LDAP Authentication Properties

These configuration values affect the authentication plugin dk.itp.security.ldap.LDAPAuthenticationPlugin (previously dk.itp.security.ldap.LoginHandlerLdapImpl - which is still available for backwards compatibility) and the authorization plugin dk.itp.security.ldap.LdapAuthorizationPlugin – both are plugins to the session controller.

Property: <Value>

ldap.servers: <ip address or hostname:port>
IP address or hostname of the LDAP server, and port number.

ldap.ssl: <true or false>
Set to true to use SSL connections against the LDAP server.
Default: false

ldap.acceptedcertissuers: <List of filenames, separated by comma or semicolon>
List of Root/CA certificates to trust when validating server certificates.
Default: none

ldap.verifysslcert: <true or false>
Set to false to disable SSL server certificate validation - use if your LDAP server has untrusted certificates installed.
Only set this to false if you are 100% certain that is what you want.
Default: true

ldap.connectiontimeout: <timeout in minutes>
Specifies the maximum time in minutes after which a connection to LDAP will be closed.
A connection that lives for longer than <timeout> minutes is closed and reopened, to avoid problems with long-lived connections.

ldap.systemuser: <userid>
Userid of the "technical" user used to bind to LDAP in order to get permissions to query/update ACLs.

ldap.systempassword: <password>
Password to use when binding to the LDAP server.
The password can optionally be obfuscated or encrypted by using the command "java dk.itp.security.utils.PasswordUtils" with the original password as parameter.

ldap.basedn: <DN name>
The base DN to use when looking up in the LDAP server. This is the suffix used for all paths in the LDAP directory.

ldap.useridName: <attribute name>
Name of the attribute used when searching for a user. Default is "uid".

ldap.usersRDN: <RDN name>
Name of the RDN (LDAP group) where users are stored.
Default is "ou=People".

ldap.userattributes: <List of attributes, separated with comma or semicolon>
List of LDAP attributes to read when fetching a user from the LDAP server - can be left blank to signify all non-operational attributes. The LDAP RFC states that an LDAP server should only return "normal" attributes unless they are specifically named, so this is a way of querying operational attributes for a user.
If you change it from the default, make sure that you include the default ones in the new configuration property, or they will not be retrieved from LDAP.
Default is "cn,uid,sn,initials,userpassword,memberof,ibm-allGroups,mail,userPrincipalName".

ldap.stripdnfromuser: <true | false> - Default is false
If set to true, the full DN is stripped from the userid - so instead of the userid being
uid=somebody, ou=people, dc=ceptor, c=io
it is converted to just the value of the ldap.useridName attribute, in this case somebody.
This option affects both the userid when logging the user in for the authentication plugin, and the members of groups retrieved by the authorization plugin.

ldap.userObjectClass: <Object class name>
Name of the LDAP object class containing user records.
Default is "person"

ldap.groupObjectClass: <Object class name>
Name of the LDAP object class containing group records.
Default is "group"

ldap.groupMemberAttributeName: <Name of member attribute> - default is "member" (Note: requires minimum Ceptor v6.4.1)
Allows you to change the member attribute name that is used when looking up group memberships in AD, if the memberOf attribute is not used on the user, or if it does not exist on a user record.
In Active Directory, set this value to "member:1.2.840.113556.1.4.1941:" to read all nested group memberships.

ldap.group.name.is.cn: <true | false> - Default is false
When reading LDAP group names, by default the name stored is the full unique name, i.e. the full DN of the group - e.g. CN=Administrators, OU=Groups, OU=organisation, OU=com. If this attribute is set to true, only the CN is kept and the rest is stripped.

ldap.attrsToStore: <Pattern>
Attributes matching this pattern will be stored in the session as state variables.
This allows you to read arbitrary attributes from LDAP and store them in the session - that could be a user's email address, phone number or any other attribute available in LDAP.
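The following is an added example (not Ceptor's own code) that shows what ldap.stripdnfromuser and ldap.group.name.is.cn do to a DN: the first keeps only the value of the useridName attribute, the second keeps only the CN of a group. The DN splitter honours backslash escapes so that a comma inside a value (as in "CN=Smith\, John") does not split the RDN. Ceptor's real implementation is not shown on this page; in particular, the fallback of returning the DN unchanged when the useridName attribute is not part of it is an assumption of this example.

```python
"""Effect of ldap.stripdnfromuser and ldap.group.name.is.cn on a DN.

Added example, not Ceptor's code. It reproduces the documented behaviour on
constructed sample DNs; the fallback when the attribute is missing from the
DN is an assumption of this example.
"""
from __future__ import annotations


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, left to right.

    A backslash escapes the next character (RFC 4514 style), so an escaped
    comma stays inside its value. Whitespace around commas and around the
    '=' sign, as written in the documentation's example, is trimmed.
    """
    rdns: list[str] = []
    cur: list[str] = []
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            cur.append(dn[i + 1])  # escaped character is taken literally
            i += 2
            continue
        if c == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    rdns.append("".join(cur))

    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def strip_dn_from_user(user_dn: str, userid_name: str = "uid") -> str:
    """ldap.stripdnfromuser=true: keep only the value of the useridName attribute.

    If the DN does not contain that attribute (typical for AD with
    sAMAccountName), the DN is returned unchanged (assumption).
    """
    for attr, value in split_dn(user_dn):
        if attr == userid_name.lower():
            return value
    return user_dn


def group_name_is_cn(group_dn: str) -> str:
    """ldap.group.name.is.cn=true: keep only the CN and strip the rest."""
    for attr, value in split_dn(group_dn):
        if attr == "cn":
            return value
    return group_dn


if __name__ == "__main__":
    # Constructed sample DNs taken from the documentation's own examples.
    print(strip_dn_from_user("uid=somebody, ou=people, dc=ceptor, c=io"))
    print(group_name_is_cn("CN=Administrators, OU=Groups, OU=organisation, OU=com"))
```

Attribute names are compared case-insensitively because LDAP attribute types are case-insensitive, while values are returned as stored.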

Handling passwords that require changes

If login fails because the password needs to be changed, the session will contain the state variable ldap.newpassworrequired with the value true. If that is the case, you can call changePassword() in the agent with the user's old and new password and it will be modified in AD.

Note that due to AD's error handling limitations, no matter what fails (wrong old password, or new password does not follow complexity rules and/or is present in the history) you will get the same error when attempting to update the password - unfortunately that is a limitation in Active Directory when using the LDAP protocol to update the password.

LDAP OTP

The properties below are available for the LDAP OTP plugin, which handles login and OTP using SMS/TOTP codes.

This plugin supports multiple different LDAP instances - for each instance there is a separate set of configuration entries.

Each instance

Property: <Value>

ldap.instances: <List of instance names, separated by semicolon or comma>
LDAP instances to load - each instance has its own configuration (see above), but instead of being named e.g. ldap.servers, the configuration property is named ldap.<instancename>.servers - so if the instance name is test, the appropriate configuration property is called ldap.test.servers.

ldap.xxxx.appliesToUsers: <Pattern - xxxx is replaced with instance name>
Specify which accounts/userids this LDAP instance applies to - e.g. *@company.com|*@anothercompany.com
Default: *

ldap.xxxx.pool.maximum.connections: <Number - xxxx is replaced with instance name>
Maximum concurrent connections for the pool - defaults to

ldap.xxxx.pool.minimum.connections: <Number - xxxx is replaced with instance name>
Minimum connections - defaults to the number of servers configured.
If not specified, but "ldap.xxxx.pool.size" is set, then the value of that property is used as default.

ldap.xxxx.pool.cache.connection.seconds: <Seconds - xxxx is replaced with instance name>
Maximum connections - defaults to 50
If not specified, but "ldap.xxxx.pool.size" is set, then the value of that property is used as default.

ldap.xxxx.pool.size: <Number - xxxx is replaced with instance name>
No longer used separately, but for backwards compatibility its value is used as default for minimum/maximum connections if not otherwise specified.

Example:

<group name="email" description="Email configuration">
  <property name="mail.debug" value="false" description="Set to true to enable email debug output"/>
  <property name="mail.from" value="noreply@ceptor.io" description="From address"/>
  <property name="mail.replyto" value="" description="Reply-To address, if any"/>
  <property name="mail.smtp.host" value="smtp.domain.com" description="Hostname"/>
  <property name="mail.smtp.password" value="" description="Password, remember to encrypt"/>
  <property name="mail.smtp.port" value="25" description="SMTP port - usually 25 for plaintext and 465 for TLS"/>
  <property name="mail.smtp.protocol" value="smtp" description="Protocol smtp or smtps for TLS"/>
  <property name="mail.smtp.user" value="" description="Userid"/>
  <property name="mail.starttls.enable" value="true" description="Set to true to attempt starttls after connecting"/>
</group>
<group name="ldap.otp" description="LDAP OTP configuration">
  <property name="ldap.attrsToStore" value="cn|name|logoncount|mail" description="Attribute names matching this pattern are stored in the session - must be all lowercase"/>
  <property name="ldap.instances" value="test" description="List of LDAP instances to load (ldap.xxxx.*)"/>
  <property name="ldap.mobile.attribute.name" value="mobile" description="Name of attribute mobile phone number is stored within"/>
  <property name="ldap.otp.retries" value="3" description="How many OTP PIN retries are allowed."/>
  <property name="ldap.sms.text" value="One-Time PIN: %s" description="Text for OTP - %s replaced by OTP value"/>
  <property name="ldap.test.acceptedcertissuers" value="" description="List of certificate files containing accepted CA certificates"/>
  <property name="ldap.test.appliesToUsers" value="*" description="Pattern that userid must match to use this LDAP instance - keep lowercase since userid will be lowercased before checking"/>
  <property name="ldap.test.basedn" value="dc=ceptor,dc=local" description="The base DN to use"/>
  <property name="ldap.test.bindUsers" value="true" description="Bind users to verify their password"/>
  <property name="ldap.test.groupObjectClass" value="group" description="Name of LDAP objectClass containing group records"/>
  <property name="ldap.test.groupRDN" value="cn=Users" description="RDN Name in the subtree that groups are stored under"/>
  <property name="ldap.test.protocolVersion" value="3" description="LDAP Protocol version"/>
  <property name="ldap.test.servers" value="192.168.1.142:636" description="The list of LDAP servers to use"/>
  <property name="ldap.test.ssl" value="true" description="True for SSL/TLS"/>
  <property name="ldap.test.stripdnfromuser" value="false" description="If true, strips DN information from userid, using just the user attribute instead of the full DN"/>
  <property name="ldap.test.systempassword" value="xxx" description="The password for the system user"/>
  <property name="ldap.test.systemuser" value="CN=Administrator,CN=users,dc=ceptor,dc=local" description="The system user to bind to LDAP"/>
  <property name="ldap.test.userObjectClass" value="person" description="Name of LDAP objectClass containing user records"/>
  <property name="ldap.test.userattributes" value="cn,name,mobile,SAMAccountName,memberOf,lastlogon,secretary,logonCount,mail" description="Attributes to read from LDAP"/>
  <property name="ldap.test.useridName" value="sAMAccountName" description="Name of attribute to find user ID within"/>
  <property name="ldap.test.usersRDN" value="cn=Users" description="RDN Name in the subtree that users are stored under"/>
  <property name="ldap.test.verifysslcert" value="false" description="Set to false to disable SSL server certificate validation, accepting any SSL server certificates"/>
  <property name="ldap.totp.attribute.name" value="secretary" description="Name of attribute TOTP code is stored within"/>
  <property name="ldap.totpsecret.encryptionkey" value="" description="File containing AES key (generated from PasswordUtils) used to encrypt TOTP secret"/>
</group>
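As an added example (not part of Ceptor), the script below reads a configuration in the <group>/<property> layout shown above, expands ldap.instances into the documented ldap.<instancename>.* property names, resolves the SMTP prefix from ldap.email.config.prefix, and flags the transport settings a reviewer checks before going live: ssl not enabled, verifysslcert=false, an empty acceptedcertissuers list, and plaintext SMTP with STARTTLS disabled. The defaults used (ssl=false, verifysslcert=true, starttls.enable=true, prefix "mail") are the ones stated in the property tables. The embedded sample XML is constructed for this example and deliberately contains weak values.

```python
"""Lint a Ceptor-style LDAP OTP configuration for weak transport settings.

Added example, not Ceptor's code. Uses only the standard library; the
property names and defaults follow the tables on this page.
"""
from __future__ import annotations
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the example group above, plus a
# second instance "corp" so that instance expansion has two cases.
SAMPLE_CONFIG = """<config>
<group name="email" description="Email configuration">
  <property name="mail.smtp.host" value="smtp.domain.com"/>
  <property name="mail.smtp.protocol" value="smtp"/>
  <property name="mail.starttls.enable" value="false"/>
</group>
<group name="ldap.otp" description="LDAP OTP configuration">
  <property name="ldap.instances" value="test;corp"/>
  <property name="ldap.email.config.prefix" value="mail"/>
  <property name="ldap.test.servers" value="192.168.1.142:636"/>
  <property name="ldap.test.ssl" value="true"/>
  <property name="ldap.test.verifysslcert" value="false"/>
  <property name="ldap.test.acceptedcertissuers" value=""/>
  <property name="ldap.corp.servers" value="10.0.0.5:389"/>
  <property name="ldap.corp.ssl" value="false"/>
</group>
</config>"""


def load_properties(xml_text: str) -> dict[str, str]:
    """Flatten every <property name=... value=...> in every group into one dict."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): p.get("value", "") for p in root.iter("property")}


def instance_names(props: dict[str, str]) -> list[str]:
    """ldap.instances is a comma- or semicolon-separated list of instance names."""
    raw = props.get("ldap.instances", "")
    return [n.strip() for n in raw.replace(";", ",").split(",") if n.strip()]


def instance_setting(props: dict[str, str], inst: str, key: str, default: str = "") -> str:
    """Per-instance properties are named ldap.<instancename>.<key>."""
    return props.get(f"ldap.{inst}.{key}", default)


def is_true(value: str) -> bool:
    return value.strip().lower() == "true"


def check_config(xml_text: str) -> list[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    props = load_properties(xml_text)
    findings: list[str] = []

    for inst in instance_names(props):
        # Defaults from the property table: ssl=false, verifysslcert=true, no issuers.
        ssl = is_true(instance_setting(props, inst, "ssl", "false"))
        verify = is_true(instance_setting(props, inst, "verifysslcert", "true"))
        issuers = instance_setting(props, inst, "acceptedcertissuers")
        if not ssl:
            findings.append(f"ldap.{inst}.ssl is not true: bind credentials are sent without SSL")
        elif not verify:
            findings.append(f"ldap.{inst}.verifysslcert=false: server certificate validation is disabled")
        elif not issuers:
            findings.append(f"ldap.{inst}.acceptedcertissuers is empty: no explicit Root/CA list configured")

    # SMTP settings live under the prefix named by ldap.email.config.prefix (default "mail").
    prefix = props.get("ldap.email.config.prefix", "mail")
    protocol = props.get(f"{prefix}.smtp.protocol", "smtp").strip().lower()
    starttls = is_true(props.get(f"{prefix}.starttls.enable", "true"))
    if protocol == "smtp" and not starttls:
        findings.append(f"{prefix}.smtp.protocol=smtp with {prefix}.starttls.enable=false: OTP mail is sent in plaintext")
    return findings


if __name__ == "__main__":
    for line in check_config(SAMPLE_CONFIG):
        print("WARN", line)
```

Running it on the sample reports the disabled certificate validation for "test", the missing SSL for "corp", and the plaintext SMTP path; hardening those values leaves only the note that no explicit Root/CA list is configured.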

In addition to these settings, the configuration for the TOTP / SMS plugins also applies - see: SMS / Text OTP and TOTP (Google) Authenticator

This plugin is named dk.itp.security.authentication.ldapotp.LdapOTPAuthenticationPlugin.

Property: <Value>

ldap.totp.attribute.name: <Attribute name>
Name of the LDAP attribute containing the encrypted TOTP secret.
Default is "secretary"
If using Active Directory, the default schema has restrictions on the contents of this attribute - so you need to select another that is able to hold a regular string value, such as the carLicense attribute.

ldap.mobile.attribute.name: <Attribute name>
Name of the LDAP attribute containing the user's mobile phone number.
Default is "mobile"

ldap.otp.retries: <Integer>
Number of retries allowed when validating the OTP code.
Default is 3

ldap.sms.text: <Format String>
String containing the text sent to the user when sending a generated OTP value.
%s will be replaced with the OTP value, and %n can be used as newline.
Default: "PIN:%n%s"

ldap.totpsecret.encryptionkey: <Filename>
Filename of a file containing the AES key used to encrypt the user's TOTP secret in the LDAP server. Note that this file can be generated by PasswordUtils - see Encrypting or Obfuscating Passwords for more information.
Default: none

Email related settings

ldap.otp.email.subject: <String>
Specify the subject of the email sent with the OTP.
{username} is replaced with the user's name
{userid} is replaced with the user's ID
{code} is replaced with the generated One-Time-PIN
\n is replaced with linefeed
Default: Ceptor One-Time-Pin

ldap.otp.email.message: <String>
Specify the content of the email message to be sent with the OTP.
{username} is replaced with the user's name
{userid} is replaced with the user's ID
{code} is replaced with the generated One-Time-PIN
\n is replaced with linefeed
Default: Hello {username}.\n\nYou have requested a one-time-pin code, please use the code {code}.
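The following added example (not Ceptor's code) renders the two template styles described above: ldap.sms.text, where %s is the OTP value and %n a newline as in a Java format string, and the email subject/message, where {username}, {userid} and {code} are substituted and a literal "\n" becomes a linefeed. How Ceptor performs the substitution internally is not shown on this page; this re-implementation expands the template's own "\n" sequences before inserting values and never re-scans inserted values, so a username that happens to contain "{code}" or "\n" is reproduced literally rather than interpreted.

```python
"""Render ldap.sms.text and ldap.otp.email.* templates.

Added example, not Ceptor's code; it follows the placeholder rules stated
in the property descriptions. Sample values below are constructed.
"""
import re

SMS_DEFAULT = "PIN:%n%s"
EMAIL_SUBJECT_DEFAULT = "Ceptor One-Time-Pin"
# The documented default, with the literal backslash-n sequences it contains.
EMAIL_MESSAGE_DEFAULT = (
    "Hello {username}.\\n\\nYou have requested a one-time-pin code, "
    "please use the code {code}."
)

_PLACEHOLDER = re.compile(r"\{(username|userid|code)\}")


def render_sms(template: str, code: str) -> str:
    """Java-style format string: %s -> OTP value, %n -> newline, %% -> '%'."""
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch == "%" and i + 1 < len(template):
            spec = template[i + 1]
            if spec == "s":
                out.append(code)
            elif spec == "n":
                out.append("\n")
            elif spec == "%":
                out.append("%")
            else:
                raise ValueError(f"unsupported format specifier %{spec}")
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def render_email(template: str, username: str, userid: str, code: str) -> str:
    """Substitute {username}, {userid}, {code} and turn a literal \\n into a linefeed.

    The template's own "\\n" sequences are expanded first, so nothing inside a
    substituted value is interpreted as a newline or as another placeholder.
    """
    values = {"username": username, "userid": userid, "code": code}
    expanded = template.replace("\\n", "\n")
    return _PLACEHOLDER.sub(lambda m: values[m.group(1)], expanded)


if __name__ == "__main__":
    # Constructed sample user and OTP value.
    print(render_sms(SMS_DEFAULT, "482913"))
    print(render_email(EMAIL_SUBJECT_DEFAULT, "Jane Doe", "jdoe", "482913"))
    print(render_email(EMAIL_MESSAGE_DEFAULT, "Jane Doe", "jdoe", "482913"))
```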

ldap.email.config.prefix: <String>
Configuration prefix for SMTP server settings - if set to "mail", settings start with "mail." - e.g. "mail.from", "mail.replyto" etc.
Can be used to switch between different email configurations, e.g. by changing it to "alternatemail", in which case the mail server settings are read from "alternatemail.from", "alternatemail.replyto" etc.
Default: mail

For all of the following properties, the "mail" prefix is replaced by the value of the ldap.email.config.prefix property.

mail.smtp.host: <hostname or IP>
SMTP hostname

mail.smtp.protocol: <smtp or smtps>
SMTP protocol to use - either smtp for plaintext or smtps for encrypted

mail.smtp.port: <port number>
TCP port for the SMTP server - usually 25 for unencrypted and 465 for encrypted communication

mail.smtp.user: <string>
Userid for authentication to the mail server

mail.smtp.password: <string>
Password for authentication to the mail server - see Encrypting or Obfuscating Passwords

mail.from: <string>
Email address to set as the "From" email address

mail.replyto: <string>
Optional email address to use as the reply-to address

mail.starttls.enable: <Boolean>
True to enable STARTTLS
Default: true

mail.debug: <Boolean>
Set to true to enable debugging, in which case debug information is written to stdout
Default: false