Configure LDAP Authentication
To configure LDAP authentication, in your Authoring installation, go to
CRAFTER_HOME/bin/apache-tomcat/shared/classes/crafter/studio/extension and uncomment the
following lines to the studio-config-override.yaml file.
The values for the parameters listed below are just examples. Remember to make any appropriate configuration changes according to your directory service in use.
1# Studio authentication chain configuration 2studio.authentication.chain: 3 # Authentication provider type 4 - provider: LDAP 5 # Authentication via LDAP enabled 6 enabled: true 7 # LDAP Server url 8 ldapUrl: ldap://localhost:389 9 # LDAP bind DN (user) 10 ldapUsername: cn=Manager,dc=my-domain,dc=com 11 # LDAP bind password 12 ldapPassword: secret 13 # LDAP base context (directory root) 14 ldapBaseContext: dc=my-domain,dc=com 15 # LDAP username attribute 16 usernameLdapAttribute: uid 17 # LDAP first name attribute 18 firstNameLdapAttribute: cn 19 # LDAP last name attribute 20 lastNameLdapAttribute: sn 21 # LDAP email attribute 22 emailLdapAttribute: mail 23 # LDAP groups attribute 24 groupNameLdapAttribute: crafterGroup 25 # LDAP groups attribute name regex 26 groupNameLdapAttributeRegex: .* 27 # LDAP groups attribute match index 28 groupNameLdapAttributeMatchIndex: 0
Some notes on the properties above:
enabledenables/disables LDAP authentication, make sure this is set to true for LDAP authentication
serverUrlis just the URL where the LDAP server is listening for requests.
bindPasswordare basically the credentials used to connect initially to the LDAP server.
baseContextis the LDAP tree root where the user entries can be located.
groupNameindicates the groups the user belongs to (can have multiple values). You can specify a regex to extract the group name of a user.
Studio will then do a query against the LDAP server whenever a user attempts to log in and the user is not yet in the DB. If there’s a match in LDAP, the user is created in the database with the imported LDAP attributes, and finally added to the groups specified in LDAP.
Also, please note that Studio needs all the attributes listed in the config to be present in the LDAP user’s attributes, otherwise, Studio is not able to authenticate the user. When an attribute is missing, an error message will be displayed in the login screen:
A system error has occurred. Please wait a few minutes or contact an administrator. Please look at the tomcat log to check which attribute was not found. Here’s an example log:
[WARN] 2017-10-11 12:42:57,487 [http-nio-8080-exec-2] [security.DbWithLdapExtensionSecurityProvider] | No LDAP attribute crafterGroup found for username cbrunato
Here are a few things to take note of when configuring LDAP authentication in Studio:
Make sure that at least one of the groupName attribute of the LDAP user exists in Studio and has Roles and Permission setup. If there is no groupName attribute setup in Studio with Roles and Permissions, please make sure that the system administrator assigns a role to at least one group in Studio so the user can access the site, otherwise, once the user gets into the Sites screen and tries to Preview the site or view the dashboard, the user will get a notification that the site is invalid.
For an example of setting up LDAP, see Setting up an LDAP server for development/testing using Apache Directory Studio