accessmanagerldap

This configuration is required when using the plugin AccessManager_Ldap.

<ldap> (required)

AccessManager_Ldap provides the connection of Cadenza to a LDAP server.

supportsAutoLogin (optional attribute, boolean)

Specifies whether the auto-login mechanism is supported. The default value is `false`. The value must be set to `true` for event-driven notification in job scheduling (http://example.com) for the subscription function.

Default: false

<server> (required)

Server settings.

referral (optional attribute, xsd:string)

  ignore: LDAP referrals are ignored.
  follow: LDAP referrals are followed.
  throw: An error is raised.

Specifies how LDAP referrals (references to other directory entries or servers) are handled: with `follow` they are followed, with `ignore` they are ignored, and with the default `throw` an error is raised.

Default: throw

<url> (required, string)

URL of the LDAP server. An LDAPS URL is also possible.

</url>
<fallback-url> (optional, string)

URL (can be an LDAPS URL) to an alternative LDAP server for all further accesses, if accessing the regular LDAP server results in errors due to malfunctions, failures or maintenance work. The alternative URL is used until the next restart. The alternative LDAP server must be analogous to the regular LDAP server: The same credentials and context paths must be valid and, if applicable, the same LDAP references must be configured.

</fallback-url>
<context-base> (required, string)

Context base: the part of the LDAP DN that represents the root element or domain in the directory tree.

</context-base>
Choice: Choose only ONE of the following
<one-step-authentication> (required)

DEPRECATED: No longer supported. Please use the two-step-authentication instead.

<login> (optional)

DEPRECATED: No longer supported.

<username> (required, string)

DEPRECATED: No longer supported.

</username>
<password> (required, string)

DEPRECATED: No longer supported.

</password>
</login>
<userid-pattern-list> (required)

DEPRECATED: No longer supported.

<userid-pattern> (required, max. unbounded, string)

DEPRECATED: No longer supported.

</userid-pattern>
</userid-pattern-list>
</one-step-authentication>
<two-step-authentication> (required)

Authentication to the LDAP server is performed in two steps. In the first step, the LDAP DN for the user name entered in the GUI is looked up using the specified technical user. In the second step, the login is performed using the DN found and the password entered in the GUI.

<login> (required)

Access settings for the technical user of the LDAP server.

Choice: Choose only ONE of the following
<username> (required, string)

DN of the technical user without context base.

</username>
<fullDN> (required, string)

Full DN of the technical user.

</fullDN>
Choice End
<password> (required, string)

Encoded password of the technical user. Use the Cadenza encoder for the encoding.

</password>
</login>
<user-lookup-attribute> (required, string)

Name of the DN attribute in which the user name entered in the GUI should be looked up. Usually sAMAccountName in Microsoft Active Directory (MSAD). From this, the complete DN of the user can be determined.

</user-lookup-attribute>
</two-step-authentication>
Choice End
<user-mail-attribute> (required, string)

LDAP attribute with the e-mail addresses of the users. Its respective value is transferred to Cadenza after authentication and can be retrieved there via the user variable common:email. The email attribute must also be specified if job scheduling is used. Important: The attribute must also be defined in the `<attributes>` block.

Default: mail

</user-mail-attribute>
<user-real-name-attribute> (optional, string)

LDAP attribute with the real names of the users. Its respective value is transferred to Cadenza after authentication and can be retrieved there via the user variable common:realName. Important: The attribute must also be defined in the `<attributes>` block.

Default: realname

</user-real-name-attribute>
<rule> (optional, max. unbounded)

Settings for a fixed rule to assign users to groups. Fixed rules: The user is assigned to the given Cadenza group if a certain condition is met for one of the DN attributes. Dynamic rules: If Cadenza groups and LDAP groups have identical names, the user can be assigned to all Cadenza groups they also belong to in LDAP. Multiple rules can be specified, and the user is assigned to the groups from all rules.

Example: Check whether a particular attribute of the LDAP DN associated with the user meets certain specifications.

  <rule>
    <group-name>Example</group-name>
    <context>${UserDn}</context>
    <filter>mail=*@example.com</filter>
  </rule>

If the LDAP DN belonging to the user uid=my_username,dc=example,dc=com has an attribute mail ending with @example.com, the user is assigned to the Cadenza group Example.

Example: Check whether the LDAP user belongs to an LDAP group.

  <rule>
    <group-name>public</group-name>
    <context>cn=team-a,ou=groups</context>
    <filter>member=${UserDn}</filter>
  </rule>

If the LDAP object with the LDAP DN cn=team-a,ou=groups,dc=example,dc=com has an attribute member containing the LDAP DN of the user, the user is assigned to the Cadenza group public.

Example: Check whether a particular LDAP object has a particular attribute assigned with the user's login name.

  <rule>
    <group-name>water</group-name>
    <context>ou=people</context>
    <filter>uid=${LoginName}</filter>
  </rule>

If an LDAP object below the LDAP object with the LDAP DN ou=people,dc=example,dc=com has the attribute uid set to the login name of the user, the user is assigned to the Cadenza group water.

<group-name> (required, string)

Name of the group in the Cadenza user management to which the user will be assigned if the conditions of the rule are met and the group exists. Example: Disy.

</group-name>
<context> (required, string)

LDAP search context. For DNs without context base, it will be added automatically. Examples: ${UserDn}, cn=team-a,ou=groups.

</context>
<filter> (required, string)

Attribute-value pair to be checked within the LDAP object that is defined by the search context. Example: mail=*@example.com. Complex filters over multiple attributes can also be entered directly in LDAP notation, except that the & character must be written as &amp; in the XML file. Examples:

  AND: &(attribute1=value1)(attribute2=value2)
  OR: |(attribute1=value1)(attribute2=value2)
  NEGATION: !(attribute1=value1)

</filter>
</rule>
<dynamic-group-rule> (optional, max. unbounded)

Settings for a dynamic rule to assign groups to users. Fixed rules: The user is assigned to the given Cadenza group if a certain condition is met for one of the DN attributes. Dynamic rules: If Cadenza groups and LDAP groups have identical names, the user can be assigned to all groups in Cadenza he also belongs to in LDAP. Multiple rules can be specified, and the user will be assigned to the groups from all rules.

<context> (required, string)

LDAP search context. For DNs without context base, it will be added automatically. Example: ou=cadenza,ou=groups,ou=iam2,dc=disy,dc=net.

</context>
<filter> (required, string)

Attribute-value pair to be checked within the LDAP object that is defined by the search context. Example: uniqueMember=${UserDn}.

</filter>
</dynamic-group-rule>
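The following is an added example and not code from Cadenza or the AccessManager_Ldap plugin. It simulates, offline and against a constructed in-memory directory, the two-step lookup described for <two-step-authentication> (login name resolved to a DN via the lookup attribute) and the evaluation of the <rule> and <dynamic-group-rule> entries above: placeholder substitution for ${UserDn} and ${LoginName}, automatic addition of the context base, the documented filter notation including &, | and !, and the requirement that a group must exist in Cadenza before it is assigned. DIRECTORY, RULES, DYNAMIC_RULES, CADENZA_GROUPS and all DNs and values are constructed for this example; how the plugin itself matches filters is not shown on this page.

```python
# Added example (not part of Cadenza/AccessManager_Ldap): two-step user lookup
# plus fixed and dynamic rule evaluation against a constructed directory.
import fnmatch

CONTEXT_BASE = "dc=example,dc=com"                              # constructed <context-base>
CADENZA_GROUPS = {"Example", "public", "water", "gis-editors"}  # constructed Cadenza groups

# Constructed directory: DN -> attributes (every value is a list, as in LDAP).
DIRECTORY = {
    "uid=my_username,ou=people,dc=example,dc=com": {
        "sAMAccountName": ["my_username"], "uid": ["my_username"],
        "mail": ["my_username@example.com"]},
    "uid=other,ou=people,dc=example,dc=com": {
        "sAMAccountName": ["other"], "uid": ["other"],
        "mail": ["other@partner.org"]},
    "cn=team-a,ou=groups,dc=example,dc=com": {
        "cn": ["team-a"], "member": ["uid=my_username,ou=people,dc=example,dc=com"]},
    "cn=gis-editors,ou=cadenza,ou=groups,dc=example,dc=com": {
        "cn": ["gis-editors"], "uniqueMember": ["uid=other,ou=people,dc=example,dc=com"]},
}

# Constructed <rule> entries mirroring the three documented examples.
RULES = [
    {"group-name": "Example", "context": "${UserDn}", "filter": "mail=*@example.com"},
    {"group-name": "public", "context": "cn=team-a,ou=groups", "filter": "member=${UserDn}"},
    {"group-name": "water", "context": "ou=people", "filter": "uid=${LoginName}"},
]
# Constructed <dynamic-group-rule>: LDAP groups below the context whose
# uniqueMember lists the user; their cn must equal a Cadenza group name.
DYNAMIC_RULES = [{"context": "ou=cadenza,ou=groups", "filter": "uniqueMember=${UserDn}"}]


def qualify(dn):
    """Append the context base to a DN that does not already end with it."""
    dn = dn.strip()
    return dn if dn.lower().endswith(CONTEXT_BASE.lower()) else f"{dn},{CONTEXT_BASE}"


def _top_level_groups(s):
    """Split '(a)(b)(...)' into its top-level parenthesised terms."""
    groups, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            depth += 1
            if depth == 1:
                start = i + 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                groups.append(s[start:i])
    return groups


def matches(attrs, filt):
    """Evaluate a filter in the documented notation: 'attr=value' with '*'
    wildcards, or &(...)(...), |(...)(...), !(...), nested to any depth.
    The XML parser has already turned '&amp;' back into '&' at this point."""
    filt = filt.strip()
    if filt[:1] in ("&", "|", "!"):
        results = [matches(attrs, term) for term in _top_level_groups(filt[1:])]
        return {"&": all, "|": any, "!": lambda r: not any(r)}[filt[0]](results)
    attr, _, pattern = filt.partition("=")
    return any(fnmatch.fnmatchcase(v.lower(), pattern.strip().lower())
               for v in attrs.get(attr.strip(), []))


def objects_below(context_dn):
    """The entry with this DN plus every entry beneath it (subtree scope)."""
    ctx = context_dn.lower()
    return [(dn, attrs) for dn, attrs in DIRECTORY.items()
            if dn.lower() == ctx or dn.lower().endswith("," + ctx)]


def lookup_user_dn(login_name, lookup_attribute="sAMAccountName"):
    """Step one of two-step authentication: resolve the GUI login name to a DN
    via the lookup attribute. Exactly one hit is required; an unknown or
    ambiguous login name is rejected rather than guessed."""
    hits = [dn for dn, attrs in objects_below(CONTEXT_BASE)
            if login_name in attrs.get(lookup_attribute, [])]
    return hits[0] if len(hits) == 1 else None


def groups_for(login_name):
    """Groups the user receives from all fixed and dynamic rules; only groups
    that exist in Cadenza are assigned."""
    user_dn = lookup_user_dn(login_name)
    if user_dn is None:
        return []

    def expand(text):
        return text.replace("${UserDn}", user_dn).replace("${LoginName}", login_name)

    groups = []
    for rule in RULES:
        found = objects_below(qualify(expand(rule["context"])))
        if rule["group-name"] in CADENZA_GROUPS and any(
                matches(attrs, expand(rule["filter"])) for _, attrs in found):
            groups.append(rule["group-name"])
    for rule in DYNAMIC_RULES:
        for _, attrs in objects_below(qualify(expand(rule["context"]))):
            if matches(attrs, expand(rule["filter"])):
                groups.extend(g for g in attrs.get("cn", []) if g in CADENZA_GROUPS)
    return groups


if __name__ == "__main__":
    for name in ("my_username", "other", "nobody"):
        print(name, "->", groups_for(name))
```

Running the block prints the groups for the two constructed users and an empty list for an unknown login name. The lookup deliberately refuses an ambiguous login name (two entries with the same lookup attribute value) instead of picking the first hit, which is the behaviour to want from step one of the two-step scheme; the real server-side semantics of the plugin are not described on this page.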
<attributes> (optional)

LDAP attributes whose values are to be transferred to Cadenza after authentication so that they can be used there via user variables. Each user variable has the prefix `user` (`user.<ldap-attribute-name or cadenzaName>`, see below).

<attribute> (optional, max. unbounded; content: xsd:string)

LDAP attribute to be passed to Cadenza as a user property after authentication, so that it can be used via a user variable (if <propertyMapping> is configured in accessmanager-config.xml and used for this user). The element content is the name of the LDAP attribute.
cadenzaName (optional attribute, string)

Name of the user variable if it is to differ from the name of the LDAP attribute. The original name cannot then be used. This option can be helpful, for example, when switching between LDAP servers on which the attributes are named differently.

</attribute>
</attributes>
</server>
</ldap>
This is a generated sample file with fake data showing all possible options; refer to the documentation above for which combinations are valid and which elements are required.
cadenzaconfig:
  settings:
    accessmanagerldap:
      supportsAutoLogin: true
      server:
        referral: "text"
        url: "text"
        fallback-url: "text"
        context-base: "text"
        one-step-authentication:
          login:
            username: "text"
            password: "text"
          userid-pattern-list:
          - "text"
          - "text"
        two-step-authentication:
          login:
            username: "text"
            fullDN: "text"
            password: "text"
          user-lookup-attribute: "text"
        user-mail-attribute: "text"
        user-real-name-attribute: "text"
        rule:
        - group-name: "text"
          context: "text"
          filter: "text"
        - group-name: "text"
          context: "text"
          filter: "text"
        dynamic-group-rule:
        - context: "text"
          filter: "text"
        - context: "text"
          filter: "text"
        attributes:
        - cadenzaName: "text"
          value: "text"
        - cadenzaName: "text"
          value: "text"

Filename: accessmanagerldap-config.xml

This is a generated sample file with fake data showing all possible options; refer to the documentation above for which combinations are valid and which elements are required.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ldap supportsAutoLogin="true">
  <server referral="text">
    <url>text</url>
    <fallback-url>text</fallback-url>
    <context-base>text</context-base>
    <one-step-authentication>
      <login>
        <username>text</username>
        <password>text</password>
      </login>
      <userid-pattern-list>
        <userid-pattern>text</userid-pattern>
        <userid-pattern>text</userid-pattern>
      </userid-pattern-list>
    </one-step-authentication>
    <two-step-authentication>
      <login>
        <username>text</username>
        <fullDN>text</fullDN>
        <password>text</password>
      </login>
      <user-lookup-attribute>text</user-lookup-attribute>
    </two-step-authentication>
    <user-mail-attribute>text</user-mail-attribute>
    <user-real-name-attribute>text</user-real-name-attribute>
    <rule>
      <group-name>text</group-name>
      <context>text</context>
      <filter>text</filter>
    </rule>
    <rule>
      <group-name>text</group-name>
      <context>text</context>
      <filter>text</filter>
    </rule>
    <dynamic-group-rule>
      <context>text</context>
      <filter>text</filter>
    </dynamic-group-rule>
    <dynamic-group-rule>
      <context>text</context>
      <filter>text</filter>
    </dynamic-group-rule>
    <attributes>
      <attribute cadenzaName="text">text</attribute>
      <attribute cadenzaName="text">text</attribute>
    </attributes>
  </server>
</ldap>
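The sample above shows every element at once, including combinations the documentation forbids (both authentication variants, both username and fullDN). The following added example, which is not part of Cadenza or the AccessManager_Ldap plugin, is a pre-deployment check for accessmanagerldap-config.xml that enforces the constraints stated in the documentation: exactly one authentication variant, exactly one of username/fullDN, a password and lookup attribute for two-step authentication, the referral enumeration, an LDAP URL, and declaration of the mail and real-name attributes inside <attributes>. It also flags a plain ldap:// URL, since without LDAPS the technical user's bind and the users' passwords cross the network unencrypted. SAMPLE_CONFIG, BROKEN_CONFIG, the server name, credentials and the function name check_ldap_config are constructed for this example.

```python
# Added example (not part of Cadenza/AccessManager_Ldap): consistency checks
# for an accessmanagerldap-config.xml file, based on the documented constraints.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed configuration: placeholder server name, DNs and credentials.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ldap supportsAutoLogin="false">
  <server referral="follow">
    <url>ldaps://ldap.example.com:636</url>
    <context-base>dc=example,dc=com</context-base>
    <two-step-authentication>
      <login>
        <username>cn=cadenza-bind,ou=service</username>
        <password>ENCODED-PASSWORD-PLACEHOLDER</password>
      </login>
      <user-lookup-attribute>sAMAccountName</user-lookup-attribute>
    </two-step-authentication>
    <user-mail-attribute>mail</user-mail-attribute>
    <user-real-name-attribute>displayName</user-real-name-attribute>
    <rule>
      <group-name>Example</group-name>
      <context>${UserDn}</context>
      <filter>&amp;(mail=*@example.com)(objectClass=person)</filter>
    </rule>
    <attributes>
      <attribute>mail</attribute>
      <attribute cadenzaName="realName">displayName</attribute>
    </attributes>
  </server>
</ldap>"""

REFERRAL_VALUES = ("ignore", "follow", "throw")


def _text(element, tag):
    """Stripped text of a direct child, or None when the child is absent."""
    child = element.find(tag)
    return (child.text or "").strip() if child is not None else None


def check_ldap_config(xml_text):
    """Return a list of findings; an empty list means the file passes."""
    findings = []
    root = ET.fromstring(xml_text)
    server = root.find("server")
    if root.tag != "ldap" or server is None:
        return ["root element must be <ldap> with a <server> child"]

    referral = server.get("referral", "throw")
    if referral not in REFERRAL_VALUES:
        findings.append(f"referral must be one of {REFERRAL_VALUES}, got {referral!r}")

    for tag in ("url", "fallback-url"):
        url = _text(server, tag)
        if url is None:
            if tag == "url":
                findings.append("<url> is required")
            continue
        scheme = urlsplit(url).scheme.lower()
        if scheme not in ("ldap", "ldaps"):
            findings.append(f"<{tag}> is not an LDAP URL: {url!r}")
        elif scheme == "ldap":
            findings.append(f"<{tag}> uses ldap:// without TLS: bind credentials and "
                            "user passwords cross the network unencrypted; prefer ldaps://")

    if _text(server, "context-base") is None:
        findings.append("<context-base> is required")

    # Choice: exactly one authentication variant, and the one-step variant is deprecated.
    auth = [t for t in ("one-step-authentication", "two-step-authentication")
            if server.find(t) is not None]
    if len(auth) != 1:
        findings.append("exactly one of <one-step-authentication>/<two-step-authentication> is required")
    if "one-step-authentication" in auth:
        findings.append("<one-step-authentication> is deprecated; migrate to <two-step-authentication>")
    two_step = server.find("two-step-authentication")
    if two_step is not None:
        login = two_step.find("login")
        ids = [t for t in ("username", "fullDN") if login is not None and login.find(t) is not None]
        if len(ids) != 1:
            findings.append("<two-step-authentication>/<login> needs exactly one of <username>/<fullDN>")
        if login is None or not _text(login, "password"):
            findings.append("<two-step-authentication>/<login>/<password> is required")
        if not _text(two_step, "user-lookup-attribute"):
            findings.append("<user-lookup-attribute> is required")

    # The mail and real-name attributes must also be declared in <attributes>.
    declared = {(a.text or "").strip() for a in server.iter("attribute")}
    for tag in ("user-mail-attribute", "user-real-name-attribute"):
        name = _text(server, tag)
        if name is None:
            if tag == "user-mail-attribute":
                findings.append("<user-mail-attribute> is required")
        elif name not in declared:
            findings.append(f"<{tag}> {name!r} is not declared in <attributes>")

    for rule in list(server.iter("rule")) + list(server.iter("dynamic-group-rule")):
        if not _text(rule, "context") or not _text(rule, "filter"):
            findings.append(f"<{rule.tag}> needs a non-empty <context> and <filter>")
    return findings


# Constructed negative case: plain ldap:// and the mail attribute missing from <attributes>.
BROKEN_CONFIG = SAMPLE_CONFIG.replace("ldaps://", "ldap://").replace("<attribute>mail</attribute>", "")

if __name__ == "__main__":
    print("sample:", check_ldap_config(SAMPLE_CONFIG))
    print("broken:", check_ldap_config(BROKEN_CONFIG))
```

The checker reads the file with the XML parser, so a filter written as &amp; in the file arrives as & here, exactly as the <filter> documentation requires. The password check only tests for presence; whether the value was produced by the Cadenza encoder cannot be verified from the file alone.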