JBoss.org Community Documentation
The LDAP identity store allows an LDAP directory server to be used to provide identity state. You can use this store in read-only or read-write mode, depending on the permissions the bind account has on the server.
The LDAP identity store is configured as follows:
```java
import org.picketlink.idm.config.IdentityConfigurationBuilder;

IdentityConfigurationBuilder builder = new IdentityConfigurationBuilder();

builder
    .stores()
        .ldap()
            .baseDN("dc=jboss,dc=org")
            // account used to bind; needs write permission on the
            // user, agent, role and group contexts for read-write mode
            .bindDN("uid=admin,ou=system")
            .bindCredential("secret")
            .url("ldap://localhost:10389")
            .userDNSuffix("ou=People,dc=jboss,dc=org")
            .roleDNSuffix("ou=Roles,dc=jboss,dc=org")
            .groupDNSuffix("ou=Groups,dc=jboss,dc=org")
            .supportAllFeatures();
```
The following table describes all configuration options:

Table 8.1. LDAP Configuration Options

Option | Description | Required |
---|---|---|
baseDN | Fixed DN of the context under which identity types are stored. | Yes |
bindDN | DN used to bind against the LDAP server. If you want to perform write operations, this DN must have write permissions on the agent, user, role and group contexts. | Yes |
bindCredential | Password for the bindDN. | Yes |
url | URL used to connect to the server, e.g. ldap://<<server>>:389. | Yes |
userDNSuffix | Fixed DN of the context from which users are read and in which they are stored. | Yes |
agentDNSuffix | Fixed DN of the context from which agents are read and in which they are stored. If not provided, the context given by setUserDNSuffix is used. | No |
roleDNSuffix | Fixed DN of the context from which roles are read and in which they are stored. | Yes |
groupDNSuffix | Fixed DN of the context from which groups are read and in which they are stored. | Yes |
Sometimes it may be useful to map a specific group to a specific context or DN. By default, all groups are stored in and read from the DN provided by the setGroupDNSuffix method, which means that you cannot have two groups with the same name.
The following configuration maps the group with path /QA Group to ou=QA,dc=jboss,dc=org:
```java
LDAPIdentityStoreConfiguration ldapStoreConfig = new LDAPIdentityStoreConfiguration();

// groups whose path is /QA Group (or directly below it) live under ou=QA
ldapStoreConfig
    .addGroupMapping("/QA Group", "ou=QA,dc=jboss,dc=org");
```
With this configuration you can have groups with the same name, but with different paths.
```java
IdentityManager identityManager = getIdentityManager();

// top-level group, stored under the default groupDNSuffix
Group managers = new SimpleGroup("managers");
identityManager.add(managers); // group's path is /managers

// child group with the same name, but under the mapped parent
Group qaGroup = identityManager.getGroup("QA Group");
Group managersQA = new SimpleGroup("managers", qaGroup);

// the QA Group is mapped to a different DN, so the two "managers" groups do not collide
Group qaManagerGroup = identityManager.add(managersQA); // group's path is /QA Group/managers
```
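To make the mapping rule concrete, the following added example (not part of the PicketLink documentation or code base) models how a group path resolves to a DN under the default suffix versus a configured mapping, and reports which paths would collide on the same entry. It assumes a group entry is named by its cn attribute and that only an exact path or the group's direct parent path is looked up in the mapping table.

```python
# Model of the group-path to DN resolution described above. Constructed for
# illustration only; it is not PicketLink's implementation.
# Assumption: a group entry is named cn=<name>, and only an exact path match
# or the group's direct parent path is looked up in the mapping table;
# everything else falls back to the default groupDNSuffix.

GROUP_DN_SUFFIX = "ou=Groups,dc=jboss,dc=org"            # groupDNSuffix
GROUP_MAPPINGS = {"/QA Group": "ou=QA,dc=jboss,dc=org"}   # addGroupMapping(...)

def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4),
    so a group name such as 'ops,admins' cannot alter the DN structure."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '",+;<>\\' or (i == 0 and ch in ' #') or (i == last and ch == ' '):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)

def resolve_group_dn(path, suffix=GROUP_DN_SUFFIX, mappings=None):
    """Return the DN under which the group with the given path is stored."""
    mappings = GROUP_MAPPINGS if mappings is None else mappings
    if not path.startswith('/') or path.endswith('/') or '//' in path:
        raise ValueError("group path must look like /parent/name")
    if path in mappings:                      # the mapped group itself
        return mappings[path]
    parent, _, name = path.rpartition('/')
    context = mappings.get(parent, suffix) if parent else suffix
    return "cn=%s,%s" % (escape_rdn_value(name), context)

def find_dn_collisions(paths, suffix=GROUP_DN_SUFFIX, mappings=None):
    """Map every DN that more than one group path resolves to onto those paths.
    An empty result means the configuration keeps all the given groups distinct."""
    by_dn = {}
    for p in paths:
        by_dn.setdefault(resolve_group_dn(p, suffix, mappings), []).append(p)
    return {dn: ps for dn, ps in by_dn.items() if len(ps) > 1}
```

Running find_dn_collisions over the planned group paths before switching the store to read-write mode shows whether a missing mapping would make two groups overwrite the same LDAP entry.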