About

The plugin supports the following auth types for users of the system:

  • LDAP (Active Directory).

Setup

Make sure the plugin is enabled in configuration. Preferably as a separated config.

LDAP

For enabling LDAP auth for each of requested servers add configuration:

auth:ldap.<id>.url=<url>
auth:ldap.<id>.login.expression=<loginExpression>
auth:ldap.<id>.search.base=<searchBase>
auth:ldap.<id>.search.expression=<searchExpression>
# optional
#auth:ldap.<id>.search.attributes=<attributes>
auth:ldap.<id>.group.ids.expression=<groupIdsExpression>
auth:ldap.<id>.title.expression=<titleExpression>

Where:

  • <id> - sequential server’s number ordering requests;

  • <loginExpression> - JEXL expression for getting LDAP login out of user login;

  • <searchBase> - LDAP search base;

  • <searchExpression> - JEXL expression for getting LDAP search query out of user login;

  • <attributes> - optional comma separated list of searched attributes;

  • <groupIdsExpression> - JEXL expression for getting user group IDs out of attrs object, instance of org.bgerp.plugin.sec.auth.config.LDAPAttributes;

  • <titleExpression>- - JEXL expression for getting user title out of attrs object, instance of org.bgerp.plugin.sec.auth.config.LDAPAttributes.

During auth process the enabled plugin tries to bind to each of configured servers using login from <loginExpression>. After successful bind performed a search in <searchBase> with <searchExpression>. Found attributes converted to user title and IDs. The user has created in the app DB as EXTERNAL, that means it can’t be updated within the app, doesn’t store password and always updated out of external source.

Example of LDAP configuration:

auth:ldap.1.url=ldap://172.16.0.45
auth:ldap.1.login.expression=login + "@ozna"
auth:ldap.1.search.base=dc=ozna,dc=corp
auth:ldap.1.search.expression="sAMAccountName="+ login
auth:ldap.1.group.ids.expression=<<END
    result = {};
    for (memberOf : attrs.values("memberOf")) {
        memberOfLc = memberOf.toLowerCase();
        if (memberOfLc.startsWith("cn=vpn koronavirus ozna,ou=rdp-limit")) {
            result.add(2);
        } else if (memberOfLc.startsWith("cn=пользователи vpn-озна,ou=rdp-limit")) {
            result.add(3);
        }
    }
    return result;
END
auth:ldap.1.title.expression=<<END
    name = attrs.value("name");
    if (name != null) {
        return name;
    }
    return "???";
END

Debug

Recommended logger configuration.

log4j.logger.org.bgerp.plugin.sec.auth=DEBUG, filea
log4j.additivity.org.bgerp.plugin.sec.auth=false