h2. Introduction
Two LDAP Features are currently supported.
# Authentication and Authorization of users (pre-requisite for any other LDAP functionality)
# User to group mapping (optional)
At this time, LDAP and built-in (API-based) user authentication are mutually exclusive - if LDAP is enabled, API-based authentication is not, and vice versa.
{note:title=Self-signed Certificates}
At this time, LucidWorks Enterprise LDAP functionality is not compatible with self-signed certificates.
{note}
h2. LDAP Setup
The main configuration file for LDAP is {{conf/ldap-config.yml}}. To use LDAP, the setting {{:enabled: false}} must be changed to {{:enabled: true}}, and the other settings must be modified as needed for LWE to connect to the LDAP server and query the directory for user authentication.
{code}
production:
  :enabled: false
  :host: # default = 'localhost'
  :port: # defaults to standard LDAP port
  :ssl: # defaults to false
  :ssl_port: # defaults to standard LDAP SSL port
  :bind_id: 'cn=Manager,dc=widget,dc=net'
  :bind_pwd: 'secret'
  :search_base: 'dc=widget,dc=net'
  :user_filter: 'uid=$USER'
  :group_attr_for_user: # default = 'cn'; attribute of group used in LWE roles definitions
  :group_attr_for_role: # default = 'cn'; attribute of group used in LWE roles definitions
  # User to group mapping methods (use only one of the two blocks below):
  # Specifying group membership by adding users as attributes to group directory entries
  :group_filter: '(&(objectclass=groupOfUniqueNames)(uniqueMember=$USER))'
  :user_attr_for_group: # default = 'dn'; attribute of user specified as value of a group membership attribute
  # Specifying group membership by adding groups as attributes to user directory entries
  :group_attr_for_user: 'memberOf' # default = nil; attribute of user specifying group membership
{code}
{warning:title=Create a Valid LDAP User-Role Mapping Before Enabling LDAP}Because LucidWorks Enterprise's built-in authentication is disabled when LDAP authentication is enabled, it would not be possible to map a user or group to the ROLE_ADMIN after LDAP is enabled. If no one has ROLE_ADMIN access, no one will be able to access the Administrative UI. So, before enabling LDAP, go to the Roles page and map an LDAP username or a group to ROLE_ADMIN by adding it to the Group or User section of the ROLE_ADMIN definition. For more information about Group or User mappings to Roles, see the page on [Roles Configuration].{warning}
h3. User to Group Mappings
LWE supports two different methods of mapping users to groups:
* Listing users as attributes in group directory entries
* Listing groups as attributes in user directory entries
You should only use one of these methods at a time. Your configuration should contain only one of the two blocks of LDAP user/group mapping settings.
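As an added example (not LucidWorks code), the following Python script parses a file in the layout of {{conf/ldap-config.yml}} shown above, flags the settings a reviewer would check before switching {{:enabled:}} on (LDAP without SSL, the placeholder bind password, both group-mapping blocks configured at once, which the text above says not to do), and shows how a {{$USER}} value should be escaped per RFC 4515 when it is substituted into {{user_filter}} or {{group_filter}}. The sample config, the one-section/one-key-per-line parser and the check wording are assumptions of this example, not LWE behaviour.

```python
import re

# Constructed sample with keys from the page's listing (assumed format:
# one 'production:' section, then one ':key: value  # comment' line per setting).
SAMPLE = """
production:
  :enabled: true
  :ssl: true
  :bind_id: 'cn=Manager,dc=widget,dc=net'
  :bind_pwd: 'secret'
  :user_filter: 'uid=$USER'
  :group_filter: '(&(objectclass=groupOfUniqueNames)(uniqueMember=$USER))'
  :group_attr_for_user: 'memberOf'
"""

def parse_config(text, section="production"):
    """Return {key: value} for the ':key:' lines of one section, comments stripped."""
    cfg, in_section = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):        # unindented: section header
            in_section = line.strip() == section + ":"
            continue
        m = re.match(r"\s*:(\w+):\s*(.*)$", line)
        if in_section and m:
            cfg[m.group(1)] = m.group(2).strip().strip("'\"")
    return cfg

def lint_config(cfg):
    """Problems a reviewer would flag before switching :enabled: on."""
    problems = []
    if cfg.get("ssl") != "true":
        problems.append("ssl is off: bind credentials travel in clear text")
    if cfg.get("bind_pwd") in (None, "", "secret"):
        problems.append("bind_pwd is missing or still the placeholder 'secret'")
    # The page says to configure only ONE of the two group-mapping methods.
    by_group = "group_filter" in cfg or "user_attr_for_group" in cfg
    if by_group and cfg.get("group_attr_for_user"):
        problems.append("both group-mapping methods are configured; keep only one")
    return problems

def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into an LDAP search filter."""
    return "".join(c if c not in "\\*()\x00" else "\\%02x" % ord(c) for c in value)

def build_filter(template, username):
    """Substitute $USER so that '(' ')' '*' '\\' in the name cannot change the filter."""
    return template.replace("$USER", escape_filter_value(username))
```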
h2. Manual User Management
Instead of using LDAP to authenticate users, LucidWorks Enterprise includes a REST API that allows creation of [users|Users]. Using this API and the [Perl Examples|Example Perl Clients] provided with the application, users can be created, passwords reset, or deleted.