B3. LDAP/AD Authentication

Configuration File

Settings are stored in the auth-ldap-rfc4515.conf configuration file.

Configuration files with typical settings are also provided:

auth-ldap-rfc4515-check-group.conf—configuration file template for external authorization of administrators via LDAP using the simplified scheme with verification of membership in an Active Directory group.

auth-ldap-rfc4515-check-group-novar.conf—configuration file template for external authorization of administrators via LDAP using the simplified scheme with verification of membership in an Active Directory group and using variables.

auth-ldap-rfc4515-simple-login.conf—configuration file template for external authorization of administrators via LDAP using the simplified scheme.

General tags of the auth-ldap-rfc4515.conf configuration file:

<server />—LDAP server definition.

| Attribute | Description | Default value |
| --- | --- | --- |
| base-dn | DN of the object entry relative to which the search is performed. | The rootDomainNamingContext attribute value of the Root DSE object |
| cacertfile | Root certificate files (UNIX only). | |
| host | LDAP server address. Multiple <server /> tags with different LDAP server addresses can be added. The address of the main server, which is expected to carry the main load, should be specified first. If a server is unavailable, authentication is attempted on the next server, and so on in the specified order. If a server is available, the account search is performed only on that server; regardless of the authentication result, the following servers are not contacted. | Domain controller for a server running Windows OS; 127.0.0.1 for a server running a Unix-like OS. |
| scope | Search scope. Allowed values: sub-tree (whole sub-tree below the base DN), one-level (direct descendants of the base DN), base (the base DN only). | sub-tree |
| tls | Establish TLS on the connection to LDAP. | no |
| ssl | Use the LDAPS protocol when connecting to LDAP. | no |

<set />—variables set by LDAP search.

| Attribute | Description | Default value |
| --- | --- | --- |
| attribute | Name of the attribute whose value is assigned to the variable. Cannot be absent. | |
| filter | RFC 4515 LDAP search filter. | |
| scope | Search scope. Allowed values: sub-tree (whole sub-tree below the base DN), one-level (direct descendants of the base DN), base (the base DN only). | sub-tree |
| search | DN of the object entry relative to which the search is performed. | If absent, the base-dn of the <server /> tag is used. |
| variable | Variable name. Must start with a letter and contain letters and digits only. Cannot be absent. | |

Note: For correct authentication, every group for which user membership is configured in the Control Center (Administration → Authentication → LDAP/AD authentication settings → User membership), i.e. every group that has a corresponding entry in a <set /> tag, must actually exist in the Active Directory domain.

Variables can be used in the values of the add attribute of the <mask /> and <expr /> tags, in the value attribute of the <filter /> tag (written as \varname), and in the search attribute of the <set /> tag. The allowed recursion depth for variables is 16.

If the search returns several objects, only the first one is used.

<mask />—user name templates.

| Attribute | Description |
| --- | --- |
| add | String that is ANDed with the search filter; may contain substitution elements. |
| user | User name mask using the DOS-like wildcards * and #. Cannot be absent. |

For example:

<mask user="*@#"  add="sAMAccountName=\1" />

<mask user="*\*"  add="sAMAccountName=\2" />

\1 and \2 are references to the wildcards matched in the user attribute, in order of appearance.

<expr />—user name templates using regular expressions (attributes are the same as in the <mask />).

For example:

<expr user="^(.*)@([^.,=@\s\\]+)$"  add="sAMAccountName=\1" />

<expr user="^(.*)\\(.*)"            add="sAMAccountName=\2" />

Correspondence between masks and regular expressions:

| Mask | Regular expression |
| --- | --- |
| * | .* |
| # | [^.,=@\s\\]+ |

<filter />—LDAP search filter.

| Attribute | Description |
| --- | --- |
| value | String that is ANDed with the search filter; may contain substitution elements. |

<user-dn/> defines the rules of name translation to the DN (Distinguished Name) using DOS-like masks.

In the <user-dn/> tag, the following wildcard characters are allowed:

* replaces a sequence of any characters except . , = @ \ and spaces;

# replaces a sequence of any characters.

<user-dn-expr/> defines the rules of name translation to the DN using regular expressions.

Here is an example of the same name translated to the DN in two ways:

<user-dn user="*@example.com" dn="CN=\1,DC=example,DC=com"/>
<user-dn-expr user="(.*)@example.com" dn="CN=\1,DC=example,DC=com"/>

\1 to \9 mark the places in the template where the value matched by *, # or a parenthesized expression is substituted.

Accordingly, if the username is entered as login@example.com, the DN after translation is "CN=login,DC=example,DC=com".

<user-dn-extension-enabled/> allows the ldap_user_dn_translate.ds Lua script (the "Translating user names to LDAP DN" user hook) to be executed to translate usernames to DNs. The script runs after the user-dn and user-dn-expr rules have been tried, and only if no matching rule was found. It takes one parameter, the username, and returns either a string containing the DN or nothing. If no matching rule is found and the script is disabled or returns nothing, the username is used as entered.

<bind dn/> specifies the DN of the account used to connect to the LDAP server, and <bind password/> specifies that account's password (an empty DN and password can be used for anonymous connections).

For example:

<bind dn="CN=some dn,OU=some name,DC=example,DC=com" password="***" />

Note: If a separate account for the Bind DN search (including an anonymous one) and DN login translation rules are both set, the former takes priority and the latter are ignored.

Filters concatenation

<set variable="admingrp" filter="&amp;(objectclass=group)(cn=ESuite Admin)" attribute="dn" />
<mask user="*\*" add="sAMAccountName=\2" />
<filter value="&amp;(objectClass=user)(memberOf=\admingrp)" />

If the search assigns admingrp the value "CN=ESuite Admins,OU=some name,DC=example,DC=com" and the user entered domain\user, the resulting filter is

"(&(sAMAccountName=user)(&(objectClass=user)(memberOf=CN=ESuite Admins,OU=some name,DC=example,DC=com)))"
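The following Python is an added illustration, not code from the product: it implements the mask-to-regex correspondence, the \1..\9 and \varname substitutions, the <user-dn /> translation from the example above and the filter concatenation just shown, and reproduces the resulting filter string. The RFC 4515 escaping of substituted user input is an addition here; the page does not state whether the product performs it.

```python
import re

# Mask-to-regex correspondence from the page (* -> .*, # -> [^.,=@\s\\]+);
# each wildcard becomes a capture group, so \1..\9 refer to them in order.
MASK_TOKENS = {"*": r"(.*)", "#": r"([^.,=@\s\\]+)"}

def mask_to_regex(mask):
    """Translate a DOS-like user mask such as *\\* or *@# into an anchored regex."""
    body = "".join(MASK_TOKENS.get(ch, re.escape(ch)) for ch in mask)
    return re.compile("^" + body + "$")

def filter_escape(value):
    """RFC 4515 escaping of characters that are special inside a filter value.
    Added here as a defensive step; the page does not say the product does this."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(special.get(c, c) for c in value)

def substitute_refs(template, groups, escape=filter_escape):
    """Replace \\1..\\9 with the wildcard values matched by the user mask."""
    return re.sub(r"\\([1-9])",
                  lambda m: escape(groups[int(m.group(1)) - 1]), template)

def substitute_vars(template, variables):
    """Replace \\varname references (variables set by <set />) with their values."""
    return re.sub(r"\\([A-Za-z][A-Za-z0-9]*)",
                  lambda m: variables[m.group(1)], template)

def build_filter(user_input, masks, filter_value, variables):
    """First matching <mask /> ANDed with <filter />; None when no mask matches."""
    for mask, add in masks:
        m = mask_to_regex(mask).match(user_input)
        if m:
            left = substitute_vars(substitute_refs(add, m.groups()), variables)
            right = substitute_vars(filter_value, variables)
            return f"(&({left})({right}))"
    return None

def translate_user_dn(user_input, rules):
    """First matching <user-dn /> rule. DN components would need RFC 4514
    escaping, which differs from filter escaping and is not implemented here."""
    for mask, dn in rules:
        m = mask_to_regex(mask).match(user_input)
        if m:
            return substitute_refs(dn, m.groups(), escape=lambda s: s)
    return None

# Constructed sample reproducing the page's example (XML &amp; already decoded).
VARIABLES = {"admingrp": "CN=ESuite Admins,OU=some name,DC=example,DC=com"}
MASKS = [("*\\*", r"sAMAccountName=\2"), ("*@#", r"sAMAccountName=\1")]
FILTER_VALUE = r"&(objectClass=user)(memberOf=\admingrp)"
```

Because # excludes dots, the *@# mask matches login@TEST but not login@example.com, which then falls through to None; an input containing ( ) or * is escaped before it reaches the filter.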

Example of Configuring LDAP/AD Authentication

Here is an example of typical settings for authentication using LDAP. The settings are configured in the Control Center, in the Administration → Authentication → LDAP/AD authentication section (Advanced settings).

Initial parameters of administrators who must be authenticated:

domain: dc.test.local

Active Directory group: DrWeb_Admins

Control Center settings:

| Setting name | Value |
| --- | --- |
| Server type | Microsoft Active Directory |
| Server address | dc.test.local |
| Login templates of users to be authenticated | |
| Account mask | test\* or *@test.local |
| Login | \1 |
| Membership of users to be authenticated | |
| Name | DrWeb_Admins |
| Type | group |