How to use LDAP login

cuba.web.ldap.enabled = true
cuba.web.ldap.urls = ldap://ip:389
cuba.web.ldap.base = o=domains,dc=artwell-hk,dc=com
cuba.web.ldap.user = cn=vmail,dc=artwell-hk,dc=com
cuba.web.ldap.password = password

just add these to web-app.properties?

Do I need to do anything else?

I’ve added these.
but Logon failure

Use cuba.web.ldap.enabled instead of external authentication since 6.8 version

I updated to 6.8,
and use cuba.web.ldap.enabled ,
but login failure

Login failed: com.haulmont.cuba.security.global.LoginException: Unknown login name or bad password: tiger.tian@artwell-hk.com

uid=uid: tiger.tian, mail=mail: tiger.tian@artwell-hk.com

I creat a test class , this is return
so the login Name is uid or mail?
we LDAP’s pwd encrypted by SSHA,but i input pwd no encrypted

Do I need to set an account with the same name in the program (no password)?

Hi,
You should create a user with the same login in your CUBA application. You should set up access rights for this user. As LDAP is used only for authentication (password storing).

By default, login is matched with sAMAccountName of the entry (Active directory stores login in this property).
If you use another LDAP implementation, for instance, Apache DS and another field is ID, you should adjust cuba.web.ldap.userLoginField.
In my test environment I use Apache Directory Studio. By default “sn” is used as ID there. So I have got the following settings:

cuba.web.ldap.enabled = true
cuba.web.ldap.urls = ldap://localhost:10389
cuba.web.ldap.base = dc=example,dc=com
cuba.web.ldap.user = cn=iskandarov,ou=system
cuba.web.ldap.userLoginField = sn

cuba.web.standardAuthenticationUsers = admin
cuba.web.ldap.password = password

How the basic platform LDAP-authentication works:

  1. login and password are input in the login form of the application
  2. platform is authenticated in LDAP using credentials defined in cuba.web.ldap.user / cuba.web.ldap.password
  3. application does LDAP-search in cuba.web.ldap.base: it searches an entry with sn = login
  4. if the entry is found, the application tries to authenticate in LDAP by the found FQN and the provided password.
  5. if successful, the user gets access to the application

Thank you,
I just solved the problem.
I found the class of CubaAuthProvider is obsolete in cuba-6.8 .
so I back to 6.7 ,set cuba.web.externalAuthentication = true and creat a class implements CubaAuthProvider,
and I Override the methods of authenticate,Use my own method to validation username.
Now ,It’s OK!

and then my pwd in LADP Server is SHA-1,
but in ldapTemplate.authenticate,the input pwd no SHA-1,
so it’s why I’ve been not through the verification.

Hi,
CubaAuthProvider is obsolete in 6.8 but you can define externalAuthenticationProviderClass.

cuba.web.externalAuthentication = true
cuba.web.externalAuthenticationProviderClass = com.haulmont.cuba.web.auth.LdapAuthProvider

Hi,

I’d recommend that you take a look at the new login subsystem in 6.8 version. You can easily replace existing LdapLoginProvider (or implement a new one): https://doc.cuba-platform.com/manual-6.8/web_login.html#web_login_extension_points instead of using deprecated external authentication property.

2 posts were split to a new topic: How to start a local LDAP server and connect a CUBA application to it