• Document Up to Date

Configure LDAP Authentication

To configure LDAP authentication, in your Authoring installation, go to CRAFTER_HOME/bin/apache-tomcat/shared/classes/crafter/studio/extension and uncomment the following lines to the studio-config-override.yaml file.

Note

The values for the parameters listed below are just examples. Remember to make any appropriate configuration changes according to your directory service in use.

CRAFTER_HOME/bin/apache-tomcat/shared/classes/crafter/studio/extension/studio-config-override.yaml
 1# Studio authentication chain configuration
 2studio.authentication.chain:
 3  # Authentication provider type
 4  - provider: LDAP
 5    # Authentication via LDAP enabled
 6    enabled: true
 7    # LDAP Server url
 8    ldapUrl: ldap://localhost:389
 9    # LDAP bind DN (user)
10    ldapUsername: cn=Manager,dc=my-domain,dc=com
11    # LDAP bind password
12    ldapPassword: secret
13    # LDAP base context (directory root)
14    ldapBaseContext: dc=my-domain,dc=com
15    # LDAP username attribute
16    usernameLdapAttribute: uid
17    # LDAP first name attribute
18    firstNameLdapAttribute: cn
19    # LDAP last name attribute
20    lastNameLdapAttribute: sn
21    # LDAP email attribute
22    emailLdapAttribute: mail
23    # LDAP groups attribute
24    groupNameLdapAttribute: crafterGroup
25    # LDAP groups attribute name regex
26    groupNameLdapAttributeRegex: .*
27    # LDAP groups attribute match index
28    groupNameLdapAttributeMatchIndex: 0

Some notes on the properties above:

  • enabled enables/disables LDAP authentication, make sure this is set to true for LDAP authentication

  • serverUrl is just the URL where the LDAP server is listening for requests.

  • bindDN and bindPassword are basically the credentials used to connect initially to the LDAP server.

  • baseContext is the LDAP tree root where the user entries can be located.

  • username, firstName, lastName and email are basic user attributes.

  • groupName indicates the groups the user belongs to (can have multiple values). You can specify a regex to extract the group name of a user.

Studio will then do a query against the LDAP server whenever a user attempts to log in and the user is not yet in the DB. If there’s a match in LDAP, the user is created in the database with the imported LDAP attributes, and finally added to the groups specified in LDAP.

Also, please note that Studio needs all the attributes listed in the config to be present in the LDAP user’s attributes, otherwise, Studio is not able to authenticate the user. When an attribute is missing, an error message will be displayed in the login screen: A system error has occurred.  Please wait a few minutes or contact an administrator. Please look at the tomcat log to check which attribute was not found. Here’s an example log:

[WARN] 2017-10-11 12:42:57,487 [http-nio-8080-exec-2] [security.DbWithLdapExtensionSecurityProvider] | No LDAP attribute crafterGroup found for username cbrunato

Here are a few things to take note of when configuring LDAP authentication in Studio:

Make sure that at least one of the groupName attribute of the LDAP user exists in Studio and has Roles and Permission setup. If there is no groupName attribute setup in Studio with Roles and Permissions, please make sure that the system administrator assigns a role to at least one group in Studio so the user can access the site, otherwise, once the user gets into the Sites screen and tries to Preview the site or view the dashboard, the user will get a notification that the site is invalid.

System Admin LDAP Config - LDAP user group attribute not assigned to a role

To assign a role to a group, please follow the guide Role Mappings. To assign permissions to a role, please see Permission Mappings

For an example of setting up LDAP, see Setting up an LDAP server for development/testing using Apache Directory Studio