LDAP Realm provides authentication using the Lightweight Directory Access Protocol (LDAP) server. This enables the management of Users, Groups and ACLs from one location, the LDAP directory. LDAP realms allow storage or usage of ACL/user information on any external LDAP server. When the LDAP security realm is used, the LDAP server authenticates Users and Groups.
In the case of SSL protocol (with FioranoMQ Server), the LDAP Security Realm retrieves a common name of the User from its digital certificate and searches the LDAP directory for that name. The LDAP Security Realm does not verify the digital certificate. This verification is performed by the SSL protocol. The LDAP Security Realm currently supports Netscape Directory Server, Microsoft Site Server, OpenLDAP, and Novell NDS.
Configuring the LDAP Security Realm
Configuring the LDAP Security realm involves defining the fields that enable the LDAP Security realm, within the FioranoMQ Server, to communicate with the LDAP server. Additionally, it involves defining the fields that describe how Users and Groups are stored in the LDAP directory. These fields are described in the table below.
| Field | Description |
| --- | --- |
| LdapProviderURL | URL of the LDAP server. Change the URL to the name of the computer on which the LDAP server is running and to the port number on which it is listening. If the FioranoMQ server needs to connect to the LDAP server using the SSL protocol, the LDAP server's SSL port should be used in the URL. |
| Principal | The distinguished name (DN) of the LDAP User that the FioranoMQ server uses to connect to the LDAP server. This User must be able to list the LDAP Users and Groups. |
| Credential | The password that authenticates the LDAP User defined in the Principal field. |
| LdapsecurityAuthentication | Determines the method for authenticating Users. |
| LdapUserPasswordAttribute | The LDAP attribute that holds the password of the LDAP User. |
| LdapUserDN | A list of attributes which, combined with the attribute in the LdapUserNameAttribute field, uniquely identifies an LDAP User. |
| LdapUserNameAttribute | The login name of the LDAP User. The value of this field can be the common name of an LDAP User, but usually it is an abbreviated string, such as a User ID. |
| LdapGroupDN | A list of attributes which, combined with the attribute in the LdapGroupNameAttribute field, uniquely identifies a Group in the LDAP directory. |
| LdapGroupNameAttribute | The name of a Group in the LDAP directory. It is usually a common name. |
| LdapGroupUsernameAttribute | Name of the LDAP attribute that contains a Group member in a Group entry. |
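The following added example (not FioranoMQ code, and not a real LDAP client) shows how the table's fields combine: LdapUserDN plus LdapUserNameAttribute must identify exactly one User entry, LdapUserPasswordAttribute names the attribute checked at login, and LdapGroupDN, LdapGroupNameAttribute and LdapGroupUsernameAttribute resolve the User's Groups. It also covers the SSL case from the introduction, where the common name taken from an already SSL-verified certificate is searched for in the directory. The directory is a constructed in-memory dictionary; the base DNs, attribute names (uid, cn, userPassword, uniqueMember), sample Users and the choice to match the certificate CN against the cn attribute are assumptions for illustration.

```python
"""Added example (not FioranoMQ code): resolving Users and Groups from the
LDAP realm fields over a constructed in-memory directory."""
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LdapRealmConfig:
    ldap_user_dn: str                   # LdapUserDN: base under which User entries live
    ldap_user_name_attribute: str       # LdapUserNameAttribute: the login-name attribute
    ldap_user_password_attribute: str   # LdapUserPasswordAttribute
    ldap_group_dn: str                  # LdapGroupDN: base under which Group entries live
    ldap_group_name_attribute: str      # LdapGroupNameAttribute
    ldap_group_username_attribute: str  # LdapGroupUsernameAttribute: member attribute


# Assumed configuration values; a real deployment sets these in the realm.
CONFIG = LdapRealmConfig(
    ldap_user_dn="ou=People,dc=example,dc=com",
    ldap_user_name_attribute="uid",
    ldap_user_password_attribute="userPassword",
    ldap_group_dn="ou=Groups,dc=example,dc=com",
    ldap_group_name_attribute="cn",
    ldap_group_username_attribute="uniqueMember",
)

ALICE = "uid=alice,ou=People,dc=example,dc=com"
BOB = "uid=bob,ou=People,dc=example,dc=com"

# Constructed sample directory standing in for the LDAP server: DN -> attributes.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    ALICE: {"uid": ["alice"], "cn": ["Alice Example"], "userPassword": ["alice-pass"]},
    BOB: {"uid": ["bob"], "cn": ["Bob Example"], "userPassword": ["bob-pass"]},
    "cn=admins,ou=Groups,dc=example,dc=com": {"cn": ["admins"], "uniqueMember": [ALICE]},
    "cn=devs,ou=Groups,dc=example,dc=com": {"cn": ["devs"], "uniqueMember": [ALICE, BOB]},
}


def _norm(dn: str) -> str:
    """Normalise a DN for comparison: trim and lower-case each RDN."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def search(base: str, attribute: str, value: str) -> List[str]:
    """Subtree search under `base` for entries whose `attribute` contains `value`."""
    base_n = _norm(base)
    return [dn for dn, attrs in DIRECTORY.items()
            if _norm(dn).endswith("," + base_n) and value in attrs.get(attribute, [])]


def find_user_dn(cfg: LdapRealmConfig, login: str) -> Optional[str]:
    """LdapUserDN + LdapUserNameAttribute must identify exactly one entry; otherwise None."""
    matches = search(cfg.ldap_user_dn, cfg.ldap_user_name_attribute, login)
    return matches[0] if len(matches) == 1 else None


def authenticate(cfg: LdapRealmConfig, login: str, password: str) -> bool:
    """Check the password against LdapUserPasswordAttribute.

    The constant-time compare stands in for the bind/compare the LDAP server
    itself performs; the realm never learns the stored value in practice."""
    dn = find_user_dn(cfg, login)
    if dn is None:
        return False
    stored = DIRECTORY[dn].get(cfg.ldap_user_password_attribute, [])
    return any(hmac.compare_digest(s.encode(), password.encode()) for s in stored)


def groups_of(cfg: LdapRealmConfig, user_dn: str) -> List[str]:
    """Groups whose LdapGroupUsernameAttribute lists the User's DN, named by LdapGroupNameAttribute."""
    names: List[str] = []
    for group_dn in search(cfg.ldap_group_dn, cfg.ldap_group_username_attribute, user_dn):
        names.extend(DIRECTORY[group_dn].get(cfg.ldap_group_name_attribute, []))
    return sorted(names)


def cn_from_subject(subject: str) -> Optional[str]:
    """Extract the CN from a certificate subject such as 'CN=Alice Example,OU=Eng,O=Example'."""
    for rdn in subject.split(","):
        key, _, val = rdn.strip().partition("=")
        if key.strip().upper() == "CN":
            return val.strip()
    return None


def user_dn_from_certificate(cfg: LdapRealmConfig, subject: str) -> Optional[str]:
    """SSL case: the certificate was already verified by the SSL layer; the realm only
    takes its CN and searches the directory for it (matching on 'cn' is an assumption)."""
    cn = cn_from_subject(subject)
    if cn is None:
        return None
    matches = search(cfg.ldap_user_dn, "cn", cn)
    return matches[0] if len(matches) == 1 else None
```

The `len(matches) == 1` checks are the practical meaning of "uniquely identifies" in the table: a login name or certificate CN that matches zero or several entries under the configured base is rejected rather than resolved to the first hit.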
Miscellaneous Features
If caching is enabled, the Caching Realm internally caches Users and Groups to avoid frequent lookups to the LDAP directory. Each object in the Users and Groups cache has a TTL field (TimeToLive), which is set while configuring the Caching realm. If changes are made in the LDAP directory, those changes are not reflected in the LDAP Security realm until the cached object expires or is flushed from the cache.
The default TTL is 60 seconds for unsuccessful lookups and 10 seconds for successful lookups. Changes in the LDAP directory should therefore be reflected in the LDAP Security realm within 60 seconds, unless the TTL fields of the User and Group caches have been changed.
If server-side code has performed a lookup on the LDAP Security realm, such as a getUser() call, the object returned by the realm remains valid until that code releases it. Therefore, Users authenticated by the FioranoMQ Server remain valid as long as the connection persists, whether or not the User has since been deleted from the LDAP directory.
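The caching behaviour described above, as an added example rather than FioranoMQ's own Caching Realm: a cache in front of a directory lookup with the stated defaults of 10 seconds for successful and 60 seconds for unsuccessful lookups, plus an explicit flush. The directory is a constructed dictionary and the clock is injected so the scenario can be stepped deterministically; `demo()` walks through a deleted User that stays valid until its entry expires, and a newly created User that stays invisible until the negative entry expires or is flushed.

```python
"""Added example (not FioranoMQ code): a TTL cache in front of an LDAP User lookup
with separate TTLs for successful and unsuccessful lookups."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class CacheEntry:
    value: Optional[dict]   # None caches a negative result (User not in the directory)
    expires_at: float       # clock time after which the entry is stale


class CachingRealm:
    def __init__(self, lookup: Callable[[str], Optional[dict]],
                 success_ttl: float = 10.0, failure_ttl: float = 60.0,
                 clock: Callable[[], float] = time.monotonic):
        self.lookup = lookup                # the real directory lookup (constructed below)
        self.success_ttl = success_ttl      # default 10 s for hits
        self.failure_ttl = failure_ttl      # default 60 s for misses
        self.clock = clock
        self.cache: Dict[str, CacheEntry] = {}
        self.directory_lookups = 0          # how often the directory was actually consulted

    def get_user(self, name: str) -> Optional[dict]:
        """Return the cached User while its TTL holds, otherwise consult the directory."""
        now = self.clock()
        entry = self.cache.get(name)
        if entry is not None and now < entry.expires_at:
            return entry.value
        self.directory_lookups += 1
        value = self.lookup(name)
        ttl = self.success_ttl if value is not None else self.failure_ttl
        self.cache[name] = CacheEntry(value, now + ttl)
        return value

    def flush(self, name: Optional[str] = None) -> None:
        """Drop one entry, or the whole cache, so the next lookup hits the directory."""
        if name is None:
            self.cache.clear()
        else:
            self.cache.pop(name, None)


class FakeClock:
    """Deterministic clock for the scenario; seconds are advanced explicitly."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> dict:
    """Step through the deleted-User and created-User cases with default TTLs."""
    directory = {"alice": {"cn": "Alice Example"}}   # constructed stand-in for LDAP
    clock = FakeClock()
    realm = CachingRealm(lambda n: directory.get(n), clock=clock)
    out = {}
    out["alice_first"] = realm.get_user("alice") is not None       # directory lookup 1
    del directory["alice"]                                          # admin deletes the User
    clock.advance(5)
    out["alice_stale"] = realm.get_user("alice") is not None       # still cached (10 s TTL)
    clock.advance(6)                                                # t = 11 s
    out["alice_expired"] = realm.get_user("alice") is not None     # lookup 2: gone now
    out["ghost_miss"] = realm.get_user("ghost") is None            # lookup 3: negative cached
    directory["ghost"] = {"cn": "Ghost Example"}                    # admin creates the User
    clock.advance(30)                                               # t = 41 s
    out["ghost_still_miss"] = realm.get_user("ghost") is None      # negative entry holds 60 s
    realm.flush("ghost")
    out["ghost_after_flush"] = realm.get_user("ghost") is not None # lookup 4
    out["directory_lookups"] = realm.directory_lookups
    return out
```

The two TTLs pull in different directions for an operator: a short success TTL limits how long a deleted or disabled User keeps resolving, while a long failure TTL protects the directory from repeated lookups of names that do not exist but also delays the appearance of newly created Users unless the entry is flushed.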
Schema checking is turned on by default in the directory server, and Netscape recommends running the directory server with schema checking turned on. The schema checking is turned off for realmLDAP.