LDAP authentication
Users of Onegini UMA can authenticate via an LDAP Identity Provider instead of basic authentication. The application must be started with the Spring profile `ldap` to replace basic authentication with LDAP. This can be done via the environment variable `SPRING_PROFILES_ACTIVE=ldap`.
LDAP properties
The following environment variables must be configured:
Property | Default | Example | Description |
---|---|---|---|
LDAP_ENABLED | false | | Enables LDAP features; this is true by default when you run with the ldap Spring profile. |
LDAP_STARTER_URL | | ldap://ldap.example.com:389 | URL of the LDAP server to connect to |
LDAP_STARTER_LOGIN_USER_DN | | uid=ldap,ou=Users,dc=example,dc=com | User DN used to bind to the LDAP server |
LDAP_STARTER_LOGIN_PASSWORD | | P@ssword1 | Password used when connecting to LDAP |
LDAP_STARTER_SEARCH_BASE | | @ou=Users,dc=example,dc=com | Base DN of the users that will authenticate within the app |
LDAP_STARTER_GROUP_SEARCH_BASE | | ou=groups,dc=example,dc=com | Base DN of the groups that contain the users connecting to the app |
LDAP_STARTER_SEARCH_USER_FILTER | | id={0} | Filter used when searching for users |
Authority mapping
Onegini UMA can restrict access to users based on the groups that the user is a member of in LDAP.
Property | Default | Example | Description |
---|---|---|---|
LDAP_FULL_ACCESS_GRANTED | false | false | If true, all authenticated users have full access to Onegini UMA and the properties below are ignored. |
LDAP_AUTHORITIES_USERS_ALL * | | (&(cn=support)(uniqueMember={0})) | Value of the role that gives access to managing users. |
LDAP_AUTHORITIES_AGENTS_READ * | | (&(cn=administrators)(uniqueMember={0})) | Value of the role that gives access to supervising agents. |
LDAP_AUTHORITIES_STATISTICS_READ * | | (&(cn=administrators)(uniqueMember={0})) | Value of the role that gives access to viewing application statistics. |
* This is a multi-value property. Separate values with a comma.
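The following is an added example, not Onegini code: a small Python model of how the `{0}` placeholders in the user-search filter and in the authority filters are resolved, and how the comma-separated authority properties map to permissions. It assumes that `{0}` in `LDAP_STARTER_SEARCH_USER_FILTER` is replaced with the login name and `{0}` in the `LDAP_AUTHORITIES_*` filters with the authenticated user's DN, as Spring Security's LDAP support does; the authority names (`USERS_ALL`, `AGENTS_READ`, `STATISTICS_READ`), the second `STATISTICS_READ` filter, the in-memory directory and the minimal filter evaluator (equality matches plus `&`, `|`, `!`) are all constructed for this example. Substituted values are escaped per RFC 4515 so that characters such as `*` or `)` in a login name stay literal data instead of becoming filter syntax.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed configuration: property names and example values come from the page;
# the second STATISTICS_READ filter and the authority names are assumptions.
CONFIG: Dict[str, str] = {
    "LDAP_FULL_ACCESS_GRANTED": "false",
    "LDAP_STARTER_SEARCH_USER_FILTER": "id={0}",
    "LDAP_AUTHORITIES_USERS_ALL": "(&(cn=support)(uniqueMember={0}))",
    "LDAP_AUTHORITIES_AGENTS_READ": "(&(cn=administrators)(uniqueMember={0}))",
    "LDAP_AUTHORITIES_STATISTICS_READ": (
        "(&(cn=administrators)(uniqueMember={0})),(&(cn=analysts)(uniqueMember={0}))"
    ),
}
AUTHORITY_PROPERTIES = {  # hypothetical authority names
    "LDAP_AUTHORITIES_USERS_ALL": "USERS_ALL",
    "LDAP_AUTHORITIES_AGENTS_READ": "AGENTS_READ",
    "LDAP_AUTHORITIES_STATISTICS_READ": "STATISTICS_READ",
}

# Constructed in-memory directory standing in for the LDAP server; attribute
# names are stored lowercased because LDAP attribute names are case-insensitive.
Entry = Dict[str, List[str]]
ALICE_DN = "uid=alice,ou=Users,dc=example,dc=com"
BOB_DN = "uid=bob,ou=Users,dc=example,dc=com"
USERS: List[Entry] = [
    {"dn": [ALICE_DN], "id": ["alice"]},
    {"dn": [BOB_DN], "id": ["bob"]},
]
GROUPS: List[Entry] = [
    {"cn": ["support"], "uniquemember": [ALICE_DN]},
    {"cn": ["administrators"], "uniquemember": [BOB_DN]},
    {"cn": ["analysts"], "uniquemember": [ALICE_DN]},
]

# RFC 4515 escaping for values substituted into a filter: a login name such as
# "*" is matched as a literal value, not interpreted as a wildcard.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def render_filter(template: str, value: str) -> str:
    """Replace the {0} placeholder with the escaped value; add outer parentheses if missing."""
    rendered = template.replace("{0}", escape_filter_value(value))
    return rendered if rendered.startswith("(") else f"({rendered})"


def _split_components(body: str) -> List[str]:
    """Split '(a=1)(b=2)' into its top-level parenthesised components."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(body[start : i + 1])
    return parts


def matches(filt: str, entry: Entry) -> bool:
    """Minimal filter evaluator: equality matches combined with &, | and !."""
    body = filt[1:-1]
    if body[:1] in ("&", "|", "!"):
        results = [matches(sub, entry) for sub in _split_components(body[1:])]
        return {"&": all, "|": any, "!": lambda r: not r[0]}[body[0]](results)
    attr, _, value = body.partition("=")
    return unescape_filter_value(value) in entry.get(attr.lower(), [])


def find_user(login: str) -> Optional[str]:
    """Resolve a login name to a user DN via LDAP_STARTER_SEARCH_USER_FILTER."""
    filt = render_filter(CONFIG["LDAP_STARTER_SEARCH_USER_FILTER"], login)
    for user in USERS:
        if matches(filt, user):
            return user["dn"][0]
    return None


def parse_multivalue(raw: str) -> List[str]:
    """Multi-value properties are comma separated (the * note above)."""
    return [v.strip() for v in raw.split(",") if v.strip()]


def resolve_authorities(config: Dict[str, str], user_dn: str) -> Set[str]:
    """Map group membership to authorities; LDAP_FULL_ACCESS_GRANTED short-circuits the filters."""
    if config.get("LDAP_FULL_ACCESS_GRANTED", "false").strip().lower() == "true":
        return set(AUTHORITY_PROPERTIES.values())
    granted: Set[str] = set()
    for prop, authority in AUTHORITY_PROPERTIES.items():
        for template in parse_multivalue(config.get(prop, "")):
            if any(matches(render_filter(template, user_dn), g) for g in GROUPS):
                granted.add(authority)
                break  # one matching group filter is enough for this authority
    return granted
```

Calling `resolve_authorities(CONFIG, find_user("alice"))` yields `USERS_ALL` (via the support group) and `STATISTICS_READ` (via the second, comma-separated analysts filter), while `find_user("*")` returns no user because the escaped `\2a` is compared as a literal. Setting `LDAP_FULL_ACCESS_GRANTED` to `true` grants every authority to any authenticated user regardless of the group filters, which is why it should stay `false` outside of test setups.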