LDAP_URL

This is an LDAP URL as defined by Internet Standard RFC 2255. The purpose of this entry is to define the LDAP Server host name and port number and to specify how users are located. Full details can be found in RFC 2255; the grammar below gives a brief description.

...

Code Block: LDAP URL

ldapurl    = scheme "://" [hostport] ["/" [dn ["?" [attributes] ["?" [scope] ["?" [filter] ["?" extensions]]]]]]
scheme     = "ldap" / "ldaps"
attributes = attrdesc *("," attrdesc)
scope      = "base" / "one" / "sub"
dn         = distinguishedName            ; as in RFC 2253
hostport   = hostport                     ; as in Section 5 of RFC 1738
attrdesc   = AttributeDescription         ; as in RFC 2251
filter     = filter                       ; as in Section 4 of RFC 2254
extensions = extension *("," extension)
extension  = ["!"] extype ["=" exvalue]
extype     = token / xtoken
exvalue    = LDAPString
token      = oid
xtoken     = ("X-" / "x-") token

LDAP Version

The current LDAP version is Version 3. Some LDAP Servers only accept connections from specific LDAP clients; for example, a Version 3 server can be configured to reject connections from a Version 2 client. Our application is a Version 3 client and can communicate with either a Version 2 or a Version 3 server. The default setting is 3. If your LDAP Server is Version 2 then you will need to set this to 2.

LDAP_DN

In order to authenticate against an LDAP Server a user must supply their DN and password. For various reasons it is not practical for users to enter the DN into a login dialog. ServiceScheduling stores a user's ‘user_id’ in sp085_users, and from this value (sp085_users.user_id) we need to be able to construct the user's DN. In order to support different Directory schemas and Directory requirements we have devised two methods to map user_ids to DNs; the sp083_SYSTEM_PARAMETERS.VALUE field identifies which method to use.

CONCATENATE

This is the default and preferred method. To be able to use this method the Directory Server must allow anonymous binds. The way this works is that the sp085_users.user_id value is substituted for the ‘%s’ string in the search filter and a directory search is performed from the specified base DN. The DN of the resulting entry is used as the user DN for authentication. For example:

            ldap://rtan/O=ServicePower,c=GB???(cn=%25s)

First we take the filter ‘(cn=%25s)’ (which URL-decodes to ‘(cn=%s)’) and substitute the sp085_users.user_id (e.g. Joe), giving the search filter ‘(cn=Joe)’.

Next we do an anonymous bind to the Directory Server and search for ‘(cn=Joe)’, starting at ‘O=ServicePower,c=GB’ with subtree scope (the default), and return the matching entry's DN (the default).

If the Directory Server (or its Administrator) does not allow anonymous binds and the users in the Directory are held in a flat structure, then the other mapping from user_id to DN can be used. Here the filled-in filter and the base DN are concatenated together to form the DN. For example:

            ldap://rtan/OU=Support,O=servicepower,c=GB???(CN=%25s)

We substitute the user_id into the filter string as above and get ‘cn=Joe’; we then simply concatenate this RDN to the base DN to get ‘cn=Joe,OU=Support,O=ServicePower,c=GB’.
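The following is an added worked example, not ServiceScheduling's own code: it parses an LDAP URL into the RFC 2255 components listed above and then applies both user_id-to-DN mappings (the anonymous-bind search and the concatenation). The function names, the `FAKE_DIRECTORY` stand-in for the real server and the sample user ids are all constructed for this example. The one thing it adds beyond the text is the escaping of the user_id before substitution (RFC 4515 for filters, RFC 4514 for DN values), so that a user_id containing filter or DN metacharacters cannot change the shape of the search or the resulting DN.

```python
"""Added example: RFC 2255 LDAP URL parsing and the two user_id -> DN mappings.

Assumptions (not from the original page): function names are my own, and
FAKE_DIRECTORY is a constructed in-memory stand-in for a real search that
would run over the wire after an anonymous bind.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote


@dataclass
class LdapUrl:
    scheme: str
    hostport: str
    dn: str = ""
    attributes: list = field(default_factory=list)
    scope: str = "sub"                 # RFC 2255 default scope
    filter: str = "(objectClass=*)"    # RFC 2255 default filter
    extensions: list = field(default_factory=list)


def parse_ldap_url(url: str) -> LdapUrl:
    """Split an LDAP URL into its components, %-decoding each one.

    Components after the host are separated by '?', so any literal '?'
    inside a component must have been %-encoded (as '%25s' is in the page).
    """
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an ldap:// or ldaps:// URL")
    hostport, _, tail = rest.partition("/")
    parts = tail.split("?")            # dn ? attributes ? scope ? filter ? extensions
    parsed = LdapUrl(scheme=scheme.lower(), hostport=hostport)
    if len(parts) > 0 and parts[0]:
        parsed.dn = unquote(parts[0])
    if len(parts) > 1 and parts[1]:
        parsed.attributes = [unquote(a) for a in parts[1].split(",")]
    if len(parts) > 2 and parts[2]:
        scope = unquote(parts[2]).lower()
        if scope not in ("base", "one", "sub"):
            raise ValueError(f"bad scope {scope!r}")
        parsed.scope = scope
    if len(parts) > 3 and parts[3]:
        parsed.filter = unquote(parts[3])
    if len(parts) > 4 and parts[4]:
        parsed.extensions = [unquote(e) for e in parts[4].split(",")]
    return parsed


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside a search filter (RFC 4515, formerly RFC 2254)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use in an RDN (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        leading = i == 0 and ch in " #"
        trailing = i == len(value) - 1 and ch == " "
        out.append("\\" + ch if ch in ',+"\\<>;' or leading or trailing else ch)
    return "".join(out)


def build_filter(parsed: LdapUrl, user_id: str) -> str:
    """Substitute the escaped user_id for the '%s' placeholder in the URL's filter."""
    if "%s" not in parsed.filter:
        raise ValueError("filter has no %s placeholder")
    return parsed.filter.replace("%s", escape_filter_value(user_id))


def concatenate_dn(parsed: LdapUrl, user_id: str) -> str:
    """Concatenation mapping: '(attr=%s)' + base DN -> 'attr=<user_id>,<base DN>'."""
    inner = parsed.filter.strip()
    attr, sep, pattern = inner[1:-1].partition("=")
    if not (inner.startswith("(") and inner.endswith(")") and sep and pattern == "%s"):
        raise ValueError("expected a simple (attr=%s) filter")
    rdn = f"{attr}={escape_dn_value(user_id)}"
    return f"{rdn},{parsed.dn}" if parsed.dn else rdn


# Constructed stand-in for the directory: DN -> attributes (keys lower-cased).
FAKE_DIRECTORY = {
    "cn=Joe,OU=Support,O=ServicePower,c=GB": {"cn": ["Joe"]},
    "cn=Ann,OU=Sales,O=ServicePower,c=GB": {"cn": ["Ann"]},
}


def search_dn(parsed: LdapUrl, user_id: str, directory=FAKE_DIRECTORY) -> str:
    """Search mapping: evaluate a simple equality filter over entries within the
    URL's scope under its base DN and return the single matching entry's DN."""
    attr, sep, raw = build_filter(parsed, user_id).strip("()").partition("=")
    if not sep:
        raise ValueError("only simple equality filters are supported here")
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    base = parsed.dn.lower()
    matches = []
    for dn, attrs in directory.items():
        low = dn.lower()
        if parsed.scope == "base":
            in_scope = low == base
        else:
            in_scope = low.endswith("," + base) and (
                parsed.scope == "sub" or low.count(",") == base.count(",") + 1)
        if in_scope and value.lower() in (v.lower() for v in attrs.get(attr.lower(), [])):
            matches.append(dn)
    if len(matches) != 1:
        raise LookupError(f"expected exactly one match, got {len(matches)}")
    return matches[0]


if __name__ == "__main__":
    search_url = parse_ldap_url("ldap://rtan/O=ServicePower,c=GB???(cn=%25s)")
    print(search_dn(search_url, "Joe"))
    concat_url = parse_ldap_url("ldap://rtan/OU=Support,O=servicepower,c=GB???(CN=%25s)")
    print(concatenate_dn(concat_url, "Joe"))
```

Running it prints the DN found by the search (`cn=Joe,OU=Support,O=ServicePower,c=GB`) and the concatenated DN (`CN=Joe,OU=Support,O=servicepower,c=GB`). Because `search_dn` insists on exactly one match, a user_id that matches nothing, or that would match several entries, fails closed rather than authenticating against an unintended entry; the escaping keeps a user_id such as `Joe)(cn=*` as a literal value rather than extra filter terms.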

...