LDAP Setting
The full version of Kustvakt needs a file containing all the information necessary to access the LDAP system and to authenticate and authorize users (see the example LDAP config below). Its path is set in the main configuration:
ldap.config = path-to-ldap-config-file
To find, authenticate and authorize users, the LDAP filter expression specified in `searchFilter` is used. Within this expression, all occurrences of the placeholders `${login}` and `${password}` are replaced with the name and password the user has entered for logging in. If `searchFilter` does not contain any occurrence of `${password}`, the user DN found via the filter expression is authenticated via a regular LDAP bind operation using the entered password. In this case, depending on the LDAP server, hashed passwords are also supported.

Optionally, the two filters `authFilter` and `userNotBlockedFilter` can be specified in addition. The first should be used to check, for example, whether a known user has also signed the necessary EULA, and the second to check that the known user is not blocked. This is reflected in the error messages for failed logins.
host=ldap.example.org
# use LDAP over SSL (LDAPS) if the server supports it
useSSL=true
port=636
# to trust all certs, leave trustStore empty
trustStore=truststore.jks
# add ssl cipher suites if required as csv, e.g. TLS_RSA_WITH_AES_256_GCM_SHA384
additionalCipherSuites=
searchBase=dc=example,dc=org
# DN of a user with full read access
sLoginDN=cn=admin,dc=example,dc=org
pwd=adminpassword
# search for user with uid or email matching login, and signed EULA
searchFilter=(&(|(uid=${login})(mail=${login}))(signedeula=TRUE))
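Because the text the user types at login is substituted into `searchFilter` verbatim, any implementation or audit of such a placeholder mechanism should escape the value as RFC 4515 requires for LDAP filter assertion values. The following Python is an added example, not Kustvakt's own code; it reuses the `searchFilter` template from the config above and adds a shape check (the count of structural parentheses) that a reviewer can run to confirm that substituting a login never alters the filter's structure.

```python
# Added example (not Kustvakt's own code): escaping a user-entered login before
# it is substituted for the ${login} placeholder of a searchFilter expression,
# as RFC 4515 requires for values inside an LDAP filter. The template is the
# searchFilter from the example config above.

SEARCH_FILTER_TEMPLATE = "(&(|(uid=${login})(mail=${login}))(signedeula=TRUE))"

# RFC 4515 section 3: these characters must be written as \XX inside an
# assertion value so that they cannot be read as filter syntax.
_RFC4515_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Return `value` encoded for use as an LDAP filter assertion value."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def substitute_unescaped(template: str, login: str) -> str:
    """Plain textual replacement: characters in the login become filter syntax."""
    return template.replace("${login}", login)


def substitute_escaped(template: str, login: str) -> str:
    """Replacement with the login escaped first; this is the form to use."""
    return template.replace("${login}", escape_filter_value(login))


def structural_paren_count(ldap_filter: str) -> int:
    """Count the parentheses that act as filter structure.

    After RFC 4515 escaping, a literal '(' or ')' inside a value appears as
    \\28 or \\29, so only structural parentheses remain as bare characters.
    """
    return ldap_filter.count("(") + ldap_filter.count(")")


def substitution_preserves_shape(template: str, login: str) -> bool:
    """Audit check: substituting `login` must neither add nor remove filter
    structure relative to the template. Holds for the escaped form on any input."""
    return (structural_paren_count(substitute_escaped(template, login))
            == structural_paren_count(template))


if __name__ == "__main__":
    for login in ["alice", "bob@example.org", "jane(doe)*"]:
        print(login, "->", substitute_escaped(SEARCH_FILTER_TEMPLATE, login))
```

The shape check is deliberately crude (it only counts bare parentheses), but it is enough to flag the difference between `substitute_unescaped` and `substitute_escaped` on a login containing filter metacharacters, which is the property you want to confirm when auditing a login flow built on such a filter template.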
Instead of your own LDAP server, you can also use Kustvakt-full's embedded in-memory LDAP server, which uses the UnboundID LDAP SDK for this purpose. To do so, the following additional settings are required in your `ldap.conf`:
useEmbeddedServer=true
ldifFile=path-to-users-directory.ldif
# port=1234
Note that currently the embedded server ignores the `host` and `useSSL` settings and only listens on the `localhost` interface. The `port` setting, on the other hand, is used.
The embedded server currently supports the following password encodings: clear passwords (prefix `{CLEAR}` or empty), `{HEX}`, `{BASE64}`, `{SHA}` and `{SHA256}`. Note that none of these are safe against brute-force attacks.
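To make the list of encodings concrete, here is an added Python example (not Kustvakt's or UnboundID's code) that produces and verifies `userPassword` values in those five schemes and audits an LDIF fragment for the scheme each user relies on. The page does not spell out the formats, so the example assumes the usual conventions: `{SHA}` and `{SHA256}` hold the base64 of an unsalted SHA-1 or SHA-256 digest (RFC 2307 style), `{HEX}` and `{BASE64}` hold the clear password hex- or base64-encoded, and a value without prefix is clear text. The LDIF fragment is constructed here and only mirrors the `user:password` ... `user4:password4` pattern of `example-users.ldif`.

```python
# Added example (not Kustvakt's or UnboundID's code): encoding, verifying and
# auditing userPassword values in the schemes the embedded server accepts.
# Assumed formats (the page does not define them): {SHA}/{SHA256} = base64 of an
# unsalted SHA-1/SHA-256 digest (RFC 2307 convention), {HEX}/{BASE64} = the
# clear password hex-/base64-encoded, no prefix = clear text.
from __future__ import annotations

import base64
import hashlib
import hmac

SUPPORTED_SCHEMES = ("CLEAR", "HEX", "BASE64", "SHA", "SHA256")


def split_scheme(stored: str) -> tuple[str, str]:
    """Split '{SCHEME}body' into (SCHEME, body); a missing prefix means CLEAR."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return "CLEAR", stored


def encode_password(password: str, scheme: str = "CLEAR") -> str:
    """Produce a userPassword value in the given scheme."""
    scheme = scheme.upper()
    raw = password.encode("utf-8")
    if scheme == "CLEAR":
        body = password
    elif scheme == "HEX":
        body = raw.hex()
    elif scheme == "BASE64":
        body = base64.b64encode(raw).decode("ascii")
    elif scheme == "SHA":
        body = base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")
    elif scheme == "SHA256":
        body = base64.b64encode(hashlib.sha256(raw).digest()).decode("ascii")
    else:
        raise ValueError(f"unsupported password scheme: {scheme}")
    return "{" + scheme + "}" + body


def verify_password(stored: str, entered: str) -> bool:
    """Check an entered password against a stored userPassword value."""
    scheme, body = split_scheme(stored)
    if scheme not in SUPPORTED_SCHEMES:
        return False
    _, expected = split_scheme(encode_password(entered, scheme))
    if scheme == "HEX":  # hex digits are case-insensitive
        body, expected = body.lower(), expected.lower()
    # Constant-time comparison; a length mismatch simply yields False.
    return hmac.compare_digest(expected.encode("utf-8"), body.encode("utf-8"))


def audit_ldif(ldif_text: str) -> list[tuple[str, str]]:
    """List (uid, scheme) for every entry so weak encodings can be spotted.
    All schemes here are unsalted and cheap to compute, which is why none of
    them withstands brute force."""
    result, uid = [], None
    for line in ldif_text.splitlines():
        if line.startswith("uid: "):
            uid = line[5:].strip()
        elif line.startswith("userPassword: ") and uid is not None:
            result.append((uid, split_scheme(line[14:].strip())[0]))
    return result


def _entry(uid: str, stored: str) -> str:
    return (f"dn: uid={uid},ou=people,dc=example,dc=org\n"
            f"uid: {uid}\nuserPassword: {stored}\n")


# Constructed sample LDIF mirroring the user:password ... user4:password4 pattern
# of example-users.ldif; the values are generated here, not copied from that file.
SAMPLE_LDIF = "\n".join([
    _entry("user", "password"),
    _entry("user1", "{HEX}70617373776f726431"),
    _entry("user2", "{BASE64}cGFzc3dvcmQy"),
    _entry("user3", encode_password("password3", "SHA")),
    _entry("user4", encode_password("password4", "SHA256")),
])


if __name__ == "__main__":
    for uid, scheme in audit_ldif(SAMPLE_LDIF):
        print(f"{uid}: {scheme}")
```

`audit_ldif` is the part worth running against a real users file before exposing the embedded server beyond a local test setup: it shows at a glance that `{HEX}` and `{BASE64}` are merely re-encoded clear text, and that the two digest schemes are unsalted.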
You can try Kustvakt-full with the embedded LDAP server using the example configuration provided in `embedded-ldap-example.conf` and the users defined in `example-users.ldif` like this:
$ cp src/main/resources/kustvakt.conf .
$ java -jar target/Kustvakt-full-*.jar
The `example-users.ldif` defines the following login:password combinations: user:password, user1:password1, …, user4:password4, with differently encoded passwords.

To try it out together with KorAP's web user interface Kalamar, add `"Auth"` to the loaded plugins in `kalamar.conf`:
plugins => ["Auth"],