How to start a local LDAP server and connect a CUBA application to it

Hi,

I would like to start using LDAP,
but have zero idea.
I also tried to understand what you wrote and also searched a bit on the web.
But I don't get any smarter from it :frowning:

Does anybody have an idea where to start?
Or what I shall do? Is there an “algorithm” for what has to be done to do it?

  • login and password are input in the login form of the application
  • the platform is authenticated in LDAP using the credentials defined in cuba.web.ldap.user / cuba.web.ldap.password
  • the application does an LDAP search in cuba.web.ldap.base: it searches for an entry with sn = login
  • if the entry is found, the application tries to authenticate in LDAP with the found FQN and the provided password
  • if successful, the user gets access to the application

Or is this deprecated?

Hi,

I would recommend you to use Apache Directory Studio for learning. There you can create and start your own LDAP server and set it up.

Here is the step-by-step guide on how to set up LDAP and connect your CUBA application to it.

  1. Download Apache Directory Studio from the web-site: http://directory.apache.org/studio/. Install or just unpack it somewhere (depending on the distribution type).

  2. Start ApacheDirectoryStudio.exe.

  3. Create a new temporary LDAP server using Studio. Leave the default settings.

  4. On the Connections tab create a new connection to the just created server.

  5. The server created by Studio is accessible on port 10389. Select No authentication. On a new server, anonymous access is enabled.

  6. Create a new entry in dc=example,dc=com. Create it from scratch. Add inetOrgPerson; other needed classes are added “by dependencies”. Then specify RDN = cn and the user login, and specify the same sn.

  7. Then add userPassword to the just created entry. Specify some secure password (“11Passwd11” for instance), as ApacheDS has some bugs when the password is simple.

  8. Then you can test the created user and credentials. Create a new LDAP connection (see step 5) to localhost:10389 and specify the credentials: FQN (cn=pupkine,dc=example,dc=com) and password.

  9. Then you can disallow anonymous access to the server and use the user. Double-click the server in the list.

  10. Set up your application. Open web-app.properties and put there (do not forget to specify cuba.web.ldap.userLoginField = cn, as sAMAccountName is used by default):

      cuba.web.requirePasswordForNewUsers = false
      cuba.web.ldap.enabled = true
      cuba.web.ldap.urls = ldap://localhost:10389
      cuba.web.ldap.base = dc=example,dc=com
      cuba.web.ldap.user = cn=pupkine,dc=example,dc=com
      cuba.web.ldap.password = 11Passwd11
      cuba.web.standardAuthenticationUsers = admin
      cuba.web.ldap.userLoginField = cn

  11. Restart the application and log in as Admin.

  12. Create the user “pupkine” without a password.

  13. Then you can log in as “pupkine” with the password from LDAP.


Hi @Rostislav Iskandarov,

Big thank you, I am very happy about this example.
I will take a look at it, with a cup of coffee :slight_smile:

Kind regards

Hi @iskandarov,

thanks, it helped me a lot.

Now I can log in with this sample.
But in my case, I use these properties in web-app.properties:

cuba.web.requirePasswordForNewUsers = false
cuba.web.ldap.enabled = true
cuba.web.ldap.urls = ldap://company.url:3268
cuba.web.ldap.base = DC=corp,DC=company,DC=com
cuba.web.ldap.user = OU=Workers,DC=ccr,DC=corp,DC=company,DC=com
cuba.web.ldap.userLoginField = sAMAccountName
cuba.web.standardAuthenticationUsers = admin
cuba.web.ldap.password = system_user_password

The problem is that I can only make a “connection” to this LDAP server with my username and password. If I do so, I can see the “structure” of the LDAP, but I don't know the password of this LDAP server by itself.

I want to ask, what shall I do next? Do I have to implement my own class? Or can I just “read” this password of mine and put it in the properties automatically?

And the structure of the tree is:

com, company, corp, ccr, and in this there is a node called “Workers”, where there are a lot of leaves with the information of the workers.

How shall I modify this?
cuba.web.ldap.user = OU=Workers,DC=ccr,DC=corp,DC=company,DC=com

Thank you

Hi,
cuba.web.ldap.user should be the FQN of the “user” entry which you have created.
cuba.web.ldap.password is the value which you entered when adding the userPassword attribute to the entry.

This is the “system user”. Your application (not your users) will log in to LDAP with these credentials.

Then we can create more LDAP entries and define userPassword in cuba.web.ldap.base.
cuba.web.ldap.base = dc=example,dc=com in my application.

Now we should create users in your CUBA application.
We have specified cuba.web.ldap.userLoginField = cn, so the login of a CUBA user should correspond to the CN of an LDAP entry.

If everything was set up correctly, the users (user1, user2, etc.) can log in to the application with their password from LDAP.

Thanks,
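The login sequence quoted from the docs in the first post (application binds as the system user, searches the base for the login, then binds as the found entry) and the role of the system user explained above, as an added JNDI example that is not from this thread or the CUBA platform sources. It assumes the local ApacheDS and the values from step 10 of the guide (cn=pupkine as system user, cn as login field); the class and method names are my own.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapLoginCheck {
    static final String URL = "ldap://localhost:10389";               // cuba.web.ldap.urls
    static final String BASE = "dc=example,dc=com";                   // cuba.web.ldap.base
    static final String SYSTEM_DN = "cn=pupkine,dc=example,dc=com";   // cuba.web.ldap.user
    static final String SYSTEM_PW = "11Passwd11";                     // cuba.web.ldap.password
    static final String LOGIN_FIELD = "cn";                           // cuba.web.ldap.userLoginField

    // Simple bind as the given DN; JNDI throws AuthenticationException when the password is wrong.
    static InitialDirContext bind(String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    // True only if exactly one entry has LOGIN_FIELD=login and that entry binds with the given password.
    static boolean authenticate(String login, String password) throws NamingException {
        // An empty password makes a simple bind "unauthenticated", which servers may accept: refuse it locally.
        if (login == null || login.isEmpty() || password == null || password.isEmpty()) return false;
        String userDn;
        InitialDirContext system = bind(SYSTEM_DN, SYSTEM_PW);        // 1. application logs in as the system user
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            // {0} is substituted by JNDI with LDAP filter escaping, so the login cannot rewrite the filter.
            NamingEnumeration<SearchResult> hits = system.search(BASE, "(" + LOGIN_FIELD + "={0})", new Object[] {login}, sc);
            if (!hits.hasMore()) return false;                        // 2. no entry with that login
            userDn = hits.next().getNameInNamespace();
            if (hits.hasMore()) return false;                         // ambiguous login: refuse rather than guess
        } finally {
            system.close();
        }
        try {
            bind(userDn, password).close();                           // 3. the user's own bind proves the password
            return true;
        } catch (AuthenticationException e) {
            return false;
        }
    }
}
```

The system user's password is never compared with anything the end user typed; it only lets the application find the DN, and only the second bind decides whether the login succeeds.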

I have described the problem in detail:

Can you please take a look?

Nice HowTo, Rostislav!

Between steps 3 and 4 I had to start the newly created LDAP server by simply right-clicking on it and selecting Run, otherwise an error would show.

To use this local LDAP server with ldap-addon, simply use this configuration in step 10:

  • app.properties
###############################################################################
#                                   LDAP                                      #
###############################################################################
ldap.contextSourceUrl = ldap://127.0.0.1:10389
ldap.contextSourceBase = dc=example,dc=com
ldap.contextSourceUserName = cn=pupkine,dc=example,dc=com
ldap.contextSourcePassword = Password01
ldap.referral = follow
ldap.sessionExpiringPeriodSec = 120
ldap.userSynchronizationBatchSize = 100
ldap.userSynchronizationOnlyActiveProperty = true
ldap.cubaGroupForSynchronization = company
ldap.cubaGroupForSynchronizationInverse = false
ldap.synchronizeCommonInfoFromLdap = true
cuba.web.standardAuthenticationUsers = admin,anonymous
  • web-app.properties
###############################################################################
#                                   LDAP                                      #
###############################################################################
cuba.web.standardAuthenticationUsers = admin,anonymous
ldap.expiringSessionNotificationCron = */10 * * * * *
ldap.addonEnabled = true
ldap.expiringSessionsEnable = true
cuba.web.requirePasswordForNewUsers = false

And change LDAP Component -> Ldap Config -> Attribute Settings -> Login Attribute from sAMAccountName to cn before step 13.


To be honest, I don't understand the “password” property…
I need to specify the password and user of the “application” and not of the user itself?

But in the example itself, where @iskandarov specifies the password of

“cuba.web.standardAuthenticationUsers = admin
cuba.web.ldap.password = system_user_password”

In which step did he do it?

Thanks

Hi,
Which sample and which exact “password” property do you mean? My sample or ldap-addon?

Yes, why do you need a system user, or how did you set this password property in your sample…

Where can I find the implementation of the loginProvider?
Maybe I can also look there and try to fix it…

Thanks

Ok,

so as far as I understand,
it is a must to have a “user” or something generic that I can log in to the LDAP server with; that is why you created pupkine, it was like a “dummy” which has cn/sn = pupkine,

that was only to make a connection to the LDAP server?

Thank you

I have a problem,

I tried to make a connection with Eclipse to the LDAP server and it works, but it only displays 1000 entries.
My goal is that it shows more than 1000 entries, but how do I change this “limit”? I tried something out, but nothing worked…

    import java.util.Properties;
    import javax.naming.Context;
    import javax.naming.NamingEnumeration;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;
    import javax.naming.directory.SearchControls;
    import javax.naming.directory.SearchResult;

    // Bind to the local ApacheDS instance with its built-in admin account
    Properties initialProperties = new Properties();
    initialProperties.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    initialProperties.put(Context.PROVIDER_URL, "ldap://localhost:10389");
    initialProperties.put(Context.SECURITY_PRINCIPAL, "uid=admin,ou=system");
    initialProperties.put(Context.SECURITY_CREDENTIALS, "secret");
    DirContext context = new InitialDirContext(initialProperties);

    // Subtree search for every inetOrgPerson, returning only three attributes
    String searchFilter = "(objectClass=inetOrgPerson)";
    String[] requiredAttributes = {"sn", "cn", "employeeNumber"};
    SearchControls controls = new SearchControls();
    controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
    controls.setReturningAttributes(requiredAttributes);
    NamingEnumeration<SearchResult> users = context.search("ou=users,o=Company", searchFilter, controls);

Is there a way to filter, for example only employeeNumber between 1 and 10, or only employeeNumber with the number 1?

Or increase the number of results returned?

Thanks