Oak comes with a default implementation of an LDAP identity provider that allows performing external authentication against an existing LDAP server in combination with user synchronization.
See section External Login Module and User Synchronization for a general overview of the ExternalLoginModule and how it can be used in combination with custom identity providers and synchronization handlers.
Out of the box Oak comes with the following LDAP integration setup:
The LdapIdentityProvider is a service implementing the ExternalIdentityProvider interface. Since Oak 1.6.1 it also implements the PrincipalNameResolver interface to allow for fast resolution from a given ExternalIdentityRef to a principal name as an optimization for the dynamic membership feature.
In an OSGi-based setup, the configuration options required to establish connections to the LDAP server are obtained from the properties associated with the service.
Otherwise, the identity provider must be instantiated with a corresponding LdapProviderConfig object that supplies the mandatory configuration options. The details of the LDAP configuration are listed below in section Configuration.
Currently the only way to combine multiple LDAP sources is to have multiple entries of the ExternalLoginModule configured in the JAAS setup, each with its own identity provider implementation and sync handler.
See OAK-1839 for an improvement request to allow multiple identity provider implementations to be configured with the ExternalLoginModule.
The following steps are required in order to configure LDAP integration with the Oak repository:
The LDAP IdPs are configured through the org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapProviderConfig, which is populated either via OSGi or during manual Repository Construction.
Name | Property | Description |
---|---|---|
LDAP Provider Name | provider.name | Name of this LDAP provider configuration. This is used to reference this provider by the login modules. |
Bind DN | bind.dn | DN of the user for authentication. Leave empty for anonymous bind. |
Bind Password | bind.password | Password of the user for authentication. |
LDAP Server Hostname | host.name | Hostname of the LDAP server |
Disable certificate checking | host.noCertCheck | Indicates if server certificate validation should be disabled. |
LDAP Server Port | host.port | Port of the LDAP server |
Use SSL | host.ssl | Indicates if an SSL (LDAPs) connection should be used. |
Use TLS | host.tls | Indicates if TLS should be started on connections. |
Search Timeout | searchTimeout | Time until a search times out (e.g. ‘1s’ or ‘1m 30s’). |
User base DN | user.baseDN | The base DN for user searches. |
User extra filter | user.extraFilter | Extra LDAP filter to use when searching for users. The final filter is formatted like: (&(<idAttr>=<userId>)(objectclass=<objectclass>)<extraFilter>) |
User id attribute | user.idAttribute | Name of the attribute that contains the user id. |
User DN paths | user.makeDnPath | Controls if the DN should be used for calculating a portion of the intermediate path. |
User object classes | user.objectclass | The list of object classes a user entry must contain. |
Group base DN | group.baseDN | The base DN for group searches. |
Group extra filter | group.extraFilter | Extra LDAP filter to use when searching for groups. The final filter is formatted like: (&(<nameAttr>=<groupName>)(objectclass=<objectclass>)<extraFilter>) |
Group DN paths | group.makeDnPath | Controls if the DN should be used for calculating a portion of the intermediate path. |
Group member attribute | group.memberAttribute | Group attribute that contains the member(s) of a group. |
Group name attribute | group.nameAttribute | Name of the attribute that contains the group name. |
Group object classes | group.objectclass | The list of object classes a group entry must contain. |
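The user.extraFilter and group.extraFilter rows above describe the shape of the final search filter, (&(<idAttr>=<userId>)(objectclass=<objectclass>)<extraFilter>). The one value in that filter that is not operator-controlled is the user id (or group name) supplied at login or lookup time, so whatever assembles the filter has to escape it per RFC 4515; otherwise a value containing `*`, `(` or `)` changes the structure of the query instead of being matched literally. The following Python is an added example, not Oak's own code, that builds the documented filter shape with that escaping in place and validates the operator-supplied extra filter. It assumes that a list of object classes expands to one (objectclass=...) term per entry (the page shows a single term) and that the extra filter is appended verbatim, as the table states.

```python
"""Assemble Oak-style LDAP search filters with RFC 4515 escaping of the
caller-supplied value. Added example; the objectclass expansion and the
verbatim appending of extraFilter are assumptions based on the config table."""

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user id / group name so it is matched literally by the LDAP server."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def validate_extra_filter(extra_filter: str) -> bool:
    """Sanity-check an operator-supplied extra filter (user.extraFilter /
    group.extraFilter): it must be empty or a parenthesised, balanced filter.
    Catches configuration typos before they yield a malformed query."""
    if extra_filter == "":
        return True
    if not (extra_filter.startswith("(") and extra_filter.endswith(")")):
        return False
    depth = 0
    for ch in extra_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def build_filter(attr: str, value: str, objectclasses, extra_filter: str = "") -> str:
    """Return (&(<attr>=<escaped value>)(objectclass=<oc>)...<extraFilter>).

    `attr` and `objectclasses` come from the provider configuration;
    `value` is the runtime user id or group name and is always escaped."""
    if not validate_extra_filter(extra_filter):
        raise ValueError(f"invalid extra filter: {extra_filter!r}")
    parts = [f"({attr}={escape_filter_value(value)})"]
    parts.extend(f"(objectclass={oc})" for oc in objectclasses)
    if extra_filter:
        parts.append(extra_filter)
    return "(&" + "".join(parts) + ")"


def user_filter(user_id: str) -> str:
    """Filter for a user lookup using constructed sample config values."""
    return build_filter("uid", user_id, ["inetOrgPerson"], "(ou=staff)")


def group_filter(group_name: str) -> str:
    """Filter for a group lookup using constructed sample config values."""
    return build_filter("cn", group_name, ["groupOfNames"])


if __name__ == "__main__":
    print(user_filter("alice"))
    # A constructed malformed id: every special character is escaped, so the
    # filter still matches a single literal uid rather than broadening the search.
    print(user_filter("*)(uid=*"))
    print(group_filter("admins"))
```

The escaping covers only assertion values inside a filter; distinguished names (bind.dn, user.baseDN, group.baseDN) follow different quoting rules (RFC 4514) and are not passed through this function.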
See External Login Module and User Synchronization for details about the external login module and configuration options for the DefaultSyncHandler.