ldap_adaptor

Name

ldap_adaptor — LDAP connector for authentication

Description

ldap_adaptor is a service plugin for Gromox that allows an LDAP server to be used for authentication. Since the authoritative user database is in MySQL, LDAP is only used to perform authentication (Bind operations), and the metadata searches that lead up to such Binds, i.e. locating the LDAP object that has a particular “mail” attribute.

Configuration directives

The configuration file, /etc/gromox/ldap_adaptor.cfg, serves not only the ldap_adaptor plugin, but is also read by the Grommunio Admin API.

Gromox directives

auth_connections
The maximum number of LDAP connections that may be used for authentication requests. (Authentication cannot be run on the metadata connections, and so this constitutes a separate set of connections.) This parameter has a fixed value and is currently not settable.
Default: (same as data_connections)
data_connections
The number of LDAP connections that will be kept active to the LDAP server for the purpose of metadata searches.
Default: 4
ldap_edirectory_workarounds
Attempt to deal with wire protocol violations brought about by Novell/NetIQ eDirectory server implementations.
Default: false
ldap_bind_user
An LDAP binddn to use for metadata searches. Only Simple Authentication is supported at this time.
Default: (unset)
ldap_bind_pass
Password for Simple Authentication of ldap_bind_user.
Default: (unset)
ldap_host
Whitespace-separated set of LDAP URIs in the form of ldap[si]://[name[:port]]. Unlike RFC 2255, the openldap2 ldap.conf(5) manpage does not provide for trailing slashes or DN bases in the URI. openldap2 utilities accept and ignore such parts of the URI, while other implementations such as python-ldap3 fail to connect.
Default: (libldap default, see ldap.conf(5))
ldap_mail_attr
The name of the LDAP attribute which holds the primary e-mail address of the user. Pick mail (OpenLDAP as well as ActiveDirectory schemas).
Default: (empty)
ldap_search_base
The base DN under which the metadata searches are performed.
Default: (libldap default)
ldap_start_tls
Use the STARTTLS mechanism on LDAP connections. If possible, use Explicit TLS (ldaps:// in the URI field) in preference to STARTTLS; see the Internet blog posts titled “STARTTLS considered harmful” for details.
Default: off
Take note that libldap may reject self-signed certificates from the LDAP server. This can be worked around with the “TLS_REQCERT allow” directive in ldap.conf; see the ldap.conf(5) manpage for details. However, by its description, TLS_REQCERT allow causes a missing or bad server certificate to be ignored: the connection is still encrypted, but the server is no longer authenticated, so an active attacker who impersonates the LDAP server can capture the bind credentials, which is the practical equivalent of a downgrade to cleartext. Prefer pointing TLS_CACERT at the CA that issued the server certificate and leaving TLS_REQCERT at its default of “demand”.

Grommunio Admin API directives

ldap_host

ldap_bind_user

ldap_bind_pass

ldap_search_base

ldap_start_tls

ldap_mail_attr
(These six as above)
ldap_disabled
If true, Grommunio Admin API will not make use of LDAP (which generally just means synchronization). This directive has no effect on Gromox; users which have been synchronized previously and which exist in MySQL keep their validity as far as Gromox is concerned.
ldap_object_id
The name of the LDAP attribute which holds a unique, unchanging object identifier for synchronization purposes. Pick entryUUID for OpenLDAP, objectGUID for ActiveDirectory.
Default: (empty)
ldap_user_filter
An LDAP search filter that specifies which users should be synchronized. Recommendations are (objectClass=posixAccount) for OpenLDAP/RFC2307bis, (objectClass=user) for ActiveDirectory.
Default: (empty)
ldap_user_displayname
The name of the LDAP attribute which holds the value for PR_DISPLAY_NAME. Pick displayName (OpenLDAP as well as ActiveDirectory schemas).
Default: (empty)
ldap_user_search_attrs
The name(s) of LDAP attributes which the Admin API will compare when using AAPI’s search function. To specify multiple attributes, repeat this directive, one attribute per line, e.g. put ldap_user_search_attrs=mail and ldap_user_search_attrs=cn in the config file.
Default: (empty set)
ldap_user_template
The name(s) of Admin API templates to use. Multi-value directive like ldap_user_search_attrs. Pick ldap_user_template=common and ldap_user_template=OpenLDAP for OpenLDAP, or ldap_user_template=common and ldap_user_template=ActiveDirectory for AD.
Default: (empty set)
ldap_user_aliases
The name of the LDAP attribute which contains secondary e-mail addresses. Pick mailAlternativeAddress (OpenLDAP) or proxyAddresses (AD). The smtp: prefix in proxyAddresses is automatically trimmed when read.
Default: (empty)
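A small checker for the two directive sets above, added here as an example; it is not code from Gromox or the Grommunio Admin API. It parses the key=value format of ldap_adaptor.cfg (collecting repeated keys, as ldap_user_search_attrs and ldap_user_template require), flags the settings this page warns about (cleartext ldap:// without ldap_start_tls, a URI carrying a trailing slash or DN base, a bind user without a password, an empty ldap_mail_attr), and shows the RFC 4515 escaping needed when a login name is placed into the (mail=...) filter of the metadata search that precedes the authentication Bind. The two configurations, hostnames, DNs and passwords in it are constructed samples.

```python
"""Check an ldap_adaptor.cfg and build the (mail=...) lookup filter.

Added example; not code from Gromox or the Grommunio Admin API.
Hostnames, DNs and passwords below are constructed samples.
"""
import re
from typing import Dict, List

# Constructed sample with the weaknesses this page warns about:
# cleartext ldap:// without ldap_start_tls, a trailing slash in the URI,
# a bind user without a password and an empty ldap_mail_attr.
WEAK_CFG = """\
ldap_host=ldap://ldap.example.com/ ldap://ldap2.example.com:389
ldap_bind_user=cn=gromox,ou=svc,dc=example,dc=com
ldap_search_base=dc=example,dc=com
ldap_mail_attr=
"""

# Constructed sample using explicit TLS (ldaps://) and the OpenLDAP picks
# recommended above; multi-value directives are repeated one per line.
HARDENED_CFG = """\
ldap_host=ldaps://ldap.example.com ldaps://ldap2.example.com:636
ldap_bind_user=cn=gromox,ou=svc,dc=example,dc=com
ldap_bind_pass=correct-horse-battery-staple
ldap_search_base=dc=example,dc=com
ldap_mail_attr=mail
ldap_start_tls=false
ldap_object_id=entryUUID
ldap_user_filter=(objectClass=posixAccount)
ldap_user_search_attrs=mail
ldap_user_search_attrs=cn
ldap_user_template=common
ldap_user_template=OpenLDAP
"""

# ldap[si]://[name[:port]] as ldap.conf(5) describes it: no trailing
# slash, no DN base (ldapi:// carries a percent-encoded socket path).
URI_RE = re.compile(r"^ldap[si]?://[A-Za-z0-9.%_\-]*(?::\d{1,5})?$")


def parse_cfg(text: str) -> Dict[str, List[str]]:
    """key=value per line; a repeated key collects all of its values."""
    cfg: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg.setdefault(key.strip(), []).append(value.strip())
    return cfg


def _is_true(value: str) -> bool:
    return value.strip().lower() in ("1", "true", "yes", "on")


def lint(cfg: Dict[str, List[str]]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings: List[str] = []
    start_tls = any(_is_true(v) for v in cfg.get("ldap_start_tls", []))
    for uri in " ".join(cfg.get("ldap_host", [])).split():
        if not URI_RE.match(uri):
            findings.append(f"ldap_host: {uri!r} is not ldap[si]://[name[:port]] "
                            "(trailing slash or DN base breaks some clients)")
        if uri.startswith("ldap://") and not start_tls:
            findings.append(f"ldap_host: {uri!r} is cleartext; use ldaps:// "
                            "(preferred) or set ldap_start_tls=true")
    if any(cfg.get("ldap_bind_user", [])) and not any(cfg.get("ldap_bind_pass", [])):
        findings.append("ldap_bind_user is set but ldap_bind_pass is empty")
    if not any(cfg.get("ldap_mail_attr", [])):
        findings.append("ldap_mail_attr is empty; the user's DN cannot be "
                        "located by e-mail address")
    return findings


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value placed inside a filter."""
    return "".join(f"\\{ord(ch):02x}" if ch in "*()\\\x00" else ch for ch in value)


def mail_filter(mail_attr: str, login: str) -> str:
    """Filter for the metadata search that precedes the Bind.

    Without escaping, a login of '*' would become (mail=*) and match
    every object; with escaping the asterisk is matched literally.
    """
    return f"({mail_attr}={escape_filter_value(login)})"


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(f"{name}: {lint(parse_cfg(text)) or 'no findings'}")
    print(mail_filter("mail", "alice@example.com"))
    print(mail_filter("mail", "*"))
```

Run it against a copy of /etc/gromox/ldap_adaptor.cfg by passing the file contents to parse_cfg and lint; the weak sample yields five findings, the hardened one none. The escaping matters because the login name is attacker-controlled input at authentication time: an unescaped asterisk or parenthesis changes the meaning of the search filter rather than the value being searched for.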

See also

gromox(7), authmgr(4gx)