LDAP authentication

Since 3.2 it's possible to configure CloverETL Server to use an LDAP server for user authentication. So the credentials of users registered in LDAP may be used to authenticate to any CloverETL Server interface (API or GUI).

However, authorization (access levels to sandbox content and privileges for operations) is still handled by the Clover security module. Each user, even though logged in using LDAP authentication, must have his own "user" record (with related groups) in the CloverETL security module. So there must be a user with the same username and with the domain set to "LDAP". If no such user record exists, it's automatically created according to the CloverETL configuration.

What does CloverETL do to authenticate an LDAP user?

  1. The user specifies the LDAP credentials, e.g. in the login form of the web GUI.

  2. CloverETL Server connects to the LDAP server and checks whether the user exists (it uses the configured search to look the user up in LDAP).

  3. If the user exists in LDAP, CloverETL Server performs the authentication.

  4. If the authentication succeeded, CloverETL Server searches for the LDAP user's groups.

  5. CloverETL Server checks whether the user is assigned to LDAP groups which are allowed to log in to Clover.

  6. The Clover user record is created/updated according to the current LDAP values.

  7. The Clover user is assigned to Clover groups according to his current assignment to LDAP groups.

  8. The user is logged in.

Note

Switching domains:

  • If a user was created as LDAP and then switched to the clover domain, you have to set a password for him in the Change password tab.

  • If a user was created as clover and then switched to the LDAP domain, he has a password in the clover domain, but it is overridden by the LDAP password. After switching back to the clover domain, the original password is re-used. It can be reset in the Change password tab if needed (e.g. when forgotten).

Configuration

By default CloverETL Server allows only its own internal mechanism for authentication. To enable authentication with LDAP, set the config property "security.authentication.allowed_domains" properly. It's a list of user domains which are used for authentication.

Currently there are two authentication mechanisms implemented: "LDAP" and "clover" ("clover" is the identifier of the CloverETL internal authentication and may be changed by the security.default_domain property, but only for white-labelling purposes). To enable LDAP authentication, set the value to "LDAP" (only LDAP) or "clover,LDAP". Users from both domains may log in. It's recommended to allow both mechanisms together until LDAP is properly configured, so that the admin user can still log in to the web GUI even while the LDAP connection isn't properly configured.

Basic LDAP connection properties

# Implementation of context factory
security.ldap.ctx_factory=com.sun.jndi.ldap.LdapCtxFactory
# timeout for all queries sent to LDAP server
security.ldap.timeout=5000
# limit for number of records returned from LDAP
security.ldap.records_limit=50

# URL of the LDAP server
security.ldap.url=ldap://hostname:port
# Some generic user DN which allows lookup of the user and groups.
security.ldap.userDN=
# Password for the user specified above
security.ldap.password=

Configuration of user lookup

The values specified below work for this specific LDAP tree:

The following properties are necessary for looking up the LDAP user by his username (step 2 in the login process above).

# Base specifies the node of the LDAP tree where the search starts
security.ldap.user_search.base=dc=company,dc=eu
# Filter expression for searching the user by his username.
# Please note that this search query must return just one record.
# The placeholder ${username} will be replaced by the username specified by the user logging in.
security.ldap.user_search.filter=(uid=${username})
# Scope specifies the type of search in "base". There are three possible values: SUBTREE | ONELEVEL | OBJECT
# http://download.oracle.com/javase/6/docs/api/javax/naming/directory/SearchControls.html
security.ldap.user_search.scope=SUBTREE
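As an added illustration (not CloverETL's own code; the page does not describe how the server escapes the placeholder), the following shows what a safe substitution of ${username} into security.ldap.user_search.filter looks like, together with the "exactly one record" rule and the attribute mapping used when the Clover user record is created. The config values and the sample LDAP entry are constructed to mirror the properties documented here.

```python
from typing import Dict, List

# Constructed values mirroring the user_search properties documented above.
CONFIG = {
    "security.ldap.user_search.filter": "(uid=${username})",
    "security.ldap.records_limit": 50,
    "security.ldap.user_search.attribute.firstname": "fn",
    "security.ldap.user_search.attribute.lastname": "sn",
    "security.ldap.user_search.attribute.email": "mail",
}

# Constructed LDAP entry as a search might return it (dn plus attributes).
SAMPLE_ENTRY = {"dn": "uid=jdoe,ou=people,dc=company,dc=eu",
                "fn": "John", "sn": "Doe", "mail": "jdoe@company.eu"}

# RFC 4515: these characters are never literal inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str, config: Dict = CONFIG) -> str:
    """Step 2: substitute ${username} into security.ldap.user_search.filter."""
    template = config["security.ldap.user_search.filter"]
    return template.replace("${username}", escape_filter_value(username))


def select_user_entry(results: List[Dict[str, str]], config: Dict = CONFIG) -> Dict[str, str]:
    """Enforce the documented rule that the user search returns exactly one record."""
    if len(results) > config["security.ldap.records_limit"]:
        raise LookupError("search result exceeds security.ldap.records_limit")
    if len(results) != 1:
        raise LookupError(f"user search must return exactly one record, got {len(results)}")
    return results[0]


def clover_user_from_entry(entry: Dict[str, str], config: Dict = CONFIG) -> Dict[str, str]:
    """Step 6: map the configured attribute names onto the Clover user record."""
    prefix = "security.ldap.user_search.attribute."
    return {field: entry.get(config[prefix + field], "")
            for field in ("firstname", "lastname", "email")}
```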

The following properties are the names of attributes from the search defined above. They are used to get basic info about the LDAP user in case the user record has to be created/updated by the Clover security module (step 6 in the login process above).

security.ldap.user_search.attribute.firstname=fn
security.ldap.user_search.attribute.lastname=sn
security.ldap.user_search.attribute.email=mail

The Clover user record will be assigned to the Clover groups according to the LDAP groups found by the following search (the groups check is performed during each login). So the following properties define the search for the groups which the user is a member of (step 4 in the login process above).

security.ldap.groups_search.base=dc=company,dc=com
# The placeholder ${userDN} will be replaced by the user DN found by the search above.
# If the filter is empty, the groups search will be skipped.
security.ldap.groups_search.filter=(&(objectClass=groupOfNames)(member=${userDN}))
security.ldap.groups_search.scope=SUBTREE
# The value of the following attribute will be used to look up the Clover group by its code.
# So the user will be assigned to the Clover group with the same "code".
security.ldap.groups_search.attribute.group_code=cn

It's also possible to specify the LDAP groups whose members are allowed to log in to Clover (step 5 in the login process above).

# Semicolon-separated list of LDAP group DNs (distinguished names).
# The LDAP user must be assigned to one or more of these groups, otherwise a new clover user can't be created.
# The special value "_ANY_" disables this check and basically any LDAP user may log in.
# If LDAP group DNs are configured, the security.ldap.groups_search.* properties must be configured as well.
# The value could be e.g. "cn=developers,dc=company,dc=com;cn=admins,dc=company,dc=com"
security.ldap.allowed_ldap_groups=_ANY_
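The following is an added example (not CloverETL's own code) of steps 4, 5 and 7 as the groups_search and allowed_ldap_groups properties above describe them: substitute ${userDN} into the groups filter, skip the search when the filter is empty, refuse the login when allowed_ldap_groups is set and none of the found groups match, and map the group_code attribute onto Clover group codes. DN comparison is simplified to trimming and case-folding, which is an assumption of this example; the config values and group entries are constructed.

```python
from typing import Dict, List, Optional, Set

# Constructed values mirroring the groups_search / allowed_ldap_groups properties above.
CONFIG = {
    "security.ldap.groups_search.filter": "(&(objectClass=groupOfNames)(member=${userDN}))",
    "security.ldap.groups_search.attribute.group_code": "cn",
    "security.ldap.allowed_ldap_groups": "cn=developers,dc=company,dc=com;cn=admins,dc=company,dc=com",
}

# Constructed group entries as the groups search might return them.
SAMPLE_GROUPS = [
    {"dn": "cn=developers,dc=company,dc=com", "cn": "developers"},
    {"dn": "CN=qa, DC=company, DC=com", "cn": "qa"},
]

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so the DN is matched literally inside the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_groups_filter(user_dn: str, config: Dict = CONFIG) -> Optional[str]:
    """Step 4: substitute ${userDN}; an empty filter means the search is skipped."""
    template = config["security.ldap.groups_search.filter"].strip()
    if not template:
        return None
    return template.replace("${userDN}", escape_filter_value(user_dn))


def normalize_dn(dn: str) -> str:
    """Simplified DN comparison (assumption): trim spaces around RDNs, ignore case."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def allowed_group_dns(config: Dict = CONFIG) -> Optional[Set[str]]:
    """Parse the semicolon-separated list; None means the special value _ANY_."""
    raw = config["security.ldap.allowed_ldap_groups"].strip()
    if raw == "_ANY_":
        return None
    if not config["security.ldap.groups_search.filter"].strip():
        raise ValueError("allowed_ldap_groups is set but the groups_search filter is empty")
    return {normalize_dn(dn) for dn in raw.split(";") if dn.strip()}


def clover_group_codes(group_entries: List[Dict[str, str]], config: Dict = CONFIG) -> List[str]:
    """Steps 5 and 7: enforce allowed_ldap_groups, then map group_code onto Clover group codes."""
    allowed = allowed_group_dns(config)
    member_dns = {normalize_dn(g["dn"]) for g in group_entries}
    if allowed is not None and not (allowed & member_dns):
        raise PermissionError("user is not a member of any allowed LDAP group")
    code_attr = config["security.ldap.groups_search.attribute.group_code"]
    return sorted(g[code_attr] for g in group_entries)
```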