LDAP authentication

In LDAP authentication the users log in with their credentials that are stored in an LDAP server. LDAP authentication is enabled by default but requires some configuration to be made.

Configuration

LDAP Access

Property Example Description
TOKEN_​SERVER_​ADMIN_​LDAP_​ENABLED true Flag to enable or disable LDAP authentication. By default it is enabled.
TOKEN_​SERVER_​ADMIN_​LDAP_​SERVER_​URLS ldap://localhost:1389 Comma separated list of LDAP server URLs.
TOKEN_​SERVER_​ADMIN_​LDAP_​BASE_​DN dc=example,dc=com Base DN of the LDAP server. Single value.
TOKEN_​SERVER_​ADMIN_​LDAP_​BIND_​DN cn=Directory Manager The bind user. This user is used to lookup subjects and group memberships in the LDAP. Single value.
TOKEN_​SERVER_​ADMIN_​LDAP_​BIND_​PWD Admin123 Password of the bind user. Single value.

User search configuration

There are two configuration options to lookup the user during login.

The first option can be used when the username is the same as its unique identifier in the LDAP:

Property Default value Description
TOKEN_​SERVER_​ADMIN_​LDAP_​USER_​DNS uid={0},ou=users Semicolon ; separated list of LDAP user search DNs. Relative from base DN. The {0} maps to the username field in the login form.

The second option is necessary when the user can enter a different value for the username than the unique identifier, e.g. their email address. The filter must return a unique result.

Property Default value Example Description
TOKEN_​SERVER_​ADMIN_​LDAP_​USER_​SEARCH_​BASE ou=people The start point for the user search, relative to TOKEN_SERVER_ADMIN_LDAP_BASE_DN. An empty value is valid. Single value.
TOKEN_​SERVER_​ADMIN_​LDAP_​USER_​SEARCH_​SUBTREE true false Boolean to indicate if users can be searched in subtrees of the base. true or false. Default is true. Single value.
TOKEN_​SERVER_​ADMIN_​LDAP_​USER_​SEARCH_​FILTER email={0} LDAP user search filter. LDAP query syntax is supported. Single value
TOKEN_​SERVER_​ADMIN_​LDAP_​USER_​SEARCH_​TIME_​LIMIT_​IN_​MS 0 5000 Timeout for the user search in milliseconds. Default is 0 (no timeout). Single value.

Note: You can leave property TOKEN_SERVER_ADMIN_LDAP_USER_DNS blank when the username in the login form is not the same as the unique identifier.

Group search configuration

Access to (parts of) the management interface is restricted to users with specific roles. These roles can be mapped to the group(s) they are member of in the LDAP. LDAP users that are not a member of the configured groups cannot get access to the management interface. At least one role must be mapped to a group to get access.

The following properties are needed to lookup the groups in the above configured LDAP.

Property Default value Description
TOKEN_​SERVER_​ADMIN_​LDAP_​GROUP_​SEARCH_​SUBTREE true Boolean to indicate if groups can be searched in subtrees of the base. true or false
TOKEN_​SERVER_​ADMIN_​LDAP_​GROUP_​SEARCH_​FILTER uniqueMember={0} LDAP group membership search filter. Single value.
TOKEN_​SERVER_​ADMIN_​LDAP_​GROUP_​SEARCH_​BASE ou=groups LDAP group search DN. Single value, relative from the base DN.
TOKEN_​SERVER_​ADMIN_​LDAP_​GROUP_​SEARCH_​GROUP_​NAME_​ATTRIBUTE cn Name attribute for the group. Single value.

Group mapping

The groups from LDAP should be mapped to roles within the Token Server Admin console. The access rights for the roles are described in the Roles overview page.

The following properties are needed to map the groups to roles:

Property Default value Description
TOKEN_​SERVER_​ADMIN_​LDAP_​GROUPS_​ADMIN_​GROUP_​NAME admin Comma separated list of groups that have Admin rights.
TOKEN_​SERVER_​ADMIN_​LDAP_​GROUPS_​OPERATOR_​GROUP_​NAME operator Comma separated list of groups that have Operator rights.
TOKEN_​SERVER_​ADMIN_​LDAP_​GROUPS_​HELPDESK_​GROUP_​NAME helpdesk Comma separated list of groups that have Helpdesk rights.

Examples

Basic example

  • Users are stored under ou=users,dc=example,dc=com
  • The username in the login form is the same as the uid in LDAP
  - TOKEN_SERVER_ADMIN_LDAP_SERVER_URLS=ldap://localhost:389
  - TOKEN_SERVER_ADMIN_LDAP_BASE_DN=dc=example,dc=com

Active Directory with multiple servers

  • Two servers: ad1 and ad2, both on port 1389
  • Users are stored under ou={department name},ou=Users,dc=example,dc=com
  • Users enter their userPrincipalName (email address) in the login form. The domain name (example.com) is optional in this form.
  • userPrincipalName is not the same as their DN.
  • A time out of 5 seconds is configured for the user lookup
  • Group membership is read from the member attribute
    • admin: Administrators
    • operator: Developers and Testers
    • helpdesk: Support
  - TOKEN_SERVER_ADMIN_LDAP_SERVER_URLS=ldap://ad1:1389,ldap://ad2:1389
  - TOKEN_SERVER_ADMIN_LDAP_BASE_DN=dc=example,dc=com

  - TOKEN_SERVER_ADMIN_LDAP_USER_DNS=
  - TOKEN_SERVER_ADMIN_LDAP_USER_SEARCH_BASE=ou=Users
  - TOKEN_SERVER_ADMIN_LDAP_USER_SEARCH_SUBTREE=true
  - TOKEN_SERVER_ADMIN_LDAP_USER_SEARCH_FILTER=(|(userPrincipalName={0})(userPrincipalName={0}@example.com))
  - TOKEN_SERVER_ADMIN_LDAP_USER_SEARCH_TIME_LIMIT_IN_MS=5000

  - TOKEN_SERVER_ADMIN_LDAP_GROUP_SEARCH_FILTER=member={0}

  - TOKEN_SERVER_ADMIN_LDAP_GROUPS_ADMIN_GROUP_NAME=Administrators
  - TOKEN_SERVER_ADMIN_LDAP_GROUPS_OPERATOR_GROUP_NAME=Developers,Testers
  - TOKEN_SERVER_ADMIN_LDAP_GROUPS_HELPDESK_GROUP_NAME=Support