LDAP Security Manager

1. Overview

The LDAP Security Manager provides the ability to pull users and groups from LDAP. By default, eXist stores passwords internally. If this feature is enabled, the users and groups are pulled from an LDAP directory server.

This implementation currently only supports reading users and groups. Creation or modification is not supported.

2. Configuration


2.1. Enabling LDAP in conf.xml

Just place the following security element as a child of db-connection:

Example: Example security Element

<security class="org.exist.security.LDAPSecurityManager"/>

2.2. Configure Your LDAP Server

For the LDAP security manager you need two distinguished names (DNs): one for the users and one for the groups. Each user must be represented by a single entry under the user DN as an RFC 2307 posixAccount entry.

Each group is represented by a single entry under the group DN as a union of RFC 2307 posixGroup and RFC 2256 groupOfUniqueNames.

2.3. Set the Java Properties for LDAP

When eXist is started, you must specify the following Java properties:

security.ldap.connection.url

The connection URL of the LDAP server.

security.ldap.dn.user

The user list DN.

security.ldap.dn.group

The group list DN.

If you choose not to use the recommended entries under the user list DN, you can control where each facet is looked up with the following properties:

security.ldap.userClass

The class name on which to query the user list DN.

security.ldap.attr.uid

The username.

security.ldap.attr.uidNumber

The user id number.

security.ldap.attr.gidNumber

The primary group associated with the user.

security.ldap.attr.userPassword

The encoded password of the user.

security.ldap.attr.userDigestPassword

The encoded digest password of the user (for WebDAV).

If you choose not to use the recommended entries under the group list DN, you can control where each facet is looked up with the following properties:

security.ldap.groupClass

The class name on which to query the group list DN.

security.ldap.attr.groupName

The group name.

security.ldap.attr.gidNumber

The group id number. A user's primary gidNumber must match the gidNumber of its group entry.

security.ldap.attr.groupMemberName

The name of the member attribute whose values are the member users' DNs.

Finally, you can control the LDAP implementation by:

security.ldap.contextFactory

The class name of the JNDI context factory for LDAP.

3. Example LDAP Entries

In this example, eXist would use the following DN values:

ou=Users,dc=exist,dc=example, dc=com, dc=authority

The user list DN

ou=Groups,dc=exist,dc=example, dc=com, dc=authority

The group list DN

Example: LDAP Entries in LDIF Format

dn: dc=com, dc=authority
dc: com
ou: com
objectClass: dcObject
objectClass: organizationalUnit

dn: dc=example, dc=com, dc=authority
dc: example
objectClass: dcObject
objectClass: organization
o: example

dn: dc=exist,dc=example, dc=com, dc=authority
dc: exist
objectClass: dcObject
objectClass: organization
o: exist

dn: ou=Users,dc=exist,dc=example, dc=com, dc=authority
ou: Users
objectClass: organizationalUnit

dn: uid=jane,ou=Users,dc=exist,dc=example, dc=com, dc=authority
sn: Doe
userPassword:: e01adflsdflsdfasfdsdfasdf=
uidNumber: 100
gidNumber: 100
mail: jane@example.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jane
cn: Jane
homeDirectory: /jane

dn: uid=admin,ou=Users,dc=exist,dc=example, dc=com, dc=authority
sn: Administrator
userPassword:: asdfasdfasdfasdfasdf=
uidNumber: 1
gidNumber: 1
mail: admin@example.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: admin
cn: admin
homeDirectory: /

dn: uid=guest,ou=Users,dc=exist,dc=example, dc=com, dc=authority
sn: guest
userPassword:: e01ENXlsdffsdfllllsdfasdfasdfZ=
uidNumber: 2
gidNumber: 300
mail: exist-guest@example.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: guest
cn: guest
homeDirectory: /guest

dn: ou=Groups,dc=exist,dc=example, dc=com, dc=authority
ou: Groups
objectClass: organizationalUnit

dn: cn=dba,ou=Groups,dc=exist,dc=example, dc=com, dc=authority
gidNumber: 1
objectClass: groupOfUniqueNames
objectClass: posixGroup
uniqueMember: uid=admin,ou=Users,dc=exist,dc=example,dc=com,dc=authority
cn: dba

dn: cn=guest,ou=Groups,dc=exist,dc=example, dc=com, dc=authority
gidNumber: 300
objectClass: groupOfUniqueNames
objectClass: posixGroup
uniqueMember: uid=admin,ou=Users,dc=exist,dc=example,dc=com,dc=authority
uniqueMember: uid=guest,ou=Users,dc=exist,dc=example,dc=com,dc=authority
cn: guest

dn: cn=exist.users,ou=Groups,dc=exist,dc=example, dc=com, dc=authority
gidNumber: 2001
objectClass: groupOfUniqueNames
objectClass: posixGroup
uniqueMember: uid=jane,ou=Users,dc=exist,dc=example,dc=com,dc=authority
uniqueMember: uid=guest,ou=Users,dc=exist,dc=example,dc=com,dc=authority
uniqueMember: uid=admin,ou=Users,dc=exist,dc=example,dc=com,dc=authority
cn: exist.users

dn: cn=exist.admin,ou=Groups,dc=exist,dc=example, dc=com, dc=authority
gidNumber: 2000
objectClass: groupOfUniqueNames
objectClass: posixGroup
uniqueMember: uid=admin,ou=Users,dc=exist,dc=example,dc=com,dc=authority
cn: exist.admin
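Because the security manager only reads the directory and cannot repair it, inconsistencies such as a user whose primary gidNumber has no matching group, or a group member DN that does not resolve to a user entry, are only discovered at login time. The following script is an added example, not eXist's own code: it applies the layout rules from sections 2.2 and 2.3 (posixAccount entries under the user DN, posixGroup/groupOfUniqueNames entries under the group DN, matching gidNumber values, member DNs that resolve to users) to an LDIF export before eXist is pointed at it. The property values in PROPS are this example's assumptions, using the RFC 2307 and RFC 2256 attribute names the text describes; the docs list no defaults. The embedded LDIF is a constructed, trimmed copy of the entries above with one deliberately dangling member DN added.

```python
# Added example (not eXist's own code): check an LDIF export against the layout
# the LDAP Security Manager expects before pointing eXist at it. The property
# values are this example's assumptions (RFC 2307 / RFC 2256 names as described
# by the docs, which list no defaults).
import re

PROPS = {
    "security.ldap.dn.user": "ou=Users,dc=exist,dc=example, dc=com, dc=authority",
    "security.ldap.dn.group": "ou=Groups,dc=exist,dc=example, dc=com, dc=authority",
    "security.ldap.userClass": "posixAccount",
    "security.ldap.groupClass": "posixGroup",
    "security.ldap.attr.uid": "uid",
    "security.ldap.attr.uidNumber": "uidNumber",
    "security.ldap.attr.gidNumber": "gidNumber",
    "security.ldap.attr.userPassword": "userPassword",
    "security.ldap.attr.groupName": "cn",
    "security.ldap.attr.groupMemberName": "uniqueMember",
}

# Constructed sample: two of the page's entries trimmed to the relevant
# attributes, plus one deliberately dangling member DN (uid=nobody) in the group.
SAMPLE_LDIF = """\
dn: uid=jane,ou=Users,dc=exist,dc=example, dc=com, dc=authority
objectClass: posixAccount
uid: jane
uidNumber: 100
gidNumber: 100
userPassword:: e01adflsdflsdfasfdsdfasdf=

dn: uid=guest,ou=Users,dc=exist,dc=example, dc=com, dc=authority
objectClass: posixAccount
uid: guest
uidNumber: 2
gidNumber: 300
userPassword:: e01ENXlsdffsdfllllsdfasdfasdfZ=

dn: cn=guest,ou=Groups,dc=exist,dc=example, dc=com, dc=authority
objectClass: groupOfUniqueNames
objectClass: posixGroup
cn: guest
gidNumber: 300
uniqueMember: uid=guest,ou=Users,dc=exist,dc=example,dc=com,dc=authority
uniqueMember: uid=nobody,ou=Users,dc=exist,dc=example,dc=com,dc=authority
"""


def normalize_dn(dn):
    """Canonical form for DN comparison: trim around commas, case-fold."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, folded (leading space)
    lines joined, '#' comments dropped, '::' base64 values kept encoded."""
    entries, entry, prev = [], {}, None
    for raw in [l for l in text.splitlines() if not l.startswith("#")] + [""]:
        if raw.startswith(" ") and prev:          # folded continuation line
            entry[prev][-1] += raw[1:]
        elif raw.strip():
            m = re.match(r"^([A-Za-z][\w;-]*):{1,2}\s*(.*)$", raw)
            if not m:
                raise ValueError("malformed LDIF line: %r" % raw)
            prev = m.group(1).lower()
            entry.setdefault(prev, []).append(m.group(2))
        elif entry:                               # blank line ends an entry
            entries.append(entry)
            entry, prev = {}, None
    return entries


def check_directory(ldif_text, props=PROPS):
    """Sorted findings: entries eXist would skip, reject or map to the wrong group."""
    attr = lambda key: props["security.ldap.attr." + key].lower()
    user_base = "," + normalize_dn(props["security.ldap.dn.user"])
    group_base = "," + normalize_dn(props["security.ldap.dn.group"])
    users, groups, findings, gid_owner, uid_owner = {}, {}, [], {}, {}
    for e in parse_ldif(ldif_text):
        dn = normalize_dn(e["dn"][0])
        classes = {c.lower() for c in e.get("objectclass", [])}
        if dn.endswith(user_base) and props["security.ldap.userClass"].lower() in classes:
            users[dn] = e
        elif dn.endswith(group_base) and props["security.ldap.groupClass"].lower() in classes:
            groups[dn] = e
    for g in groups.values():
        name = g[attr("groupName")][0]
        for gid in g.get(attr("gidNumber"), []):       # gidNumber must be unique per group
            if gid in gid_owner:
                findings.append("gidNumber %s shared by groups %s and %s" % (gid, gid_owner[gid], name))
            gid_owner[gid] = name
        for member in g.get(attr("groupMemberName"), []):   # every member must be a user entry
            if normalize_dn(member) not in users:
                findings.append("group %s lists non-user member %s" % (name, member))
    for u in users.values():
        name = u.get(attr("uid"), ["<no uid>"])[0]
        for key in ("uid", "uidNumber", "gidNumber", "userPassword"):
            if not u.get(attr(key)):
                findings.append("user %s lacks %s" % (name, props["security.ldap.attr." + key]))
        for gid in u.get(attr("gidNumber"), []):       # primary group must exist under the group DN
            if gid not in gid_owner:
                findings.append("user %s has primary gidNumber %s with no matching group" % (name, gid))
        for n in u.get(attr("uidNumber"), []):         # two accounts must not share a uidNumber
            if n in uid_owner:
                findings.append("uidNumber %s shared by users %s and %s" % (n, uid_owner[n], name))
            uid_owner[n] = name
    return sorted(findings)
```

Running check_directory(SAMPLE_LDIF) reports the dangling uid=nobody member and that jane's primary gidNumber 100 has no group, which mirrors the page's own LDIF, where no group under ou=Groups carries gidNumber 100. DNs are normalised before comparison because the page writes the same DN both with and without spaces after the commas, and a byte-wise comparison would wrongly flag every uniqueMember as unresolved.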