If you have determined that the generic LDAP authentication manager plug-in meets your ABL application's requirements, configure the required and optional plug-in properties as explained in this topic.

Required properties

Property Description
ad.ldap.url

The fully-qualified URL of the LDAP connection to the Active Directory host using the following syntax:

{ldap|ldaps}://host-name[:port]

Use the ldaps URL scheme if your organization requires the Active Directory connection to use a secure TLS connection. (Use ldap only if the Active Directory host does not support TLS connections.)

To facilitate fail-over high availability, you may specify multiple LDAP URLs as space-delimited values in a single string.

ad.ldap.rootdn

The rootDN of the Active Directory service that contains the user accounts and group information that will be used for authentication.

ldap.manager-dn

A valid Active Directory account ID that is used to bind to Active Directory and search for the corresponding LDAP user account object DN of the user being authenticated.

Note: The Active Directory account ID is a userPrincipalName object. For example, safe-user@acme.com.

ldap.manager-password

The password for the user that corresponds to the ldap.manager-dn property, described in the preceding row.

For production environments, Progress strongly recommends that you specify this password as an encrypted value that you have obtained using the DLC/bin/stspwdutil utility. For details, see Strong Password Encryption Utility (stspwdutil) in the OpenEdge Authentication Gateway Guide.

ad.user.domain

The userPrincipalName domain value that is automatically appended to the client's login user ID, if the client does not provide one. For example, if the supplied user ID is jsmith, the userPrincipalName value might be @acme.com.

The default value is "", which corresponds to the blank domain. If you specify this property but leave its value blank, no userPrincipalName domain is appended to the input user ID, and the client must supply a fully-qualified name, for example jsmith@acme.com.

Optional properties

Property Description
ldap.usersearch.base

The LDAP object DN where the search for LDAP user account objects is initiated.

If you specify a blank value, all searches are initiated from the RootDN object. Otherwise, you must specify a valid LDAP Server object DN where the search starts.

ldap.usersearch.filter

LDAP search specification for locating the LDAP user account object that corresponds to the client’s login user ID.

The default value is ( | (userPrincipalName={0}) (sAMAccountName={0}) (mail={0}) (cn={0})).

The portion of the filter specification that designates the client's user ID must consist of the string {0}.
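The ad.user.domain rule above and the {0} substitution into ldap.usersearch.filter, as an added Python example (not Progress's code; how the plug-in itself escapes the login ID is not described in this topic): the login ID is qualified with the domain only when the client supplied none, then escaped per RFC 4515 before it replaces {0}, so characters such as *, ( and ) in a login ID cannot change the meaning of the filter.

```python
# Default user search filter from this topic, written without the
# decorative spaces so that it is a valid RFC 4515 filter string.
DEFAULT_USER_FILTER = "(|(userPrincipalName={0})(sAMAccountName={0})(mail={0})(cn={0}))"

# RFC 4515 escapes: these characters change the meaning of a filter if they
# arrive unescaped inside a value, so a login ID is never substituted raw.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def qualify_user_id(user_id: str, ad_user_domain: str) -> str:
    """Apply the ad.user.domain rule: append the domain only when the client
    supplied none. A blank ad.user.domain leaves the ID untouched, so the
    client must already have sent a fully-qualified name."""
    if "@" in user_id or not ad_user_domain:
        return user_id
    # The property value carries the '@' itself (e.g. "@acme.com").
    return user_id + ad_user_domain


def build_user_search_filter(filter_spec: str, user_id: str) -> str:
    """Substitute the escaped login ID for every {0} in the filter spec."""
    if "{0}" not in filter_spec:
        raise ValueError("ldap.usersearch.filter must contain the {0} placeholder")
    return filter_spec.replace("{0}", escape_filter_value(user_id))


if __name__ == "__main__":
    # Constructed sample: a login ID carrying filter metacharacters.
    uid = qualify_user_id("jsmith*)(cn=*", "@acme.com")
    print(build_user_search_filter(DEFAULT_USER_FILTER, uid))
```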

ldap.search.subtree

Boolean value that specifies whether to search the LDAP object hierarchy, starting at the user object search base DN, for an LDAP user account object that corresponds to the login user ID.

The default value is true.

ldap.groupsearch.base

The LDAP object DN where the search for LDAP group objects is initiated.

A blank value initiates all searches from the RootDN object. Otherwise, this must be a valid LDAP Server object DN.

The default value is "".

ldap.groupsearch.filter

LDAP search specification to find the LDAP group objects that correspond to the LDAP user account’s granted roles.

The default value is (&(objectclass=group) (member={0})).

The portion of the filter specification that designates the client's user ID must consist of the string {0}.

ldap.grouprole.attribute

The LDAP group object attribute name from which to derive the role name used in Spring and in OpenEdge security.

The value may not be empty. Refer to the Active Directory schema definition for alternatives to the usual cn attribute name.

ldap.authpopulator.searchSubtree

Boolean value to specify whether to search the LDAP object hierarchy, starting at the ldap.groupsearch.base, when finding LDAP group objects.

The default value is true.

ldap.authpopulator.ignorePartialResultException

Boolean value to specify whether to ignore Active Directory notifications if not all the results of an LDAP search are available.

The default value is true.

ldap.authpopulator.convertToUpperCase

Boolean value to specify whether to follow LDAP Server object referrals.

The default value is true.

ldap.contextSrc.referral

Specifies whether to ignore LDAP referrals, that is, soft links to LDAP object subtrees stored on other Active Directory servers.

The default value is ignore.

ldap.contextSrc.timeout

The number of milliseconds to wait for an Active Directory connection or read operation to complete.

The value specified must be a valid positive integer.

The default value is 5000.

OEClientPrincipalFilter.loadAccntAttrList

OEClientPrincipalFilter.domainRoleFilter

OEClientPrincipalFilter.validateClientDomain

See Set up CLIENT-PRINCIPAL token generation.

Example

The following shows an example of the configuration of the generic LDAP authentication manager plug-in:

http.all.authmanager=ldap
ldap.url=ldap://vm-pasoeldap:10389
ldap.manager-dn=uid=admin,ou=system
ldap.manager-password=secret
ldap.root.dn=dc=anytown,dc=acme,dc=com
ldap.grouprole.attribute=cn
ldap.groupsearch.filter=(uniqueMember={0})
ldap.usersearch.filter=(uid={0})

The properties in the preceding configuration are described below:

Property Description
http.all.authmanager

Specifies the generic LDAP authentication manager plug-in, ldap.

ldap.url

Specifies the fully-qualified URL of the LDAP connection to the Active Directory host, including the port number: ldap://vm-pasoeldap:10389.

ldap.manager-dn

Specifies the Active Directory account ID that is used to search for the LDAP user account object DN of the client user being authenticated. In this example, the user account ID is admin, which is in the organizational unit system.

ldap.manager-password

Specifies the password for the user account ID that corresponds to the ldap.manager-dn property.

ldap.root.dn

Specifies the rootDN of the Active Directory service where user account information is defined: dc=anytown,dc=acme,dc=com.

ldap.grouprole.attribute

Specifies the LDAP group object attribute, cn, that is used to derive the role name used in the Spring and CLIENT-PRINCIPAL tokens that are generated.

ldap.groupsearch.filter

Specifies the LDAP search string for locating the LDAP group objects that correspond to the LDAP user account’s granted roles. In this example, (uniqueMember={0}) indicates that

ldap.usersearch.filter

Specifies the LDAP search string for locating the LDAP user account object that corresponds to the client’s login user ID. In this example, (uid={0}) results in

The effect of this configuration is for this authentication manager plug-in to do the following when a client provides a user ID:

  1. Bind to the Active Directory service using the admin account DN and password, and set the rootDN to operate in.
  2. Starting at the rootDN, apply the LDAP user search filter to locate the user account being authenticated.

    If the user is not found, generate an error and unbind from the Active Directory service.

  3. Obtain the user account object’s DN, and unbind.
  4. Bind to the Active Directory service using the DN of the user account being authenticated and that user’s password.

    If a bind error occurs, return an authentication error and unbind.

  5. Load the user account object’s attributes, and filter by the specified property list.
  6. Starting at the rootDN, search the object tree to locate all group objects that have the user account’s DN as a member.
  7. From the group object attribute name, extract the root role name that will be appended to the configured role prefix (ROLE_).
  8. If an OpenEdge security domain is configured, extract the domain name for the user, if the user has not supplied one on login.
  9. Unbind.
  10. Generate a CLIENT-PRINCIPAL token from user account information and role names.
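A configuration check, added here as an example and not part of this topic or the product, that parses a properties fragment like the example above and reports values that contradict the rules in this topic: a URL that is not ldaps (TLS not used), a filter without the {0} placeholder, unbalanced filter parentheses, and a non-positive ldap.contextSrc.timeout. It assumes the properties file consists of plain key=value lines and accepts both the ad.ldap.url and ldap.url spellings that appear in this topic.

```python
from urllib.parse import urlsplit

# The example configuration from this topic, embedded so the check runs offline
# (ldap.root.dn written with the dc= prefix that the property description gives).
EXAMPLE_CONFIG = """
http.all.authmanager=ldap
ldap.url=ldap://vm-pasoeldap:10389
ldap.manager-dn=uid=admin,ou=system
ldap.manager-password=secret
ldap.root.dn=dc=anytown,dc=acme,dc=com
ldap.grouprole.attribute=cn
ldap.groupsearch.filter=(uniqueMember={0})
ldap.usersearch.filter=(uid={0})
"""

URL_KEYS = ("ad.ldap.url", "ldap.url")  # both spellings appear in this topic
FILTER_KEYS = ("ldap.usersearch.filter", "ldap.groupsearch.filter")


def parse_properties(text: str) -> dict:
    """key=value lines, split on the first '=' only, because a DN value such as
    uid=admin,ou=system contains '=' itself; blank lines and # comments skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def lint_ldap_config(text: str) -> list:
    """Return findings for values that contradict the property rules in this topic."""
    props, findings = parse_properties(text), []
    for key in URL_KEYS:
        for url in props.get(key, "").split():  # space-delimited fail-over list
            scheme = urlsplit(url).scheme
            if scheme not in ("ldap", "ldaps"):
                findings.append(f"{key}: unsupported scheme in {url!r}")
            elif scheme == "ldap":  # plain ldap only where the host cannot do TLS
                findings.append(f"{key}: {url} is not TLS-protected, use ldaps://")
    for key in FILTER_KEYS:
        spec = props.get(key)
        if spec is not None and "{0}" not in spec:
            findings.append(f"{key}: filter lacks the {{0}} user ID placeholder")
        if spec is not None and spec.count("(") != spec.count(")"):
            findings.append(f"{key}: unbalanced parentheses in {spec!r}")
    timeout = props.get("ldap.contextSrc.timeout")
    if timeout is not None and not (timeout.isdigit() and int(timeout) > 0):
        findings.append(f"ldap.contextSrc.timeout: must be a positive integer, got {timeout!r}")
    return findings
```

Run against EXAMPLE_CONFIG the only finding is the ldap:// URL; switching it to ldaps:// yields a clean result.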