Introduction
This KB describes:
1) LDAP settings available in SPN9
2) How to activate LDAP
3) How to retrieve LDAP information
1) LDAP Settings available in SPN9
LDAP settings are available from administration > Authentication settings > LDAP settings
General settings:
Setting | Description | Examples |
---|---|---|
LDAP URL* | Base URL used to connect to your LDAP server | `ldap://server:389`, `ldaps://server:636` |
LDAP search base* | Base object of your search | `ou=people,dc=example,dc=com` |
LDAP search filter* | Criteria used to select the account. The token `{{username}}` is replaced by the login. | `(uid={{username}})`, `(sAMAccountName={{username}})`, `(userPrincipalName={{username}})`, `(&(mail={{username}}))` |
Search attributes* | List of all attributes retrieved from the user entry | `mail, givenName, sn, uid` or `userPrincipalName, givenName, familyName, email` |
adminDN | Service account used to connect to LDAP | `uid=systran-ldap-acccount,dc=example,dc=com` |
Password for adminDN | Password of the service account | |
TLS Options for LDAP server | Additional TLS options | |
Use `ldaps://` (or the TLS options) so that the adminDN password and the users' credentials are not sent in clear text, and make adminDN a read-only account limited to the search base: it only needs to look users up.
LDAP mapping settings:
Setting | Description | Examples |
---|---|---|
Mapping of identifier* | Attribute used as identifier. In most cases this is the login. | `uid`, `userPrincipalName` |
Mapping of email* | Email attribute | |
Mapping of given name* | First name attribute | `givenName` |
Mapping of family name* | Last name attribute | `familyName`, `sn` |
Mapping of groups | Multi-valued attribute containing the list of groups the user belongs to | `memberOf` |
Note that every mapped attribute must also be present in the "Search attributes" list, otherwise it is not retrieved and the mapping stays empty.
Groups filter:
Setting | Description | Examples |
---|---|---|
Groups blacklist | Regular expression matching groups to exclude | |
Groups whitelist | Regular expression matching groups to keep and create | `SYSTRAN` |
* Mandatory fields
More details about LDAP Group Mapping can be found here.
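As an added example (not SPN9 code), the following JavaScript models how the settings above combine at login time: the `{{username}}` token is substituted into the search filter with RFC 4515 escaping so that a crafted login cannot change the filter, the mapped attributes are checked against the "Search attributes" list, and the groups blacklist and whitelist are applied to the values of the groups attribute. The field names, the escaping and the blacklist-before-whitelist order are assumptions of this example; the page does not describe how SPN9 implements them.

```javascript
// Added example, not code from SPN9. It models the LDAP settings described
// above; the field names and the order in which the group filters are
// applied are assumptions of this example.

// RFC 4515 escaping for a value inserted into a search filter. Without it a
// login such as "*)(uid=*" turns "(uid={{username}})" into a filter that
// matches every user.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (c) => {
    return '\\' + c.charCodeAt(0).toString(16).padStart(2, '0');
  });
}

// Render the "LDAP search filter" setting for one login.
function renderSearchFilter(template, username) {
  return template.replace(/\{\{username\}\}/g, escapeFilterValue(username));
}

// "All mapped attributes should be present in the Search attributes list":
// return the mapped attribute names that are missing. LDAP attribute names
// are case-insensitive, so they are compared lower-cased.
function missingMappedAttributes(settings) {
  const searchAttrs = new Set(settings.searchAttributes.map((a) => a.toLowerCase()));
  return Object.values(settings.mapping)
    .filter((attr) => attr && !searchAttrs.has(attr.toLowerCase()));
}

// Apply the groups blacklist and whitelist (regular expressions) to the
// values of the groups attribute. Assumed order: the blacklist removes
// groups first, then only groups matching the whitelist are kept; an empty
// whitelist keeps everything that was not blacklisted.
function filterGroups(groups, blacklist, whitelist) {
  const deny = blacklist ? new RegExp(blacklist) : null;
  const allow = whitelist ? new RegExp(whitelist) : null;
  return groups.filter((g) => !(deny && deny.test(g)) && (!allow || allow.test(g)));
}

// Constructed settings mirroring the examples in the tables above.
const settings = {
  url: 'ldaps://server:636',
  searchBase: 'ou=people,dc=example,dc=com',
  searchFilter: '(uid={{username}})',
  searchAttributes: ['mail', 'givenName', 'sn', 'uid', 'memberOf'],
  mapping: {
    identifier: 'uid',
    email: 'mail',
    givenName: 'givenName',
    familyName: 'sn',
    groups: 'memberOf',
  },
  groupsBlacklist: '^cn=admin',
  groupsWhitelist: 'SYSTRAN',
};

// Constructed memberOf values for one user (not from a real directory).
const userGroups = [
  'cn=SYSTRAN-users,ou=groups,dc=example,dc=com',
  'cn=SYSTRAN-admins,ou=groups,dc=example,dc=com',
  'cn=admins,ou=groups,dc=example,dc=com',
  'cn=wiki,ou=groups,dc=example,dc=com',
];

// Check the configuration and show what one login attempt would produce.
function checkSettings(cfg, username, groups) {
  return {
    filter: renderSearchFilter(cfg.searchFilter, username),
    missing: missingMappedAttributes(cfg),
    groups: filterGroups(groups, cfg.groupsBlacklist, cfg.groupsWhitelist),
  };
}

console.log(checkSettings(settings, 'john', userGroups));
console.log(checkSettings(settings, '*)(uid=*', userGroups).filter);
```

With the constructed settings, the login `john` becomes the filter `(uid=john)`, the crafted login `*)(uid=*` becomes `(uid=\2a\29\28uid=\2a)` (a literal string that matches nobody) instead of a filter that matches every user, and of the four groups only the two containing `SYSTRAN` survive the blacklist and whitelist.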
Note: if a custom CA is required (for example a private CA signing the `ldaps://` server certificate), add the following lines to the `[Service]` section of /lib/systemd/system/systran-ses-console.service:
```ini
Environment="NODE_EXTRA_CA_CERTS=[your CA certificate file path]"
PassEnvironment=NODE_EXTRA_CA_CERTS
```
Then reload the systemd daemons (`systemctl daemon-reload`) and restart the console service. Files under /lib/systemd/system are overwritten on package upgrade; a drop-in created with `systemctl edit systran-ses-console` (stored under /etc/systemd/system/systran-ses-console.service.d/) survives upgrades.
2) How to activate LDAP
To activate LDAP, add it to the "Enabled authentication modes" list. The LDAP logon screen is then available at https://server/auth/ldap
To make LDAP the default authentication mechanism (used when you open https://server), set "Default Authentication mode" to LDAP.
To activate or update the settings, restart the console service (`systemctl restart systran-ses-console`).
3) How to retrieve LDAP informations
To identify the values to enter in the LDAP settings (search base, search filter, attribute names) and to test the connection, the following tools are useful:
3.1) On a Windows server, use the dsquery command-line tool
To find users:
```
dsquery user -name "John"
```
This lists the distinguished names (DNs) of all users whose name is John (use a wildcard such as "John*" for a prefix match).
To find the details of a user and identify attribute names:
```
dsquery * "OU=John_Doe,DC=your,DC=domain,DC=com" -attr *
```
This dumps every attribute of the objects under the given DN (pass the DN returned by the previous command, with `-scope base`, to dump just that user). The attribute names in the output (sAMAccountName, userPrincipalName, mail, givenName, sn, memberOf, ...) are the values to use in the "Search attributes" and mapping settings.
3.2) On a Linux server (including the SPN9 server itself), install and use ldapsearch
Install ldapsearch:
```
yum install openldap-clients
```
(on Debian/Ubuntu the package is `ldap-utils`). Then you can search with the service account and search base from the settings:
```
ldapsearch -H ldap://server:389 -x -W -D "uid=systran-ldap-acccount,dc=example,dc=com" \
  -b "ou=people,dc=example,dc=com" "(uid=John)"
```
`-W` prompts for the adminDN password so that it does not end up on the command line or in the shell history. To test an `ldaps://` URL with a private CA, point the `LDAPTLS_CACERT` environment variable at the same CA file used for NODE_EXTRA_CA_CERTS. The output is LDIF: one `attribute: value` line per attribute, with multi-valued attributes such as memberOf repeated once per value.
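As an added example (not SPN9 or OpenLDAP code), the following JavaScript parses the LDIF that ldapsearch prints, so that the attribute names and values needed for the "Search attributes" and mapping settings can be checked by a script rather than by eye. The sample output is constructed, not captured from a real server, and the function names are this example's own.

```javascript
// Added example, not part of SPN9 or OpenLDAP: parse the LDIF output of
// ldapsearch and check which configured search attributes the entry has.

// Constructed sample of what `ldapsearch ... "(uid=John)"` prints; it is not
// captured from a real directory.
const SAMPLE_LDIF = `# extended LDIF
#
# LDAPv3
# base <ou=people,dc=example,dc=com> with scope subtree
# filter: (uid=John)
# requesting: ALL
#

# John, people, example.com
dn: uid=John,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: John
givenName: John
sn: Doe
mail: john.doe@example.com
memberOf: cn=SYSTRAN-users,ou=groups,dc=example,dc=com
memberOf: cn=translators,ou=groups,dc=example,dc=com
displayName:: Sm9obiBEb2U=
description: a long value that ldapsearch folded
  onto a second line

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
`;

// Parse LDIF into entries of the form { dn, attrs: { name: [values] } }.
// Handles comment lines, folded lines (a continuation line starts with one
// space) and base64 values ("name:: value"). Blocks without a dn, such as
// the "search:/result:" trailer ldapsearch prints, are dropped.
function parseLdif(text) {
  const lines = text.replace(/\r?\n /g, '').split(/\r?\n/); // unfold first
  const entries = [];
  let current = null;
  for (const line of lines) {
    if (line.startsWith('#')) continue; // ldapsearch comments
    if (line.trim() === '') {           // a blank line ends an entry
      if (current && current.dn) entries.push(current);
      current = null;
      continue;
    }
    const m = /^([A-Za-z][\w.;-]*)(::?) ?(.*)$/.exec(line);
    if (!m) continue;
    const [, name, sep, raw] = m;
    const value = sep === '::' ? Buffer.from(raw, 'base64').toString('utf8') : raw;
    if (!current) current = { dn: null, attrs: {} };
    if (name.toLowerCase() === 'dn') { current.dn = value; continue; }
    const key = name.toLowerCase(); // LDAP attribute names are case-insensitive
    (current.attrs[key] = current.attrs[key] || []).push(value);
  }
  if (current && current.dn) entries.push(current);
  return entries;
}

// Attribute names present on the entry: the candidates for the mapping settings.
function attributeNames(entry) {
  return Object.keys(entry.attrs).sort();
}

// Values of one attribute, looked up case-insensitively as LDAP does.
function getAttr(entry, name) {
  return entry.attrs[name.toLowerCase()] || [];
}

// Which attributes of the "Search attributes" setting did the server not
// return? Those cannot be used by the mapping settings for this user.
function missingSearchAttributes(entry, searchAttributes) {
  return searchAttributes.filter((a) => getAttr(entry, a).length === 0);
}

const entries = parseLdif(SAMPLE_LDIF);
for (const e of entries) {
  console.log(e.dn, '->', attributeNames(e).join(', '));
  console.log('groups:', getAttr(e, 'memberOf'));
  console.log('missing:', missingSearchAttributes(e, ['mail', 'givenName', 'sn', 'uid', 'userPrincipalName']));
}
```

On the constructed output the parser returns one entry with eight attribute names, two memberOf values, the base64-encoded displayName decoded to `John Doe`, and reports that `userPrincipalName` is absent, which is what you would expect from an OpenLDAP inetOrgPerson entry as opposed to an Active Directory user.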