This module provides LDAP provider implementations for users and user groups. From version 6.5 on, Jahia supports several LDAP providers running simultaneously, which gives more flexibility and allows data from several directories to be aggregated.
The following steps show how to enable and configure the user and user group LDAP providers by declaring them in a custom Jahia module.
META-INF
| + spring
| | - users-ldap.xml
| | - groups-ldap.xml
| - MANIFEST.MF

MANIFEST.MF (excerpt):

...
depends: Jahia LDAP connector
package-name: My Custom LDAP Provider
root-folder: my-custom-ldap-provider
...
depends declares a dependency on the Jahia LDAP connector module (this module).
package-name specifies your module ID.
root-folder is the name of the folder the module content is extracted into (a sub-folder of the /modules folder).
All other attributes in MANIFEST.MF file are optional.
The users-ldap.xml file contains a Spring bean definition for the user provider as follows:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
    <bean parent="JahiaUserManagerLDAPProvider">
        <property name="ldapProperties">
            <map>
                <entry key="url" value="ldap://127.0.0.1:389/"/>
                <entry key="public.bind.dn" value=""/>
                <entry key="public.bind.password" value=""/>
                <entry key="uid.search.name" value="dc=jahia"/>
            </map>
        </property>
    </bean>
</beans>

The bean has JahiaUserManagerLDAPProvider as its parent and should override at least the ldapProperties property to configure the connection and the LDAP attribute mapping. Default values for all LDAP parameters are defined in the parent bean and can be overridden in the ldapProperties map. See the property reference below for details.
If several LDAP user providers are used, two additional properties must be set on each bean: a unique provider key and a priority (the lookup sequence):

...
<bean parent="JahiaUserManagerLDAPProvider">
    <property name="key" value="myldap"/>
    <property name="priority" value="2"/>
    ...
</bean>
...

The users-ldap.xml file name is arbitrary, and the file can be omitted altogether if no LDAP user provider is needed.
The groups-ldap.xml file contains a Spring bean definition for the user group provider as follows:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
    <bean parent="JahiaGroupManagerLDAPProvider">
        <property name="ldapProperties">
            <map>
                <entry key="url" value="ldap://127.0.0.1:389/"/>
                <entry key="public.bind.dn" value=""/>
                <entry key="public.bind.password" value=""/>
                <entry key="search.name" value="dc=jahia"/>
            </map>
        </property>
    </bean>
</beans>

The bean has JahiaGroupManagerLDAPProvider as its parent and should override at least the ldapProperties property to configure the connection and the LDAP attribute mapping. Default values for all LDAP parameters are defined in the parent bean and can be overridden in the ldapProperties map. See the property reference below for details.
If several LDAP user group providers are used, two additional properties must be set on each bean: a unique provider key and a priority (the lookup sequence):

...
<bean parent="JahiaGroupManagerLDAPProvider">
    <property name="key" value="myldap"/>
    <property name="priority" value="2"/>
    ...
</bean>
...

The groups-ldap.xml file name is arbitrary, and the file can be omitted altogether if no LDAP user group provider is needed.
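As an added example (not part of the Jahia LDAP connector), the following Python script parses the users-ldap.xml / groups-ldap.xml bean definitions described above and reports settings a security review would question: a plaintext ldap:// URL, an anonymous bind (empty public.bind.dn), a missing search base, and missing key/priority when a file declares more than one provider. The embedded sample XML is constructed from the snippets above; the prop, parse_providers and lint functions are the example's own.

```python
import xml.etree.ElementTree as ET

NS = {"b": "http://www.springframework.org/schema/beans"}
# Parent bean -> key holding the mandatory search base (see the property reference).
PARENTS = {"JahiaUserManagerLDAPProvider": "uid.search.name",
           "JahiaGroupManagerLDAPProvider": "search.name"}

def prop(bean, name):
    """Value of <property name="..." value="..."/> on a bean, or None if absent."""
    el = bean.find(f"b:property[@name='{name}']", NS)
    return None if el is None else el.get("value")

def parse_providers(xml_text):
    """Return [(parent, key, priority, ldapProperties dict)] for each LDAP provider bean."""
    providers = []
    for bean in ET.fromstring(xml_text).findall("b:bean", NS):
        if bean.get("parent") in PARENTS:
            ldap = {e.get("key"): e.get("value", "") for e in bean.findall(
                "b:property[@name='ldapProperties']/b:map/b:entry", NS)}
            providers.append((bean.get("parent"), prop(bean, "key"),
                              prop(bean, "priority"), ldap))
    return providers

def lint(xml_text):
    """List connector settings a security review would question."""
    providers = parse_providers(xml_text)
    findings = []
    for parent, key, priority, ldap in providers:
        url = ldap.get("url", "")
        if not url:
            findings.append(f"{parent}: 'url' is required")
        elif url.lower().startswith("ldap://"):
            findings.append(f"{parent}: '{url}' is plaintext LDAP; prefer ldaps://")
        if not ldap.get("public.bind.dn"):
            findings.append(f"{parent}: empty 'public.bind.dn' means anonymous bind")
        elif not ldap.get("public.bind.password"):
            findings.append(f"{parent}: 'public.bind.dn' is set but the password is empty")
        if not ldap.get(PARENTS[parent]):
            findings.append(f"{parent}: search base '{PARENTS[parent]}' is missing")
        # Several providers in one file must each carry a unique key and a priority.
        if len(providers) > 1 and (not key or priority is None):
            findings.append(f"{parent}: multiple providers need 'key' and 'priority'")
    return findings

# Constructed sample: the minimal users-ldap.xml from the text, which binds anonymously.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean parent="JahiaUserManagerLDAPProvider"><property name="ldapProperties"><map>
    <entry key="url" value="ldap://127.0.0.1:389/"/><entry key="public.bind.dn" value=""/>
    <entry key="public.bind.password" value=""/><entry key="uid.search.name" value="dc=jahia"/>
  </map></property></bean></beans>"""
```

Running lint(SAMPLE) on the minimal configuration above reports the plaintext URL and the anonymous bind; a production configuration should use ldaps:// and a dedicated read-only bind account.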
The following LDAP properties can be specified in the ldapProperties map to customize the user provider configuration.

Connection settings:

| Key | Default value | Description |
| --- | --- | --- |
| url | <none> | The LDAP connection URL, e.g. ldap://127.0.0.1:389/ |
| public.bind.dn | <none> | The DN of the user on the LDAP server permitted to search the directory within the defined search base. |
| public.bind.password | <none> | The password used to authenticate searches in the LDAP directory. |
| authentification.mode | simple | LDAP directory authentication type. |
| context.factory | com.sun.jndi.ldap.LdapCtxFactory | The context factory implementation class to use. |
| ldap.connect.pool | true | Enables/disables connection pooling. |
| ldap.connect.timeout | 5000 | When connection pooling is enabled and no pooled connection is available, the client blocks waiting for one. This value specifies how long to wait for a pooled connection (in milliseconds). If the property is omitted, the application waits indefinitely. See connection pooling for details. |
| search.countlimit | 100 | The maximum number of entries a search returns. If the LDAP user search matches more entries than this value, only the first search.countlimit entries are returned. |
Search settings:

| Key | Default value | Description |
| --- | --- | --- |
| uid.search.name | <none> | The search base that defines which part of the LDAP directory tree to search, e.g. dc=jahia,dc=com |
| uid.search.attribute | cn | The name of the attribute that will be used as the user key. |
| search.objectclass | person | The objectClass value for a user object. |
| search.wildcards.attributes | ou, cn, o, c, mail, uid, uniqueIdentifier, givenName, sn, dn | A list of attributes to use for wildcard searches such as *=*test* |
Attribute mapping:

| Key | Default value | Description |
| --- | --- | --- |
| j:firstName.attribute.map | givenName | First name |
| j:lastName.attribute.map | sn | Last name (surname) |
| j:email.attribute.map | | User's e-mail address |
| j:organization.attribute.map | ou | The name of the organization |
Additional attribute mappings can be specified, using the following pattern for the entry key: "<jahia-user-property-name>.attribute.map" and the name of the corresponding LDAP object attribute as the value.
The following LDAP properties can be specified in the ldapProperties map to customize the group provider configuration.

Connection settings:

| Key | Default value | Description |
| --- | --- | --- |
| url | <none> | The LDAP connection URL, e.g. ldap://127.0.0.1:389/ |
| public.bind.dn | <none> | The DN of the user on the LDAP server permitted to search the directory within the defined search base. |
| public.bind.password | <none> | The password used to authenticate searches in the LDAP directory. |
| authentification.mode | simple | LDAP directory authentication type. |
| context.factory | com.sun.jndi.ldap.LdapCtxFactory | The context factory implementation class to use. |
| ldap.connect.pool | true | Enables/disables connection pooling. |
| ldap.connect.timeout | 5000 | When connection pooling is enabled and no pooled connection is available, the client blocks waiting for one. This value specifies how long to wait for a pooled connection (in milliseconds). If the property is omitted, the application waits indefinitely. See connection pooling for details. |
Search settings:

| Key | Default value | Description |
| --- | --- | --- |
| preload | false | If set to true, all group members are read as soon as a group is retrieved. Otherwise group members are read on the first request for user membership. |
| search.countlimit | 100 | The maximum number of entries a search returns. If the LDAP group search matches more entries than this value, only the first search.countlimit entries are returned. |
| refferal | ignore | Specifies how referrals encountered by the service provider are processed. Possible values: follow (follow referrals automatically), ignore (ignore referrals), throw (throw a ReferralException when a referral is encountered). |
| ad.range.step | 0 | Handles Active Directory range searches when retrieving group members. If set to 0, all members are retrieved with a single search. If set to e.g. 100, searches like range=0-100, range=101-200, range=201-300 etc. are used to retrieve all members iteratively. |
| search.name | <none> | The search base that defines which part of the LDAP directory tree to search, e.g. dc=jahia,dc=com |
| search.attribute | cn | The name of the attribute that will be used as the group key. |
| search.objectclass | groupOfUniqueNames | The objectClass value for a group object. |
| search.wildcards.attributes | cn,description,uniqueMember | A list of attributes to use for wildcard searches such as *=*test* |
| members.attribute | uniqueMember | The name of the LDAP group object attribute to retrieve membership from. |
| dynamic.search.objectclass | groupOfURLs | The objectClass value for a dynamic group object. |
| dynamic.members.attribute | memberurl | The name of the LDAP dynamic group object attribute to retrieve dynamic membership from. |
Attribute mapping:

| Key | Default value | Description |
| --- | --- | --- |
| groupname.attribute.map | cn | Group name |
| description.attribute.map | description | Description |
Additional attribute mappings can be specified, using the following pattern for the entry key: "<jahia-group-property-name>.attribute.map" and the name of the corresponding LDAP object attribute as the value.