LDAP user database
Sometimes Roxen Challenger needs to access data about the users. The
main reason for this is user authentication, but Roxen can also do
other things with the data from the user database, for example displaying
it on a web page.
The LDAP User Database module enables Roxen Challenger to keep such
user data in an LDAP directory. The data is stored in objects with the
attributes (as defined in RFC2307) uid, userpassword,
uidnumber, gidnumber, gecos, homedirectory
and loginshell. These attributes
correspond to the fields in a UNIX password file, and are the fields
that Challenger Authentication modules use. The directory object must
contain the uid and userpassword attributes, whereas the other attributes
can be replaced by default values. It is also possible to add extra
attributes when needed.
- Access mode
-
This switch sets the authentication mode of the module.
The mode can be user or guest.
Changing the mode folds or unfolds several other variables.
- guest
-
This mode is intended for first-time users of LDAP based
authentication. The connection to the LDAP server is made with the user
defined in the configuration interface under the LDAP server sub menu.
This mode is not recommended for production use: the user defined for
the connection to the LDAP server must have read permission on the
whole subtree, which is, of course, a security risk.
After connecting to the LDAP server, an object matching the
search filter (see below) is searched for, and if the user is found the
userpassword attribute is checked.
- user
-
The connection to the LDAP server is made as the real user; the user's DN is
constructed by the following formula:
[LDAP server->bind template] + [LDAP server->Base name]
for example (bind template='uid=%u%' and base name='o=UniBASE Ltd.,c=CZ'):
if user='hop' then
DN='uid=hop,o=UniBASE Ltd.,c=CZ'
If the connection is successful, and a required attribute and/or a
required value has been configured, its presence is checked.
Attributes that are not retrieved are replaced by their defaults.
- Access type
-
The type of LDAP operation used for checking the password (Guest mode only)
and the required attribute (User mode only).
Only the 'search' type is implemented.
- Cache entries
-
This flag defines whether the module
will cache the user entries or not. Caching makes accesses faster, but
changes in the directory will not show up immediately.
- Close the directory if not used
-
Guest mode only
Setting this will save resources when the module is not used.
- Defaults...
-
- Gecos
-
Default gecos.
- Gecos map
-
The name of LDAP attribute mapped to gecos field.
- Group ID
-
Default in case there is no Group ID attribute.
- Group ID map
-
The name of LDAP attribute mapped to Group ID field.
- Home Directory
-
Default in case there is no Home Directory attribute.
- Home Directory map
-
The name of LDAP attribute mapped to Home Directory field.
- Login Shell
-
Default in case there is no Login Shell attribute.
- Login Shell map
-
The name of LDAP attribute mapped to Login Shell field.
- User ID
-
Default in case there is no User ID attribute.
- User ID map
-
The name of LDAP attribute mapped to User ID field.
- Username add
-
Setting this will append the user name to the path of the default home
directory. Mostly used in environments where all home directories have the
same parent directory.
- Search template ID
-
The template used as the filter for the LDAP search operation that
retrieves the user object. %u% will be replaced by the user name.
- Directory connection close timer
-
Guest mode only
How many seconds of inactivity it should take before the directory
connection is closed.
- LDAP query depth
-
Guest mode only
Scope used by LDAP search.
- LDAP server...
-
- Base name
-
The distinguished name to use as a base for queries. The value is
also used as the suffix when creating the user DN (User mode only).
Typically, this would be an 'o' or 'ou' entry local to the DSA
which contains the user entries.
- Bind template
-
User mode only
The template for creating the user DN. The Base name will
be appended as a suffix.
- Directory search username
-
Guest mode only
This user name will be used to authenticate when connecting
to the LDAP server.
- Directory user's password
-
Guest mode only
The password used to authenticate connection to directory.
- Location
-
Name of host running the LDAP server with the authentication information.
- Required attribute
-
User mode only
The attribute name which must be present for successful
authentication. Can be empty.
- Required value
-
User mode only
The value of the required attribute which must be present for
successful authentication. Can be empty.
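The DN formula from User mode, the %u% search template from Guest mode, and the attribute-map/default resolution from the Defaults section, as an added Python example (not the Roxen module's own Pike code). The escaping of the user name for DNs (RFC 4514) and filters (RFC 4515) is added here as a precaution; the page does not describe how the module treats special characters, and the attribute names, defaults and sample entry below are constructed.

```python
# Added example; not part of the Roxen LDAP User Database module.

def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)

def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside a search filter (RFC 4515)."""
    table = {'\\': '\\5c', '*': '\\2a', '(': '\\28', ')': '\\29', '\x00': '\\00'}
    return ''.join(table.get(ch, ch) for ch in value)

def build_user_dn(bind_template: str, base_name: str, username: str) -> str:
    """User mode: DN = [bind template] + ',' + [Base name], with %u% substituted."""
    return bind_template.replace('%u%', escape_dn_value(username)) + ',' + base_name

def build_search_filter(search_template: str, username: str) -> str:
    """Guest mode: the search-template filter with %u% substituted."""
    return search_template.replace('%u%', escape_filter_value(username))

# passwd-style fields the module fills from the "... map" attributes,
# falling back to the "Defaults..." values when an attribute is missing.
PASSWD_FIELDS = ("uid", "gid", "gecos", "home", "shell")

def resolve_passwd_entry(entry, username, maps, defaults, username_add=False):
    """Build a passwd-style record from an LDAP entry (attribute -> list of values)."""
    record = {}
    for field in PASSWD_FIELDS:
        values = entry.get(maps[field])
        record[field] = values[0] if values else defaults[field]
    # "Username add": append the user name to the default home directory.
    if username_add and not entry.get(maps["home"]):
        record["home"] = defaults["home"].rstrip('/') + '/' + username
    return record

# Constructed sample configuration and directory entry (hypothetical values).
SAMPLE_MAPS = {"uid": "uidnumber", "gid": "gidnumber", "gecos": "gecos",
               "home": "homedirectory", "shell": "loginshell"}
SAMPLE_DEFAULTS = {"uid": "65534", "gid": "100", "gecos": "LDAP user",
                   "home": "/home", "shell": "/bin/sh"}
SAMPLE_ENTRY = {"uid": ["hop"], "uidnumber": ["1001"]}
```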