LDAP | Version 3

LDAP Guide

The user authentication within Sophora may be carried out by a LDAP server.

Archived documentation for Sophora 3. End-of-support date for this version: 7/25/21

Documentation for Sophora 4

The connection to the LDAP server has to be configured at the Sophora Primary (Master) Server, whereas only reading operations are performed. Insert the following parameters to the sophora.properties of the Sophora Primary (Master) Server:

sophora.ldap.enabled=true
sophora.ldap.connection.providerUrl=ldap://localhost:10389/dc=subshell,dc=com
sophora.ldap.connection.userDn=uid=admin,ou=system
sophora.ldap.connection.password=secret
sophora.ldap.userSearch.pageSize=500

Beside normal LDAP connections secure LDAP can be used, too. For secure connections the URL starts with ldaps://..

When using secure connection the standard Java validation of SSL certificates allows a connection only to trusted servers. This validation is turned off by default. To enable the validation of SSL certificates the property sophora.ssl.disableCertificateCheck can be set to false.

The properties sophora.ldap.connection.userDn and sophora.ldap.connection.password can also be configured via the DeskClient.

You can add one property or both properties in the "Configuration" document in the administrator view. The configuration in the properties file (sophora.properties) has precedence over the configuration in the administrator view.

With the property sophora.ldap.userSearch.searchAll it is controlled if a list of all users is queried from the ldap server. By default, only users created in sophora are listed if a document search is restricted by a user. When this property is set to 'true' every 60 minutes a query retrieves a list of all users from the LDAP server.

The property sophora.ldap.userSearch.pageSize controls the block size for reading all users from the LDAP server. The configuration of the LDAP server might restrict the number of users the get at once. So in case you have a lot of users and a restricted block size configured for your LDAP server, you might need to adjust this value.

Mode of Operation

When a login is requested from either a Sophora Deskclient or any other Sophora component (e.g. the Sophora Importer), it is checked first whether the login name is an "ordinary" Sophora user. If that is the case, the given password is verified against the internal user's password. By that, it is ensured that administrators can access Sophora even if the LDAP server is (temporarily) unavailable.

If the login name is not a Sophora user or if the password did not match, the LDAP server is searched for this user. To search the LDAP server the subsequent properties are employed:

sophora.ldap.userSearch.searchBase=ou=users
sophora.ldap.userSearch.searchFilter=(uid={0})

Next, if the user has been found, the password is checked. In case of a successful authentication the roles assigned to this user are queried using the following parameters:

sophora.ldap.groupSearch.searchBase=ou=groups
sophora.ldap.groupSearch.searchFilter=(uniqueMember={0})

LDAP roles are directly mapped to roles in Sophora, i.e., only LDAP roles with the prefix "sophora" are respected. This prefix is then removed from all these roles to checked whether there is a correspondent role within Sophora. Thus, only the matching roles are associated with the user at hand.

When a user who has logged on via the LDAP server modifies documents, her username is automatically set as "last modifier" (or whatever the corresponding properties is called in your repository) at these documents. Anyway, some additional properties about a user are read from the LDAP server (see below). These are used to provide meaningful information to other users when they try to open a document that is locked by a "LDAP user". These properties are

  • Name – LDAP attribute: "cn", "displayName"
  • Email address – LDAP attribute: "mail", "email", "emailAddress"
  • Telefon number – LDAP attribute: "telephonNumber"

Caching

The sophora server caches the roles assigned in the ldap server. For every user session the sophora server reads the assigned ldap roles only once. When the assigned roles for an user are changed in the LDAP server, the user has to re-login to set the changes into effect.

Ignoring Case of User Names

If the property sophora.authenticate.user.ignoreUppercase is set to true, the Sophora Server ignores the case of user names during login. This is done by transforming the user name given e.g. to lowercase during login. Therefore, the user names of all Sophora users must be all lowercase. To enforce this, the creation of users containing uppercase characters in the user name is disallowed by the Sophora Server.

The Sophora Importer will keep the case of any user names found in Sophora XML import files. For example, if an imported document is added to a proposal section, the user name given in the <sender> element is kept as-is.

Last modified on 7/26/19

The content of this page is licensed under the CC BY 4.0 License. Code samples are licensed under the MIT License.

Icon