[ https://issues.apache.org/jira/browse/OPENMEETINGS-964?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14032229#comment-14032229 ]

Thibault Le Meur commented on OPENMEETINGS-964:
-----------------------------------------------

I would design the LDAP connector this way:
1- Have the params for the LDAP directory
   - URL of the directory (host and ports)
   - LDAP version
   - optional LDAP encryption (SSL [for ldaps:// url], or TLS for ldap:// + TLS)
   - base DN for searching users
   - let the OM admin give a mapping between LDAP attributes and openmeetings attributes (mail => email, ou => organization)
   * implement "SIMPLE authentication" ONLY for now as it should cover most cases (if not all, because there might be fallback to simple auth in SASL directories).
2- have a parameter to switch between SIMPLEBIND and SEARCHANDBIND
3- SIMPLEBIND case:
   - let the OM admin give a userDN format string such as "uid=<LOGINFIELD>,ou=people,dc=myorg,dc=org"
   - (optionally give an LDAP filter such as "(&(accountStatus=Enabled)(objectclass=XXX))" that could be used to refine access to the application)
4- SEARCHANDBIND case:
   - a user DN filter format string that can contain any extra filter expressions such as "(&(uid=<LOGINFIELD>)(accountStatus=Enabled))"
   - "application account DN" and password params. If they are empty, then use anonymous bind for the userDN search


> LDAP login should be refactored
> -------------------------------
>
>                 Key: OPENMEETINGS-964
>                 URL: https://issues.apache.org/jira/browse/OPENMEETINGS-964
>             Project: Openmeetings
>          Issue Type: Task
>          Components: LDAP
>    Affects Versions: 3.0.0
>            Reporter: Maxim Solodovnik
>            Assignee: Maxim Solodovnik
>             Fix For: 3.1.0
>
>
> Detailed description is here: OPENMEETINGS-943
> The correct way to handle this:
> First:
> if bind_dn and bind_pwd are set, first connect to the LDAP directory with 
> these credentials
> if empty, then just use an anonymous bind to the directory
> Then
> if OM is set to AuthLDAP=NONE, just use the connection to retrieve 
> information from the directory
> if OM is set to AuthLDAP=OPENLDAP (should be SEARCHANDBIND actually), search 
> for the userDN and then perform a bind to the directory with userDN/provided 
> PWD
> if OM is set to AuthLDAP=SIMPLEBIND, construct the userDN from the username, 
> the user attribute (for instance cn or uid), and the userBase, and then 
> perform a bind with userDN and provided PWD
> if OM is set to AuthLDAP=SIMPLE (to be backward compliant), let's try a bind 
> with the provided user/password



--
This message was sent by Atlassian JIRA
(v6.2#6252)
