To use an LDAP server with Access Control, you first synchronize the user IDs in Access Control with the LDAP server, so that the users defined on the LDAP server also exist in Access Control. This is the first step in involving the LDAP server in authentication.
To enable the synchronization function, perform the following procedure first.
1 Configure the connection to the LDAP server on the server side.
In the following sample code, SecurityUserLDAPImpl is the engine that retrieves user information from the LDAP server. All the LDAP connection information is stored in the LDAPConfig class, which is sample code shipped with Access Control. The attributes of the LDAPConfig class are explained in the table below.
Attribute              Description
                       Specifies the Initial Context Factory name for LDAP
uidAttribute           Specifies the name of the attribute that stores the information used to identify users
referralsIgnore        Specifies how to process referrals
rootUser               The name of the LDAP server root user
rootPassword           The password of the LDAP server root user
ldapUrl                The URL of the LDAP server
secureConnection       Enables the secure connection or not
baseSearch             The default base search value
searchSecurityLevel    Security level to be used for LDAP connections
updateSecurityLevel    Security level for updates
urlContextPrefix       Package prefix for loading URL context factories
2 Make additional configuration on the client side.
In the following code, ISecurityUserDAO is the service connector definition used to invoke the LDAP server query function on the server side; SynchronizeUser is passed into the admin UI and contains the Access Control persistence definition and the LDAP server definition. The following diagram illustrates the synchronization process.
Now you can perform this function by clicking a button in the admin UI. The following figure illustrates how to synchronize the user information with the Synchronize User Information window.
Provide the required information in the Search Info group, such as the attribute name and attribute value. Specify the location where the search starts in the Base Search field. You can select one of the conditions >, ~=, >=, <=, and != from the condition collection.
Click Quick Search, and the LDAP entries that match the search conditions are listed in the table. The attribute value specified by the user is displayed in the uid field, and the corresponding attribute information is displayed in the Description field.
Select the user or users that you want to import into the Access Control persistence from the table, and click Synchronize to perform the synchronization with the Access Control persistence.
When Access Control uses the LDAP server as its user information source, it should also use the authentication function provided by the LDAP server.
To use the authentication function of the LDAP server, override the validateUserByPassword method of the BTTSecurityManager interface. This method also needs the connection configuration of the LDAP server, and the value of serviceConnection must be set to true.
When authenticating the user, Access Control puts the user ID into Context.SECURITY_PRINCIPAL and the password into Context.SECURITY_CREDENTIALS. Access Control then uses the LDAP connection information to connect to the LDAP server. If the user ID and password match a record, authentication succeeds; otherwise, javax.naming.AuthenticationException is thrown.
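The following block is an added example, not the product's own SecurityUserLDAPImpl, LDAPConfig or BTTSecurityManager code, and it is written with plain JNDI so that it runs outside the toolkit. It covers both parts of this page: the Quick Search and Synchronize steps of the synchronization procedure, and the validateUserByPassword authentication described just above. The connection constants mirror the LDAPConfig attributes from the table but carry constructed sample values; the in-memory Map standing in for the Access Control persistence, the helper names, and the "description" attribute are assumptions. Two choices differ from the text and are deliberate: the user-supplied search value is passed to JNDI as a filter argument rather than concatenated into the filter string, so the server receives it escaped, and the bind is made with the user's full DN (looked up first with the rootUser service account) because many directories only accept a DN, not a bare user ID, as the simple-bind principal.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Stand-in for the page's LDAPConfig plus the search/sync/authenticate steps it supports (example code). */
public class LdapUserSync {

    // Constructed sample values for the LDAPConfig attributes; replace with your own directory's settings.
    static final String INITIAL_CONTEXT_FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";
    static final String LDAP_URL = "ldap://ldap.example.com:389";          // ldapUrl
    static final String BASE_SEARCH = "ou=people,dc=example,dc=com";       // baseSearch
    static final String UID_ATTRIBUTE = "uid";                            // uidAttribute
    static final String ROOT_USER = "cn=acl-service,dc=example,dc=com";    // rootUser (service account DN)
    static final String ROOT_PASSWORD = "<service-account-password>";     // rootPassword (placeholder)
    static final boolean SECURE_CONNECTION = false;                       // secureConnection
    static final boolean REFERRALS_IGNORE = true;                         // referralsIgnore
    static final String SEARCH_SECURITY_LEVEL = "simple";                 // searchSecurityLevel
    static final String URL_CONTEXT_PREFIX = "com.sun.jndi.url";          // urlContextPrefix

    /** Builds the JNDI environment; principal and credentials decide whose bind this is. */
    static Hashtable<String, String> environment(String principal, String credentials) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, INITIAL_CONTEXT_FACTORY);
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.URL_PKG_PREFIXES, URL_CONTEXT_PREFIX);
        env.put(Context.REFERRAL, REFERRALS_IGNORE ? "ignore" : "follow");
        env.put(Context.SECURITY_AUTHENTICATION, SEARCH_SECURITY_LEVEL);
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        if (SECURE_CONNECTION) {
            env.put(Context.SECURITY_PROTOCOL, "ssl");
        }
        return env;
    }

    /** Quick Search: entries under baseSearch whose attribute equals the value, read with the service account. */
    static List<SearchResult> quickSearch(String attributeName, String attributeValue) throws NamingException {
        // The attribute name is also user input; only a plain attribute description is accepted.
        if (!attributeName.matches("[A-Za-z][A-Za-z0-9-]*")) {
            throw new IllegalArgumentException("invalid LDAP attribute name");
        }
        DirContext ctx = new InitialDirContext(environment(ROOT_USER, ROOT_PASSWORD));
        try {
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            controls.setReturningAttributes(new String[] { UID_ATTRIBUTE, "description" });
            // {0} is a filter argument: JNDI escapes special characters in attributeValue.
            String filter = "(" + attributeName + "={0})";
            List<SearchResult> matches = new ArrayList<>();
            NamingEnumeration<SearchResult> results =
                    ctx.search(BASE_SEARCH, filter, new Object[] { attributeValue }, controls);
            while (results.hasMore()) {
                matches.add(results.next());
            }
            return matches;
        } finally {
            ctx.close();
        }
    }

    /** Synchronize: copies the selected entries (uid and description) into the persistence stand-in. */
    static void synchronize(List<SearchResult> selected, Map<String, String> accessControlUsers)
            throws NamingException {
        for (SearchResult entry : selected) {
            Attribute uid = entry.getAttributes().get(UID_ATTRIBUTE);
            Attribute desc = entry.getAttributes().get("description");
            if (uid != null) {
                accessControlUsers.put((String) uid.get(), desc == null ? "" : (String) desc.get());
            }
        }
    }

    /** validateUserByPassword stand-in: resolve the user's DN, then bind as that DN with the password. */
    static boolean validateUserByPassword(String userId, String password) throws NamingException {
        // Reject empty credentials first: a simple bind with an empty password is an anonymous
        // bind on many servers and would otherwise report success for any user ID.
        if (userId == null || userId.isEmpty() || password == null || password.isEmpty()) {
            return false;
        }
        List<SearchResult> found = quickSearch(UID_ATTRIBUTE, userId);
        if (found.size() != 1) {
            return false;                       // unknown or ambiguous user: fail closed
        }
        String dn = found.get(0).getNameInNamespace();
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(environment(dn, password));
            return true;                        // the bind succeeded, so the password is valid
        } catch (AuthenticationException e) {
            return false;                       // the server rejected the credentials
        } finally {
            if (ctx != null) ctx.close();
        }
    }
}
```

The search runs under the rootUser service account and the authentication bind under the user's own DN, so the service credentials are never mixed into a user's session. The page states that a failed bind surfaces as javax.naming.AuthenticationException; here that exception is caught and turned into a false return, while other NamingException cases (server unreachable, bad configuration) still propagate so that an outage is not silently reported as a wrong password.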