About

The plugin supports the following auth types for users of the system:

  • LDAP (Active Directory).

Setup

Make sure the plugin is enabled and append to the configuration:

LDAP

To enable LDAP auth, add the following configuration for each of the requested servers:

auth:ldap.{@inc:cnt}.url=<URL>
auth:ldap.{@cnt}.login.expression=<LOGIN_EXPRESSION>
auth:ldap.{@cnt}.search.base=<SEARCH_BASE>
auth:ldap.{@cnt}.search.expression=<SEARCH_EXPRESSION>
# optional
auth:ldap.{@cnt}.search.attributes=<ATTRIBUTES>
auth:ldap.{@cnt}.group.ids.expression=<GROUP_IDS_EXPRESSION>
auth:ldap.{@cnt}.title.expression=<TITLE_EXPRESSION>
auth:ldap.{@cnt}.update.expression=<UPDATE_EXPRESSION>

Where:

During the auth process the enabled plugin tries to bind to each configured server using the login produced by <LOGIN_EXPRESSION>. After a successful bind, a search is performed in <SEARCH_BASE> with <SEARCH_EXPRESSION>. The found attributes are converted into the user's title and group IDs. The user is created in the app DB as EXTERNAL, which means it can't be edited within the app, stores no password and is always updated from the external source.

Example of LDAP configuration:

auth:ldap.{@inc:cnt}.url=ldap://172.16.0.45
auth:ldap.{@cnt}.login.expression=login + "@ozna"
auth:ldap.{@cnt}.search.base=dc=ozna,dc=corp
auth:ldap.{@cnt}.search.expression="sAMAccountName="+ login
auth:ldap.{@cnt}.group.ids.expression=<<END
    result = {};
    for (memberOf : attrs.values("memberOf")) {
        memberOfLc = memberOf.toLowerCase();
        if (memberOfLc.startsWith("cn=vpn koronavirus ozna,ou=rdp-limit")) {
            result.add(2);
        } else if (memberOfLc.startsWith("cn=пользователи vpn-озна,ou=rdp-limit")) {
            result.add(3);
        }
    }
    return result;
END
auth:ldap.{@cnt}.title.expression=<<END
    name = attrs.value("name");
    if (name != null) {
        return name;
    }
    return "???";
END

USER_MAIL_PARAM_ID=...
USER_MOBILE_PARAM_ID=...

auth:ldap.{@cnt}.update.expression=<<END
    mail = attrs.value("mail");
    if (mail != null)
        up.sval({@USER_MAIL_PARAM_ID}, mail);

    phone = attrs.value("mobile");
    if (phone != null) {
        if (phone.startsWith("+"))
            phone = phone.substring(1);
        up.sval({@USER_MOBILE_PARAM_ID}, phone);
    }
END
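
As an added example (not the plugin's own code), the following Python simulates the bind, search and attribute expressions from the configuration above against a constructed in-memory directory; the directory entry, its password and the param IDs 10 and 11 are assumptions, and the search value is additionally escaped per RFC 4515 before it is placed into the filter.

```python
# Added example, not the plugin's code: offline simulation of the LDAP
# expressions above. Directory, password and param IDs are constructed.
from typing import Optional

# RFC 4515 escaping for a value placed into an LDAP search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def login_expression(login: str) -> str:
    return login + "@ozna"                       # login + "@ozna"

def search_expression(login: str) -> str:
    return "sAMAccountName=" + escape_filter_value(login)   # "sAMAccountName=" + login

# Same DN prefixes and IDs as group.ids.expression; the DN is compared lowercased.
GROUP_PREFIXES = {"cn=vpn koronavirus ozna,ou=rdp-limit": 2,
                  "cn=пользователи vpn-озна,ou=rdp-limit": 3}

def group_ids(attrs: dict) -> set:
    result = set()
    for member_of in attrs.get("memberOf", []):
        lc = member_of.lower()
        for prefix, gid in GROUP_PREFIXES.items():
            if lc.startswith(prefix):
                result.add(gid)
    return result

def title(attrs: dict) -> str:
    name = attrs.get("name")
    return name[0] if name else "???"            # title.expression fallback

def update_params(attrs: dict, mail_param_id: int, mobile_param_id: int) -> dict:
    params = {}
    if attrs.get("mail"):
        params[mail_param_id] = attrs["mail"][0]
    if attrs.get("mobile"):
        phone = attrs["mobile"][0]
        if phone.startswith("+"):
            phone = phone[1:]                    # update.expression strips the "+"
        params[mobile_param_id] = phone
    return params

# Constructed directory: sAMAccountName -> (bind password, attributes).
DIRECTORY = {"ivanov": ("s3cret", {
    "name": ["Ivanov I."], "mail": ["ivanov@ozna.corp"], "mobile": ["+79001234567"],
    "memberOf": ["CN=VPN Koronavirus Ozna,OU=RDP-limit,DC=ozna,DC=corp"]})}

def authenticate(login: str, password: str) -> Optional[dict]:
    entry = DIRECTORY.get(login)
    if entry is None or entry[0] != password:
        return None                              # bind as login_expression(login) failed
    attrs = entry[1]
    return {"bind": login_expression(login), "filter": search_expression(login),
            "title": title(attrs), "groups": group_ids(attrs),
            "params": update_params(attrs, 10, 11), "external": True}
```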

Debug

Recommended logger configuration:

log4j.logger.org.bgerp.plugin.sec.auth=DEBUG, filea
log4j.additivity.org.bgerp.plugin.sec.auth=false