OpenEdge Authentication Gateway Guide

Configuring LDAP Connections in a Security Token Service (STS)

Configuring an LDAP (Active Directory) service as an OpenEdge domain’s point of user account authentication requires obtaining information about the directory service and then translating that information into a set of STS configuration properties.
It helps if you have some familiarity with directory services, particularly regarding their organization, the attribute names of the stored objects, and how to search for user accounts and other objects. The following provides some of that information and may shorten the time needed to successfully authenticate users to an LDAP service.
There is always a core set of information that you will need to obtain to configure and test user authentication via an LDAP service. Because each LDAP directory service’s hierarchical tree of objects (including user account objects) is customized for each deployment site, you must obtain information from the LDAP service administrator. All of the core information will be applied to properties (sts.ldap.xxxx) used by the STS’s LDAP authentication process. For example:
*The LDAP directory service’s URL, including the hostname, port and base-dn information:
sts.ldap.context.providerUrl=ldap://host[:port][/base-dn]
*The DN (Distinguished Name) and password of an existing LDAP user account that may be used to search for and locate the user account being authenticated:
sts.ldap.context.userDn=ldap-user-dn
sts.ldap.context.password=ldap-user-password
*The information needed to build the LDAP search query used to locate the LDAP account of the user being authenticated. The search query requires the location (DN) of where to begin the search and the LDAP user account attribute name that contains the user-id of the user being authenticated:
sts.ldap.user.searchBase=search-base-dn
sts.ldap.user.searchFilter=(attr-name={0})
Note: Common attr-name values are uid for UNIX LDAP servers and sAMAccountName for Windows Active Directory. Your LDAP administrator can provide the attribute names used for user accounts.
*STS LDAP user authentication requires that the LDAP user account (DN) be a member of at least one LDAP group object. So you must supply the starting location of the LDAP group search, the group object’s attribute name holding the authenticated user’s DN, and the group object’s DN field name holding the group (Role) name:
sts.ldap.group.searchBase=search-base-dn
sts.ldap.group.searchFilter=(group-attr-name={0})
sts.ldap.group.roleAttribute=cn
An example configuration may look like:
sts.ldap.context.providerUrl=ldap://ldap.acme.com:389
sts.ldap.context.userDn=uid=admin,ou=system
sts.ldap.context.password=secret
sts.ldap.user.searchBase=ou=users,o=acme,dc=acme,dc=com
sts.ldap.user.searchFilter=(uid={0})
sts.ldap.user.searchSubtree=true
sts.ldap.group.searchBase=ou=groups,o=acme,dc=acme,dc=com
sts.ldap.group.searchFilter=(uniqueMember={0})
sts.ldap.group.roleAttribute=cn
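As an added illustration (not part of the OpenEdge documentation or product code), the following Python script assembles, from a constructed copy of the example configuration above, the two LDAP searches that these properties imply: the user search that substitutes the user-id for {0}, and the group search that substitutes the located user DN for {0}. It also shows the RFC 4515 escaping that the substituted value needs so that a user-id containing filter metacharacters is matched literally; the function names, the scope labels and the idea of passing the located user DN in directly (no directory server is contacted) are assumptions of this example.

```python
"""Derive the LDAP searches an STS performs from its sts.ldap.* properties."""
from urllib.parse import urlparse
# Constructed sample: the example property set shown on this page.
SAMPLE_PROPS = """\
sts.ldap.context.providerUrl=ldap://ldap.acme.com:389
sts.ldap.context.userDn=uid=admin,ou=system
sts.ldap.context.password=secret
sts.ldap.user.searchBase=ou=users,o=acme,dc=acme,dc=com
sts.ldap.user.searchFilter=(uid={0})
sts.ldap.user.searchSubtree=true
sts.ldap.group.searchBase=ou=groups,o=acme,dc=acme,dc=com
sts.ldap.group.searchFilter=(uniqueMember={0})
sts.ldap.group.roleAttribute=cn
"""

def parse_props(text):
    """Parse Java-style key=value properties; blank and '#' lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def parse_provider_url(url):
    """Split ldap://host[:port][/base-dn] into (host, port, base_dn)."""
    u = urlparse(url)
    if u.scheme not in ("ldap", "ldaps") or not u.hostname:
        raise ValueError("providerUrl must be ldap://host[:port][/base-dn]")
    port = u.port or (636 if u.scheme == "ldaps" else 389)
    return u.hostname, port, u.path.lstrip("/") or None

def escape_filter_value(value):
    """RFC 4515 escaping: the value substituted for {0} is matched literally."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)
def fill_filter(template, value):
    return template.replace("{0}", escape_filter_value(value))

def plan_authentication(props, user_id, user_dn):
    """Searches the STS issues: locate the account, then its groups (user_dn = DN found)."""
    host, port, _ = parse_provider_url(props["sts.ldap.context.providerUrl"])
    subtree = props.get("sts.ldap.user.searchSubtree", "false").lower() == "true"
    user_filter = fill_filter(props["sts.ldap.user.searchFilter"], user_id)
    group_filter = fill_filter(props["sts.ldap.group.searchFilter"], user_dn)
    return {"server": (host, port),
            "user_search": (props["sts.ldap.user.searchBase"], user_filter,
                            "subtree" if subtree else "one-level"),
            "group_search": (props["sts.ldap.group.searchBase"], group_filter,
                             props["sts.ldap.group.roleAttribute"])}
```

Comparing the filters this produces with what the TRACE log below shows is a quick way to confirm that searchBase, searchFilter and roleAttribute were taken from the intended properties.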
Debugging an STS LDAP authentication involves enabling logging in the STS’s logging configuration file logging.xml and adding the entry:
<logger name="org.springframework.security.ldap" level="TRACE" />