Purpose of LDAP Module
The LDAP module allows users to be authenticated via LDAP instead of the conventional user authentication embedded in the XAS. Although the passwords are checked via 'real' LDAP authentication (an actual LDAP 'bind', or login, occurs at the LDAP server), the user information itself is stored in the Mendix XAS. Note that even if you configure the XAS to use LDAP authentication, the MxAdmin account will never be authenticated via LDAP.
Configuring the LDAP module
The configuration is divided into a number of steps. You will need to perform each step in the order given, although you can change a number of the options later on if you wish.
Importing LDAP information
First of all, we need an LDAP configuration object. You should have a menu option "LDAP" under the "MxAdmin" menu where you can create such objects. (See "Importing LDAP into your project" for details if your project does not currently contain the menu items.)
After we've created an LDAP configuration object, we need to configure it! We have the following fields:
After this, you simply save the object, which will take you back to the previous screen. In this screen, select the LDAP configuration object you have just created and click on "ReadLDAP". This step will take some time, as the complete LDAP directory is being parsed. Note that no actual data about objects is read, only the directory structure. An information box will pop up informing you when the parsing is complete.
Selecting users
Now that you have read the directory structure, we can select the directory from which the users will be imported. Open the LDAP configuration object and you should see one child object at the bottom with the same name as the value of the "LDAP root directory" field. Double-click this object and search for the directory where the users are located (you may have to click through a number of directories until you find it). Ignore the "properties" objects for now.
Mapping LDAP groups to user roles
Once you have selected the LDAP directory that contains the users, we can find out which user groups we can map user roles to. Select the LDAP configuration object and click on "Import User Groups". This might take some time. After the user groups have been imported, we can view and map them via the "LdapMapping" menu option (found under the "MxAdmin" menu). Mappings create a link between LDAP user groups (which can be configured in LDAP) and Mendix User Roles (which can be configured in the Mendix XAS). When users are imported, they are automatically assigned User Roles depending on which mappings have been created.
Selecting login field
Before we can import the users we have to perform one last step, which is selecting the login field. This field will also be used for creating users in the XAS. Click through the LDAP directories until you have found the user objects and then select the property field that LDAP uses for authentication (the login name). If you use Active Directory, this should be "sAMAccountName".
Importing users
Once we have configured LDAP we can actually start importing users. Go to the LDAP configuration object screen, select the LDAP directory from which you would like to import and click "Import Users". This process should take some time, so relax and have a cup of tea while you're waiting.
The LDAP module currently doesn't support single sign-on; it only supports authentication via LDAP. If you check the "use ldap" property in the project settings, the module is enabled. After that, you should be able to start your project and configure it via the MxAdmin panel.
We hope to have some documentation up soon, I'll keep you posted in this thread.
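The following is an added example, not code from the Mendix LDAP module or from this thread. It walks through the two mechanisms the post describes: the login check as a lookup by the chosen login field (sAMAccountName) followed by a real LDAP simple bind, and the translation of a user's LDAP groups into user roles via a mapping table. The directory, the entries, the passwords and the ROLE_MAPPINGS table are constructed in memory so the example runs offline; function names such as authenticate() and map_groups_to_roles() are assumptions of this example. Two practitioner checks are built in that the post does not spell out: a search filter built from user input is escaped per RFC 4515 so a login of "*" cannot match arbitrary entries, and an empty password is rejected before binding, because an LDAP simple bind with an empty password is an unauthenticated (anonymous) bind that many servers accept rather than a failed login. Group DNs are compared in normalized form, since the same group can come back from the directory with different case or spacing.

```python
import re

# Constructed in-memory stand-in for the LDAP directory (assumption: these DNs,
# attributes and passwords are invented for this example, not real data).
DIRECTORY = {
    "CN=Alice Example,OU=Users,DC=example,DC=test": {
        "sAMAccountName": "alice",
        "password": "correct-horse",
        "memberOf": [
            "CN=App Admins,OU=Groups,DC=example,DC=test",
            "cn=app users, ou=Groups, dc=example, dc=test",  # same group, other spelling
        ],
    },
    "CN=Bob Example,OU=Users,DC=example,DC=test": {
        "sAMAccountName": "bob",
        "password": "hunter22",
        "memberOf": [
            "CN=App Users,OU=Groups,DC=example,DC=test",
            "CN=Printer Ops,OU=Groups,DC=example,DC=test",  # no mapping: ignored
        ],
    },
}

# Hypothetical mapping table standing in for the module's "LdapMapping" objects.
ROLE_MAPPINGS = {
    "CN=App Admins,OU=Groups,DC=example,DC=test": "Administrator",
    "CN=App Users,OU=Groups,DC=example,DC=test": "User",
}

LOGIN_ATTRIBUTE = "sAMAccountName"  # the "login field" selected in the module

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value interpolated into a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Inverse of escape_filter_value: what the server does when parsing a filter."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def search_by_login(login: str):
    """Return the DN whose login attribute equals `login`, or None if not exactly one.

    The filter is built with escaping and then parsed back the way a server
    would, so a login such as "ali*ce" is matched literally, not as a wildcard.
    """
    search_filter = f"({LOGIN_ATTRIBUTE}={escape_filter_value(login)})"
    attr, _, raw = search_filter[1:-1].partition("=")
    wanted = unescape_filter_value(raw).lower()
    matches = [dn for dn, entry in DIRECTORY.items()
               if entry.get(attr, "").lower() == wanted]
    return matches[0] if len(matches) == 1 else None


def simple_bind(dn: str, password: str) -> str:
    """Emulate the server side of an LDAP simple bind (RFC 4513 semantics).

    An empty password is an *unauthenticated* bind: servers commonly accept it
    and hand out an anonymous session, so it must never count as a login.
    """
    if password == "":
        return "anonymous"
    entry = DIRECTORY.get(dn)
    if entry is None or entry["password"] != password:
        return "invalid-credentials"
    return "authenticated"


def authenticate(login: str, password: str):
    """Lookup-then-bind login: returns the user's DN on success, else None."""
    if not password:  # guard against the anonymous-bind trap in simple_bind
        return None
    dn = search_by_login(login)
    if dn is None:
        return None
    return dn if simple_bind(dn, password) == "authenticated" else None


def normalize_dn(dn: str) -> str:
    """Canonical form for DN comparison: lowercase, no whitespace around RDN
    separators or '='; a backslash-escaped comma stays part of its value."""
    rdns, current, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # keep escape pair as-is
            current += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(current)
            current = ""
        else:
            current += dn[i]
        i += 1
    rdns.append(current)
    return ",".join("=".join(p.strip() for p in r.split("=", 1)).lower() for r in rdns)


def map_groups_to_roles(member_of, mappings=ROLE_MAPPINGS):
    """Translate memberOf DNs into user roles via the mapping table, comparing
    normalized DNs so case or spacing differences do not silently drop a role."""
    table = {normalize_dn(group): role for group, role in mappings.items()}
    return sorted({table[normalize_dn(g)] for g in member_of if normalize_dn(g) in table})


def login_and_roles(login: str, password: str):
    """End to end: authenticate, then derive the roles the import would assign."""
    dn = authenticate(login, password)
    return None if dn is None else (dn, map_groups_to_roles(DIRECTORY[dn]["memberOf"]))


if __name__ == "__main__":
    print(login_and_roles("alice", "correct-horse"))
    print(login_and_roles("alice", ""))  # None: rejected before the bind
    print(simple_bind("CN=Alice Example,OU=Users,DC=example,DC=test", ""))  # anonymous
```

The point of `simple_bind` returning "anonymous" rather than failing is to make the trap visible: an application that forwards an empty password to the directory and treats "bind did not raise" as success lets anyone log in as any imported user. The lookup-then-bind order also matters for the login field chosen in the module: the bind is done against the DN found for the sAMAccountName, so the value the user types is only ever used inside an escaped filter, never spliced into a DN.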
Jonathan,
Thanks for your clear explanation. But...I don't have it working yet.
As LDAP root directory I have put: DC=waterworld,DC=kwik-fit,DC=nl
And as Domain suffix: @waterworld.kwik-fit.nl
When I do the ReadLDAP it thinks for a while and returns first an exception in a microflow and then an 'uncategorized exception':
2009-09-18 09:19:05.160 ERROR - MICROFLOWENGINE: Exception occurred in microflow 'System.ReadLdapFlow' for activity 'Call 'readLdap''', all database changes executed by this microflow were rolled back
org.springframework.ldap.UncategorizedLdapException: Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-031006CC, problem 5012 (DIR_ERROR), data 0
Any idea?
Edward