Entando plugin: LDAP Connector

Matteo E. Minnai edited this page Jul 5, 2013 · 6 revisions

Entando plugin LDAP Connector

Installation and configuration of the plugin jpldap

Introduction

The purpose of this guide is to provide a complete description of the Entando LDAP Connector plugin (plugin code: jpldap) for the Entando platform.

Target Audience

This guide is intended for both administrators and developers who wish to explore the capabilities of the Entando LDAP Connector plugin and are considering integrating it into a running production environment or into a development environment.

Prerequisites

To get the most out of this guide you need basic knowledge of the Java platform, the Apache Tomcat servlet engine, the PostgreSQL (or MySQL) DBMS and the Entando platform.

You should also have read the Plugin Pattern page, which covers the installation procedure and explains the standard directory layout.

Overview

The plugin lets Entando authenticate users against an LDAP server and so broadens the base of system users. Remote users are handled in the same way as local users; moreover, the plugin can delegate the authentication step to the LDAP server without altering the way authorizations are handled: both local and remote users are managed through the standard user management interface.

For the purposes of this guide a few Maven commands are shown; your IDE can probably run those commands for you in the background.

Technical specification

The jpldap plugin is classified as a Modification because it modifies the user management engine so that Entando can authenticate users against an LDAP server. The definition and assignment of authorizations are not modified, and they can be applied to both local and remote (LDAP) users through the usual administration interfaces.

The plugin replaces the core user manager engine, namely the UserManager. The core UserManager bean is overridden to enable complete support for LDAP services: users in the LDAP directory can be loaded, searched and modified from the administration interface.

Packages

jpldap directories are organized following the Maven Standard Directory Layout as shown in the Plugin Pattern.

Installation in a development environment

It is worth noting that the plugin installation is greatly changed from the previous releases (thank you, Maven!).

As always when installing something new, stop your servlet container before moving on.

Open the pom.xml of your project and locate the <dependencies> tag towards the end of the file, after the <build> tag; if the dependencies tag doesn't exist, create one just after the closing build tag.

Add the following snippet inside the dependencies:

```
<dependency>
    <groupId>org.entando.entando.plugins</groupId>
    <artifactId>entando-plugin-jpldap</artifactId>
    <version>${entando.version}</version><!-- version. Don't remove this comment. -->
    <type>war</type>
</dependency>
```

You are done!

Installation in a production environment

From now on we will use the name myportal when referring to your deployed Entando application or, in other words, to the artifact ID of the deployed portal.

All Entando plugins can be downloaded from the Maven Central repository; just filter by code and by version.

To install jpldap in a production environment the file entando-plugin-jpldap-3.2.0.war is needed; we will refer to this file as the WAR package.

The WAR package may also contain the dependencies of other plugins; when copying files you may accidentally overwrite your earlier customizations of the JSP files, so you are strongly advised to back up your installation first.

The integration must be performed with the servlet container stopped.

  • copy the content of the WEB-INF/lib directory of the WAR package to the myportal/WEB-INF/lib/ directory

  • create the directory myportal/WEB-INF/plugins/ if it does not exist, then copy the content of the WEB-INF/plugins/ directory of the WAR package to myportal/WEB-INF/plugins/

Now the servlet container can be restarted.

Configuration

Though this plugin has no item in the plugin list, you can verify that the installation succeeded from the left menu → Settings (under the Tools group): the new LDAP configuration settings should now appear in a dedicated section of the Settings page.

The parameters are described below; not all of them are mandatory.

  • Provider URL

    The URL of the LDAP server to connect to. This setting is mandatory.

    Example of a Provider URL parameter:

```
ldap://192.168.4.11:389/dc=mydomain,dc=com
```
  • Security Principal

    The username used to connect to the LDAP server. Leave it blank to make an anonymous connection; note that Microsoft Active Directory does not allow anonymous connections. This parameter is the Distinguished Name of the account: it is formed by the entry's own name (the Relative Distinguished Name, usually derived from one of the entry's attributes) followed by the names of the parent entries, separated by commas.

    Example of a possible Security Principal parameter:

```
cn=admin,dc=mydomain,dc=com
```

  • Security Credentials

    The password associated with the username used to connect to the server. It may be left blank for an anonymous connection (not allowed by Microsoft Active Directory).

  • User Object Class Name

    Name of the objectClass used to map users. This parameter is mandatory and usually takes one of two values: user for Active Directory domains and posixAccount for OpenLDAP domains. Other LDAP server implementations may require different values.

  • User Id Attribute Name

    Name of the attribute holding the unique id of the LDAP user. This parameter is mandatory and usually takes one of two values: sAMAccountName for Active Directory domains and uid for OpenLDAP domains. Other LDAP server implementations may require different values.

  • Filter Group

    Name of the LDAP group to which users must belong. If you don't want to filter users, leave this field blank.

  • Group Attribute Name

    Name of the entry attribute that indicates membership of an LDAP group. If you don't want to filter users, leave this field blank.

  • Search Result – Max Size

    If the LDAP Connector plugin is not properly configured, the answer from the server may be so large that it slows the system down excessively, eventually leading to a general failure. This optional parameter limits the number of results returned by the LDAP manager, so that performance degradation can be gauged while fine-tuning the system.

  • Active user Editing

    This checkbox lets the plugin write and update entries in the directory.

  • User Base DN

    Distinguished name of the container for user entries. Example:

```
ou=Users
```

  • User object classes

    Object classes used by new user entries. The default value, used when the field is left empty, is top plus the value entered in the User Object Class Name field; for example, a valid value would be:

```
top, posixAccount
```

  • OU object classes

    Object classes used by new organizational unit (OU) entries. The default value, used when the field is left empty, is:

```
top, organizationalUnit
```

  • User Real attribute

    Default value:

```
cn
```

  • User password Attribute name

    Name of the attribute used for the password. The default value is:

```
userPassword
```

  • User password Algorithm

    Selects the encryption type applied to the password before it is written to the directory. The default value is plain text, which stores the password unprotected.
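As an added illustration (not code from the jpldap plugin), the Python below shows how the settings above combine into an LDAP lookup: it splits the Provider URL into host, port and base DN, and builds the per-user search filter from the User Object Class Name, User Id Attribute Name, Filter Group and Group Attribute Name, escaping the user-supplied id as RFC 4515 requires so that a crafted login name is matched literally rather than rewriting the filter. The configuration dictionary keys, the shape of the group clause and the sample group values are assumptions.

```python
from urllib.parse import urlsplit, unquote

# Characters that must be escaped inside an LDAP search filter (RFC 4515, section 3).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before embedding it in a filter, so that a login name such as
    'alice)(uid=*' is matched literally instead of rewriting the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_provider_url(url: str) -> dict:
    """Split a Provider URL such as ldap://192.168.4.11:389/dc=mydomain,dc=com
    into scheme, host, port and the base DN carried in the path."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    return {"scheme": parts.scheme, "host": parts.hostname, "port": port,
            "base_dn": unquote(parts.path.lstrip("/"))}


def user_search_filter(cfg: dict, user_id: str) -> str:
    """Build the filter that selects one user from the plugin's settings.
    The dictionary keys are assumed names for the Settings page fields."""
    missing = [k for k in ("user_object_class", "user_id_attribute") if not cfg.get(k)]
    if missing:
        raise ValueError("mandatory settings missing: " + ", ".join(missing))
    clauses = [f"(objectClass={escape_filter_value(cfg['user_object_class'])})",
               f"({cfg['user_id_attribute']}={escape_filter_value(user_id)})"]
    # Assumed shape of the group restriction: only applied when both
    # Filter Group and Group Attribute Name are set (blank means no filtering).
    if cfg.get("filter_group") and cfg.get("group_attribute"):
        clauses.append(f"({cfg['group_attribute']}={escape_filter_value(cfg['filter_group'])})")
    return "(&" + "".join(clauses) + ")"


# Constructed sample configuration using the OpenLDAP values given in this page.
SAMPLE_CFG = {
    "provider_url": "ldap://192.168.4.11:389/dc=mydomain,dc=com",
    "user_object_class": "posixAccount",
    "user_id_attribute": "uid",
    "filter_group": "entando-users",   # assumed group name
    "group_attribute": "memberOf",     # assumed attribute name
}

if __name__ == "__main__":
    print(parse_provider_url(SAMPLE_CFG["provider_url"]))
    print(user_search_filter(SAMPLE_CFG, "alice"))
    print(user_search_filter(SAMPLE_CFG, "alice)(uid=*"))
```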
