LDAP authentication

Users of Onegini UMA can authenticate via an LDAP identity provider instead of basic authentication. To replace basic authentication with LDAP, start the application with the Spring profile ldap, for example by setting the environment variable SPRING_PROFILES_ACTIVE=ldap.

LDAP properties

The following environment variables must be configured:

LDAP_ENABLED
  Default: false
  Description: Enables the LDAP features. This is true by default when the application runs with the ldap Spring profile.

LDAP_STARTER_URL
  Example: ldap://ldap.example.com:389
  Description: URL of the LDAP server to connect to.

LDAP_STARTER_LOGIN_USER_DN
  Example: uid=ldap,ou=Users,dc=example,dc=com
  Description: User DN used to bind to the LDAP server.

LDAP_STARTER_LOGIN_PASSWORD
  Example: P@ssword1
  Description: Password used when binding to the LDAP server.

LDAP_STARTER_SEARCH_BASE
  Example: @ou=Users,dc=example,dc=com
  Description: Base DN of the users that authenticate to the application.

LDAP_STARTER_GROUP_SEARCH_BASE
  Example: ou=groups,dc=example,dc=com
  Description: Base DN of the groups that contain the users connecting to the application.

LDAP_STARTER_SEARCH_USER_FILTER
  Example: id={0}
  Description: Filter used when searching for users.

Authority mapping

Onegini UMA can restrict access to users based on the LDAP groups the user is a member of.

LDAP_FULL_ACCESS_GRANTED
  Default: false
  Example: false
  Description: If true, all authenticated users have full access to Onegini UMA and the properties below are ignored.

LDAP_AUTHORITIES_USERS_ALL *
  Example: (&(cn=support)(uniqueMember={0}))
  Description: Value of the role that grants access to managing users.

LDAP_AUTHORITIES_AGENTS_READ *
  Example: (&(cn=administrators)(uniqueMember={0}))
  Description: Value of the role that grants access to supervising agents.

LDAP_AUTHORITIES_STATISTICS_READ *
  Example: (&(cn=administrators)(uniqueMember={0}))
  Description: Value of the role that grants access to viewing application statistics.

* This is a multivalue property. Separate values with a comma.
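As an added example (not code from Onegini UMA or its documentation), the following Python simulates what the two property groups above configure: a user search with LDAP_STARTER_SEARCH_USER_FILTER under LDAP_STARTER_SEARCH_BASE, followed by the authority mapping, which evaluates each LDAP_AUTHORITIES_* filter under LDAP_STARTER_GROUP_SEARCH_BASE with the user's DN substituted for {0}. The in-memory directory, the property values, the use of the standard uid attribute in place of the page's id={0}, and the assumption that {0} carries the submitted username in the user filter and the user's DN in the authority filters are all constructed for this example. Submitted values are escaped per RFC 4515 before substitution, so filter metacharacters in a username stay literal and cannot widen the search.

```python
"""Added example, not part of Onegini UMA: resolves the user search filter and the
group-based authority filters against a small constructed in-memory directory,
escaping the {0} placeholder per RFC 4515 before substituting it."""
import re

# Constructed sample directory: DN -> {lowercased attribute: [values]}.
DIRECTORY = {
    "uid=alice,ou=Users,dc=example,dc=com": {"uid": ["alice"]},
    "uid=bob,ou=Users,dc=example,dc=com": {"uid": ["bob"]},
    "cn=support,ou=groups,dc=example,dc=com": {
        "cn": ["support"],
        "uniquemember": ["uid=alice,ou=Users,dc=example,dc=com"],
    },
    "cn=administrators,ou=groups,dc=example,dc=com": {
        "cn": ["administrators"],
        "uniquemember": ["uid=bob,ou=Users,dc=example,dc=com"],
    },
}

# Assumed property values as they would be set in the environment. The user
# filter uses the standard "uid" attribute rather than the page's "id".
SETTINGS = {
    "LDAP_STARTER_SEARCH_BASE": "ou=Users,dc=example,dc=com",
    "LDAP_STARTER_GROUP_SEARCH_BASE": "ou=groups,dc=example,dc=com",
    "LDAP_STARTER_SEARCH_USER_FILTER": "uid={0}",
    "LDAP_AUTHORITIES_USERS_ALL": "(&(cn=support)(uniqueMember={0}))",
    "LDAP_AUTHORITIES_AGENTS_READ": "(&(cn=administrators)(uniqueMember={0}))",
    # Multivalue property: membership in either group grants the authority.
    "LDAP_AUTHORITIES_STATISTICS_READ": "(&(cn=administrators)(uniqueMember={0})),"
                                        "(&(cn=support)(uniqueMember={0}))",
}
AUTHORITIES = [k for k in SETTINGS if k.startswith("LDAP_AUTHORITIES_")]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: characters that change filter structure become \\xx."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def render_filter(template: str, value: str) -> str:
    """Substitute {0} as the LDAP_STARTER_SEARCH_USER_FILTER and LDAP_AUTHORITIES_*
    properties describe, escaping the value first so it is matched literally."""
    return template.replace("{0}", escape_filter_value(value))


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(s: str, pos: int = 0):
    """Parse the RFC 4515 subset used on this page: (&...), (|...), (!...), (attr=value).
    Returns (node, next_pos); equality values are compared literally (no wildcards)."""
    if s[pos] != "(":
        raise ValueError(f"expected '(' at {pos} in {s!r}")
    pos += 1
    if s[pos] in "&|!":
        op, pos, children = s[pos], pos + 1, []
        while s[pos] != ")":
            child, pos = parse_filter(s, pos)
            children.append(child)
        return (op, children), pos + 1
    end = s.index(")", pos)  # an escaped ')' is '\29', so this finds the real close
    attr, _, value = s[pos:end].partition("=")
    return ("=", attr.lower(), _unescape(value)), end + 1


def matches(node, entry) -> bool:
    """Evaluate a parsed filter node against one directory entry."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    return value.lower() in (v.lower() for v in entry.get(attr, []))


def search(base: str, filter_str: str) -> list:
    """Subtree search: DNs under base whose entry satisfies the filter.
    A bare 'attr=value' filter (as in the property example) is wrapped in parentheses."""
    if not filter_str.startswith("("):
        filter_str = f"({filter_str})"
    node, _ = parse_filter(filter_str)
    return [dn for dn, entry in DIRECTORY.items()
            if dn.lower().endswith(base.lower()) and matches(node, entry)]


def find_user_dn(username: str):
    """Login step 1: locate exactly one user entry for the submitted name."""
    hits = search(SETTINGS["LDAP_STARTER_SEARCH_BASE"],
                  render_filter(SETTINGS["LDAP_STARTER_SEARCH_USER_FILTER"], username))
    return hits[0] if len(hits) == 1 else None  # unknown or ambiguous: no authentication


def authorities_for(user_dn: str, full_access: bool = False) -> set:
    """Login step 2: map the user's DN to authorities through the group filters.
    full_access models LDAP_FULL_ACCESS_GRANTED=true, which skips the filters."""
    if full_access:
        return set(AUTHORITIES)
    granted = set()
    for authority in AUTHORITIES:
        for template in SETTINGS[authority].split(","):  # comma-separated multivalue
            if search(SETTINGS["LDAP_STARTER_GROUP_SEARCH_BASE"],
                      render_filter(template.strip(), user_dn)):
                granted.add(authority)
    return granted


if __name__ == "__main__":
    dn = find_user_dn("alice")
    print(dn, sorted(authorities_for(dn)))
    print(find_user_dn("x)(uid=*"))  # None: the injected characters were escaped
```

Running the file prints Alice's DN with the two authorities her support-group membership grants, then None for the name x)(uid=*, because escaping turns it into the literal value x\29\28uid=\2a that matches no entry. The same rendering is reused for the authority filters, where {0} is the already-resolved user DN, and LDAP_FULL_ACCESS_GRANTED=true is modelled by full_access=True, which is why that setting grants every authenticated LDAP user every authority.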