C2. LDAP Authentication

Settings are stored in the auth-ldap.conf configuration file.

General tags of the configuration file:

<enabled/> and <order/> have the same meaning as for Active Directory authentication.

<server/> specifies the LDAP server address. Multiple <server/> tags with different LDAP server addresses can be added to form a list of servers to use for authentication. The main server that is expected to take most of the load should come first, followed by the addresses of any backup servers. When an administrator connects, the first available LDAP server is used. If authentication fails, it is retried on the next server, and so on, in the order in which the LDAP server addresses are listed in the configuration file.

<user-dn/> defines rules for translating a user name to a DN (Distinguished Name) using DOS-like masks.

In the <user-dn/> tag, the following wildcard characters are allowed:

* matches a sequence of any characters except . , = @ \ and spaces;

# matches a sequence of any characters.

<user-dn-expr/> defines rules for translating a user name to a DN using regular expressions.

For example, the same rule written in both variants:

<user-dn user="*@example.com" dn="CN=\1,DC=example,DC=com"/>
<user-dn-expr user="(.*)@example.com" dn="CN=\1,DC=example,DC=com"/>

\1 .. \9 mark the places in the dn template where the values matched by *, # or a bracketed expression are substituted.

Following this principle, if the user name is specified as login@example.com, the translation yields the DN "CN=login,DC=example,DC=com".

<user-dn-extension-enabled/> allows the ldap-user-dn-translate.ds Lua script (from the extensions folder) to be executed to translate user names to DNs. The script runs after the user-dn and user-dn-expr rules have been tried, only if no matching rule was found. The script takes one parameter, the specified user name, and returns either a string containing the DN or nothing. If no matching rule is found and the script is disabled or returns nothing, the specified user name is used as is.
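The translation order described above (mask rules, regular-expression rules, then the extension script, then the name as given) can be checked offline before editing auth-ldap.conf. The following is an added example, not code from the Dr.Web manual or product: it implements the <user-dn> mask-to-regex conversion, the <user-dn-expr> matching and the \1..\9 substitution as the text describes them. Treating a wildcard as possibly empty and the `extension` callable (a stand-in for ldap-user-dn-translate.ds) are assumptions; the sample rules are the two equivalent rules from the page.

```python
import re

# Added example (not part of the Dr.Web manual): a reference implementation of
# the <user-dn> / <user-dn-expr> translation rules. Rule order, the '*' exclusion
# set and \1..\9 substitution follow the manual; the 'extension' hook standing in
# for ldap-user-dn-translate.ds and empty wildcard matches are assumptions.

# Characters that '*' must not match, as listed in the manual: . , = @ \ and space.
_STAR_EXCLUDED = r".,=@\\ "


def mask_to_regex(mask):
    """Convert a DOS-like <user-dn> mask into an anchored regular expression.

    '*' becomes a capture group over characters outside _STAR_EXCLUDED,
    '#' becomes a capture group over any characters, everything else is literal.
    """
    parts = []
    for ch in mask:
        if ch == "*":
            parts.append("([^" + _STAR_EXCLUDED + "]*)")
        elif ch == "#":
            parts.append("(.*)")
        else:
            parts.append(re.escape(ch))
    return "^" + "".join(parts) + "$"


def expand_template(template, match):
    """Replace \\1..\\9 in the dn template with the corresponding captured group."""
    def repl(m):
        idx = int(m.group(1))
        # A reference to a group the pattern does not have expands to nothing.
        if idx > match.re.groups:
            return ""
        return match.group(idx) or ""
    return re.sub(r"\\([1-9])", repl, template)


def translate_user_dn(username, rules, extension=None):
    """Apply the rules in configuration order; the first matching rule wins.

    rules: list of (tag, user_pattern, dn_template) where tag is 'user-dn'
    (DOS-like mask) or 'user-dn-expr' (regular expression).
    extension: optional callable consulted only when no rule matched; an
    empty result is ignored, as the manual says for the Lua script.
    """
    for tag, user_pattern, dn_template in rules:
        if tag == "user-dn":
            pattern = mask_to_regex(user_pattern)
        elif tag == "user-dn-expr":
            pattern = "^(?:" + user_pattern + ")$"
        else:
            raise ValueError("unknown rule tag: " + tag)
        m = re.fullmatch(pattern, username)
        if m:
            return expand_template(dn_template, m)
    if extension is not None:
        result = extension(username)
        if result:
            return result
    # No rule and no script result: the name is used as given.
    return username


# Constructed sample rules mirroring the manual's two equivalent examples.
RULES = [
    ("user-dn", "*@example.com", r"CN=\1,DC=example,DC=com"),
    ("user-dn-expr", "(.*)@example.com", r"CN=\1,DC=example,DC=com"),
]

if __name__ == "__main__":
    for name in ("login@example.com", "first.last@example.com", "other@example.org"):
        print(name, "->", translate_user_dn(name, RULES))
```

Running the sample shows the practical difference between the two variants: `first.last@example.com` does not match the `*` mask because `*` excludes dots, so with only the mask rule the name falls through unchanged, whereas the `(.*)` expression accepts it. When both are listed, the mask rule is tried first and the expression rule catches what the mask rejects.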

The attributes of the LDAP object for the DN obtained by translation, and their possible values, can be defined by the following tags (default values are shown):

<!-- DrWebAdmin attribute equivalent (OID 1.3.6.1.4.1.29690.1.3.1) -->
<admin-attribute-name value="DrWebAdmin" true-value="^TRUE$" false-value="^FALSE$"/>

The values of the true-value and false-value parameters are regular expressions.

If the administrator attributes have no defined values on the object, and the <group-reference-attribute-name value="memberOf"/> tag is set in the configuration file, the value of the memberOf attribute is treated as the list of DNs of the groups this administrator belongs to, and the required attributes are searched for in those groups, as for Active Directory.
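Because true-value and false-value are regular expressions, how they are written decides which directory values grant administrator rights. The following added example (not code from the Dr.Web manual or product) evaluates an attribute such as DrWebAdmin against those expressions and applies the memberOf fallback described above. The directory is a constructed in-memory dict (DN to attributes) standing in for real LDAP search results; the functions `attribute_flag` and `resolve_admin_flag` are hypothetical names, and searching only the groups listed directly in memberOf (no nested group resolution) is an assumption.

```python
import re

# Added example (not part of the Dr.Web manual): evaluation of an administrator
# attribute against true-value/false-value regular expressions, with the memberOf
# fallback. The directory is a constructed dict standing in for LDAP results;
# looking only one level into memberOf groups is an assumption.

DEFAULT_TRUE = r"^TRUE$"     # manual's default true-value
DEFAULT_FALSE = r"^FALSE$"   # manual's default false-value


def attribute_flag(values, true_value=DEFAULT_TRUE, false_value=DEFAULT_FALSE):
    """Map an attribute value (string or list of strings) to True/False.

    Returns None when the attribute is absent or no value matches either
    expression, so the caller can fall back to group lookup.
    """
    if values is None:
        return None
    if isinstance(values, str):
        values = [values]
    for v in values:
        if re.search(true_value, v):
            return True
        if re.search(false_value, v):
            return False
    return None


def resolve_admin_flag(entry, directory, attr_name="DrWebAdmin",
                       true_value=DEFAULT_TRUE, false_value=DEFAULT_FALSE,
                       group_attr="memberOf"):
    """Evaluate the attribute on the user's own entry first; if it is undefined
    there, evaluate it on each group DN listed in memberOf, in order."""
    flag = attribute_flag(entry.get(attr_name), true_value, false_value)
    if flag is not None:
        return flag
    for group_dn in entry.get(group_attr, []):
        group = directory.get(group_dn)
        if group is None:
            continue  # unknown or unreadable group: skip rather than fail
        flag = attribute_flag(group.get(attr_name), true_value, false_value)
        if flag is not None:
            return flag
    return None  # still undefined: the caller decides (normally deny)


# Constructed sample directory: DN -> attributes.
DIRECTORY = {
    "CN=login,DC=example,DC=com": {
        "memberOf": ["CN=Helpdesk,DC=example,DC=com", "CN=Admins,DC=example,DC=com"],
    },
    "CN=guest,DC=example,DC=com": {
        "DrWebAdmin": "FALSE",
        "memberOf": ["CN=Admins,DC=example,DC=com"],
    },
    "CN=nobody,DC=example,DC=com": {},
    "CN=Helpdesk,DC=example,DC=com": {},
    "CN=Admins,DC=example,DC=com": {"DrWebAdmin": "TRUE"},
}

if __name__ == "__main__":
    for dn in ("CN=login,DC=example,DC=com", "CN=guest,DC=example,DC=com",
               "CN=nobody,DC=example,DC=com"):
        print(dn, "->", resolve_admin_flag(DIRECTORY[dn], DIRECTORY))
```

Two points the sample makes visible: a value set directly on the user's entry (guest's FALSE) takes precedence over a TRUE inherited through memberOf, and an unanchored expression such as `true-value="TRUE"` would also accept values like `NOTTRUE`, which the anchored default `^TRUE$` rejects. Keep the anchors when customising these expressions.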