C3. LDAP/AD Authentication

Configuration File

Settings are stored in the auth-ldap-rfc4515.conf configuration file.

Configuration files with typical settings are also provided:

auth-ldap-rfc4515-check-group.conf—configuration file template for administrators external authorization via LDAP using the simplified scheme with verification of belonging to an Active Directory group.

auth-ldap-rfc4515-check-group-novar.conf—configuration file template for administrators external authorization via LDAP using the simplified scheme with verification of belonging to an Active Directory group and using variables.

auth-ldap-rfc4515-simple-login.conf—configuration file template for administrators external authorization via LDAP using the simplified scheme.

General tags of the auth-ldap-rfc4515.conf configuration file:

<server />—LDAP server definition.

Attribute

Description

Default value

base-dn

DN of an object entry relative to which the search is to be performed.

The rootDomainNamingContext attribute value of the Root DSE object

cacertfile

Root certificates files (UNIX only).

host

LDAP server address.

Domain controller for the server under Windows OS.

127.0.0.1 for the server under UNIX system-based OS.

Multiple <server /> tags with different LDAP server addresses can be added. A main server that is assumed to take the major load should come first. If authentication fails, it will be retried on the next server and so on, following the specified order.

scope

Search scope. Allowed values:

sub-tree—whole sub-tree below the base DN

one-level—direct descendants of the base DN

base—base DN.

sub-tree

tls

Establish TLS on the connection to LDAP.

no

ssl

Use the LDAPS protocol at connect to LDAP.

no

<set />—variables set by LDAP search.

Attribute

Description

Default value

attribute

Attribute name the value of which is assigned to a variable. Cannot be absent.

filter

RFC4515 search filter in LDAP.

scope

Search scope. Allowed values:

sub-tree—whole sub-tree below the base DN

one-level—direct descendants of the base DN

base—base DN.

sub-tree

search

DN of an object entry relative to which the search is to be performed.

If absent, the base-dn of the <server /> tag is used.

variable

Variable name. Must starts with the letter and contains letters and digits only. Cannot be absent.

Variables can be used in values of the add attributes of the <mask /> and <expr /> tags, in value of the value attribute of the <filter /> tag as the \varname, and also in value of the search attribute of the <set /> tag. Allowed recursion level in variables is 16.

If the search returns several found objects, only the first one is used.

<mask />—user name templates.

Attribute

Description

add

String added to a search filter using the AND operation with substitution elements.

user

User name mask using the DOS-like meta symbols * and #. Cannot be absent.

For example:

<mask user="*@#"  add="sAMAccountName=\1" />

<mask user="*\*"  add="sAMAccountName=\2" />

\1 and \2 are the links on matching masks in the user attribute.

<expr />—user name templates using regular expressions (attributes are the same as in the <mask />).

For example:

<expr user="^(.*)@([^.,=@\s\\]+)$"  add="sAMAccountName=\1" />

<expr user="^(.*)\\(.*)"            add="sAMAccountName=\2" />

Correspondence between masks and regular expressions:

Mask

Regular expression

*

.*

#

[^.,=@\s\\]+

<filter />—LDAP search filter.

Attribute

Description

value

String added to a search filter using the AND operation with substitution elements.

Filters concatenation

<set variable="admingrp" filter="&amp;(objectclass=group)(cn=ESuite Admin)" attribute="dn" />
<mask user="*\*" add="sAMAccountName=\2" />
<filter value="&amp;(objectClass=user)(memberOf=\admingrp)" />

If the admingrp get the "CN=ESuite Admins,OU=some name,DC=example,DC=com" value after the search, and the user input was domain\user, when the result filter is

"(&(sAMAccountName=user)(&(objectClass=user)(memberOf=CN=ESuite Admins,OU=some name,DC=example,DC=com)))"

Example of Configuring LDAP/AD Authentication

Here is an example of typical settings for authentication using LDAP. Settings are configured in the Control Center, in the Administration → Authentication → LDAP/AD-authentication section (for the Advanced settings).

Initial parameters of administrators who must be authenticated:

domain: dc.test.local

Active Directory group: DrWeb_Admins

Control Center settings:

Setting name

Value

Server type

Microsoft Active Directory

Server address

dc.test.local

Login templates of users to be authenticated

Account mask

test\* or *@test.local

Login

\1

Membership of users to be authenticated

Name

DrWeb_Admins

Type

group