ldap_adaptor

Name

ldap_adaptor — LDAP connector for authentication

Description

ldap_adaptor is a service plugin for Gromox that facilitates the use of an LDAP server for authentication purposes. Since the authoritative user database is in MySQL, LDAP is only used to perform authentication (Bind operations) and the metadata searches that lead up to such Binds, i.e. looking for the LDAP object whose "mail" attribute (see ldap_mail_attr) matches the login name.

Gromox versions 1.33 and onwards have support for per-organization LDAP credentials. The SQL database for Gromox users (and domains and organizations) has room to store properties on the individual organization objects. Use Grommunio AAPI/AWEB to create and/or change organizations and their properties. These properties from SQL can selectively override the six config directives ldap_host, ldap_start_tls, ldap_bind_user, ldap_bind_pass, ldap_search_base and ldap_mail_attr.
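
The search-then-bind sequence described above, as an added illustration that is not Gromox code: ldap_adaptor talks to a real server through libldap, whereas the in-memory FakeDirectory below is a constructed stand-in so the example runs offline. It shows the two checks a practitioner wants around that sequence: RFC 4515 escaping of the login name before it is spliced into the search filter, and refusing an empty password before it reaches the server, because a simple Bind with a DN and an empty password is an unauthenticated bind (RFC 4513) that most servers accept. The function and class names, the example users and the base DN are inventions of this example.

```python
"""Search-then-bind authentication, illustrated with a constructed directory.

Added example, not Gromox code.  FakeDirectory is an in-memory stand-in for
an LDAP server; the names below (escape_filter_value, authenticate, the
example users) are inventions of this example.
"""
from __future__ import annotations

import hmac
import re

# RFC 4515 escaping for values spliced into a search filter.  The login
# name is attacker-controlled, so without this a login of "*" or
# "x)(objectClass=*" changes the meaning of the query.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_mail_filter(mail_attr: str, mail: str) -> str:
    """Filter selecting the entry whose mail attribute equals the login name."""
    return f"({mail_attr}={escape_filter_value(mail)})"


def _filter_value_to_regex(pattern: str) -> str:
    """Translate an (escaped) LDAP filter value into a regex, treating an
    unescaped '*' as a substring wildcard the way a real server does."""
    parts, literal, i = [], "", 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 2 < len(pattern):      # \xx hex escape
            literal += chr(int(pattern[i + 1:i + 3], 16))
            i += 3
        elif ch == "*":                              # wildcard
            parts.append(re.escape(literal) + ".*")
            literal = ""
            i += 1
        else:
            literal += ch
            i += 1
    parts.append(re.escape(literal))
    return "".join(parts)


class FakeDirectory:
    """Constructed stand-in for an LDAP server: understands only the single
    equality filter '(attr=value)' that the lookup needs, plus simple Bind."""

    def __init__(self, entries: dict[str, dict[str, list[str]]]):
        self.entries = entries  # dn -> {attribute: [values]}

    def search(self, base: str, ldap_filter: str) -> list[str]:
        m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
        if m is None:
            raise ValueError(f"unsupported filter: {ldap_filter}")
        attr, regex = m.group(1), _filter_value_to_regex(m.group(2))
        return [
            dn for dn, attrs in self.entries.items()
            if dn.lower().endswith(base.lower())
            and any(re.fullmatch(regex, v) for v in attrs.get(attr, []))
        ]

    def bind(self, dn: str, password: str) -> bool:
        # RFC 4513 section 5.1.2: a simple Bind with a DN but an empty
        # password is an *unauthenticated* bind, which most servers accept.
        # The fake mimics that so the guard in authenticate() is visible.
        if password == "":
            return True
        stored = self.entries.get(dn, {}).get("userPassword", [""])[0]
        return hmac.compare_digest(stored.encode(), password.encode())


def authenticate(directory: FakeDirectory, search_base: str, mail_attr: str,
                 login: str, password: str) -> bool:
    """Resolve the login name to a DN via the mail attribute, then Bind as it."""
    if password == "":
        return False  # never let an empty password reach the server (see bind)
    hits = directory.search(search_base, build_mail_filter(mail_attr, login))
    if len(hits) != 1:
        return False  # unknown user, or ambiguous match: refuse to guess
    return directory.bind(hits[0], password)


# Constructed example directory.
BASE = "dc=example,dc=com"
DIRECTORY = FakeDirectory({
    "uid=alice,ou=people,dc=example,dc=com": {
        "mail": ["alice@example.com"], "userPassword": ["correct horse"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "mail": ["bob@example.com"], "userPassword": ["battery staple"]},
})

if __name__ == "__main__":
    print(authenticate(DIRECTORY, BASE, "mail", "alice@example.com", "correct horse"))  # True
    print(authenticate(DIRECTORY, BASE, "mail", "alice@example.com", ""))               # False
    print(DIRECTORY.search(BASE, "(mail=*)"))                      # both DNs: unescaped wildcard
    print(DIRECTORY.search(BASE, build_mail_filter("mail", "*")))  # []: escaped to \2a
```

The ambiguity check matters with per-organization search bases: if a login name resolves to more than one object under the configured base, binding as "the first hit" would let the directory's ordering decide whose password is checked.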

Configuration directives

The configuration file, /etc/gromox/ldap_adaptor.cfg, serves not only the ldap_adaptor plugin, but is also read by the Grommunio Admin API.

Gromox directives

auth_connections
The maximum number of LDAP connections that may be used for authentication requests. (Authentication cannot be run on the metadata connections, because a Bind replaces the identity a connection is operating under, so this constitutes a separate set of connections.) This parameter has a fixed value and is currently not settable.
Default: (same as data_connections)
data_connections
The number of LDAP connections that will be kept active to the LDAP server for the purpose of metadata searches.
Default: 4
ldap_edirectory_workarounds
Attempt to deal with wire protocol violations brought about by Novell/NetIQ eDirectory server implementations.
Default: false
ldap_bind_user
An LDAP binddn to use for metadata searches. You can only use Simple Authentication at this time. If an organization object defines LDAP credentials of its own, those will be used in preference to ldap_bind_user.
Default: (unset)
ldap_bind_pass
Password for Simple Authentication of ldap_bind_user.
Default: (unset)
ldap_host
Whitespace-separated set of LDAP URIs of the form ldap[si]://[name[:port]] for the default LDAP tree. The openldap2 ldap.conf(5) manpage does not specify trailing slashes or DN bases the way RFC 2255 (now RFC 4516) does, and because of this, you should not use them: openldap2 utilities accept and ignore such parts of the URI, while other implementations like python-ldap3 fail to connect. Per-organization LDAP credentials override ldap_host as necessary.
Default: (libldap default, see ldap.conf(5))
ldap_mail_attr
The name of the LDAP attribute which holds the primary e-mail address of the user. Pick mail (OpenLDAP as well as Active Directory schemas).
Default: (empty)
ldap_search_base
The base DN under which the metadata searches for user objects (the lookup by ldap_mail_attr) are performed. Per-organization LDAP credentials override ldap_search_base as necessary.
Default: (libldap default)
ldap_start_tls
Use the STARTTLS mechanism on LDAP connections. Prefer implicit TLS (an ldaps:// URI in ldap_host) over ldap:// with STARTTLS: with ldaps:// the connection is encrypted before any LDAP message is sent, whereas a STARTTLS session begins in cleartext and relies on the client refusing to continue if the upgrade is stripped by an attacker; see Internet blog posts "STARTTLS considered harmful" for details.
Default: off
Take note that libldap may reject self-signed certificates from the LDAP server. A common workaround is the "TLS_REQCERT allow" directive in ldap.conf, but that tells libldap to proceed even when the server presents a bad certificate or none at all (see the ldap.conf(5) manpage), so an attacker who can intercept the connection can impersonate the LDAP server and collect the Bind passwords of everyone who logs in. The safer fix is to point the TLS_CACERT directive in ldap.conf at the CA certificate (or the self-signed server certificate) so that verification succeeds.

Grommunio Admin API directives

ldap_host ldap_bind_user ldap_bind_pass ldap_search_base ldap_start_tls ldap_mail_attr

(These six as above)

ldap_disabled

If true, Grommunio Admin API will not make use of LDAP (which generally just means synchronization). This directive has no effect on Gromox; users which have been synchronized previously and which exist in MySQL keep their validity as far as Gromox is concerned.

ldap_object_id
The name of the LDAP attribute which holds a unique, unchanging object identifier for synchronization purposes. Pick entryUUID for OpenLDAP, objectGUID for Active Directory.
Default: (empty)
ldap_user_filter
An LDAP search filter that specifies which users should be synchronized. Recommendations are (objectClass=posixAccount) for OpenLDAP/RFC2307bis, (objectClass=user) for Active Directory.
Default: (empty)
ldap_user_displayname
The name of the LDAP attribute which holds the value for PR_DISPLAY_NAME. Pick displayName (OpenLDAP as well as Active Directory schemas).
Default: (empty)
ldap_user_search_attrs
The name(s) of LDAP attributes which the Admin API will compare when using AAPI's search function. To specify multiple attributes, repeat this directive, and specify one attribute per line, e.g. put ldap_user_search_attrs=mail and ldap_user_search_attrs=cn, etc. in the config file.
Default: (empty set)
ldap_user_template
The name(s) of Admin API templates to use. Multi-value directive like ldap_user_search_attrs. Pick ldap_user_template=common and ldap_user_template=OpenLDAP for OpenLDAP, or ldap_user_template=common and ldap_user_template=ActiveDirectory for Active Directory.
Default: (empty set)
ldap_user_aliases
The name of the LDAP attribute which contains secondary e-mail addresses. Pick mailAlternativeAddress (OpenLDAP) or proxyAddresses (Active Directory). The smtp: prefix in proxyAddresses is automatically trimmed when read.
Default: (empty)
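
A worked ldap_adaptor.cfg for an OpenLDAP tree, added here as an illustration rather than taken from a Gromox installation, putting the weak transport settings discussed under ldap_start_tls next to the hardened ones and showing the repeated-line form of the multi-value Admin API directives. The host names, DNs, the service account password, the CA file path and the ldap.conf location are assumptions.

```ini
# /etc/gromox/ldap_adaptor.cfg  (example values; hosts, DNs and paths are invented)

# --- Weak: cleartext LDAP without STARTTLS.  The Bind password of every
# user who logs in crosses the network unencrypted.  Do not use.
#ldap_host=ldap://ldap.example.com
#ldap_start_tls=off

# --- Hardened: implicit TLS from the first byte, two replicas which libldap
# tries in turn.  No trailing slash and no base DN in the URI (see ldap_host).
ldap_host=ldaps://ldap1.example.com ldaps://ldap2.example.com
ldap_start_tls=off
ldap_bind_user=cn=gromox-reader,ou=service,dc=example,dc=com
ldap_bind_pass=change-me
ldap_search_base=ou=people,dc=example,dc=com
ldap_mail_attr=mail
data_connections=4

# --- Grommunio Admin API directives (same file).  Multi-value directives are
# given once per line.
ldap_object_id=entryUUID
ldap_user_filter=(objectClass=posixAccount)
ldap_user_displayname=displayName
ldap_user_search_attrs=mail
ldap_user_search_attrs=cn
ldap_user_template=common
ldap_user_template=OpenLDAP
ldap_user_aliases=mailAlternativeAddress

# --- Companion settings in the system ldap.conf, NOT in this file (the path
# is /etc/openldap/ldap.conf or /etc/ldap/ldap.conf depending on the
# distribution; see ldap.conf(5)).  Make certificate verification succeed
# instead of switching it off with "TLS_REQCERT allow":
#   TLS_CACERT /etc/gromox/ldap-ca.pem
#   TLS_REQCERT demand
```

Because ldap_bind_pass is stored in the clear, restrict the permissions of ldap_adaptor.cfg to the accounts that run Gromox and the Admin API, and give the bind user read access to the attributes it needs and nothing more, since a compromised Gromox host exposes that credential.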

See also

gromox(7), authmgr(4gx)