Hello everyone,

Can someone explain to me what actually has to go at each point of this "ldap.properties" file?

INITIAL_CONTEXT_FACTORY    = com.sun.jndi.ldap.LdapCtxFactory (that's defined I think, nothing to change)
PROVIDER_URL               = ldaps://XXX.XXX.XXX.XXX:389 (that's clear)
SECURITY_AUTHENTICATION    = simple (also clear)
DN_PREFIX                  = CN= ?
DN_POSTFIX                 = ?
SEARCH_USER_BEFORE         = ?
SEARCH_USER_BEFORE_USER    = ?
SEARCH_USER_BEFORE_PSW     = ?
SEARCH_USER_BEFORE_FILTER  = (&((objectclass=person))(uid=%s)) (That's defined too, isn't it?)

I put a question mark after each point I don't really get.

Thanks in advance for the help.

Environment: Knowage 7.2.16, CentOS 7, Tomcat as application server, Brave Browser
asked Mar 22, 2021 in LDAP by klennartinikum (220 points)

1 Answer

Best answer

Hi klennartinikum,

DN_PREFIX is the prefix that will be prepended to the username to create the distinguished name of the user logging in.
DN_POSTFIX is the suffix that will be appended to the username to create the distinguished name of the user logging in.

For example, if you want to get 'UID=jsmith,DC=example,DC=net' you need to set

  • DN_PREFIX=UID=
  • DN_POSTFIX=,DC=example,DC=net

The final concatenation DN_PREFIX + <Knowage user ID> + DN_POSTFIX must be equal to the distinguished name of the user as defined in the LDAP server, according to the LDAP DN syntax: https://ldapwiki.com/wiki/DN%20Syntax.

Otherwise, if you need to search for the fully qualified distinguished name before verifying authentication, you need to set the SEARCH_USER_BEFORE property to true. Using this approach, the binding will not be anonymous; the SEARCH_USER_BEFORE_USER and SEARCH_USER_BEFORE_PSW values will be used as credentials to perform it.

Also, the SEARCH_USER_BEFORE_FILTER value is used as a filter to retrieve the user on the LDAP server; Knowage uses the username as a parameter to find it.

The example you can see in the documentation, (&((objectclass=person))(uid=%s)), can be used when your user has the objectClass attribute equal to person. The %s in the uid attribute will be replaced with the username you are verifying authentication for. For this reason, be careful not to delete %s from the filter.

If you need more information on this, you can read the official Knowage documentation at https://knowage-suite.readthedocs.io/en/7.2/installation-guide/advanced-configuration.html?highlight=ldap#ldap-security-connectors.

Greetings
Alberto

answered Apr 6, 2021 by albnale (6,760 points)
selected May 12, 2021 by klennartinikum
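A worked illustration, added by the editor and not code from the original post, from Alberto's answer, or from the Knowage project, of how the properties in the answer combine: DN_PREFIX + username + DN_POSTFIX becomes the bind DN in the direct mode, and the %s in SEARCH_USER_BEFORE_FILTER receives the username when SEARCH_USER_BEFORE is true and the SEARCH_USER_BEFORE_USER/SEARCH_USER_BEFORE_PSW service credentials are used for the first bind. The sample ldap.properties is constructed. The RFC 4514 (DN) and RFC 4515 (filter) escaping of the username and the PROVIDER_URL scheme/port check are the practitioner's additions: whether Knowage itself escapes the username before splicing it in is not stated on the page, and the search base is omitted because the page does not say which one Knowage uses.

```python
from urllib.parse import urlsplit

# Constructed sample ldap.properties mirroring the keys in the question (assumed values).
SAMPLE_PROPERTIES = """
# Knowage LDAP connector settings (constructed example)
INITIAL_CONTEXT_FACTORY   = com.sun.jndi.ldap.LdapCtxFactory
PROVIDER_URL              = ldaps://ldap.example.net:636
SECURITY_AUTHENTICATION   = simple
DN_PREFIX                 = UID=
DN_POSTFIX                = ,DC=example,DC=net
SEARCH_USER_BEFORE        = true
SEARCH_USER_BEFORE_USER   = CN=knowage-svc,OU=service,DC=example,DC=net
SEARCH_USER_BEFORE_PSW    = service-password
SEARCH_USER_BEFORE_FILTER = (&(objectClass=person)(uid=%s))
"""


def parse_properties(text):
    """Minimal Java .properties reader: KEY = VALUE lines, '#'/'!' comments, values trimmed."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")  # split on the FIRST '=' only: values contain '='
        if sep:
            props[key.strip()] = value.strip()
    return props


# RFC 4514: characters that must be backslash-escaped inside a DN attribute value.
_DN_SPECIAL = ',+"\\<>;'


def escape_dn_value(value):
    """Escape a username so it cannot add or alter RDNs when spliced into a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


# RFC 4515: characters that must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a username so it cannot change the structure of the search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def direct_bind_dn(props, username):
    """Mode 1 (SEARCH_USER_BEFORE=false): DN_PREFIX + username + DN_POSTFIX is the bind DN."""
    return props["DN_PREFIX"] + escape_dn_value(username) + props["DN_POSTFIX"]


def user_search_filter(props, username):
    """Mode 2: the %s placeholder in SEARCH_USER_BEFORE_FILTER receives the escaped username."""
    template = props["SEARCH_USER_BEFORE_FILTER"]
    if "%s" not in template:
        raise ValueError("SEARCH_USER_BEFORE_FILTER must keep the %s placeholder")
    return template.replace("%s", escape_filter_value(username))


def check_provider_url(url):
    """Return warnings for settings under which a 'simple' bind exposes the password."""
    parts = urlsplit(url)
    warnings = []
    if parts.scheme == "ldap":
        warnings.append("simple bind over ldap:// sends the password in cleartext unless StartTLS is used")
    elif parts.scheme == "ldaps" and parts.port == 389:
        warnings.append("ldaps:// conventionally uses port 636; 389 is the plain-LDAP port")
    elif parts.scheme not in ("ldap", "ldaps"):
        warnings.append("unrecognised PROVIDER_URL scheme %r" % parts.scheme)
    return warnings


def authentication_plan(props, username):
    """List the bind/search steps the two modes imply (no network; steps are labelled tuples)."""
    if props.get("SEARCH_USER_BEFORE", "false").lower() == "true":
        return [
            ("bind", props["SEARCH_USER_BEFORE_USER"], "SEARCH_USER_BEFORE_PSW"),
            ("search", user_search_filter(props, username), "search base not given on the page"),
            ("bind", "<DN returned by the search>", "user-supplied password"),
        ]
    return [("bind", direct_bind_dn(props, username), "user-supplied password")]


if __name__ == "__main__":
    cfg = parse_properties(SAMPLE_PROPERTIES)
    for step in authentication_plan(cfg, "jsmith"):
        print(step)
    print(direct_bind_dn(cfg, "smith, john"))      # comma is escaped, stays one RDN
    print(user_search_filter(cfg, "*)(uid=*"))     # metacharacters hex-escaped
    print(check_provider_url("ldaps://203.0.113.5:389"))
```

The two escaping helpers are the check worth keeping in mind when reading the answer: the username is interpolated twice, once into a DN and once into a filter, and each has its own metacharacters. Note also that the PROVIDER_URL in the question pairs ldaps:// with port 389: 636 is the conventional LDAPS port and 389 is plain LDAP, so a simple bind against 389 either fails the TLS handshake or, if the scheme is changed to ldap://, sends the password in cleartext.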