If you are operating on a corporate network or want to have your users in a centralized database, you can enable LDAP authentication for Rudder users.
Be aware of the following limitation of the current process: only authentication is delegated to LDAP, NOT authorization. You still have to declare each user's authorizations in the Rudder user file (rudder-users.xml).
A user whose authentication is accepted by LDAP but who is not declared in the rudder-users.xml file is considered to have no rights at all (and so will only see a reduced version of the Rudder home page, with no actions or tabs available).
The credentials of a user are defined in the XML file /opt/rudder/etc/rudder-users.xml. It expects the same format as for regular file-based user login, but in this case "name" is the login used to connect to LDAP, and the password field is ignored and should be set to "LDAP" to make it clear that this Rudder installation uses LDAP to log users in.
Every modification of this file should be followed by a restart of the Rudder web application to be taken into account:
service rudder-jetty restart
LDAP authentication is enabled by setting the property rudder.auth.ldap.enable to true in the file /opt/rudder/etc/rudder-web.properties.
The LDAP authentication process is a bind/search/rebind: an application connection (bind) is used to search (search) for a user entry under a given search base with a given filter, and then a second bind (rebind) is attempted as that entry with the credentials the user provided.
So next, you have to set up the connection parameters for the LDAP directory to use. There are five properties to change:
- rudder.auth.ldap.connection.url
- rudder.auth.ldap.connection.bind.dn
- rudder.auth.ldap.connection.bind.password
- rudder.auth.ldap.searchbase
- rudder.auth.ldap.filter
The search base and filter are used to find the user. The search base may be left empty, and
Here are some usage examples.
On a standard LDAP directory:
rudder.auth.ldap.searchbase=ou=People
rudder.auth.ldap.filter=(&(uid={0})(objectclass=person))
On Active Directory:
rudder.auth.ldap.searchbase=
rudder.auth.ldap.filter=(&(sAMAccountName={0})(objectclass=user))