Difference between revisions of "Integration/LDAP"

From TempusServa wiki

Revision as of 14:09, 8 March 2013

Basic configuration consists of the name of the LDAP server and the domain that is bound to the application:

  • ldapServer
  • ldapDomainDefault

All configuration options are found in: Policy#Active_directory


Synchronization options

Different options for LDAP integration exist:

  1. Validate credentials: Check username/password against LDAP
  2. Synchronize groups: Add/remove groups as defined in the LDAP
  3. Create missing users: Create users with correct LDAP credentials

Credential validation (1) is mandatory, while group synchronization (2) and automatic user creation (3) are optional.

  1. ldapAuthentication
  2. ldapMaintainGroupsOnLogon
  3. ldapCreateUsers


Failover mechanism

In case the LDAP is not responding the server can be allowed to use local application credentials:

  • ldapAuthenticationFallback

The server will first try to validate the credentials against the LDAP; only if the LDAP is not responding is the validation done against the local user table. To make this possible, an encrypted copy of the user password is stored in the local user table on every successful LDAP authentication. Note that this behaviour is only active if fallback authentication is enabled.
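The fallback logic described above, as an added example that is not TempusServa's own code: the LDAP bind is simulated with a constructed in-memory directory, and the "encrypted copy" is modelled as a salted PBKDF2 hash (an assumption; the page does not state the storage format). The point it makes explicit is that the local copy is consulted only when the LDAP is unreachable, never when the LDAP rejected the password, and is written only while ldapAuthenticationFallback is enabled.

```python
import hashlib
import hmac
import os

class LdapUnavailable(Exception):
    """Raised when the LDAP server cannot be reached (connection failure, timeout)."""

def ldap_bind(server_up, directory, username, password):
    # Stand-in for a real LDAP bind: `directory` is a constructed in-memory
    # username -> password map and `server_up` simulates reachability.
    if not server_up:
        raise LdapUnavailable("LDAP server not responding")
    return directory.get(username) == password

def store_local_copy(local_users, username, password):
    # Assumption: the local copy is a salted PBKDF2 hash, not a reversible encryption.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    local_users[username] = (salt, digest)

def check_local_copy(local_users, username, password):
    entry = local_users.get(username)
    if entry is None:
        return False  # user never authenticated via LDAP while fallback was enabled
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)

def authenticate(policy, server_up, directory, local_users, username, password):
    """Return (authenticated, source); source is 'ldap', 'local' or None.

    `policy` uses the option name from the page: ldapAuthenticationFallback (bool).
    """
    fallback = bool(policy.get("ldapAuthenticationFallback", False))
    try:
        ok = ldap_bind(server_up, directory, username, password)
    except LdapUnavailable:
        # Local credentials are consulted only when the LDAP is unreachable,
        # and only if the fallback option is enabled.
        if fallback and check_local_copy(local_users, username, password):
            return True, "local"
        return False, None
    if ok and fallback:
        # Refresh the local copy on every successful LDAP authentication.
        store_local_copy(local_users, username, password)
    # A rejected LDAP bind is final: the local table is not a second chance.
    return (True, "ldap") if ok else (False, None)
```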

LDAP service account

In order to communicate with the LDAP server, the Tempus Serva application needs its own account to carry out many of the synchronization operations:

  • ldapUsername
  • ldapPassword

No permissions except lookup rights are required for this role.