes in a system or application. It involves defining how LDAP attributes, such as usernames, email addresses, and display names, are mapped to the attributes used within the target system.
How can I configure LDAP mapping?
To configure LDAP mapping, you provide the necessary settings in the LDAP configuration file: the LDAP server URL, the credentials of the account used for lookups, the base Distinguished Name (DN) under which users are searched, search filters, and the attributes that serve as unique identifiers. These settings define how LDAP attributes are mapped to the attributes used in your BOC product.
What are some important LDAP mapping properties?
Some important LDAP mapping properties include:
| Property | Description |
|---|---|
| provider_url | URL of the LDAP directory server, for example ldap://host:389 or ldaps://host:636. |
| principal | Login name of the account the product binds with to look up other users. |
| login_base_dn | Base DN (Distinguished Name) under which the user objects are searched during login. |
| login_filter | LDAP search filter containing the %username% placeholder; it selects the user object for the entered login name. |
| unique_identifier | One or more attributes whose values identify a user internally; they must be unique and stable. |
| sync_base_dn | Optional base DN under which synchronization jobs search. |
| sync_filter | Optional filter that narrows the result set of a synchronization job. |
| ignore_missing_objectSid | Whether a missing objectSid attribute on an LDAP user is ignored. |
| referral | How LDAP referrals returned by the server are handled. |
What is the purpose of LDAP synchronization?
LDAP synchronization involves periodically synchronizing user data from the LDAP directory server to your system. It ensures that user information, such as usernames, email addresses, and group memberships, stays up to date in your system. Synchronization can be scheduled to run at specified intervals and helps keep user data consistent between LDAP and your application.
How can I schedule LDAP synchronization jobs?
LDAP synchronization jobs can be scheduled by specifying the synchronization details in the LDAP configuration file. Each synchronization job includes properties such as name, filter (optional), start node (optional), and schedule type (e.g., daily, weekly, monthly). By defining multiple synchronization jobs, you can schedule different synchronization tasks according to your requirements.
Example:
"synchronization": {
"schedules": [
{
"name": "LDAP_Sync",
"scheduleCronData": {
"h": 1,
"m": 0,
"w": [2, 3, 4, 5, 6]
},
"scheduleType": 4
}
]
}
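To make the mapping and synchronization rules concrete, here is an added Python simulation; it is example code written for this page, not BOC product code. It applies a properties mapping (LDAP attribute to product attribute), a "contains" group rule on memberOf, autoCreateUser, and the user_deletion_handling settings from the example configuration further down to a few constructed directory entries. Assumptions, also marked in the code: a "contains" rule matches when the rule's match string is a substring of any value of the named attribute; an undeletable user is modelled by a simple deletable flag; {ID} placeholders, nameduse and repository rules are not modelled.

```python
# Simulation of user-mapping rules and one synchronization run.
# Added example, not BOC product code; see assumptions in the comments.

# Constructed fragment in the shape of the page's "user-mapping" block.
USER_MAPPING = {
    "autoCreateUser": True,
    "default_groups": ["LDAP users"],
    "groups": [
        {"match": "BOC_Group", "name": "memberOf", "targetName": "BOC_Group",
         "targetType": "group", "type": "contains"},
    ],
    "properties": [
        {"attr": "NAME", "name": "sAMAccountName"},
        {"attr": "EMAIL", "name": "mail"},
        {"attr": "DESCRIPTION", "name": "displayName"},
    ],
    "user_deletion_handling": {
        "deleteNotFoundUsers": True,
        "moveUndeletableUsersToGroup": True,
        "userGroupForUndeletableUsers": "to_be_deleted",
    },
}
UNIQUE_IDENTIFIER = ["distinguishedName"]

# Constructed entries, as a sync job with sync_filter "(objectClass=user)" might return them.
LDAP_ENTRIES = [
    {"distinguishedName": "CN=Alice,OU=Staff,DC=company,DC=com", "sAMAccountName": "alice",
     "mail": "alice@company.com", "displayName": "Alice Smith",
     "memberOf": ["CN=BOC_Group,OU=Groups,DC=company,DC=com"]},
    {"distinguishedName": "CN=Bob,OU=Staff,DC=company,DC=com", "sAMAccountName": "bob",
     "mail": "bob@company.com", "displayName": "Bob Jones",
     "memberOf": ["CN=Sales,OU=Groups,DC=company,DC=com"]},
]

# Constructed state of the product's user store before the run, keyed by unique id.
# "deletable" is a stand-in for whatever makes a user undeletable in the product (assumption).
EXISTING_USERS = {
    "CN=Alice,OU=Staff,DC=company,DC=com": {"deletable": True, "groups": {"LDAP users"}},
    "CN=Carol,OU=Staff,DC=company,DC=com": {"deletable": True, "groups": {"LDAP users"}},
    "CN=Dave,OU=Former,DC=company,DC=com": {"deletable": False, "groups": {"BOC_Group"}},
}


def attribute_values(entry, name):
    """LDAP attributes may be multi-valued; normalise a str or list to a list."""
    value = entry.get(name)
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def unique_id(entry, unique_identifier):
    """Join the configured unique_identifier attributes into the internal user key."""
    parts = []
    for name in unique_identifier:
        values = attribute_values(entry, name)
        if not values:
            raise ValueError(f"entry has no {name!r}; cannot identify user")
        parts.append(values[0])
    return "|".join(parts)


def rule_matches(rule, entry):
    """Assumption: 'contains' is a substring test over every value of the attribute."""
    if rule["type"] != "contains":
        raise ValueError(f"unsupported rule type {rule['type']!r}")
    return any(rule["match"] in v for v in attribute_values(entry, rule["name"]))


def map_user(entry, mapping, unique_identifier):
    """Build the product-side user record from one LDAP entry."""
    user = {"id": unique_id(entry, unique_identifier), "groups": set(mapping["default_groups"])}
    for prop in mapping["properties"]:
        values = attribute_values(entry, prop["name"])
        user[prop["attr"]] = values[0] if values else None
    for rule in mapping["groups"]:
        if rule["targetType"] == "group" and rule_matches(rule, entry):
            user["groups"].add(rule["targetName"])
    return user


def synchronize(entries, existing, mapping, unique_identifier):
    """One sync run: map every found entry, then apply user_deletion_handling.

    Returns (users after the run, ids deleted, ids moved to the holding group).
    """
    users = {}
    for entry in entries:
        user = map_user(entry, mapping, unique_identifier)
        if user["id"] in existing or mapping["autoCreateUser"]:
            users[user["id"]] = user
    deletion = mapping["user_deletion_handling"]
    deleted, moved = [], []
    for uid, old in existing.items():
        if uid in users:
            continue  # still present in the directory
        if deletion["deleteNotFoundUsers"] and old.get("deletable", True):
            deleted.append(uid)
        elif deletion["moveUndeletableUsersToGroup"]:
            kept = dict(old)
            kept["groups"] = set(old.get("groups", ())) | {deletion["userGroupForUndeletableUsers"]}
            users[uid] = kept
            moved.append(uid)
        else:
            users[uid] = old
    return users, deleted, moved


if __name__ == "__main__":
    users, deleted, moved = synchronize(LDAP_ENTRIES, EXISTING_USERS, USER_MAPPING, UNIQUE_IDENTIFIER)
    for uid, user in users.items():
        print(uid, user.get("NAME"), sorted(user["groups"]))
    print("deleted:", deleted, "moved:", moved)
```

The run shows why deleteNotFoundUsers deserves care: Carol is removed simply because the constructed sync result no longer contains her entry, which is exactly what happens in production when sync_base_dn or sync_filter is narrowed by mistake.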
What is the significance of LDAP mapping in user authentication?
LDAP mapping is central to user authentication. When a user logs in, the configured login_base_dn and login_filter (with %username% replaced by the entered login name) are used to locate the user's entry in the directory. The product then authenticates the user against that entry with the password the user entered, for example by binding to the LDAP server as the entry's DN; the directory server verifies the password, and the application never retrieves it from the directory. The mapping then determines which LDAP attributes populate the user's name, e-mail address and group memberships in the product, so a wrong filter or attribute name means that the wrong entry is matched or that no user can log in at all.
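The %username% placeholder in login_filter is filled with user-controlled input, so the value must be escaped before substitution. The following added Python example (not BOC product code; the login_filter template is the one from the example configuration on this page, the hostile username is constructed) shows RFC 4515 escaping beside the naive substitution it prevents:

```python
# Escaping a user-supplied value before it is substituted into an LDAP search filter.
# Added example, not BOC product code.

LOGIN_FILTER = "(&(objectClass=user)(sAMAccountName=%username%))"  # template from the page


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3).

    Backslash, parentheses, asterisk, NUL and any other control or non-ASCII
    character are replaced by \\XX hex escapes of their UTF-8 bytes, so the
    value can never close or extend the surrounding filter.
    """
    out = []
    for ch in value:
        if ch in "\\*()" or ord(ch) < 0x20 or ord(ch) > 0x7E:
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_login_filter(template: str, username: str) -> str:
    """Safe substitution: the placeholder only ever receives an escaped literal."""
    return template.replace("%username%", escape_filter_value(username))


def naive_login_filter(template: str, username: str) -> str:
    """Unsafe substitution, shown only to illustrate what escaping prevents."""
    return template.replace("%username%", username)


if __name__ == "__main__":
    # Constructed hostile input: tries to append a clause that matches every entry.
    hostile = "*)(objectClass=*"
    print("naive  :", naive_login_filter(LOGIN_FILTER, hostile))
    print("escaped:", build_login_filter(LOGIN_FILTER, hostile))
```

With the naive substitution the filter becomes (&(objectClass=user)(sAMAccountName=*)(objectClass=*)), which matches every user object under login_base_dn; the escaped version keeps the input inside a single sAMAccountName comparison. Whether the product escapes the placeholder itself is not stated on this page, so verify it with such an input on a test instance.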
Are there any security considerations for LDAP mapping?
Yes. The LDAP connection carries credentials, so it must be encrypted: use ldaps:// (or STARTTLS where the product supports it) and make sure the server certificate is verified. Note that the example configuration below uses ldap://company.com:389 with security_protocol set to null and authentication_mode "simple", which sends the bind name and password in clear text; adjust this before using the example in production. The principal used for lookups should be a dedicated account with read-only rights to the relevant subtrees, not an administrative account, and the configuration file that holds its password must be protected with restrictive file permissions or the password kept in a secret store. Be careful with referral set to follow, because the client may then re-send its bind credentials to whichever server the referral points to. The %username% placeholder in login_filter is substituted with user input, so confirm that characters with special meaning in filters, such as ( ) * and \, are escaped according to RFC 4515 or rejected. Finally, synchronization jobs with deleteNotFoundUsers enabled remove every user that is not returned by sync_filter under sync_base_dn, so test a changed filter or base DN against a non-production instance before scheduling it.
An example config is attached below.
Important: Please note that the provided information is based on a generic understanding of LDAP mapping and may vary depending on your specific LDAP server and application requirements.
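The following added Python check (example code written for this page, not a BOC tool) reviews the security-relevant properties of a domain entry in the shape of the example configuration below. It flags plaintext transport, a simple bind over plaintext, a missing lookup principal, referral following, a missing connection timeout, a login_filter without the %username% placeholder and an empty unique_identifier. WEAK mirrors the values of Domain1 from the example; HARDENED is an illustrative corrected version whose host name and service account name are hypothetical. One assumption, also marked in the code: security_protocol "ssl" is taken to mean LDAPS, as the java.naming.security.protocol setting of the JNDI LDAP provider named in context_factory does.

```python
# Lint the security-relevant settings of the "ldap" configuration block.
# Added example, not BOC product code.
from urllib.parse import urlsplit

# Constructed fragments with only the keys the checks look at.
WEAK = {
    "authentication_mode": "simple",
    "domains": [{
        "name": "Domain1",
        "provider_url": "ldap://company.com:389",
        "security_protocol": None,
        "principal": None,
        "password": None,
        "referral": None,
        "connection_timeout": "5000",
        "login_base_dn": "dc=BOC,dc=com",
        "login_filter": "(&(objectClass=user)(sAMAccountName=%username%))",
        "unique_identifier": ["distinguishedName"],
    }],
}

HARDENED = {
    "authentication_mode": "simple",
    "domains": [{
        "name": "Domain1",
        "provider_url": "ldaps://ldap.company.com:636",  # hypothetical host
        "security_protocol": "ssl",
        "principal": "svc-boc-ldap",                      # hypothetical read-only lookup account
        "password": "<injected from a secret store at deploy time>",  # placeholder, not a real value
        "referral": "ignore",
        "connection_timeout": "5000",
        "login_base_dn": "dc=BOC,dc=com",
        "login_filter": "(&(objectClass=user)(sAMAccountName=%username%))",
        "unique_identifier": ["distinguishedName"],
    }],
}


def lint_ldap_config(cfg):
    """Return (domain name, finding code, explanation) tuples for risky settings."""
    findings = []
    auth_mode = (cfg.get("authentication_mode") or "none").lower()
    for d in cfg.get("domains", []):
        name = d.get("name", "?")
        url = urlsplit(d.get("provider_url") or "")
        # Assumption: security_protocol "ssl" selects LDAPS, as java.naming.security.protocol does in JNDI.
        encrypted = url.scheme == "ldaps" or (d.get("security_protocol") or "").lower() == "ssl"
        if not encrypted:
            findings.append((name, "PLAINTEXT_TRANSPORT",
                             f"{url.geturl()!r} is not ldaps:// and security_protocol is not 'ssl'"))
            if auth_mode == "simple":
                findings.append((name, "SIMPLE_BIND_IN_CLEAR",
                                 "simple bind sends the bind name and password unencrypted"))
        if not d.get("principal") or not d.get("password"):
            findings.append((name, "ANONYMOUS_LOOKUP",
                             "no principal/password: user lookups run without a dedicated account"))
        if (d.get("referral") or "").lower() == "follow":
            findings.append((name, "REFERRAL_FOLLOW",
                             "following referrals can send the bind credentials to another server"))
        try:
            timeout = int(d.get("connection_timeout") or 0)
        except ValueError:
            timeout = 0
        if timeout <= 0:
            findings.append((name, "NO_CONNECTION_TIMEOUT", "logins hang if the server is unreachable"))
        if "%username%" not in (d.get("login_filter") or ""):
            findings.append((name, "NO_USERNAME_PLACEHOLDER", "login_filter does not contain %username%"))
        if not d.get("login_base_dn"):
            findings.append((name, "NO_LOGIN_BASE_DN", "login searches have no base DN"))
        if not d.get("unique_identifier"):
            findings.append((name, "NO_UNIQUE_IDENTIFIER", "users cannot be matched across sync runs"))
    return findings


def finding_codes(cfg):
    """Sorted, de-duplicated finding codes; convenient for a quick comparison."""
    return sorted({code for _, code, _ in lint_ldap_config(cfg)})


if __name__ == "__main__":
    for label, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(label)
        for domain, code, why in lint_ldap_config(cfg) or [("-", "OK", "no findings")]:
            print(f"  {domain}: {code}: {why}")
```

The checker reads only the keys named on this page; properties it does not know about are ignored rather than judged.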
LDAP Mapping example
"ldap": {
"allow_client_action": false,
"authentication_mode": "simple",
"context_factory": "com.sun.jndi.ldap.LdapCtxFactory",
"default_domain": "Domain1",
"domains": [
{
"connection_timeout": "5000",
"defaultConnector": "Standard Login",
"ignore_missing_objectSid": false,
"index": 0,
"login_base_dn": "dc=BOC,dc=com",
"login_filter": "(&(objectClass=user)(sAMAccountName=%username%))",
"login_scope": "subtree",
"name": "Domain1",
"page_size": 1000,
"paged_result_control_oid": "1.2.840.113556.1.4.319",
"password": null,
"principal": null,
"principal_domain": "company.eu",
"principal_format": "%principal%@%principaldomain%",
"provider_url": "ldap://company.com:389",
"referral": null,
"security_protocol": null,
"ssl_certificate": null,
"sync_base_dn": "dc=company,dc=com",
"sync_filter": "(objectClass=user)",
"unique_identifier": [
"distinguishedName"
],
"user-mapping": {
"autoCreateUser": true,
"auto_sync_user": {
"auto_sync_attributes": true,
"auto_sync_groups": true,
"auto_sync_nameduse": true,
"auto_sync_repos": true,
"auto_sync_roles": true,
"enabled": true
},
"default_groups": [],
"default_roles": [],
"groups": [
{
"additionalConfig": {},
"mapexistingusers": false,
"match": "BOC_Group",
"name": "memberOf",
"targetName": "BOC_Group",
"targetType": "group",
"type": "contains"
}
],
"mapped_user_handling": {
"default_mapping": "Reader",
"mappings": []
},
"nameduse": [
{
"match": "BOC_nameduse",
"name": "memberOf",
"targetName": "{ID}",
"targetType": "nameduse",
"type": "contains"
}
],
"properties": [
{
"attr": "NAME",
"name": "sAMAccountName"
},
{
"attr": "FORENAME",
"name": "givenName"
},
{
"attr": "SURNAME",
"name": "sn"
},
{
"attr": "EMAIL",
"name": "mail"
},
{
"attr": "DESCRIPTION",
"name": "displayName"
}
],
"repositories": [
{
"additionalConfig": {
"objectgroup": "{ID}"
},
"mapexistingusers": false,
"targetName": "{ID}",
"targetType": "repository",
"type": "contains"
}
],
"roles": [],
"user_deletion_handling": {
"deleteNotFoundUsers": true,
"moveUndeletableUsersToGroup": true,
"userGroupForUndeletableUsers": "to_be_deleted"
}
}
}
],
"enabled": true,
"environment": {},
"properties": [
{
"name": "mail",
"recursiveNodeLookup": false
},
{
"name": "sAMAccountName",
"recursiveNodeLookup": false
},
{
"name": "displayName",
"recursiveNodeLookup": false
},
{
"name": "givenName",
"recursiveNodeLookup": false
},
{
"name": "distinguishedName",
"recursiveNodeLookup": false
},
{
"name": "cn",
"recursiveNodeLookup": false
},
{
"name": "memberOf",
"recursiveNodeLookup": false
},
{
"name": "sn",
"recursiveNodeLookup": false
},
{
"name": "department",
"recursiveNodeLookup": false
}
],
"synchronization": {
"schedules": [
{
"name": "LDAP_Sync",
"scheduleCronData": {
"h": 1,
"m": 0,
"w": [2, 3, 4, 5, 6]
},
"scheduleType": 4
}
]
},
"url_pkg_prefixes": "com.sun.jndi.url"
}