LDAP Properties

Users of Onegini UMA can authenticate via an LDAP identity provider instead of basic authentication. To replace basic authentication with LDAP, the application must be started with the Spring profile ldap, for example via the JVM argument -Dspring.profiles.active=ldap.

LDAP properties

The following properties must be configured:

| Property | Default | Example | Description |
|---|---|---|---|
| ldap.enabled | false | false | Enables LDAP features; this is true by default when running with the ldap Spring profile. |
| ldap.starter.url | | ldap://idp-apacheds-1.dev.onegini.me:10389 | URL of the LDAP server to connect to. |
| ldap.starter.login-user-dn | | uid=ldap,ou=Users,dc=example,dc=com | User DN used to connect (bind) to the LDAP server. |
| ldap.starter.login-password | | P@ssword1 | Password used when connecting to LDAP. |
| ldap.starter.search-base | | @ou=Users,dc=example,dc=com | Base DN of the users that will authenticate within the app. |
| ldap.starter.group-search-base | | ou=groups,dc=example,dc=com | Base DN of the groups that contain the users connecting to the app. |
| ldap.starter.search-user-filter | | id={0} | Filter used when searching for users. |

Authority mapping

Onegini UMA can restrict access to users based on the LDAP groups a user is a member of.

| Property | Default | Example | Description |
|---|---|---|---|
| ldap.full-access-granted | false | false | Specifies whether all authenticated users should get all privileges. |
| ldap.authorities.USERS_ALL[] | * | (&(cn=support)(uniqueMember={0})) | Value of the role that gives access to managing users. |
| ldap.authorities.AGENTS_READ[] | * | (&(cn=administrators)(uniqueMember={0})) | Value of the role that gives access to supervise agents. |
| ldap.authorities.STATISTICS_READ[] | * | (&(cn=administrators)(uniqueMember={0})) | Value of the role that gives access to see application statistics. |

* This is a multi-value property. Increase the index between the [] for each individual value.
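The following Spring properties fragment is an added example, not part of the Onegini UMA documentation, showing how the two tables above fit together in one configuration. The host name, DNs, filters and the environment-variable placeholder for the bind password are constructed assumptions; the indexed [0], [1] keys follow the multi-value convention described in the footnote.

```properties
# Added example configuration (not Onegini's own); all values are constructed placeholders.

# Activate the ldap profile from the properties file instead of -Dspring.profiles.active=ldap
# (standard Spring Boot behaviour, assumed to apply to this application).
spring.profiles.active=ldap

# ldap.enabled is already true under the ldap profile; set it explicitly for readability.
ldap.enabled=true

# Connection to the directory server (assumed: LDAPS on 636 is available).
ldap.starter.url=ldaps://ldap.example.internal:636
ldap.starter.login-user-dn=uid=uma-bind,ou=Services,dc=example,dc=com
# Placeholder: resolve the bind password from the environment rather than storing it in the file.
ldap.starter.login-password=${LDAP_BIND_PASSWORD}

# Where users and groups are searched; {0} in the user filter is the login name supplied by the user.
ldap.starter.search-base=ou=Users,dc=example,dc=com
ldap.starter.group-search-base=ou=Groups,dc=example,dc=com
ldap.starter.search-user-filter=uid={0}

# Keep false so privileges are derived from group membership, not from authentication alone.
ldap.full-access-granted=false

# Multi-value authority mapping: one indexed entry per group filter.
# {0} here is the placeholder for the authenticated user, as in the documentation's examples.
# USERS_ALL is granted to members of either 'support' or 'administrators'.
ldap.authorities.USERS_ALL[0]=(&(cn=support)(uniqueMember={0}))
ldap.authorities.USERS_ALL[1]=(&(cn=administrators)(uniqueMember={0}))
ldap.authorities.AGENTS_READ[0]=(&(cn=administrators)(uniqueMember={0}))
ldap.authorities.STATISTICS_READ[0]=(&(cn=administrators)(uniqueMember={0}))
```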