Posted to commits@sling.apache.org by dk...@apache.org on 2020/02/09 01:48:14 UTC
[sling-org-apache-sling-app-cms] branch master updated: Adding missed documentation page
This is an automated email from the ASF dual-hosted git repository.
dklco pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-app-cms.git
The following commit(s) were added to refs/heads/master by this push:
new e2e6f9c Adding missed documentation page
e2e6f9c is described below
commit e2e6f9c28fe1804c49b7337a8e49e937597790ba
Author: Dan Klco <dk...@apache.org>
AuthorDate: Sat Feb 8 20:48:00 2020 -0500
Adding missed documentation page
---
docs/ldap.md | 86 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 86 insertions(+)
diff --git a/docs/ldap.md b/docs/ldap.md
new file mode 100644
index 0000000..02e4098
--- /dev/null
+++ b/docs/ldap.md
@@ -0,0 +1,86 @@
+<!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor
+ license agreements. See the NOTICE file distributed with this work for additional
+ information regarding copyright ownership. The ASF licenses this file to
+ you under the Apache License, Version 2.0 (the "License"); you may not use
+ this file except in compliance with the License. You may obtain a copy of
+ the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required
+ by applicable law or agreed to in writing, software distributed under the
+ License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS
+ OF ANY KIND, either express or implied. See the License for the specific
+ language governing permissions and limitations under the License. -->
+[Apache Sling](https://sling.apache.org) > [Sling CMS](https://github.com/apache/sling-org-apache-sling-app-cms) > [Administration](administration.md) > LDAP Authentication
+
+# LDAP Authentication
+
+LDAP Authentication is provided via the [Apache Jackrabbit Oak LDAP Integration](https://jackrabbit.apache.org/oak/docs/security/authentication/ldap.html). There are three steps to configure the integration:
+
+1. Create an [Apache Jackrabbit Oak LDAP Identity Provider configuration](https://jackrabbit.apache.org/oak/docs/security/authentication/ldap.html#LDAP_Configuration)
+2. Create a [Default Sync Handler](https://jackrabbit.apache.org/oak/docs/security/authentication/external/defaultusersync.html)
+3. Create an [External Login Module](https://jackrabbit.apache.org/oak/docs/security/authentication/externalloginmodule.html#Configuration_Parameters)
+
+## Large Numbers of Groups and users
+
+For implementations with large numbers of users and groups, [Dynamic Group Membership](https://jackrabbit.apache.org/oak/docs/security/authentication/external/dynamic.html) can help ensure performance by essentially inverting the authentication paradigm to store the user's group membership on a protected property `rep:externalPrincipalNames`.
+
+## Example Configuration
+
+The following example configuration shows how to setup LDAP Authentication.
+
+1. Setup the Docker image [rroemhild/test-openldap](https://github.com/rroemhild/docker-test-openldap)
+2. Create the following configurations:
+
+org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider.[id].config
+
+ userPool.maxActive=L"8"
+ searchTimeout="60s"
+ host.name="localhost"
+ customattributes=[""]
+ adminPool.maxActive=L"8"
+ group.makeDnPath=B"false"
+ user.baseDN="dc\=planetexpress,dc\=com"
+ group.objectclass=["Group"]
+ user.objectclass=["person"]
+ userPool.lookupOnValidate=B"true"
+ host.noCertCheck=B"false"
+ user.makeDnPath=B"false"
+ bind.dn="cn\=admin,dc\=planetexpress,dc\=com"
+ group.baseDN="dc\=planetexpress,dc\=com"
+ group.extraFilter=""
+ user.extraFilter=""
+ host.port=I"389"
+ bind.password="GoodNewsEveryone"
+ adminPool.lookupOnValidate=B"true"
+ useUidForExtId=B"false"
+ group.nameAttribute="cn"
+ provider.name="ldap"
+ host.ssl=B"false"
+ host.tls=B"false"
+ user.idAttribute="uid"
+ group.memberAttribute="uniquemember"
+
+org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler.[id].config
+
+ group.pathPrefix=""
+ user.dynamicMembership=B"false"
+ group.expirationTime="1d"
+ user.membershipExpTime="1h"
+ user.pathPrefix=""
+ user.propertyMapping=["rep:fullname\=cn"]
+ handler.name="default"
+ enableRFC7613UsercaseMappedProfile=B"false"
+ user.autoMembership=["administrators"]
+ user.expirationTime="1h"
+ group.propertyMapping=[""]
+ group.autoMembership=[""]
+ user.disableMissing=B"false"
+ user.membershipNestingDepth=I"1"
+
+org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory.[id].config
+
+ jaas.controlFlag="SUFFICIENT"
+ jaas.ranking=I"99999"
+ sync.handlerName="default"
+ jaas.realmName=""
+ idp.name="ldap"
+
+3. You should now be able to login with the credentials: professor/professor
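Review bot: the DefaultSyncHandler example sets `user.autoMembership=["administrators"]`, which means every user that syncs from LDAP (in the test image, any account under `dc=planetexpress,dc=com`, including the `professor/professor` login from step 3) is added to the repository `administrators` group on first login; the page should flag this as a test-only setting and point readers at an unprivileged default (or an empty list) for real deployments, with privileged access granted through synced LDAP groups instead. Related, the LdapIdentityProvider block uses `host.ssl=B"false"`, `host.tls=B"false"` and `host.port=I"389"` with a cleartext `bind.password="GoodNewsEveryone"`: acceptable against the local rroemhild/test-openldap container, but it sends the bind credentials and every user's password unencrypted, so a sentence recommending `host.ssl` or `host.tls` for production (keeping `host.noCertCheck=B"false"`) and keeping the real bind password out of committed configuration would help. Minor: the heading "Large Numbers of Groups and users" is inconsistently capitalised, "Setup the Docker image" should read "Set up", and "inverting the authentication paradigm" is vague where "storing group membership on the user node in `rep:externalPrincipalNames` instead of syncing group nodes" would say what actually changes.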