LDAP Based Access Control

This page describes how to configure LDAP based access control. More information on access control in general can be found here.

LDAP based access control is enabled by setting the access.controller configuration property to AccessControlListLDAPImpl. This access controller retrieves user and group information from an LDAP server, while the ACL information that binds those users and groups to Ceptor administration permissions is read from the file named by the access.control.configuration property.

An example of the configuration could be:

		<group name="security" description="security configuration">
			<property name="access.control.configuration" value="${ceptor.home}/config/ceptor-security-ldap.xml" description="access control definitions"/>
			<property name="access.controller" value="dk.itp.security.accesscontrol.AccessControlListLDAPImpl" description="config server access controller implementation"/>
			<property name="remote.servers" value="localhost,192.168.255.255,10.255.255.255" description="allowed remote servers, host:port separated by ,;"/>
		</group>
		<group name="ldap" description="LDAP configuration">
			<property name="ldap.basedn" value="dc=adtest,dc=net" description="The base DN to use"/>
			<property name="ldap.servers" value="adtest.net:389" description="The list of LDAP servers to use"/>
			<property name="ldap.systempassword" value="<password>" description="The password for the system user"/>
			<property name="ldap.systemuser" value="cn=Administrator,cn=Users,dc=adtest,dc=net" description="The system user to bind to LDAP"/>
			<property name="ldap.useridName" value="anr" description="The search criteria for user search"/>
			<property name="ldap.usersRDN" value="cn=Users"/>
			<property name="ldap.usersRDNName" value="cn=Users" description="RDN Name in the subtree that users are stored under"/>
		</group>


Note: If you change the configuration directly on disk, remember that the old configuration is still active. To activate the new one, either log in through the UI with the XML credentials first, or restart the config server and the session controller after deleting the ".active" files.


As can be seen, the LDAP access controller implementation naturally requires some LDAP configuration. This configuration is the same as described under LDAP Authentication Properties, so refer to that page for details; the above only serves as an example configuration.

The XML configuration file only needs to contain ACLs (it can contain users and groups as well, but these are ignored!).

An example can be found in the default installation directory: <CEPTOR_HOME>/config/ceptor-security-ldap.xml, where <CEPTOR_HOME> is the directory in which Ceptor is installed.

<?xml version="1.0" encoding="ISO-8859-1"?>

<system name="ceptor" version="2.0" copyright="(c) 2017, Ceptor ApS">
	<security-acls>
		<acl name="web.*" description="">
			<permission principal="CN=admin,DC=adtest,DC=net" allow="*" description="Allow administrator everything"/>
			<permission principal="CN=readonly,DC=adtest,DC=net" allow="read" description="Only read access is allowed"/>
		</acl>
		<acl name="web.collected-statistics-management.interval" description="">
			<permission principal="CN=readonly,DC=adtest,DC=net" allow="read,write" description="Read and write access is allowed"/>
		</acl>
		<acl name="web.collected-statistics-management.functions" description="">
			<permission principal="CN=readonly,DC=adtest,DC=net" allow="read,write" description="Read and write access is allowed"/>
		</acl>
		<acl name="web.collected-statistics-management.servers" description="">
			<permission principal="CN=readonly,DC=adtest,DC=net" allow="read,write" description="Read and write access is allowed"/>
		</acl>
		<acl name="telnet.*" description="">
			<permission principal="CN=admin,DC=adtest,DC=net" allow="*" description="Allow administrator everything"/>
		</acl>
		<acl name="ppadmin.*" description="">
			<permission principal="CN=admin,DC=adtest,DC=net" allow="*" description="Allow administrator everything"/>
			<permission principal="CN=readonly,DC=adtest,DC=net" allow="read" description="Only read access is allowed"/>
		</acl>
	</security-acls>
</system>


The permissions on each ACL in the file are bound to a principal, which should be an LDAP record (either a group or a user). Normally a group is used, as in the example above where the LDAP security groups "admin" and "readonly" are bound to the appropriate ACLs.
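As an added illustration (it is not part of the Ceptor documentation or of the product's own code), the following Python script parses a security-acls file of the form shown above and answers the question "does this principal hold this right on this resource?", and lists every allow="*" grant so a reviewer can check them against least privilege. Because the page does not state the evaluation rules, the script assumes that an ACL name containing `*` is a glob pattern over the resource name, that the rights from every matching ACL are combined, that allow="*" grants every right, and that principal DNs compare case-insensitively. The embedded XML is a constructed sample taken from the listing above; a real file would be read with ET.parse(path) instead.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample: a subset of the ceptor-security-ldap.xml listing above
# (kept as bytes so the ISO-8859-1 declaration is honoured when parsing).
SAMPLE_ACL_XML = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<system name="ceptor" version="2.0">
  <security-acls>
    <acl name="web.*" description="">
      <permission principal="CN=admin,DC=adtest,DC=net" allow="*" description="Allow administrator everything"/>
      <permission principal="CN=readonly,DC=adtest,DC=net" allow="read" description="Only read access is allowed"/>
    </acl>
    <acl name="web.collected-statistics-management.interval" description="">
      <permission principal="CN=readonly,DC=adtest,DC=net" allow="read,write" description="Read and write access is allowed"/>
    </acl>
    <acl name="telnet.*" description="">
      <permission principal="CN=admin,DC=adtest,DC=net" allow="*" description="Allow administrator everything"/>
    </acl>
  </security-acls>
</system>
"""


def normalize_dn(dn: str) -> str:
    """Assumption: DNs compare case-insensitively, ignoring whitespace around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def load_acls(xml_bytes: bytes) -> dict:
    """Parse <security-acls> into {acl_name: {normalized_principal_dn: set(rights)}}."""
    root = ET.fromstring(xml_bytes)
    acls: dict = {}
    for acl in root.iter("acl"):
        entries = acls.setdefault(acl.get("name"), {})
        for perm in acl.findall("permission"):
            rights = {r.strip() for r in perm.get("allow", "").split(",") if r.strip()}
            entries.setdefault(normalize_dn(perm.get("principal", "")), set()).update(rights)
    return acls


def matching_acls(acls: dict, resource: str) -> list:
    """ACL names that apply to a resource: an exact name, or a name containing '*'
    treated as a glob pattern (assumed semantics for names such as "web.*")."""
    return [name for name in acls
            if name == resource or ("*" in name and fnmatch.fnmatchcase(resource, name))]


def granted_rights(acls: dict, principal: str, resource: str) -> set:
    """Union of the rights the principal holds across every matching ACL (assumed rule)."""
    rights: set = set()
    for name in matching_acls(acls, resource):
        rights |= acls[name].get(normalize_dn(principal), set())
    return rights


def is_allowed(acls: dict, principal: str, resource: str, right: str) -> bool:
    """True if the principal holds the named right, or the '*' (everything) right."""
    rights = granted_rights(acls, principal, resource)
    return "*" in rights or right in rights


def wildcard_grants(acls: dict) -> list:
    """Audit helper: every (acl, principal) pair granted allow="*", sorted for review."""
    return sorted((name, dn) for name, entries in acls.items()
                  for dn, rights in entries.items() if "*" in rights)


if __name__ == "__main__":
    acls = load_acls(SAMPLE_ACL_XML)
    for dn in ("CN=admin,DC=adtest,DC=net", "CN=readonly,DC=adtest,DC=net"):
        for resource, right in (("web.collected-statistics-management.interval", "write"),
                                ("web.other", "write"),
                                ("telnet.console", "read")):
            print(f"{dn:30} {right:5} on {resource:45} -> {is_allowed(acls, dn, resource, right)}")
    print('allow="*" grants:', wildcard_grants(acls))
```

Running the script against the real ceptor-security-ldap.xml gives a quick picture of which LDAP groups hold unrestricted rights; if the evaluation rules of the product differ from the assumptions above (for instance, if a more specific ACL name overrides a wildcard instead of adding to it), adjust granted_rights accordingly.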

Information on how to create and update rights on ACLs can be found in the section above on this page.

New in Ceptor v6.5.4

From Ceptor v6.5.4 the default implementation of the LDAP Authentication plugin has switched to using the UnboundID LDAP client. If you for any reason still need the old implementation, you can set the following configuration property:

<property name="ldapauthenticationplugin.classname" value="dk.itp.security.ldap.LdapAuthenticationPluginNS" description="Allows overriding the authentication plugin implementation"/>