Configuring LDAP authentication

Procedure

  1. Choose LDAP from the Authentication Type drop-down menu.
  2. In the LDAP Server Configuration section, configure the following:
    • JNDI driver – We recommend that you use the default setting. If you choose to use a different driver you must make sure that the library for the driver is included in the CLASSPATH for the environment in which WorldServer runs.
    • URL – specify the URL of the LDAP server. Typically this consists of 3 elements:
      • The protocol (ldap://)
      • The server (localhost)
      • The port (389)
    • Here is a typical setting if the LDAP server is running on the same server as WorldServer: 
      ldap_url=ldap://localhost:389
      If you want to configure LDAP for failover, please refer to your LDAP server documentation. Some vendors support failover by separating the LDAP servers with spaces: 
      ldap://primary.ldapserver.com:389 secondary.ldapserver.com:389
      Others separate them with commas (typical with clustered servers): 
      ldap://primary.ldapserver.com:389,secondary.ldapserver.com:389
    • Note: WorldServer supports LDAP over the Secure Socket Layer (SSL). To use LDAP over SSL, specify ldaps:// protocol in the LDAP URL and the correct port (assuming your server supports LDAP over SSL as well).
    • Bind username and password – Based on your security policy you may choose to force applications to bind to a directory context before they can authenticate users. If WorldServer needs to bind prior to authenticating users, you must set the Bind username and Bind password. The Bind username is the distinguished name (dn) of the bind user and Bind password is the password for that user. To bind anonymously, leave the Bind username and Bind password blank.
  3. For WorldServer to find a user in the directory tree, you must configure a base directory for the search to begin, the name of the LDAP username attribute, and, optionally, an attribute filter to narrow the search. In the LDAP Search Criteria section, configure the following:
    • Base - When WorldServer authenticates a user, it searches recursively for that user in the directory tree beginning at the base that you specify. The base is therefore the highest level in the tree that all WorldServer users have in common.
    • Username - This is not a username per se , but the name of an attribute with which to identify a user, for example uid.
    • Additional Filter - You can refine your search for users by adding an attribute filter.
      The filter is defined in a form of attribute=value pairs. You can add as many pairs as you want, as long as combined length of the filter is under 128 characters. When a user is looked up, the filter value is appended to the base filter (base filter is formed from the defined user attribute and the user name) in the format (attr1=val1)(attr2=val2). For example, if you have defined uid as your Username attribute and WorldServer=true as an additional filter, the search string sent to the LDAP server for user jsmith will look like this: 
      (uid=jsmith)(WorldServer=true)
  4. The first time a new user logs in into WorldServer and successfully authenticates against LDAP, a new WorldServer user is created inside WorldServer instance. Each time after this that user logs in, the user's profile is updated based on the attribute settings. In the LDAP Attribute Configuration section, configure the following:
    • First Name – User's LDAP first name, which WorldServer will retrieve.
    • Last Name – User's LDAP last name, which WorldServer will retrieve.
    • Email address – User's LDAP email address.
    • User Type – User's LDAP user type.

      First name, last name, and email is maintained in LDAP and copied over on each login. The remaining of WorldServer-specific information (groups, locales, and so on) must be edited in the WorldServer user Management tab. The User Type can be configured either way. If you select Managed By: WorldServer, the user type needs to be configured inside WorldServer. Each new user will be created with default user type Translator. If you configure this to be Managed By: LDAP, the user type will be copied from the specified attribute. In this case, the LDAP administrator must make sure that this attribute value in LDAP is a valid name for the existing WorldServer user type. If it is not a valid WorldServer user type name, WorldServer defaults the new user type to Translator.

  5. Click Save.

    • What to do next

      f you use LDAP authentication, you can add and modify users in the WorldServer user database. However, these users are not added to the LDAP server. You cannot modify the password or user type settings for the user. Any configuration that you specify for the user's first name, last name, email address, or user type will be overwritten with the information stored in LDAP when that user next logs on.

      If you use LDAP authentication, you can delete users in WorldServer. However, a user whose profile still exists on the LDAP server will be re-added to WorldServer at the next login. Therefore, to delete a user, delete the profile from the LDAP server as well as from WorldServer. You cannot delete the default administrator.

Parent topic: LDAP Authentication