JBoss.orgCommunity Documentation
Table of Contents
The LDAP identity store allows an LDAP directory server to be used to provide identity state. You can use this store in read-only or write-read mode, depending on your permissions on the server.
The LDAP identity store can be configured by providing the following configuration:
IdentityConfigurationBuilder builder = new IdentityConfigurationBuilder();
builder
.named("ldap.config")
.stores()
.ldap()
.baseDN("dc=jboss,dc=org")
.bindDN("uid=admin,ou=system")
.bindCredential("passwd")
.url("ldap://localhost:389")
.supportType(IdentityType.class)
.supportGlobalRelationship(Grant.class, GroupMembership.class)
.mapping(Agent.class)
.baseDN("ou=Agent,dc=jboss,dc=org")
.objectClasses("account")
.attribute("loginName", UID, true)
.readOnlyAttribute("createdDate", CREATE_TIMESTAMP)
.mapping(User.class)
.baseDN("ou=User,dc=jboss,dc=org")
.objectClasses("inetOrgPerson", "organizationalPerson")
.attribute("loginName", UID, true)
.attribute("firstName", CN)
.attribute("lastName", SN)
.attribute("email", EMAIL)
.readOnlyAttribute("createdDate", CREATE_TIMESTAMP)
.mapping(Role.class)
.baseDN("ou=Roles,dc=jboss,dc=org")
.objectClasses(GROUP_OF_NAMES)
.attribute("name", CN, true)
.readOnlyAttribute("createdDate", CREATE_TIMESTAMP)
.mapping(Group.class)
.baseDN("ou=Groups,dc=jboss,dc=org")
.objectClasses(GROUP_OF_NAMES)
.attribute("name", CN, true)
.readOnlyAttribute("createdDate", CREATE_TIMESTAMP)
.parentMembershipAttributeName("member")
.mapping(Grant.class)
.forMapping(Role.class)
.attribute("assignee", "member")
.mapping(GroupMembership.class)
.forMapping(Group.class)
.attribute("member", "member");
The following table describes all configuration options:
Table 8.1. LDAP Configuration Options
| Option | Description |
|---|---|
baseDN | Sets the base DN for a specific mapped type or all types. |
bindDN | Sets the the DN used to bind against the ldap server. If you want to perform write operations the DN must have permissions on the agent,user,role and group contexts. |
bindCredential | Sets the password for the bindDN. |
url | Sets the url that should be used to connect to the server. Eg.: ldap://<<server>>:389. |
mapping | Defines a set of mapping options for a specific type. |
objectClasses | Defines the objectClasses that should be used by entries of a specific type. |
attribute | Defines the mapping between a type property and its corresponding LDAP attribute. |
forMapping | Defines that a specific type is related with another mapped type. Useful when mapping relationships. |
Sometimes may be useful to map a specific group to a specific context or DN.
The following configuration maps the group with path /QA Group to ou=QA,ou=Groups,dc=jboss,dc=org
mapping(Group.class)
.baseDN(embeddedServer.getGroupDnSuffix())
.objectClasses(GROUP_OF_NAMES)
.attribute("name", CN, true)
.readOnlyAttribute("createdDate", CREATE_TIMESTAMP)
.parentMembershipAttributeName("member")
.parentMapping("QA Group", "ou=QA,ou=Groups,dc=jboss,dc=org")
With this configuration you can have groups with the same name, but with different paths.
IdentityManager identityManager = getIdentityManager();
Group managers = new SimpleGroup("managers");
identityManager.add(managers); // group's path is /manager
Group qaGroup = identityManager.getGroup("QA Group");
Group managersQA = new SimpleGroup("managers", qaGroup);
// the QA Group is mapped to a different DN.
Group qaManagerGroup = identityManager.add(managersQA); // group's path is /QA Group/managers