Individual Documentation Coverage
The LDAPDirectoryFactory component provides an implementation of the
Directory API that uses an external LDAP server as its storage backend,
typically to fetch user and group data and to check password-based
authentication.
Version: missing
Location: nuxeo-services/nuxeo-platform-directory-ldap/src/main/resources/OSGI-INF/LDAPDirectoryFactory.xml
The servers extension point is used to register network connection
parameters to a pool of LDAP servers.
Examples:
<server name="default">
  <ldapUrl>ldap://localhost:389</ldapUrl>
  <ldapUrl>ldap://server2:389</ldapUrl>
  <ldapUrl>ldaps://server3:389</ldapUrl>
  <bindDn>cn=nuxeo5,ou=applications,dc=example,dc=com</bindDn>
  <bindPassword>changeme</bindPassword>
</server>
Each ldapUrl tag points to a server (IP address or DNS name) and
port. If more than one is provided, Nuxeo EP uses a pool of
load-balanced connections to those servers. They are assumed to be
replicas of a master server that should itself be in the list.
The bindDn and bindPassword credentials are used by Nuxeo EP to
access the content of the LDAP servers. This account should have read
permission on every entry that Nuxeo EP uses, and write permission
only on the branches where Nuxeo EP is expected to create or edit
entries.
For instance, in OpenLDAP you should have ACLs such as:
access to attrs="userPassword"
    by dn="cn=ldapadmin,dc=example,dc=com" write
    by dn="cn=nuxeo5,ou=applications,dc=example,dc=com" write
    by anonymous auth
    by self write
    by * none
access to dn.base="" by * read
# nuxeo5 can manage the ou=people branch
access to dn.subtree="ou=people,dc=example,dc=com"
    by dn="cn=nuxeo5,ou=applications,dc=example,dc=com" write
    by users read
    by self write
    by * none
access to dn.subtree="ou=groups,dc=example,dc=com"
    by dn="cn=nuxeo5,ou=applications,dc=example,dc=com" write
    by users read
    by self write
    by * none
# The admin dn has full write access
# other
access to *
    by dn="cn=ldapadmin,dc=example,dc=com" write
    by users read
    by * none
User authentication is performed by binding to the LDAP server with
the login and password the user typed in the login form, not with the
bindDn / bindPassword credentials.
The directories extension point is used to register the LDAP search
parameters that identify which parts of the LDAP tree Nuxeo EP
actually uses to fetch its entries.
Examples:
<directory name="userDirectory">
  <server>default</server>
  <schema>user</schema>
  <idField>username</idField>
  <passwordField>password</passwordField>
  <searchBaseDn>ou=people,dc=example,dc=com</searchBaseDn>
  <searchClass>person</searchClass>
  <!-- the '&' of an LDAP AND filter must be escaped for well-formed XML -->
  <searchFilter>(&amp;(sn=toto*)(myCustomAttribute=somevalue))</searchFilter>
  <searchScope>onelevel</searchScope>
  <readOnly>false</readOnly>
  <cacheTimeout>3600</cacheTimeout>
  <cacheMaxSize>1000</cacheMaxSize>
  <creationBaseDn>ou=people,dc=example,dc=com</creationBaseDn>
  <creationClass>top</creationClass>
  <creationClass>person</creationClass>
  <creationClass>organizationalPerson</creationClass>
  <creationClass>inetOrgPerson</creationClass>
  <rdnAttribute>uid</rdnAttribute>
  <querySizeLimit>200</querySizeLimit>
  <queryTimeLimit>0</queryTimeLimit>
  <fieldMapping name="username">uid</fieldMapping>
  <fieldMapping name="password">userPassword</fieldMapping>
  <fieldMapping name="firstName">givenName</fieldMapping>
  <fieldMapping name="lastName">sn</fieldMapping>
  <fieldMapping name="company">o</fieldMapping>
  <fieldMapping name="email">mail</fieldMapping>
  <references>
    <inverseReference directory="groupDirectory" dualReferenceField="members" field="groups" />
  </references>
</directory>
<directory name="groupDirectory">
  <server>default</server>
  <schema>group</schema>
  <idField>groupname</idField>
  <searchBaseDn>ou=groups,dc=example,dc=com</searchBaseDn>
  <searchFilter>(|(objectClass=groupOfUniqueNames)(objectClass=groupOfURLs))</searchFilter>
  <searchScope>subtree</searchScope>
  <readOnly>false</readOnly>
  <cacheTimeout>3600</cacheTimeout>
  <cacheMaxSize>1000</cacheMaxSize>
  <creationBaseDn>ou=groups,dc=example,dc=com</creationBaseDn>
  <creationClass>top</creationClass>
  <creationClass>groupOfUniqueNames</creationClass>
  <rdnAttribute>cn</rdnAttribute>
  <querySizeLimit>200</querySizeLimit>
  <queryTimeLimit>0</queryTimeLimit>
  <fieldMapping name="groupname">cn</fieldMapping>
  <references>
    <ldapReference directory="userDirectory" dynamicAttributeId="memberURL" field="members" forceDnConsistencyCheck="false" staticAttributeId="uniqueMember" />
    <ldapReference directory="groupDirectory" dynamicAttributeId="memberURL" field="subGroups" forceDnConsistencyCheck="false" staticAttributeId="uniqueMember" />
    <inverseReference directory="groupDirectory" dualReferenceField="subGroups" field="parentGroups" />
    <ldapTreeReference directory="groupDirectory" field="children" scope="onelevel" />
    <inverseReference directory="groupDirectory" dualReferenceField="children" field="parents" />
  </references>
</directory>
The previous examples configure two directories, one for users and
one for groups of users. Each directory uses a single schema, which
is registered like any core document schema and is used to build a
DocumentModel for each matching entry of the directory.
The references tags are used to dynamically build nxs:stringList
fields of that schema that compute membership relationships between
users and groups, or between parent groups and sub-groups. They can
also resolve children and parents by following the LDAP tree
structure.
Nuxeo EP provides group resolution for statically DN-referenced
entries (in read and write mode) and for dynamically ldapUrl-matched
entries (read-only).
When using dynamic references, caching is advised since dynamic
group resolution can be expensive.
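An added example, not part of this documentation or of the Nuxeo code, showing how the userDirectory settings above are turned into the search that locates a user's entry before the user bind: the login taken from the form is escaped as an LDAP filter value (RFC 4515) so that it cannot add or close filter components. How Nuxeo combines searchClass, searchFilter and the id attribute into one filter is an assumption here, not taken from its source.

```python
import xml.etree.ElementTree as ET

# Constructed fragment mirroring the userDirectory example above (not the
# project's own file); the '&' of searchFilter is written '&amp;' so that
# the contribution is well-formed XML.
USER_DIRECTORY_XML = """
<directory name="userDirectory">
  <idField>username</idField>
  <searchBaseDn>ou=people,dc=example,dc=com</searchBaseDn>
  <searchClass>person</searchClass>
  <searchFilter>(&amp;(sn=toto*)(myCustomAttribute=somevalue))</searchFilter>
  <searchScope>onelevel</searchScope>
  <fieldMapping name="username">uid</fieldMapping>
  <fieldMapping name="password">userPassword</fieldMapping>
</directory>
"""

# RFC 4515 escaping of a filter value: a login typed in the form can then
# never add or close filter components.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def load_directory(xml_text: str) -> dict:
    """Pick the search-related settings out of a <directory> contribution."""
    root = ET.fromstring(xml_text)
    mapping = {fm.get("name"): fm.text for fm in root.findall("fieldMapping")}
    return {
        "base": root.findtext("searchBaseDn"),
        "scope": root.findtext("searchScope"),
        "object_class": root.findtext("searchClass"),
        "extra_filter": root.findtext("searchFilter"),
        "id_attr": mapping[root.findtext("idField")],  # username -> uid
    }


def login_search(config: dict, login: str) -> tuple:
    """Return (baseDn, scope, filter) for locating one login's entry.
    Assumption, not taken from the Nuxeo source: the searchClass test, the
    searchFilter and the id-attribute test are AND-ed into one filter."""
    parts = [f"(objectClass={config['object_class']})"]
    if config["extra_filter"]:
        parts.append(config["extra_filter"])
    parts.append(f"({config['id_attr']}={escape_filter_value(login)})")
    return config["base"], config["scope"], "(&" + "".join(parts) + ")"
```

The returned triple is what a search request would carry; the entry it finds is the DN that the user's own password is then bound with.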
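A second added example, again not Nuxeo code, for the group references described above: static uniqueMember DNs are resolved to user ids with a consistency check of each DN against the userDirectory base and scope, and a memberURL is resolved read-only by scanning entries, which is the cost that makes caching advisable. The in-memory entries are constructed, and the way rdnAttribute and forceDnConsistencyCheck are modelled is an assumption about those options' intent, not their implementation.

```python
from urllib.parse import unquote

# Constructed in-memory entries standing in for the ou=people and ou=groups
# branches of the examples above (not a real directory).
ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "o": "acme"},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob", "o": "other"},
    "uid=eve,ou=contractors,dc=example,dc=com": {"uid": "eve", "o": "acme"},
    "cn=staff,ou=groups,dc=example,dc=com": {
        "cn": "staff",
        "uniqueMember": ["uid=alice,ou=people,dc=example,dc=com",
                         "uid=eve,ou=contractors,dc=example,dc=com"],
        "memberURL": ["ldap:///ou=people,dc=example,dc=com??one?(o=acme)"],
    },
}
USER_BASE = "ou=people,dc=example,dc=com"  # userDirectory searchBaseDn


def in_scope(dn: str, base: str, scope: str) -> bool:
    """Does dn lie within base for the given Nuxeo searchScope?"""
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if not dn.endswith("," + base):
        return False
    rel = dn[: -len(base) - 1]
    return scope == "subtree" or "," not in rel  # onelevel: a single RDN


def static_members(group_dn: str, check_dn: bool = True) -> list:
    """uniqueMember DNs -> ids taken from the RDN value (assumed use of
    rdnAttribute). check_dn drops DNs outside the userDirectory base and
    scope, the verification forceDnConsistencyCheck=true asks for."""
    ids = []
    for dn in ENTRIES[group_dn].get("uniqueMember", []):
        if check_dn and not in_scope(dn, USER_BASE, "onelevel"):
            continue
        ids.append(dn.split(",", 1)[0].split("=", 1)[1])
    return ids


def dynamic_members(group_dn: str) -> list:
    """memberURL (ldap:///base?attrs?scope?filter) resolved read-only by
    scanning every entry; only a single (attr=value) filter is supported."""
    ids = []
    for url in ENTRIES[group_dn].get("memberURL", []):
        base, _attrs, scope, flt = url[len("ldap:///"):].split("?", 3)
        scope = {"one": "onelevel", "sub": "subtree"}.get(scope, "base")
        attr, val = unquote(flt).strip("()").split("=", 1)
        for dn, entry in ENTRIES.items():
            if in_scope(dn, unquote(base), scope) and entry.get(attr) == val:
                ids.append(entry["uid"])
    return ids
```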
Last generation: 18:21:25 CEST 11/07/2009