LDAP authentication in VisionProject
Enabling LDAP Authentication in your server
See article : Configure LDAP authentication
About LDAP in VisionProject
Since version 3.1, VisionProject is able to authenticate users against an LDAP server. To do this we use the JAAS authentication method to authenticate the username/password pair.
The principle is to create the user on the fly in case the user does not exist yet. Relevant data (full name and email address) are copied from the LDAP server. In the case we cannot authenticate against the LDAP server the normal database based authentication takes place. This means that users who have no LDAP account can be manually created in the traditonal way. This is very useful for occasional or temporary workers who need access to the VisionProject but are notmployees of the company.
An LDAP service provides a generic directory service. It can be used to store information of all sorts, from information about entities on the network, such as users, printers, and computers, to locations of file systems, to application configuration information. All LDAP servers have some system in place for controlling who can read and update the information in the directory.
To access the LDAP service, the LDAP client first must authenticate itself to the service. That is, it must tell the LDAP server who is going to be accessing the data so that the server can decide what the client is allowed to see and do. Use the VisionProject.properties using the ldap.security.principal and ldap.security.credential properties to specify the values used to connect to the LDAP store.
Another security aspect of the LDAP service is the way in which requests and responses are communicated between the client and the server. Many LDAP servers support the use of secure channels to communicate with clients. LDAP servers use SSL for this purpose. You can use SSL by specifying the protocol ldaps in the ldap.base.provider.url property, note however that your server must support SSL for this to work. LDAP names as they are used in the protocol are always fully qualified "Distinguished Names" (DN) that identify entries that start from the root of the LDAP namespace (as defined by the server). Following are some examples of fully qualified LDAP names:
- cn=John Smith, ou=Marketing, o=Some Corporation, c=gb
- cn=Vinnie Ryan, ou=People, o=JNDITutorial
How is LDAP Authentication handled in VisionProject?
- An LDAP directory stores information in the form of a tree of nodes.
- VisionProject's LDAP module is flexible in allowing users to reside anywhere in an LDAP directory. LDAP uses the
concept of a distinguished name (DN) to identify the particular nodes in an LDAP tree. Each node has a unique DN
which contains its complete hierarchical information (see above for examples).
- Every node can have any number of attributes associated with it (many of these are standardized).
- The dc attribute stands for "domain component". A root node in an LDAP directory is normally represented as a
- LDAP allows the use of many attributes to create a DN, but the normally use the following four:
- dc (domain component, denotes domains, such as org)
- o (organization (names))
- ou (organizational unit (within the organization))
- uid (user ID)
- LDAP groups together related attribute types in the form of object classes
- Object classes use inheritance, which means LDAP defines base classes to hold commonly used attributes.
- A single node in an LDAP directory can use a number of object classes.
- In real-world applications, you normally host a lot of information about your system's users in an LDAP directory. For
example, you store the username, password, job title, contact information, and payroll information for every user. Only
a few of these attributes are imported into VisionProjec, these are specified in the ldap.user.mappings property.
What if users with the same username as in LDAP already exist in the local database?
There can only be one user with the same username. If you are using LDAP the system assumes that the user comes from there and will first try to authenticate users there.
If users are imported from LDAP all data (that you want) will be imported and the local data for the user with that username in VisionProject will be overwitten.