LDAP configuration backend

Presentation

You can choose to store LemonLDAP::NG configuration in an LDAP directory.

image0

Advantages:

  • Easy to share between servers with remote LDAP access

  • Easy to duplicate with LDAP synchronization services (like SyncRepl in OpenLDAP)

  • Security with SSL/TLS

  • Access control possible by creating one user for Manager (write) and another for portal and handlers (read)

  • Easy import/export through LDIF files

The configuration will be store under a specific branch, for example ou=conf,ou=applications,dc=example,dc=com.

Each configuration will be represented as an entry, which structural objectClass is by default applicationProcess. The configuration name is the same that files, so lmConf-1, lmConf-2, etc. This name is used in entry DN, for example cn=lmConf-1,ou=conf,ou=applications,dc=example,dc=com.

Then each parameter is one value of the attribute description, prefixed by its key. For example {ldapPort}389.

The LDIF view of such entry can be:

dn: cn=lmConf-1,ou=conf,ou=applications,dc=example,dc=com
objectClass: top
objectClass: applicationProcess
cn: lmConf-1
description: {globalStorage}'Apache::Session::File'
description: {cookieName}'lemonldap'
description: {whatToTrace}'$uid'
...

Configuration

LDAP server

Configuration objects use standard object class: applicationProcess. This objectClass allow attributes cn and description. If your LDAP server do not manage this objectClass, configure other objectclass and attributes (see below).

We advice to create a specific LDAP account with write access on configuration branch.

Next create the configuration branch where you want. Just remember its DN for LemonLDAP::NG configuration.

LemonLDAP::NG

Configure LDAP configuration backend in lemonldap-ng.ini, section [configuration]:

type = LDAP
ldapServer = ldap://localhost
ldapConfBase = ou=conf,ou=applications,dc=example,dc=com
ldapBindDN = cn=manager,dc=example,dc=com
ldapBindPassword = secret
ldapObjectClass = applicationProcess
ldapAttributeId = cn
ldapAttributeContent = description

Parameters:

  • ldapServer: LDAP URI of the server

  • ldapConfBase: DN of configuration branch

  • ldapBindDN: DN used to bind LDAP

  • ldapBindPassword: password used to bind LDAP

  • ldapObjectClass: structural objectclass of configuration entry (optional)

  • ldapAttributeId: RDN attribute of configuration entry (optional)

  • ldapAttributeContent: attribute used to store configuration values, must be multivalued (optional)

  • ldapVerify: When using a LDAPS or TLS server, whether or not to validate the server certificate. Possible values: require, optional or none.

  • ldapCAFile: This allows you to override the default system-wide certificate authorities by giving a single file containing the CA used by the LDAP server.

  • ldapCAPath: This allows you to override the default system-wide certificate authorities by giving the path of a directory containing your trusted certificates.