...
Within the Groups OU are separate entries for each team and these have three four key properties:
The name of the attribute used as the unique identifier.
cn
The name of the attribute used to store a reference to a member of the group.
uniqueMember
The DN of each entry.
DN: cn=SyndeiaUsers,ou=Groups,dc=intercax,dc=com
An attribute or objectClass that identifies that the OU is a group.
ou=groups
Note that groups can be nested. Syndeia allows users to be specified in one chosen group; it does not support searching for users who collectively come from separate groups which do not share a common outer group.
Sample silhouette.conf for the Intercax example LDAP
Given an LDAP server such as described here, which responds appropriately to attempted ldapsearch
queries, and which is available at the URL ldaps://myldap.acme.org:636
, then the following silhouette.conf
LDAP setting properties are used:
Code Block | ||
---|---|---|
| ||
# LDAP provider # The values for hostname, baseDN and adminUserDN are placeholder values. # Please provide actual values, and the value for adminPassword, before using an LDAP provider. ldap.hostname="myldap.acme.org" ldap.port=636 ldap.baseDN="dc=intercax,dc=com" ldap.adminUserDN="cn=admin,dc=intercax,dc=com" ldap.adminPassword="ShhItIsSecret" ldap.userBindAttribute="uid" ldap.startTLS=true ldap.trustAllCertificates=true ldap.mailAttribute="mail" # we limit Syndeia to only those users in the SyndeiaUsers team so: ldap.groupSettings.dn="ou=Groups,dc=intercax,dc=com" ldap.groupSettings.ou="groups" ldap.groupSettings.name="SyndeiaUsers" ldap.groupSettings.bindAttribute="cn" ldap.groupSettings.memberAttribute="uniqueMember" |
When there is intentional or errant customization of the silhouette.conf
file and its ldap
properties, Syndeia won't be able to delegate identity authorization requests to the intended LDAP server and users will not be able to authenticate into Syndeia with their accurate (or flawed) LDAP credentials.
...