Purpose of LDAP Module

The LDAP module allows users to be authenticated via LDAP, instead of the conventional user authentication embedded in the XAS. Although the passwords are checked via 'real' LDAP authentication (an actual LDAP 'bind', or login, occurs at the LDAP server) the user information is stored at the Mendix XAS. Note that even if you configure the XAS to use LDAP authentication, the MxAdmin account will never be authenticated via LDAP.

Configuring the LDAP module

The configuration is divided into a couple of different steps. You will need to perform each step in chronological order, although you can change a number of different options later on if you wish.

Importing LDAP information

First of all, we need an LDAP configuration object. You should have a menu option "LDAP" under the "MxAdmin" menu where you can create such objects. (See Importing LDAP into your project for details if your project does not currently contain the menu items)

After we've created an LDAP configuration object, we need to configure it! We have the following fields:

• Server Address - This is the address at which the LDAP server is located. Either an IP address or hostname may be used. Please note that the address must begin with "ldap://".
• Username - This is the username that we will use to read the LDAP server information. You can/should use your own login for this. After LDAP configuration is complete, you can remove these details. Note that some LDAP servers support anonymous read, in this case you don't have to fill in these details.
• Password - The password matching the username specified in the previous field.
• Location (from which to import users) - You can leave this blank for now.
• LDAP root directory - This is the root of the LDAP directory from which we will read. This usually takes on the form "DC=<organization>DOMAIN,DC=<location>" where <organization> is the LDAP/ActiveDirectory domain name and <location> is something like "local" or "org". At Mendix, it is "DC=MENDIXDOMAIN,DC=local".
• User/Pass needed - If this checkbox is on, the username and password specified in the other fields will not be used to read the LDAP directory. Note that this does not have any effect on the actual login of users to the Mendix XAS.
• Use this LDAP server for authentication - Turns on LDAP authentication and tells the XAS it can use this configuration file (you may specify multiple LDAP servers which will be checked for authentication recursively)
• Is this an ActiveDirectory - Turn this on if you are authenticating against a Microsoft ActiveDirectory (which is an implementation of LDAP)
• Domain suffix (ie "@yourdomain.local") - This should be the same as the LDAP root directory fields, only concatenated. At Mendix, this results in "@mendixdomain.local"

After this, you simply save the object, which will take you back to the previous screen. In this screen, select the LDAP configuration object you have just created and click on "ReadLDAP". This step will take some time, as the complete LDAP directory is being parsed. Note that no actual data about objects is read, only the directory structure. An information box will popup informing you when the parsing is complete.

Selecting users

Now that you have read the directory structure, we can select the directory from where the users will be imported. Open the LDAP configuration object and you should see one child object at the bottom with the same name as the value of the "LDAP root directory" field. Double-click this object and search for the directory where the users are located. (You may have to click through a number of directories until you find it) Ignore the "properties" objects for now.

Mapping ldap groups to user roles

Once you have selected the LDAP directory that contains the users, we can find out which user groups we can map user roles to. Select the LDAP configuration object and click on "Import User Groups". This might take some time. After the user groups have been imported, we can view and map them via the "LdapMapping" menu option (found under the "MxAdmin" menu). Mappings create a link between LDAP user groups (which can be configured in LDAP) and Mendix User Roles (which can be configured in the Mendix XAS). When users are imported, they are automatically assigned User Roles depending on which mappings have been created.

Selecting login field

Before we can import the users we have to perform one last step, which is selecting the login field. This field will also be used for creating users in the XAS. Click through the LDAP directories until you have found the user objects and then select the property field that LDAP uses as authentication. If you use ActiveDirectory, this should be "sAMAccountName".

Importing users

Once we have configured LDAP we can actually start importing users. Go to the LDAP configuration object screen, select the LDAP directory from which you would like to import and click "Import Users". This process should take some time, so relax and have a cup of tea while you're waiting.

The LDAP module currently doesn't support single-sign on, it only supports authentication via LDAP. If you check the "use ldap" property in the project settings the module is enabled. After that, you should be able to start your project and configure it via the MxAdmin panel.

We hope to have some documentation up soon, I'll keep you posted in this thread.

Jonathan,

Thanks for your clear explanation. But...I don't have it working yet.
As LDAP root directory I have put: DC=waterworld,DC=kwik-fit,DC=nl And as Domain suffix: @waterworld.kwik-fit.nl

When I do the ReadLDAP it thinks for a while and returns first an exception in a microflow and then an 'uncategorized exception'

2009-09-18 09:19:05.160 ERROR - MICROFLOWENGINE: Exception occurred in microflow 'System.ReadLdapFlow' for activity 'Call 'readLdap''', all database changes executed by this microflow were rolled back

org.springframework.ldap.UncategorizedLdapException: Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-031006CC, problem 5012 (DIR_ERROR), data 0

Any idea?

Edward