ldap_adaptor — LDAP connector for authentication
ldap_adaptor is a service plugin for Gromox that facilitates the use of an LDAP server for authentication purposes. Since the authoritative user database is in MySQL, LDAP is only used to perform authentication (Bind operations) and the metadata searches that lead up to such Binds, i.e. looking up the LDAP object that has a particular "mail" attribute.
Gromox versions 1.33 and onwards have support for per-organization LDAP credentials. The SQL database for Gromox users (and domains and organizations) has room to store properties on the individual organization objects. Use Grommunio AAPI/AWEB to create and/or change organizations and their properties. These properties from SQL can selectively override the six config directives ldap_host, ldap_start_tls, ldap_bind_user, ldap_bind_pass, ldap_search_base and ldap_mail_attr.
The configuration file, /etc/gromox/ldap_adaptor.cfg, serves not only the ldap_adaptor plugin, but is also read by the Grommunio Admin API.
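The two mechanisms described above, the per-organization override of the six directives and the "which object has this mail attribute" search that precedes a Bind, can be illustrated with a small Python sketch. This is an added example and not Gromox's own code: the cfg reader is a simplified key=value parser, the org_props dict stands in for whatever shape the Admin API stores organization properties in (an assumption), and the sample config is constructed. The filter builder escapes the address per RFC 4515 so that a user-supplied e-mail address cannot alter the filter structure.

```python
"""Added example (not Gromox code): read an ldap_adaptor.cfg-style file, apply
per-organization overrides for the six overridable directives, and build an
RFC 4515-escaped search filter for the mail lookup that precedes a Bind."""
import re

# The six directives that per-organization properties may override (from the manpage).
ORG_OVERRIDABLE = ("ldap_host", "ldap_start_tls", "ldap_bind_user",
                   "ldap_bind_pass", "ldap_search_base", "ldap_mail_attr")

# Constructed sample configuration, not a real deployment.
SAMPLE_CFG = """\
# constructed sample
ldap_host=ldaps://ldap.example.com
ldap_bind_user=cn=gromox,dc=example,dc=com
ldap_bind_pass=secret
ldap_search_base=dc=example,dc=com
ldap_mail_attr=mail
data_connections=4
"""


def parse_cfg(text):
    """key=value lines, '#' comments; a repeated key accumulates into a list.
    Simplified reader written for this example, not Gromox's own parser."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        # Split on the first '=' only: DN values such as cn=x,dc=y contain '='.
        key, _, value = line.partition("=")
        cfg.setdefault(key.strip(), []).append(value.strip())
    return cfg


def effective_settings(cfg, org_props=None):
    """Single-valued view of the settings, with organization properties taking
    precedence over the config file for the six overridable directives.
    org_props is a plain dict (assumed shape); empty/None values mean 'not set'."""
    eff = {k: v[-1] for k, v in cfg.items()}
    for k in ORG_OVERRIDABLE:
        if org_props and org_props.get(k) not in (None, ""):
            eff[k] = str(org_props[k])
    return eff


def escape_filter_value(value):
    """RFC 4515 escaping: '*', '(', ')', '\\' and NUL become \\XX hex escapes."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_mail_filter(mail_attr, address):
    """Filter for the metadata search that locates the object to Bind as.
    The attribute name comes from config; the address is untrusted input."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", mail_attr):
        raise ValueError("invalid attribute name: %r" % mail_attr)
    return "(%s=%s)" % (mail_attr, escape_filter_value(address))


if __name__ == "__main__":
    cfg = parse_cfg(SAMPLE_CFG)
    eff = effective_settings(cfg, {"ldap_host": "ldaps://org.example.net"})
    print(eff["ldap_host"], build_mail_filter(eff["ldap_mail_attr"], "alice@example.com"))
```

An organization that sets only ldap_host keeps the file's bind credentials and search base, which is the selective override the text describes; an address such as `*)(objectClass=*` is rendered harmless by the escaping.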
Configuration directives used by ldap_adaptor:

auth_connections
The maximum size of the connection pool for authentication requests. This parameter has a fixed value (the same as data_connections) and is currently not settable. (Authentication operations incur an implicit logout of whatever identity was used before, which could add latency if authentication operations and metadata lookups were done on the same connection; this is why ldap_adaptor keeps two separate connection pools.)
Default: (same as data_connections)

data_connections
The number of LDAP connections that will be kept active to the LDAP server for the purpose of metadata searches.
Default: 4
ldap_edirectory_workarounds
Attempt to deal with wire protocol violations brought about by Novell/NetIQ eDirectory server implementations.
Default: false

ldap_bind_user
An LDAP binddn to use for metadata searches. Only Simple Authentication can be used at this time. If an organization object defines LDAP credentials of its own, those will be used in preference to ldap_bind_user.
Default: (unset)

ldap_bind_pass
Password for Simple Authentication of ldap_bind_user.
Default: (unset)
ldap_host
Whitespace-separated set of LDAP URIs in the form ldap[si]://[name[:port]] for the default LDAP tree. The openldap2 ldap.conf(5) manpage does not specify trailing slashes or DN bases like RFC 2255 does, and because of this, you should not use them. openldap2 utilities accept and ignore such parts of the URI, while other implementations like python-ldap3 fail to connect. Per-organization LDAP credentials override ldap_host as necessary.
Default: (libldap default, see ldap.conf(5))

ldap_mail_attr
The name of the LDAP attribute which holds the primary e-mail address of the user. Pick mail (OpenLDAP as well as Active Directory schemas).
Default: (empty)

ldap_search_base
Default: (libldap default)
ldap_start_tls
Use the STARTTLS mechanism on LDAP connections. Prefer Explicit TLS (ldaps:// in the URI field) over ldap:// with STARTTLS; see Internet blog posts "STARTTLS considered harmful" for details.
Default: off

Take note that libldap may reject self-signed certificates from the LDAP server. This may be worked around with the "TLS_REQCERT allow" directive in ldap.conf. See the ldap.conf(5) manpage for details. However, by its description, TLS_REQCERT allow also makes encryption optional, which means becoming the victim of a downgrade attack is a possibility.
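A configuration check for the two pitfalls just described, ldap_host URIs carrying a trailing slash or DN base, and a relaxed TLS_REQCERT in ldap.conf, written as an added example in Python (not part of Gromox or libldap). The URI parsing uses the standard library only; the ldap.conf reader is a minimal line scanner for this one directive, and the sample inputs are constructed. The TLS_REQCERT values it knows (never, allow, try, demand/hard) are those documented in ldap.conf(5).

```python
"""Added example (not Gromox code): flag ldap_host URIs and ldap.conf TLS settings
that the ldap_adaptor manpage warns about."""
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"ldap", "ldaps", "ldapi"}

# TLS_REQCERT levels from ldap.conf(5); only demand/hard enforce a valid peer cert.
TLS_REQCERT_STRICT = {"demand", "hard"}


def check_ldap_host(value):
    """Return [(uri, [problems...]), ...] for a whitespace-separated ldap_host value."""
    results = []
    for uri in value.split():
        problems = []
        parts = urlsplit(uri)
        if parts.scheme not in ALLOWED_SCHEMES:
            problems.append("scheme must be ldap, ldaps or ldapi")
        elif parts.scheme == "ldap":
            problems.append("cleartext ldap://; prefer ldaps:// over STARTTLS")
        # ldapi:// URIs carry an encoded socket path in the authority part, so the
        # path/DN check only applies to ldap:// and ldaps://.
        if parts.scheme in ("ldap", "ldaps") and (parts.path or parts.query):
            problems.append("trailing slash or DN base present; drop it (see ldap.conf(5))")
        try:
            parts.port  # raises ValueError when the port is out of range
        except ValueError:
            problems.append("port out of range")
        results.append((uri, problems))
    return results


def check_ldap_conf(text):
    """Return warnings for TLS_REQCERT settings that make encryption or peer
    verification optional. Minimal scanner written for this example."""
    warnings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split(None, 1)
        if len(tokens) == 2 and tokens[0].upper() == "TLS_REQCERT":
            level = tokens[1].strip().lower()
            if level not in TLS_REQCERT_STRICT:
                warnings.append("TLS_REQCERT %s: server certificate not enforced, "
                                "downgrade to an unverified or cleartext session is possible" % level)
    return warnings


# Constructed samples for demonstration.
SAMPLE_HOSTS = "ldaps://ldap.example.com:636 ldap://alt.example.com/dc=example,dc=com"
SAMPLE_LDAP_CONF = "# constructed ldap.conf fragment\nTLS_REQCERT allow\nURI ldaps://ldap.example.com\n"

if __name__ == "__main__":
    for uri, problems in check_ldap_host(SAMPLE_HOSTS):
        print(uri, problems or "ok")
    for w in check_ldap_conf(SAMPLE_LDAP_CONF):
        print(w)
```

Running the check in a deployment script before restarting the services catches the python-ldap3 connection failure the text mentions, which otherwise only shows up on the Admin API side while Gromox itself keeps working.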
Configuration directives used by the Grommunio Admin API:

ldap_host
ldap_bind_user
ldap_bind_pass
ldap_search_base
ldap_start_tls
ldap_mail_attr
(These six as above)
ldap_disabled
If true, the Grommunio Admin API will not make use of LDAP (which generally just means synchronization). This directive has no effect on Gromox; users which have been synchronized previously and which exist in MySQL keep their validity as far as Gromox is concerned.
ldap_object_id
The name of the LDAP attribute which holds a unique, unchanging object identifier for synchronization purposes. Pick entryUUID for OpenLDAP, objectGUID for Active Directory.
Default: (empty)

ldap_user_filter
An LDAP search filter that specifies which users should be synchronized. Recommendations are (objectClass=posixAccount) for OpenLDAP/RFC2307bis, (objectClass=user) for Active Directory.
Default: (empty)

ldap_user_displayname
The name of the LDAP attribute which holds the value for PR_DISPLAY_NAME. Pick displayName (OpenLDAP as well as Active Directory schemas).
Default: (empty)
ldap_user_search_attrs
The name(s) of LDAP attributes which the Admin API will compare when using AAPI's search function. To specify multiple attributes, repeat this directive and specify one attribute per line, i.e. put ldap_user_search_attrs=mail and ldap_user_search_attrs=cn, etc. in the config file.
Default: (empty set)

ldap_user_template
The name(s) of Admin API templates to use. Multi-value directive like ldap_user_search_attrs. Pick ldap_user_template=common and ldap_user_template=OpenLDAP for OpenLDAP, or ldap_user_template=common and ldap_user_template=ActiveDirectory for Active Directory.
Default: (empty set)

ldap_user_aliases
The name of the LDAP attribute which contains secondary e-mail addresses. Pick mailAlternativeAddress (OpenLDAP) or proxyAddresses (Active Directory). The smtp: prefix in proxyAddresses is automatically trimmed when read.
Default: (empty)
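How the synchronization directives above map one LDAP entry onto a user record, as an added example in Python; this is not the Grommunio Admin API's own code. The entry is constructed in the attribute-name-to-list-of-values shape that LDAP client libraries commonly return (the objectGUID value is shown as a string for readability; in Active Directory it is binary). The config dict mirrors parsed directives, with the multi-value ldap_user_search_attrs given as a list. Two choices are this example's own and not stated on the page: the smtp: prefix is matched case-insensitively (Active Directory spells the primary address SMTP:), and proxyAddresses entries with other prefixes such as x500: are skipped rather than imported as aliases.

```python
"""Added example (not Admin API code): apply the ldap_user_* directives to one
LDAP entry and evaluate an AAPI-style search over the configured attributes."""

# Constructed directive values for an Active Directory setup, as the manpage recommends.
AD_SYNC_CFG = {
    "ldap_object_id": "objectGUID",
    "ldap_mail_attr": "mail",
    "ldap_user_displayname": "displayName",
    "ldap_user_aliases": "proxyAddresses",
    "ldap_user_search_attrs": ["mail", "cn"],   # multi-value directive
}

# Constructed LDAP entry; attribute name -> list of values.
SAMPLE_AD_ENTRY = {
    "objectGUID": ["00000000-0000-4000-8000-000000000001"],  # placeholder, not a real GUID
    "mail": ["alice@example.com"],
    "displayName": ["Alice Example"],
    "cn": ["Alice Example"],
    "proxyAddresses": ["SMTP:alice@example.com",
                       "smtp:a.example@example.com",
                       "x500:/o=Old/ou=Ex/cn=Alice"],
}


def _first(entry, attr):
    """First value of a multi-valued attribute, or None when absent."""
    vals = entry.get(attr, [])
    return vals[0] if vals else None


def normalize_alias(value, alias_attr):
    """For proxyAddresses, strip the smtp: prefix (case-insensitive here, an
    example choice) and drop non-SMTP entries by returning None. Other alias
    attributes such as mailAlternativeAddress are returned unchanged."""
    if alias_attr.lower() != "proxyaddresses":
        return value
    prefix, sep, rest = value.partition(":")
    if not sep:
        return value
    return rest if prefix.lower() == "smtp" else None


def map_ldap_entry(cfg, entry):
    """Build the synchronized user record: object id, primary mail as username,
    display name (falls back to mail), and de-duplicated aliases."""
    oid = _first(entry, cfg["ldap_object_id"])
    mail = _first(entry, cfg["ldap_mail_attr"])
    if oid is None or mail is None:
        raise ValueError("entry lacks object id or primary mail; cannot synchronize")
    aliases = []
    for value in entry.get(cfg["ldap_user_aliases"], []):
        alias = normalize_alias(value, cfg["ldap_user_aliases"])
        if alias and alias.lower() != mail.lower() and alias not in aliases:
            aliases.append(alias)
    return {
        "object_id": oid,
        "username": mail,
        "display_name": _first(entry, cfg["ldap_user_displayname"]) or mail,
        "aliases": aliases,
    }


def matches_search(cfg, entry, term):
    """AAPI-style search: case-insensitive substring match over each attribute
    listed in ldap_user_search_attrs."""
    needle = term.lower()
    return any(needle in str(v).lower()
               for attr in cfg["ldap_user_search_attrs"]
               for v in entry.get(attr, []))


if __name__ == "__main__":
    print(map_ldap_entry(AD_SYNC_CFG, SAMPLE_AD_ENTRY))
    print(matches_search(AD_SYNC_CFG, SAMPLE_AD_ENTRY, "alice"))
```

Keying the record on ldap_object_id rather than on the mail address is what keeps a renamed mailbox attached to the same Gromox user across synchronization runs, which is why the manpage asks for an unchanging identifier.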
See also: gromox(7), authmgr(4gx)