Table of Contents |
---|
...
LDAP can be configured using UI(v6.1 onwards) or API. One can configure one or more LDAPs at the same time. Once configured, the LDAPs will appear on the login and sign up page as a dropdown.
...
Configure the LDAP via UI
Super admins can configure LDAP via UI (v6.1 onwards) by going to Extras from the home page.
...
Once created, the list of all LDAPs registered are displayed and can be updated if required.
Via REST API
openspecimen/rest/ng/auth-domains
Use the register authentication domain resource for registering LDAP authentication domains in OpenSpecimen application. Use the HTTP POST method to call this API by passing the below details in JSON format.
Code Block |
---|
{
"name": "krishagni-ldap",
"implClass": "com.krishagni.catissueplus.core.auth.services.impl.LdapAuthenticationServiceImpl",
"authType": "ldap",
"authProviderProps": {
"url": "ldap://ldap.forumsys.com:389/",
"userDn": "cn=read-only-admin,ou=users,dc=example,dc=com",
"password": "passwd",
"userSearchFilter": "uid= {0}",
"userSearchBase": "dc=example,dc=com"
}
} |
...
Response
Code Block |
---|
{
"id": 3,
"name": "krishagni-ldap",
"implClass": "com.krishagni.catissueplus.core.auth.services.impl.LdapAuthenticationServiceImpl",
"authType": "ldap",
"authProviderProps": {
"url": "ldap://ldap.forumsys.com:389/",
"userDn": "cn=read-only-admin,ou=users,dc=example,dc=com",
"password": "passwd",
"userSearchFilter": "uid= {0}",
"userSearchBase": "dc=example,dc=com"
}
} |
This section describes the response cases for register authentication API
...
...
...
...
A unique user-friendly name that end-user wants to give his/her domain. E.g., Hopkins_LDAP, KUMC_LDAP, etc.
Unique name for the LDAP. E.g., UNIV_LDAP, HOSP_LDAP.
Should be "com.krishagni.catissueplus.core.auth.services.impl.LdapAuthenticationServiceImpl"
If you are going to customize the LDAP implementation for some reason, replace the string with your custom class name.
This parameter is mandatory.
There are two authentication strategies:
- Bind Authentication: Authenticate directly to the LDAP server. Needs URL and userDnPatterns.
- Password comparison: The password supplied by the user is compared with the one stored in the repository. Needs url, userDn, password, userSearchFilter and userSearchBase.
The parameter that comes under the authProviderProps parameter is described below.
url -
LDAP URLs have the following syntax:
ldapItem | Description |
---|---|
Host URL | LDAP URLs have this syntax: ldap[s]://<hostname>:<port> |
|
|
|
|
|
userDnPatterns - User Dn pattern. Eg. "uid={0}" or in case of active directory "sAMAccountName={0}".
OpenSpecimen creates full Dn using userDnPattern and baseDn and tries to authenticate by provided username and password.
Eg.
Code Block |
---|
userName - "jonDoe",
password - "passwd"
url - ldap://ldap.forumsys.com:389/dc=example,dc=com
userDnPatterns - "uid={0}" or "sAMAccountName={0}"
Full Dn - "uid=jonDoe,dc=example,dc=com" or "sAMAccountName=jonDoe,dc=example,dc=com"
OR
url - ldap://ldap.forumsys.com:389/dc=example,dc=com
userDnPatterns - "uid={0}, ou=users" or "sAMAccountName={0},ou=users"
Full Dn - "uid=jonDoe, ou=users, dc=example, dc=com" or "sAMAccountName=jonDoe, ou=users, dc=example, dc=com" |
Bind DN | This is required for authenticating to the directory. Eg. "cn=read-only-admin,ou=users,dc=example,dc=com" |
Password | Password of the Bind DN user. | ||
Search Base | User search base, from where the search will be started. It might be an empty string like "" or "ou=People". If Oracle DBMS is used, then an empty string is treated as null, which will fail LDAP authentication. Therefore it is advised to specify the base node from which the search needs to be carried. Eg.
|
|
|
|
|
|
http[s]:<host>:<port>/openspecimen/rest/ng/auth-domains
Use this URL to register the authentication domain in the OpenSpecimen application.
Result:
The response of this request will contain the details of the registered authentication domain.
Below is the example of the register authentication domain:
- Ldap Domain Registration :
...
POST: Use to register new domain
PUT : Use to update existing domain
...
Search Filter | Search user using an attribute. Eg. "(uid={0})" or in case of active directory "(sAMAccountName={0})" |
Run the below command on command prompt/terminal and fill the same details as configured on OpenSpecimen UI. This command will give you an error if there is an issue with configuration, and if it works fine, then the same configuration will work in OpenSpecimen.
...
Here 'test' is the user account created in LDAP, and the same user needs to be created into OpenSpecimen. Here is a wiki page to setup LDAP users. (refer to via UI section)