14.1 LDAP Configuration
LDAP_URL
This is an LDAP URL as defined by Internet Standard RFC 2255. The purpose of this entry is to define the LDAP server host name and port number and to specify how to locate users. Full details can be found in RFC 2255; the grammar is reproduced below for reference.
ServiceOptimizer only uses a subset of the fields, as detailed below; any values supplied beyond these (for example extensions) are ignored. For example:
ldap://rtan/O=servicepower,dc=com?dn?sub?(&(objectclass=inetorgperson)(uid=%25s))
Note that an LDAP filter is a single parenthesised expression, so the AND of two assertions is written (&(objectclass=inetorgperson)(uid=%25s)) and not (&objectclass=inetorgperson)(uid=%s), and that the percent sign of the %s placeholder is written as %25 in the URL (see the Filter row).
Field | Value | Description |
---|---|---|
Scheme | ldap (ldaps for SSL) | LDAPS is not currently supported, so connections use cleartext LDAP and the simple bind sends the user's password unencrypted; restrict the network path between ServiceOptimizer and the directory server accordingly. |
Hostport | rtan | Host name with optional port. The default port is 389 for ldap (636 for ldaps). To specify a port, append it to the host name, e.g. rtan.sbs:123 or rtan:400. |
DN | O=servicepower,dc=com | Identifies the base of a search or (in ServiceScheduling only) optionally the base of a user DN. |
Attributes | dn | LDAP attribute types to return. ServiceOptimizer only needs the entry's DN. |
Scope | sub | How deep to search the directory: base, one or sub. Defaults to base (as per RFC 2255). |
Filter | (&(objectclass=inetorgperson)(uid=%25s)) | How to search the directory. ServiceScheduling looks for the %s placeholder and replaces it with the username/user id. Because the LDAP URL parser percent-decodes the URL, the placeholder must be written as %25s (%25 is the hex encoding of the % character) so that it reaches the application as %s. This parameter is the key to configuring ServiceScheduling's LDAP authentication; a command line utility (described later) lets you validate it before starting a ServiceOptimizer system. |
The LDAP URL grammar from RFC 2255:
ldapurl    = scheme "://" [hostport] ["/" [dn ["?" [attributes] ["?" [scope] ["?" [filter] ["?" extensions]]]]]]
scheme     = "ldap" / "ldaps"
hostport   = hostport
dn         = distinguishedName
attributes = attrdesc *("," attrdesc)
attrdesc   = AttributeDescription
scope      = "base" / "one" / "sub"
filter     = filter
extensions = extension *("," extension)
extension  = ["!"] extype ["=" exvalue]
extype     = token / xtoken
exvalue    = LDAPString
token      = oid
xtoken     = ("X-" / "x-") token
LDAP Version
The current LDAP protocol version is version 3. Some LDAP servers only accept connections from specific client versions; for example, a version 3 server can be configured to reject connections from a version 2 client. The application is a version 3 client and can communicate with either a version 2 or a version 3 server. The default setting is 3; if your LDAP server is version 2, set this to 2.
LDAP_DN
In order to authenticate against an LDAP Server a user must supply their DN and password. For various reasons it is not practical for users to enter a DN into a login dialog. ServiceScheduling stores a user's 'user_id' in sp085_users, and from that value (sp085_users.user_id) the user's DN has to be constructed. To support different Directory schemas and requirements there are two methods of mapping user_ids to DNs; the sp083_SYSTEM_PARAMETERS.VALUE field identifies which method to use. Whichever method is used, the user is authenticated by a simple bind with the resulting DN and the supplied password, so confirm that the Directory Server rejects a bind that supplies a DN with an empty password (RFC 4513 calls this an unauthenticated bind, and many servers treat it as a successful anonymous bind).
SEARCH
This is the default and preferred method. To use it, the Directory Server must allow anonymous binds. The sp085_users.user_id value is substituted for the '%s' placeholder in the search filter and a directory search is performed from the specified base DN; the DN of the resulting entry is used as the user DN for authentication. For example:
ldap://rtan/O=ServicePower,c=GB???(cn=%25s)
First the filter '(cn=%25s)' is taken and the sp085_users.user_id (e.g. Joe) is substituted, giving the search filter '(cn=Joe)'. Next an anonymous bind is made to the Directory Server and a search for entries matching '(cn=Joe)' is performed, starting at 'O=ServicePower,c=GB', doing a subtree search and returning the DN (the default attribute). This example omits the scope field and relies on the search defaulting to subtree; the table above gives base as the RFC 2255 default, so specify the scope explicitly (ldap://rtan/O=ServicePower,c=GB??sub?(cn=%25s)) if the search returns nothing. The filter should match exactly one entry, and a user_id containing LDAP filter metacharacters (*, parentheses, backslash) must be escaped before substitution or it will change the meaning of the filter.
CONCATENATE
If the Directory Server (or its administrator) does not allow anonymous binds and the users in the Directory are in a flat structure, the other mapping from user_id to DN can be used. Here the base DN and filter are concatenated to form a DN. For example:
ldap://rtan/OU=Support,O=servicepower,c=GB???(CN=%25s)
The user_id is substituted into the filter as above, giving 'cn=Joe', and this RDN is simply prepended to the base DN to give 'cn=Joe,OU=Support,O=ServicePower,c=GB'. No search is performed, so the attribute named in the filter must be the one used as the RDN of the user entries, and every user entry must sit directly under the base DN.
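The following is an added example, not ServiceOptimizer or ServiceScheduling code, covering both the LDAP_URL parsing described in the table above and the SEARCH and CONCATENATE mappings. It parses the RFC 2255 subset the product reads, rejects a filter that is not a single parenthesised expression, substitutes the user_id for the %s placeholder with RFC 4515 escaping (for SEARCH) or RFC 4514 escaping (for the RDN in CONCATENATE), and returns the requests each method would send. Function names (parse_ldap_url, plan_bind and the escaping helpers) are this example's own; scope defaults to base as RFC 2255 states, nothing is sent on the network, and the sample URLs are the manual's own examples in corrected form.

```python
"""Added example: RFC 2255 LDAP_URL parsing and user_id -> DN mapping.
Not product code; all names are assumptions made for this illustration."""
import re
from urllib.parse import unquote

LDAP_DEFAULT_PORT = {"ldap": 389, "ldaps": 636}


def escape_filter_value(value):
    """RFC 4515: escape characters that would alter the filter's structure."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def escape_dn_value(value):
    """RFC 4514: escape an attribute value for use inside an RDN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append(r"\00")
        elif ch in '\\,+"<>;=' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def check_filter(filt):
    """Reject filters that are not one parenthesised expression, e.g. the
    mistake (&objectclass=x)(uid=%s) instead of (&(objectclass=x)(uid=%s))."""
    if not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError("filter must be enclosed in parentheses: %r" % filt)
    depth = 0
    for i, ch in enumerate(filt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0 or (depth == 0 and i != len(filt) - 1):
                raise ValueError("unbalanced or multiple top-level groups: %r" % filt)
    if depth != 0:
        raise ValueError("unclosed parenthesis: %r" % filt)
    return filt


def parse_ldap_url(url):
    """Return the fields the manual says are read; extensions are ignored."""
    m = re.fullmatch(r"(ldaps?)://([^/?]*)(?:/(.*))?", url, re.S)
    if not m:
        raise ValueError("not an LDAP URL: %r" % url)
    scheme, hostport, rest = m.group(1), m.group(2), m.group(3) or ""
    host, _, port = hostport.partition(":")
    # dn ? attributes ? scope ? filter ? extensions, every field optional.
    fields = (rest.split("?", 4) + [""] * 5)[:5]
    # Percent-decoding is why the placeholder is written %25s in the URL.
    dn, attrs, scope, filt = (unquote(f) for f in fields[:4])
    scope = scope or "base"  # RFC 2255 default
    if scope not in ("base", "one", "sub"):
        raise ValueError("bad scope %r" % scope)
    return {
        "scheme": scheme,
        "host": host or "localhost",
        "port": int(port) if port else LDAP_DEFAULT_PORT[scheme],
        "base_dn": dn,
        "attributes": attrs.split(",") if attrs else ["dn"],
        "scope": scope,
        "filter": check_filter(filt) if filt else "",
    }


def plan_bind(url, user_id, password, method="SEARCH"):
    """Build what the chosen mapping method would send to the directory."""
    if not user_id or not password:
        # A DN with an empty password is an RFC 4513 'unauthenticated' bind,
        # which many servers accept as anonymous; refuse it up front.
        raise ValueError("user id and password must both be non-empty")
    cfg = parse_ldap_url(url)
    if "%s" not in cfg["filter"]:
        raise ValueError("filter lacks the %s placeholder (write it as %25s)")
    server = (cfg["host"], cfg["port"])
    if method == "SEARCH":
        filt = cfg["filter"].replace("%s", escape_filter_value(user_id))
        return {
            "server": server,
            "bind1": "anonymous",
            "search": {"base": cfg["base_dn"], "scope": cfg["scope"],
                       "filter": filt, "attributes": cfg["attributes"]},
            "bind2": "simple bind as the single DN returned, with the user's password",
        }
    if method == "CONCATENATE":
        m = re.fullmatch(r"\(([A-Za-z][A-Za-z0-9-]*)=%s\)", cfg["filter"])
        if not m:
            raise ValueError("CONCATENATE needs a filter of the form (attr=%s)")
        rdn = "%s=%s" % (m.group(1), escape_dn_value(user_id))
        dn = ",".join(p for p in (rdn, cfg["base_dn"]) if p)
        return {"server": server, "bind": "simple bind as the constructed DN", "bind_dn": dn}
    raise ValueError("method must be SEARCH or CONCATENATE")
```

Running plan_bind against the manual's first example URL with user_id Joe yields the search filter (&(objectclass=inetorgperson)(uid=Joe)) from an anonymous bind, while a user_id such as *)(uid=* is neutralised to \2a\29\28uid=\2a; the CONCATENATE example yields the bind DN CN=Joe,OU=Support,O=servicepower,c=GB without any search.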