
LDAP authentication allows you to use an LDAP directory as the primary authentication repository instead of the default OpenIAM repository. The LDAP login is still channelled through the OpenIAM Authentication service, which provides the following benefits compared with authenticating against LDAP directly:

  1. A single, centralized authentication service for the enterprise.
  2. Consistency across the authentication process: regardless of the repository that holds the credentials, the same set of policies (for example account lockout) is enforced.

Authentication Process

The following process is used when authenticating a user against LDAP:

  1. The user enters login credentials into the login interface.
  2. The Authentication service passes the request to the LDAPLoginModule.
  3. The login module searches the directory for the login value (the SEARCH_ATTRIBUTE under the BASE_DN of the configured repository).
  4. If the login value is not found, the service returns INVALID_LOGIN.
  5. If the login value is found, the module obtains the DN of the matching user entry.
  6. The module then authenticates against LDAP by binding with that DN and the password supplied by the user.
    1. Failure: return INVALID_PASSWORD and increment the auth-fail-count counter. After enough consecutive failures the account is locked.
    2. Success: look up the DN in the IDM repository to confirm that it is a valid identity for this repository.
    3. Finally, check the status of the user; if the user is locked or not active, return INVALID_STATUS.
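The flow above as an added worked example; this is illustrative code written for this page, not OpenIAM's own LDAPLoginModule. It implements a search-then-bind login in Python against an in-memory stand-in for both the directory and the IDM repository so that it runs offline. The class names, the sample entries (alice, bob, carol), the single-level base DN and the lockout threshold of three failures are assumptions; the result codes are the ones the page names. It also shows two checks a login module of this shape needs that the steps do not spell out: the login value is escaped before it is placed in the search filter, and an empty password is refused before the bind is attempted, because some directory servers treat a bind with a DN and an empty password as an unauthenticated bind that succeeds without verifying anything.

```python
# Added illustration of the search-then-bind flow described above; it is not
# OpenIAM's LDAPLoginModule.  The directory and the IDM repository are in-memory
# fakes so the example runs offline; the names, sample entries and lockout
# threshold are assumptions.
import hmac
import re
from dataclasses import dataclass

INVALID_LOGIN, INVALID_PASSWORD, INVALID_STATUS, SUCCESS = (
    "INVALID_LOGIN", "INVALID_PASSWORD", "INVALID_STATUS", "SUCCESS")
LOCKOUT_THRESHOLD = 3           # assumption: the page only says "ultimately" lock
BASE_DN = "ou=people,dc=example,dc=com"


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in a search filter; without it a
    login such as '*' or 'x)(uid=*' rewrites the filter (LDAP injection)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


class FakeDirectory:
    """Stand-in LDAP server holding {dn: {attribute: value}} (constructed data)."""

    def __init__(self, entries):
        self.entries = entries

    @staticmethod
    def _matches(attr_value, filter_value):
        # Parse the filter value as a server would: '\xx' is a literal byte,
        # an unescaped '*' is a wildcard.
        pattern, i = "", 0
        while i < len(filter_value):
            c = filter_value[i]
            if c == "\\":
                pattern += re.escape(chr(int(filter_value[i + 1:i + 3], 16)))
                i += 3
            else:
                pattern += ".*" if c == "*" else re.escape(c)
                i += 1
        return re.fullmatch(pattern, attr_value) is not None

    def search(self, base_dn, attribute, filter_value):
        """DNs under base_dn whose <attribute> matches (<attribute>=<filter_value>)."""
        return [dn for dn, attrs in self.entries.items()
                if dn.endswith(base_dn) and attribute in attrs
                and self._matches(attrs[attribute], filter_value)]

    def bind(self, dn, password):
        """Simple bind.  Modelled on servers that accept a DN with an empty
        password as an *unauthenticated* bind (RFC 4513 5.1.2): it 'succeeds'
        without checking anything, so the caller must never send one."""
        if password == "":
            return True
        attrs = self.entries.get(dn)
        return attrs is not None and hmac.compare_digest(
            attrs.get("userPassword", ""), password)


@dataclass
class IdmIdentity:
    """The IDM repository's record for a directory user (the dict key is the DN)."""
    status: str = "ACTIVE"          # ACTIVE, INACTIVE or LOCKED
    auth_fail_count: int = 0


def authenticate(login, password, directory, idm, search_attribute="uid"):
    """Steps 3-6 of the process: lookup, DN, bind, IDM identity, status.
    idm is {dn: IdmIdentity} and stands in for the OpenIAM repository."""
    if not login or not password:
        return INVALID_PASSWORD     # never reach bind() with an empty password
    dns = directory.search(BASE_DN, search_attribute, escape_filter_value(login))
    if len(dns) != 1:
        return INVALID_LOGIN        # unknown login, or ambiguous (several hits)
    dn = dns[0]
    if not directory.bind(dn, password):
        identity = idm.get(dn)
        if identity is not None:
            identity.auth_fail_count += 1
            if identity.auth_fail_count >= LOCKOUT_THRESHOLD:
                identity.status = "LOCKED"
        return INVALID_PASSWORD
    identity = idm.get(dn)
    if identity is None:
        return INVALID_LOGIN        # assumption: page names no code for a DN unknown to IDM
    if identity.status != "ACTIVE":
        return INVALID_STATUS       # locked or not active
    identity.auth_fail_count = 0    # successful login resets the failure counter
    return SUCCESS


def sample_environment():
    """Constructed sample data: three directory users, carol inactive in IDM."""
    people = {"alice": "alice-pw", "bob": "bob-pw", "carol": "carol-pw"}
    directory = FakeDirectory({f"uid={u},{BASE_DN}": {"uid": u, "userPassword": pw}
                               for u, pw in people.items()})
    idm = {f"uid=alice,{BASE_DN}": IdmIdentity(),
           f"uid=bob,{BASE_DN}": IdmIdentity(),
           f"uid=carol,{BASE_DN}": IdmIdentity(status="INACTIVE")}
    return directory, idm
```

With the sample data, authenticate("alice", "alice-pw", ...) returns SUCCESS, an unknown login returns INVALID_LOGIN, a wrong password returns INVALID_PASSWORD and bumps the counter, three wrong passwords for bob set his IDM status to LOCKED so that even his correct password then yields INVALID_STATUS, and carol's correct password yields INVALID_STATUS because she is inactive. A login of "*" returns INVALID_LOGIN because the escaped wildcard matches no entry, whereas the same raw "*" passed straight to search() would match every user, which is the injection the escaping prevents.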

Configure the Authentication Repository

If authentication needs to use a directory other than the OpenIAM repository, an authentication repository must be defined. This is done through the admin console using the steps below.

  • Log into the admin console.
  • Select Resource from the Access Control menu.
  • Select Authentication Repository from the Resource Type list shown below.
  • To update an existing configuration, click the resource name in the search results. To start a new configuration, click New Resource.

On the screen shown below, define the parameters of the repository. Each field and its meaning:

HOST_LOGIN_ID: Admin (service) account that OpenIAM binds with to search the directory for users. It only needs read access to the user entries.

PASSWORD: Password of the admin account.

HOST_URL: URL of the directory, e.g. ldap://localhost:1389/

COMMUNICATION_PROTOCOL: SSL or CLEAR. Determines whether communication with the repository is protected by SSL or sent in clear text. Use SSL for anything other than a loopback test setup: with CLEAR the admin bind credentials and every user's password cross the network unencrypted.

BASE_DN: Subtree of the LDAP tree under which user entries are searched.

OBJECT_CLASS: LDAP object class of the user entries (for example inetOrgPerson); the search is restricted to entries of this class.

SEARCH_ATTRIBUTE: LDAP attribute (for example uid) that the login value entered by the user is matched against to find the user's DN.

MANAGED_SYS_ID: ID of the managed system in OpenIAM that corresponds to this directory.

Configure the Authentication Policy

Once the repository has been configured, it must be applied to the authentication policy through the following parameters:

DEFAULT_LOGIN_MOD: Select LDAP Login Module.

AUTH_REPOSITORY: Select the authentication repository created above.
