LDAP/Active Directory
The Identity Provider defines the pool of users who are allowed to send requests to the API. The Identity Providers defined here are used as the defaults when creating an Authentication Policy.
It can be accessed and managed by roles with the "Manage Authentication Services" authority, such as "Project Owner".
The picture below shows the user authentication connection settings with LDAP:
The fields used for user authentication connection settings with LDAP are shown in the table below.
Field | Description |
---|---|
Name | The LDAP/Active Directory Identity Provider name for the created Identity Provider. |
Description | A description can be written to facilitate the management of the created LDAP/Active Directory Identity Provider. |
LDAP Connection Pool Definition | The pool from which the LDAP connection will be obtained is selected or created. |
LDAP Authentication Type | When creating an Identity Provider with LDAP/Active Directory, one of two methods can be used. 1- Simple Authentication: the username/password pair is sent to the LDAP server, which checks whether such a user exists. 2- Advanced Authentication: in addition to checking the username/password pair, the user's group memberships and privileges are retrieved from the directory and used. |
User Configuration Expression | The username phrase is entered when the Authentication Type is Simple Authentication. {{username}} in this expression is replaced with the username from the request message, and the resulting value is validated against the LDAP server. Write the expression so that, for the form in which the username arrives in the request message, the substitution yields the user's DN on the LDAP server. As an example, a user named user1 has the DN oid=user1,ou=People,dc=example,dc=com on the LDAP server. Example-1: if the username in the request message is "user1", the expression should be oid={{username}},ou=People,dc=example,dc=com. Example-2: if the username in the request message is "oid=user1", the expression should be {{username}},ou=People,dc=example,dc=com. Example-3: if the value "oid=user1,ou=People,dc=example,dc=com" arrives in the request message, the expression should be {{username}}. |
User Object Class Definition | User Class Definitions are created when Authentication Type is selected as Advanced Authentication. |
Group Object Class Definition | Group Class Definition(s) are created when Authentication Type is selected as Advanced Authentication. |
The picture below shows the advanced user authentication connection settings with LDAP by defining User Class Definition:
The fields used for User Class Definition from advanced settings in user authentication connection settings with LDAP are shown in the table below.
Field | Description |
---|---|
User Object Class Definition | The class name to be used to filter users is entered. Default value: inetOrgPerson. |
Full Name Attribute | Enter the name of the attribute that will be used to find the full name of the user. Default value: cn. |
Login Name Attribute | The name of the attribute used as the user's login name for the system is entered. Default value: uid. |
Password Attribute | Password attribute's name is entered. Default value: userPassword. |
First Name Attribute | The name of the attribute that specifies the name of the user is entered. Default value: givenName. |
Last Name Attribute | The name of the attribute that specifies the surname of the user is entered. Default value: sn. |
E-mail Attribute | The name of the attribute that specifies the user's e-mail address is entered. Default value: mail. |
Certificate Attribute | The name of the attribute holding the user's X.509 certificate is entered. Ex: userCertificate;binary |
Kerberos Principal Attribute | The name of the attribute that specifies the user's Kerberos principal name is entered. Ex: sAMAccountName |
Kerberos Enterprise Principal Attribute | The name of the attribute that specifies the user's enterprise (corporate identity) principal name is entered. Ex: userPrincipalName |
Membership Attribute | The name of the attribute that specifies the group memberships of the user is entered. Default value: isMemberOf. |
The picture below shows the Group Class Definition settings:
The fields used for Group Class Definition from advanced settings in user authentication connection settings with LDAP are shown in the table below.
Field | Description |
---|---|
Group Object Class Name | The class name to be used to filter the groups is entered. Default value: groupOfUniqueNames. |
Group Name Attribute | The name of the attribute holding the group name is entered. Default value: cn. |
Member Attribute | Enter the name of the attribute holding the group members. Default value: uniqueMember. |
Member Strategy | The method to be used to determine the group members is selected. Default value: USER DN. Values it can take: |
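The following is an added worked example, not code from the product, showing how the settings in the tables above combine: the Simple Authentication expression from the first table with its three {{username}} examples, and the Advanced Authentication user and group lookups built from the default attribute values in the User Class and Group Class Definition tables (Member Strategy USER DN). The exact filter shapes and the RFC 4515 escaping of request-supplied values are this example's own assumptions about how such lookups are typically built, not a statement of how the product builds them.

```python
"""Added example: how LDAP Identity Provider settings turn into a bind DN
or a search filter. Filter shapes are assumed, not taken from the product."""

# RFC 4515: characters that must be escaped inside an LDAP filter value so a
# request-supplied login name is matched literally (no wildcards/sub-filters).
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value: str) -> str:
    """Escape a value before placing it in an LDAP search filter."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def resolve_bind_dn(expression: str, username: str) -> str:
    """Simple Authentication: substitute {{username}} from the request message
    into the configured User Configuration Expression to get the bind DN."""
    return expression.replace('{{username}}', username)


def user_search_filter(login_name: str, object_class: str = 'inetOrgPerson',
                       login_attr: str = 'uid') -> str:
    """Advanced Authentication: find the user entry using the User Object
    Class Definition and Login Name Attribute (defaults from the table)."""
    return f'(&(objectClass={object_class})({login_attr}={escape_filter_value(login_name)}))'


def group_search_filter(user_dn: str, object_class: str = 'groupOfUniqueNames',
                        member_attr: str = 'uniqueMember') -> str:
    """Group Class Definition with Member Strategy USER DN: find every group
    whose Member Attribute lists the authenticated user's DN."""
    return f'(&(objectClass={object_class})({member_attr}={escape_filter_value(user_dn)}))'


if __name__ == '__main__':
    # The three examples from the User Configuration Expression row.
    dn = 'oid=user1,ou=People,dc=example,dc=com'
    cases = [('oid={{username}},ou=People,dc=example,dc=com', 'user1'),
             ('{{username}},ou=People,dc=example,dc=com', 'oid=user1'),
             ('{{username}}', dn)]
    for expression, username in cases:
        print(resolve_bind_dn(expression, username) == dn, expression)
    # Advanced Authentication with the table defaults.
    print(user_search_filter('user1'))
    print(group_search_filter(dn))
```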