Help Center/ OneAccess/ Best Practices/ Authentication Provider Integration/ Standard Protocol Authentication Providers/ LDAP Authentication/ Configuring an LDAP Authentication Provider
Updated on 2024-12-30 GMT+08:00
View PDF
Share

Configuring an LDAP Authentication Provider

Introduction

Lightweight Directory Access Protocol (LDAP) is a lightweight directory access protocol.

LDAP can be considered a tree-like database that stores user and organization information. One of the main application scenarios of LDAP is SSO where users are automatically logged in to internal networks of their company after logging in on a PC for once.

Table 1 Terms

Term

Description

ou

Organization unit (ou), which is a container object.

dc

Domain component (dc), which is a part of a domain name. A domain name is divided into several parts.

sn

Short for surname.

cn

Short for common name.

dn

Short for distinguished name. A dn must be unique.

uid

Short for user ID.

rdn

Relative distinguished name (RDN) is similar to the relative path in a file system.

To facilitate enterprise user authentication, OneAccess uses LDAP to direct authentication to LDAP. After LDAP authentication succeeds, OneAccess matches the user attributes returned by LDAP with the associated attributes of IDaaS users. If the authentication is successful, the user can log in to OneAccess.

This section describes how to configure an LDAP authentication provider.

Prerequisite

You have permissions to access the administrator portal.

Setting Up an LDAP Server

  1. Download the Directory Services installation package at the ForgeRock official website.
  2. Deploy the LDAP service. For details, see the documentation of the ForgeRock platform.

Configuring LDAP Connection

  1. Download and install ApacheDirectoryStudio, an LDAP client.
  2. Choose LDAP > New Connection and set the connection parameters.

    Figure 1 Creating a connection

  3. Add an account in LDAP.

    Figure 2 Viewing users

Adding an LDAP Authentication Provider

LDAP has three authentication modes: DN authentication, query authentication, and DN and query authentication.

  • DN authentication: Select this authentication mode if you know the user DN rules. For example, uid=**, ou=people, dc=example, dc=com. In this mode, you only need to configure the user DN mode.
    Figure 3 DN authentication mode
  • Query authentication: When selecting this mode, configure the LDAP administrator account and password and set the query conditions. During authentication, the LDAP administrator account is used to query a user based on the configured conditions and entered username. After a matched user is found, the DN of the user is obtained, and the DN and password of the user are verified in LDAP.
    Figure 4 Query authentication mode
  • DN and query authentication: In this authentication mode, DN takes precedence over the query conditions.
    Figure 5 DN and query authentication

The following is the procedure for configuring DN and query authentication of LDAP.

  1. Log in to the administrator portal.
  2. On the top navigation bar, choose Authentication > Authentication Providers.
  3. Choose Enterprise Authentication Providers > LDAP.
  4. On the LDAP Authentication Providers page, click Add Authentication Provider in the upper right corner and set the parameters required.

    Table 2 Configuration parameters

    Parameter

    Mandatory

    Description

    Display Name

    Yes

    Custom display name of the authentication provider, for example, LDAP.

    LDAP Address

    Yes

    Connection address of LDAP in the format "ldap://{hostname}:{port}/", where {hostname} indicates the LDAP server address and {port} indicates the port number. The default port is 389. For details, see Setting Up an LDAP Server.

    Base DN

    Yes

    Root node of the LDAP directory used to authenticate users. The format of the value is "dc=,dc=". For details, see Setting Up an LDAP Server.

    Administrator DN

    No

    Identifier of the administrator. The default value is cn=Directory Manager.

    Administrator Password

    No

    Password of the LDAP administrator.

    User Query Base

    No

    Base DN of users. The default value is ou=People.

    User Query Conditions

    No

    Filter conditions for matching system users in LDAP. The default value is (&(objectClass=user)(uid={0})). For details, see LDAP Filters. Condition-based search has lower priority than DN-based query.

    User DN Mode

    No

    Search path of LDAP users. The default value is uid={0},ou=people. DN authentication takes precedence over other authentication modes.

    Source Attribute

    Yes

    LDAP username attribute. The default value is uid. You can obtain the attribute in 3.

    Related User Attribute

    Yes

    User attribute mapped by LDAP in the system. The user attribute must be a unique text. You can select one from the drop-down list.

    No User Associated

    Yes

    Operation that will be performed if a user logs in successfully but fails to be associated with a system user.

    To map other attributes, such as username, set No User Associated to Automatically create users, and add the desired mappings. For details, see Table 3.

    Table 3 Mapping parameters

    Parameter

    Description

    User Attribute

    Attribute in OneAccess that maps to LDAP.

    Mapping Type

    Mode of user attribute mapping between OneAccess and LDAP.

    NOTE:
    • If Mapping Type is set to Authentication Provider Attribute, Source Attribute is required.
    • If Mapping Type is set to Fixed Attribute Value, Fixed Attribute Value is required.
    • If Mapping Type is set to Script-based, Script is required.

Parent topic: LDAP Authentication