LDAP authentication

With LDAP authentication, users log in with credentials that are stored in an LDAP server. LDAP authentication is always turned on and requires some configuration before it can be used.

LDAP Access

Property | Example | Description
TOKEN_SERVER_ADMIN_LDAP_ENABLED | true | Flag to enable or disable LDAP authentication. Enabled by default.
TOKEN_SERVER_ADMIN_LDAP_SERVER_URLS | ldap://localhost:1389 | Space separated list of LDAP connect URLs.
TOKEN_SERVER_ADMIN_LDAP_BASE_DN | dc=example,dc=com | Base DN of the LDAP server. Single value.
TOKEN_SERVER_ADMIN_LDAP_BIND_DN | cn=Directory Manager | The bind user. This user is used to look up subjects and group memberships in the LDAP server. Single value.
TOKEN_SERVER_ADMIN_LDAP_BIND_PWD | Admin123 | Password of the bind user. Single value.

User search configuration

The following properties are needed to perform the user lookup in the LDAP server configured above.

Property | Example | Description
TOKEN_SERVER_ADMIN_LDAP_USER_DNS | uid={0},ou=people | Semicolon separated list of LDAP user search DNs, relative to the base DN. The {0} placeholder is replaced by the value of the username field in the login form.

Group search configuration

Access to (parts of) the management interface is restricted to users with specific roles. These roles can be mapped to the LDAP group(s) a user is a member of. LDAP users that are not a member of any of the configured groups cannot access the management interface: at least one role must be mapped to a group the user belongs to.

The following properties are needed to look up the groups in the LDAP server configured above.

Property | Default value | Description
TOKEN_SERVER_ADMIN_LDAP_GROUP_SEARCH_SUBTREE | true | Whether groups are also searched in subtrees of the group search base (true or false).
TOKEN_SERVER_ADMIN_LDAP_GROUP_SEARCH_FILTER | uniqueMember={0} | LDAP group membership search filter. Single value.
TOKEN_SERVER_ADMIN_LDAP_GROUP_SEARCH_BASE | ou=groups | LDAP group search DN. Single value, relative to the base DN.
TOKEN_SERVER_ADMIN_LDAP_GROUP_SEARCH_GROUP_NAME_ATTRIBUTE | cn | Name attribute of the group. Single value.

Group mapping

The groups from LDAP should be mapped to roles within the Token Server Admin console. The access rights for the roles are described in the Roles overview page.

The following properties are needed to map the groups to roles:

Property | Example value | Description
TOKEN_SERVER_ADMIN_LDAP_GROUPS_ADMIN_GROUP_NAME | admin | Comma separated list of groups that have Admin rights.
TOKEN_SERVER_ADMIN_LDAP_GROUPS_OPERATOR_GROUP_NAME | operator | Comma separated list of groups that have Operator rights.
TOKEN_SERVER_ADMIN_LDAP_GROUPS_HELPDESK_GROUP_NAME | helpdesk | Comma separated list of groups that have Helpdesk rights.
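The following is an added example, not the Token Server's own code, showing how the {0} placeholders and the delimited lists from the user search, group search and group mapping tables above are expanded. The configuration values are constructed to match the tables; it is assumed that {0} in the group search filter receives the resolved user DN, and the login-form username is escaped before it is placed in a DN (RFC 4514) or a search filter (RFC 4515) so that characters typed into the form cannot alter the DN or filter structure.

```python
# Constructed values in the shape of the page's tables (assumption: not a real deployment).
CONFIG = {
    "TOKEN_SERVER_ADMIN_LDAP_BASE_DN": "dc=example,dc=com",
    "TOKEN_SERVER_ADMIN_LDAP_USER_DNS": "uid={0},ou=people;cn={0},ou=service",
    "TOKEN_SERVER_ADMIN_LDAP_GROUP_SEARCH_FILTER": "uniqueMember={0}",
    "TOKEN_SERVER_ADMIN_LDAP_GROUPS_ADMIN_GROUP_NAME": "admin,ldap-admins",
    "TOKEN_SERVER_ADMIN_LDAP_GROUPS_OPERATOR_GROUP_NAME": "operator",
    "TOKEN_SERVER_ADMIN_LDAP_GROUPS_HELPDESK_GROUP_NAME": "helpdesk",
}

_DN_SPECIAL = '\\,+"<>;='   # characters escaped with a backslash inside a DN value (RFC 4514)
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}  # RFC 4515


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514)."""
    out = "".join("\\" + c if c in _DN_SPECIAL else c for c in value)
    if out[:1] in ("#", " "):              # a leading '#' or space must be escaped
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "             # a trailing space must be escaped
    return out


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside a search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def user_dns(username: str) -> list:
    """Expand the semicolon separated USER_DNS templates into full DNs under the base DN."""
    base = CONFIG["TOKEN_SERVER_ADMIN_LDAP_BASE_DN"]
    templates = [t.strip() for t in CONFIG["TOKEN_SERVER_ADMIN_LDAP_USER_DNS"].split(";") if t.strip()]
    return [t.replace("{0}", escape_dn_value(username)) + "," + base for t in templates]


def group_filter(user_dn: str) -> str:
    """Fill {0} in the group search filter with the resolved user DN (assumption: {0} is the DN)."""
    flt = CONFIG["TOKEN_SERVER_ADMIN_LDAP_GROUP_SEARCH_FILTER"].replace("{0}", escape_filter_value(user_dn))
    return flt if flt.startswith("(") else "(" + flt + ")"


def roles_for_groups(group_names) -> set:
    """Map group names returned by the group search to console roles; an empty set means no access."""
    mapping = {"Admin": "TOKEN_SERVER_ADMIN_LDAP_GROUPS_ADMIN_GROUP_NAME",
               "Operator": "TOKEN_SERVER_ADMIN_LDAP_GROUPS_OPERATOR_GROUP_NAME",
               "Helpdesk": "TOKEN_SERVER_ADMIN_LDAP_GROUPS_HELPDESK_GROUP_NAME"}
    found = set(group_names)
    return {role for role, key in mapping.items()
            if found & {g.strip() for g in CONFIG[key].split(",") if g.strip()}}
```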