-
Notifications
You must be signed in to change notification settings - Fork 3
LDAP Setting
Kustvakt full version needs a file containing all necessary information to access the LDAP system and to authenticate and authorize users (see example LDAP config below).
ldap.config = path-to-ldap-config-file
To find, authenticate and authorize users, the ldap filter expression specified in searchFilter is used. Within this expression all occurrences of the placeholders ${login} and ${password} are replaced with the name and password the user has entered for logging in.
If searchFilter does not contain any occurrence of ${password} the user DN found via the filter expression will be authenticated via a regular LDAP bind operation, using the entered password. In this case, depending on the LDAP server, also hashed passwords are supported.
Optionally, the two filters authFilter and userNotBlockedFilter can be specified, in addition. The first should be used to check whether a known user has also signed the necessary EULA, for example, and the second to check that the known user is not blocked. This will be reflected in the error messages for failed logins.
host=ldap.example.org
# use LDAP over SSL (LDAPS) if the server supports it
useSSL=true
port=636
# to trust all certs, leave trustStore empty
trustStore=truststore.jks
# add ssl cipher suites if required as csv, e.g. TLS_RSA_WITH_AES_256_GCM_SHA384
additionalCipherSuites=
searchBase=dc=example,dc=org
# DN of a user with full read access
sLoginDN=cn=admin,dc=example,dc=org
pwd=adminpassword
# search for user with uid or email matching login, and signed EULA
searchFilter=(&(|(uid=${login})(mail=${login}))(signedeula=TRUE))Instead of you own LDAP server, you can also use Kustvakt-full's embedded in-memory LDAP server which uses UnboundID LDAP SDK for this purpose. In order to do so, the following additional settings are required in your ldap.conf:
useEmbeddedServer=true
ldifFile=path-to-users-directory.ldif
# port=1234Note that currently the embedded server ignores the host and useSSL settings, and only listens on the localhost interface. The port setting, on the other hand, is used.
The embedded server currently supports the following password encodings: clear passwords (prefix {CLEAR} or empty), {HEX}, {BASE64}, {SHA}, {SHA256}.
Note that none of these are safe against brute force attacks.
You can try Kustvakt-full with embedded LDAP server using the example configuration provided in embedded-ldap-example.conf and users defined in example-users.ldif like this:
$ cp src/main/resources/kustvakt.conf .
$ java -jar target/Kustvakt-full-*.jarThe example-users.ldif defines the following login:password combinations: user:password, user1:password1, …, user4:password4, with differently encoded passwords.
To try it out together with KorAP's web user interface Kalamar, add "Auth" to the loaded plugins in kalamar.conf:
plugins => ["Auth"],- OAuth2 client registration
- OAuth2 client info
- OAuth2 client deregistration
- OAuth2 client secret reset
- Plugin registration
- Plugin list (Marketplace)
- Plugin installation
- Plugin uninstallation
- Installed plugin list
- User group creation
- User group deletion
- User group list
- Member invitation
- Member deletion
- Approval of member invitation
- Rejection of member invitation
- Member role management
- Virtual corpus creation and update
- Virtual corpus deletion
- Virtual corpus list
- Virtual corpus retrieval
- Virtual corpus statistics
- Virtual corpus statistics with KoralQuery