LDAP Properties
Users of Onegini UMA can authenticate via an LDAP Identity Provider instead of basic authentication. The application must be started with the Spring profile `ldap` to replace basic authentication with LDAP. This is done by passing the argument `-Dspring.profiles.active=ldap` at startup.
LDAP properties
The following properties must be configured:
Property | Default | Example | Description |
---|---|---|---|
ldap.enabled | false | false | Enables the LDAP features. It is set to true automatically when the application runs with the `ldap` Spring profile. |
ldap.starter.url | | ldap://idp-apacheds-1.dev.onegini.me:10389 | URL of the LDAP server to connect to |
ldap.starter.login.userdn | | uid=ldap,ou=Users,dc=example,dc=com | DN of the account used to bind to the LDAP server |
ldap.starter.login.password | | P@ssword1 | Password of the bind account used when connecting to LDAP |
ldap.starter.search.base | | @ou=Users,dc=example,dc=com | Base DN under which the users that authenticate to the application are searched |
ldap.starter.group.search.base | | ou=groups,dc=example,dc=com | Base DN of the groups that contain the users connecting to the application |
ldap.starter.search.user.filter | | id={0} | Filter used when searching for users |
Authority mapping
Onegini UMA can restrict access to users based on the LDAP groups that the user is a member of.
Property | Default | Example | Description |
---|---|---|---|
ldap.full.access.granted | false | false | Specifies whether every authenticated user is granted all privileges, bypassing the group mapping below |
ldap.authorities.usersAll[] * | | (&(cn=support)(uniqueMember={0})) | LDAP filter defining the role that gives access to managing users |
ldap.authorities.agentsRead[] * | | (&(cn=administrators)(uniqueMember={0})) | LDAP filter defining the role that gives access to supervising agents |
ldap.authorities.statisticsRead[] * | | (&(cn=administrators)(uniqueMember={0})) | LDAP filter defining the role that gives access to viewing application statistics |
* This is a multi-value property. Give each individual value its own index between the brackets, increasing the count for every additional value (`[0]`, `[1]`, and so on).
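The two tables combined into one profile-specific configuration, as an added example that is not part of the original page. The second `usersAll` group, the `uid` search attribute and the `LDAP_BIND_PASSWORD` environment variable are assumptions; the meaning of `{0}` in the filters follows Spring Security LDAP conventions and is also assumed.

```properties
# application-ldap.properties (added example, not from the original page).
# Loaded when the application is started with -Dspring.profiles.active=ldap.

# Connection to the directory
ldap.enabled=true
ldap.starter.url=ldap://idp-apacheds-1.dev.onegini.me:10389
# Account used for the initial bind. The password is resolved from an
# environment variable (assumed name) so it does not sit in the file.
ldap.starter.login.userdn=uid=ldap,ou=Users,dc=example,dc=com
ldap.starter.login.password=${LDAP_BIND_PASSWORD}

# Where users and groups are searched
ldap.starter.search.base=ou=Users,dc=example,dc=com
ldap.starter.group.search.base=ou=groups,dc=example,dc=com
# {0} is replaced with the username entered at login (assumed convention);
# the directory is assumed to store usernames in the uid attribute.
ldap.starter.search.user.filter=uid={0}

# Authority mapping: keep full access off so privileges come only from group
# membership. Setting this to true gives every authenticated user all privileges.
ldap.full.access.granted=false

# Multi-value properties: one index per group filter. {0} is replaced with the
# DN of the authenticated user (assumed convention). Two groups (constructed
# values) may manage users; only administrators supervise agents and see statistics.
ldap.authorities.usersAll[0]=(&(cn=support)(uniqueMember={0}))
ldap.authorities.usersAll[1]=(&(cn=administrators)(uniqueMember={0}))
ldap.authorities.agentsRead[0]=(&(cn=administrators)(uniqueMember={0}))
ldap.authorities.statisticsRead[0]=(&(cn=administrators)(uniqueMember={0}))
```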