Two AD or LDAP servers are supported. The primary server is checked first and if the user is found, authentication is attempted. If authentication fails, access is denied.
If the user is not found in the primary LDAP/AD server, authentication against the secondary LDAP/AD server is attempted.
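The decision flow described above, as an added illustration that is not code from Whydah UIB: each `Directory` is an in-memory stand-in for one LDAP/AD server (`find_user()` models the search, `bind()` models the password check), and the sample accounts are constructed. The security-relevant point it shows is that a user who exists in the primary but fails authentication there is denied outright; the secondary is only consulted for users the primary does not know.

```python
"""Two-directory authentication flow (primary first, secondary as fallback).

Added illustration, not code from Whydah UIB. Directory names, account data
and the AuthResult shape are assumptions made for this example.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


class Directory:
    """Minimal in-memory stand-in for one LDAP/AD server."""

    def __init__(self, name: str, accounts: Dict[str, str]):
        self.name = name
        self._accounts = accounts  # username -> password (constructed sample data)

    def find_user(self, username: str) -> bool:
        """Models the LDAP search for the user's entry."""
        return username in self._accounts

    def bind(self, username: str, password: str) -> bool:
        """Models the LDAP bind; constant-time compare to avoid a timing leak."""
        stored = self._accounts.get(username)
        if stored is None:
            return False
        return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))


@dataclass(frozen=True)
class AuthResult:
    allowed: bool
    directory: Optional[str]  # name of the server that gave the final answer
    reason: str


def authenticate(primary: Directory, secondary: Optional[Directory],
                 username: str, password: str) -> AuthResult:
    """Primary is checked first. If the user exists there, its answer is final:
    a failed bind denies access and the secondary is NOT consulted.
    Only a user unknown to the primary falls through to the secondary."""
    if primary.find_user(username):
        ok = primary.bind(username, password)
        return AuthResult(ok, primary.name,
                          "primary bind ok" if ok else "primary bind failed, no fallback")
    if secondary is not None and secondary.find_user(username):
        ok = secondary.bind(username, password)
        return AuthResult(ok, secondary.name,
                          "secondary bind ok" if ok else "secondary bind failed")
    return AuthResult(False, None, "user not found in any directory")


# Constructed sample data: the same username exists in both directories with
# different passwords, which is the "two passwords" situation the text mentions.
PRIMARY = Directory("ad", {"erikd": "ad-secret"})
SECONDARY = Directory("ldap", {"erikd": "ldap-secret", "anna": "ldap-only"})


if __name__ == "__main__":
    for user, pw in [("erikd", "ad-secret"), ("erikd", "ldap-secret"),
                     ("anna", "ldap-only"), ("ghost", "x")]:
        print(user, authenticate(PRIMARY, SECONDARY, user, pw))
```

Note that `erikd` with the LDAP-only password is denied even though the secondary would have accepted it: the primary's verdict is final for every user it knows.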
It is possible to configure whether UIB is allowed to write to the LDAP/AD server or whether the server is treated as read-only.
This is the standard setup. AD integration is similar to LDAP, but the default AD schema has no uid field. It is possible to add an extension (todo reference here) to AD that provides uid and other LDAP fields; otherwise the uid is constructed from existing AD fields. That is, a default AD configuration works without any modifications.
NotApplicable / NotSupported, as it cannot support a large part of Whydah's functionality.
- Functionality requiring write permissions to AD/LDAP
- New users are added to master, but not to secondary
- Master is used first, secondary thereafter
- Write UserIdentity updates to both
- Use AD for auth
- Fallback on LDAP for auth
- Writes UserIdentity to LDAP
- A user may end up with two passwords if they use Whydah to change their password
- Support usage during AD downtime/maintenance
Works as standalone LDAP, with the following exception(s):
TODO: What rules define the transformation from an AD user to a Whydah user?
- Import all
- Whydah user = AD user
- First access
- Manual process?
Those decisions need to be implemented to keep the UserDataIntex in Lucene up to date.
- The default AD LDAP schema does not have a uid field; extensions can add it. If no uid can be found, UIB uses the userPrincipalName field as uid. Example: firstname.lastname@example.org.
- Import functionality is used to add applications, organizations and the mapping between roles and users. It is possible to add role mappings without actually importing any users, by referencing the uid that is expected to be found when the user is looked up in AD.
- Log in as usual with the username without the domain, e.g. erikd, not DOMAIN\erikd.
- Authentication and authorization of users thus do not rely on any changes to the LDAP/AD servers; only the role database is changed.
- NOTE! The Lucene index is currently not updated on import (see the TODO in RoleMappingImporter). UserAdminWebapp can thus not find the users, but they can log in.
Mapping is performed in LdapUserIdentityDao.
| UserIdentity field | LDAP field | LDAP schema | AD field |
|---|---|---|---|
| username | initials (non-standard use) | core.schema | sAMAccountName |
| userpassword (case error, should be userPassword?) | userPassword | core.schema | userPassword |
See Table 8.3: Commonly Used Syntaxes for readable syntax descriptions.
The default AD LDAP schema does not have a uid field. Extensions (Microsoft’s Services for UNIX?) can add it. If no uid can be found, UIB uses the userPrincipalName field as uid. Example: email@example.com.
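The mapping table and the uid fallback rule, as an added illustration that is not code from Whydah's LdapUserIdentityDao: an entry is a plain dict of attribute name to list of values (the shape most LDAP client libraries return), `FIELD_MAP`, `AD_UID_FALLBACK`, `UserIdentity` and the sample entries are assumptions made for this example. It also handles the case-insensitive attribute names LDAP servers return, which the table does not spell out.

```python
"""Building a Whydah-style UserIdentity from an LDAP or AD entry.

Added illustration, not Whydah code. On plain LDAP the username comes from
`initials` and the uid from `uid`; on AD the username comes from
`sAMAccountName` and, when no uid attribute exists, the uid falls back to
`userPrincipalName`. Sample entries are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# UserIdentity field -> directory attribute, per the mapping table above.
FIELD_MAP = {
    "ldap": {"username": "initials", "uid": "uid"},
    "ad":   {"username": "sAMAccountName", "uid": "uid"},
}
# Assumed fallback attribute on AD when the schema has no uid.
AD_UID_FALLBACK = "userPrincipalName"


@dataclass(frozen=True)
class UserIdentity:
    uid: str
    username: str
    # userPassword is deliberately not carried here: it is only ever checked
    # through an LDAP bind and never copied into the identity object.


def first_value(entry: Dict[str, List[str]], attr: str) -> Optional[str]:
    """LDAP attribute names are case-insensitive; match accordingly and
    return the first non-empty value, or None if the attribute is absent."""
    wanted = attr.lower()
    for name, values in entry.items():
        if name.lower() == wanted:
            for v in values:
                if v:
                    return v
    return None


def to_user_identity(entry: Dict[str, List[str]], schema: str) -> UserIdentity:
    """Apply the mapping for `schema` ("ldap" or "ad") to one directory entry."""
    attrs = FIELD_MAP[schema]
    username = first_value(entry, attrs["username"])
    if username is None:
        raise ValueError(f"entry has no {attrs['username']} attribute")
    uid = first_value(entry, attrs["uid"])
    if uid is None and schema == "ad":
        uid = first_value(entry, AD_UID_FALLBACK)
    if uid is None:
        raise ValueError("entry has neither uid nor a usable fallback attribute")
    return UserIdentity(uid=uid, username=username)


# Constructed sample entries.
AD_DEFAULT_SCHEMA = {          # stock AD: no uid attribute at all
    "sAMAccountName": ["erikd"],
    "userPrincipalName": ["erik.d@example.org"],
}
AD_WITH_UID_EXTENSION = {      # AD with a UNIX-attribute extension providing uid
    "sAMAccountName": ["erikd"],
    "uid": ["erikd"],
    "userPrincipalName": ["erik.d@example.org"],
}
PLAIN_LDAP = {
    "initials": ["erikd"],
    "uid": ["erikd"],
}


if __name__ == "__main__":
    print(to_user_identity(AD_DEFAULT_SCHEMA, "ad"))
    print(to_user_identity(AD_WITH_UID_EXTENSION, "ad"))
    print(to_user_identity(PLAIN_LDAP, "ldap"))
```

With the stock AD schema the resulting uid is the userPrincipalName (`erik.d@example.org`) while the login name stays the domain-less `erikd`; once the extension supplies a real uid attribute, that value wins and the fallback is never consulted.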