...

Syndeia interfaces with LDAP servers using RFC 4511 standard LDAP URL requests.

Tip: Research the configuration for LDAP outside of Syndeia

The recommended way to discover how to configure Syndeia for LDAP-speaking IdPs is to use one of the several open-source utilities for LDAP searching. These include:

...

  • the particular attributes which are returned will vary depending on the vendor of the LDAP service

  • the simple utility verifies that the specified LDAP server is reachable at the specified port and that the client and the server negotiated a secure TLS session using credentials and cipher algorithms that are acceptable to both parties

  • some LDAP servers require the DN and password of an administrator (bind) account before they will answer a search; others do not

  • although the connection itself is encrypted with SSL/TLS, the client utility ldapsearch decrypts the responses before displaying them, so the LDIF results appear on screen in plain text

Tip: Compare Configuration attempts with this real-world Example

At Intercax, we use OpenLDAP servers as the delegated Identity Providers for our internal Syndeia deployments. We use open-source Apache Directory Studio to help us provision those LDAP servers.

We are a small company, so we do not have many users or many groups, but our LDAP structure does reflect what occurs in larger organizations: there are more corporate users than there are users permitted to log into Syndeia, and the users who are permitted to log into Syndeia are limited to those who have been added in the LDAP IdP as members of a specific group.

The screen here shows our LDAP structure.

...

At the root of the LDAP tree is the base entry for the company, identified by its Distinguished Name (DN). DN: dc=intercax,dc=com

Within the company DN is an Organizational Unit (OU) node that holds all the users, the Organizational Persons. DN: ou=Users,dc=intercax,dc=com

Also within the company DN is a node that holds all the groups or teams within the company. DN: ou=Groups,dc=intercax,dc=com

Within the Users OU are separate entries for each individual and these have three key properties:

  1. The name of the attribute used as the unique identifier: uid

  2. The name of the attribute used to store the person’s unique email address: mail

  3. The DN of each entry, e.g. DN: uid=lvanzandt,ou=Users,dc=intercax,dc=com

Within the Groups OU are separate entries for each team and these have three key properties:

  1. The name of the attribute used as the unique identifier: cn

  2. The name of the attribute used to store a reference to a member of the group: uniqueMember

  3. The DN of each entry, e.g. DN: cn=SyndeiaUsers,ou=Groups,dc=intercax,dc=com
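The two-step lookup this structure supports (find the person's entry under ou=Users by uid or mail, then require that entry's DN to appear as a uniqueMember of cn=SyndeiaUsers) as an added example; this is not Syndeia's or Intercax's code. It parses a constructed LDIF sample in the form ldapsearch prints it, and the example.com mail addresses and the extra user jdoe are assumptions, not values from this page.

```python
# Constructed sample LDIF modelled on the tree described on this page;
# jdoe is a corporate user who is not a member of SyndeiaUsers.
SAMPLE_LDIF = """\
dn: uid=lvanzandt,ou=Users,dc=intercax,dc=com
uid: lvanzandt
mail: lvanzandt@example.com

dn: uid=jdoe,ou=Users,dc=intercax,dc=com
uid: jdoe
mail: jdoe@example.com

dn: cn=SyndeiaUsers,ou=Groups,dc=intercax,dc=com
cn: SyndeiaUsers
uniqueMember: uid=lvanzandt,ou=Users,dc=intercax,
 dc=com
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}}, folding LDIF continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # a leading space continues the previous line
        else:
            lines.append(raw)
    entries, current = {}, {}
    for line in lines + [""]:  # the trailing "" flushes the last entry
        if not line:
            if current:
                entries[current["dn"][0]] = current
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip(), []).append(value.strip())
    return entries

def is_permitted(entries, login, id_attr="uid", member_attr="uniqueMember",
                 user_base="ou=Users,dc=intercax,dc=com",
                 group_dn="cn=SyndeiaUsers,ou=Groups,dc=intercax,dc=com"):
    """Find the user's DN under ou=Users, then require that DN to be listed in
    the group's member attribute. DN matching is simplified to case-folding."""
    user_dn = next((dn for dn, attrs in entries.items()
                    if dn.lower().endswith(user_base.lower())
                    and login in attrs.get(id_attr, [])), None)
    if user_dn is None:
        return False  # not a corporate user at all
    members = entries.get(group_dn, {}).get(member_attr, [])
    return user_dn.lower() in {m.lower() for m in members}
```

Passing `id_attr="mail"` performs the same check keyed on the email address, which is the other identifier attribute listed above.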

When the silhouette.conf file and its ldap properties are customized, whether intentionally or in error, Syndeia will not be able to delegate identity authorization requests to the intended LDAP server, and users will not be able to authenticate into Syndeia with their LDAP credentials, whether those credentials are correct or not.

...