Introduction
This KB describes:
1) LDAP settings available in SPN9
2) How to activate LDAP
3) How to retrieve LDAP information
1) LDAP Settings available in SPN9
LDAP settings are available from administration > Authentication settings > LDAP settings
There you will find the general settings:
Setting | Description | Examples |
---|---|---|
LDAP URL* | Base URL used to connect to your LDAP server | ldap://server:389, ldaps://server:636 |
LDAP search base* | Base object of your search | ou=people,dc=example,dc=com |
LDAP search filter* | Criteria used to select the account. The token {{username}} is replaced by the login. | (uid={{username}}), (sAMAccountName={{username}}), (userPrincipalName={{username}}) |
Search attributes* | List of all attributes retrieved | mail, givenName, sn, uid; userPrincipalName, givenName, familyName, email |
adminDN | Service account used to connect to LDAP | uid=systran-ldap-acccount,dc=example,dc=com |
Password for adminDN | Password of the service account | |
TLS Options for LDAP server | Additional TLS options | |
LDAP Mapping settings:
Setting | Description | Examples |
---|---|---|
Mapping of identifier* | Attribute used as identifier. In most cases this is the login | uid, userPrincipalName |
Mapping of email* | Email attribute | |
Mapping of given name* | First name attribute | givenName |
Mapping of family name* | Last name attribute | familyName, sn |
Mapping of groups | Multi-value attribute containing the list of groups attached to the user | memberOf |
Note that all mapped attributes should be present in the "Search attributes" list.
Groups filter
Setting | Description | Examples |
---|---|---|
Groups blacklist | Regular expression matching groups to exclude | |
Groups whitelist | Regular expression matching groups to keep and create | SYSTRAN |
* Mandatory fields
More details about LDAP Group Mapping can be found here.
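The following Python script is an added example (not SPN9 code) that models the settings above as a plain dict and shows three things a practitioner would want to check before enabling LDAP: that every mapped attribute is present in "Search attributes" (the note above), how the {{username}} token is substituted into the search filter with RFC 4515 escaping so a login cannot alter the filter structure (whether SPN9 itself escapes the token is not stated on this page, so treat the escaping as the example's own assumption), and how the whitelist/blacklist regexes would be applied to a user's memberOf values (assumed semantics: blacklist wins, empty whitelist keeps everything). The settings values and the LDAP entry are constructed.

```python
import re

# Constructed SPN9-style LDAP settings mirroring the KB tables (example values, not a real deployment).
SETTINGS = {
    "search_filter": "(uid={{username}})",
    "search_attributes": ["mail", "givenName", "sn", "uid", "memberOf"],
    "mapping": {"identifier": "uid", "email": "mail", "given_name": "givenName",
                "family_name": "sn", "groups": "memberOf"},
    "groups_blacklist": r"^cn=Domain Users,",  # regex: exclude this catch-all group
    "groups_whitelist": r"SYSTRAN",             # regex: keep only SYSTRAN* groups
}

# RFC 4515 escapes: a login containing these characters must not change the filter structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def missing_mapped_attributes(settings):
    """Mapped attributes absent from 'Search attributes'; the KB requires this list to be empty."""
    return [a for a in settings["mapping"].values() if a not in settings["search_attributes"]]


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def build_search_filter(settings, username):
    """Replace the {{username}} token with the escaped login (escaping is this example's assumption)."""
    return settings["search_filter"].replace("{{username}}", escape_filter_value(username))


def select_groups(settings, group_dns):
    """Apply the whitelist/blacklist regexes (assumed: blacklist wins, empty whitelist keeps all)."""
    keep, drop = settings["groups_whitelist"], settings["groups_blacklist"]
    return [g for g in group_dns
            if not (drop and re.search(drop, g)) and (not keep or re.search(keep, g))]


def map_account(settings, entry):
    """Turn a retrieved LDAP entry (attribute -> list of values) into the SPN9 account fields."""
    m = settings["mapping"]
    return {"identifier": entry[m["identifier"]][0],
            "email": entry[m["email"]][0],
            "given_name": entry[m["given_name"]][0],
            "family_name": entry[m["family_name"]][0],
            "groups": select_groups(settings, entry.get(m["groups"], []))}


if __name__ == "__main__":
    # Constructed entry, as ldapsearch would return it for (uid=jdoe).
    entry = {"uid": ["jdoe"], "mail": ["jdoe@example.com"], "givenName": ["John"], "sn": ["Doe"],
             "memberOf": ["cn=SYSTRAN_translators,ou=groups,dc=example,dc=com",
                          "cn=Domain Users,ou=groups,dc=example,dc=com"]}
    print(missing_mapped_attributes(SETTINGS), build_search_filter(SETTINGS, "j*doe)"))
    print(map_account(SETTINGS, entry))
```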
2) How to activate LDAP
To activate LDAP, add it to the "Enabled authentication modes" list. The LDAP logon screen will then be available from https://server/auth/ldap
To make LDAP the default authentication mechanism (when you connect to https://server), set "Default Authentication mode" to LDAP.
To activate or update the settings, restart the console service.
3) How to retrieve LDAP information
To test the connection or identify the LDAP settings to use, the following tools are useful:
3.1) For Windows server, to use dsquery command line tool
To find users:
dsquery user -name "John"
This will list all users whose name is John.
To find the details of a user and identify the attribute names:
dsquery * "OU=John_Doe,DC=your,DC=domain,DC=com" -attr *
3.2) For Linux servers (including the SPNS 9 server) to install and use ldapsearch
Install ldapsearch:
yum install openldap-clients
Then you can search:
ldapsearch -H ldap://server:389 -x -W -D "uid=systran-ldap-acccount,dc=example,dc=com" \
-b "ou=people,dc=example,dc=com" "(uid=John)"