How to Set up LDAP Authentication
To configure LDAP authentication for Oxygen Feedback Enterprise:
- Enable LDAP authentication support by editing the
  $OXYGEN_FEEDBACK_INSTALL_DIR/oxygen-feedback-home/config/feedback-ldap.properties
  file and setting the feedback.ldap.enabled property to true.
- Configure the URL of your LDAP server by setting the feedback.ldap.serverUrl property. For example:
  feedback.ldap.serverUrl=ldap://ldap.example.com:33389/dc=myco,dc=org
  The path part of the URL is the base DN under which users are searched. LDAPS URLs (ldaps://) may also be used; because simple binding sends the bind password in clear text, use ldaps:// whenever the server supports it.
- Specify the pattern of the search filter used to identify a user entry on the LDAP server by setting the feedback.ldap.userSearchFilter property. For example:
  (|(mail={0})(uid={0}))
  The substituted parameter {0} is the user's login name. This example pattern allows users to authenticate with either their username or their email address.
- Specify the name of the email attribute of the LDAP user entry by setting the feedback.ldap.emailAttribute property (defaults to mail).
  Important: For authentication to work, every LDAP user entry must have an associated email address.
- Specify whether new account registration is allowed by setting the feedback.ldap.userRegistrationEnabled property. For example, to disable new account registration (hides the Sign Up form on the login page):
  feedback.ldap.userRegistrationEnabled=false
  Note: The feedback.ldap.userRegistrationEnabled property does not disable authentication with a local (DB) account. It only hides the Sign Up form, thus preventing the creation of new local user accounts.
Example of the Configuration Properties File
###########################################################################
# Stores the configuration properties for the LDAP authentication support #
###########################################################################
# Flag used to enable the LDAP authentication support.
feedback.ldap.enabled=true
# Flag used to enable users to register with a Feedback local (non-ldap) account.
feedback.ldap.userRegistrationEnabled=true
# Specifies the LDAP server URL of the form ldap://localhost:389/base_dn
# LDAPS URLs may be used
# For example: "ldap://ldap.example.com:33389/dc=myco,dc=org".
feedback.ldap.serverUrl=ldap://ldap.example.com:33389/dc=myco,dc=org
# The LDAP filter used to search for users.
# For example "(uid={0})". The substituted parameter is the user's login name.
feedback.ldap.userSearchFilter=(|(mail={0})(uid={0}))
# Context name to search for users in, relative to the Base DN specified in the server URL
# May be empty -> the search will be performed against the Base DN
# For example: "cn=users"
# => Considering "ldap://ldap.example.com:33389/dc=myco,dc=org" as server URL, then the users will be searched under "cn=users,dc=myco,dc=org"
feedback.ldap.userSearchBase=cn=users
# The name of the email attribute of the user entity.
# Defaults to 'mail'
feedback.ldap.emailAttribute=mail
# The name of the attribute containing the user's full (display) name.
# Defaults to 'cn'
feedback.ldap.nameAttribute=cn
# Credentials of the user that has privileges to search the directory. Simple binding is used.
# If not provided, anonymous bind is used.
feedback.ldap.admin.dn=cn=admin,cn=users,dc=myco,dc=org
# Must be non-empty if 'feedback.ldap.admin.dn' is provided.
# The password is stored in clear text, so restrict read access to this file.
feedback.ldap.admin.password=myPassword
How to Handle LDAP Servers That Do Not Support Anonymous Binding
If your LDAP server does not support anonymous binding (i.e. it requires authentication), you can specify the DN (distinguished name) and password of a user that has privileges for searching the LDAP user directory by setting both of the following configuration properties in the $OXYGEN_FEEDBACK_HOME_DIR/config/feedback-ldap.properties file:
- feedback.ldap.admin.dn - Specifies the distinguished name of the user with LDAP search privileges. Use a dedicated account with read-only access to the user subtree rather than a directory administrator.
- feedback.ldap.admin.password - Specifies the password of that user. It must be non-empty when feedback.ldap.admin.dn is set.
Note: If these properties are missing or left blank, anonymous binding is used.
The following optional properties can also be set in the $OXYGEN_FEEDBACK_HOME_DIR/config/feedback-ldap.properties file:
- feedback.ldap.userSearchBase - Specifies the context name to be used when searching for users, relative to the base DN specified in the server URL. If this property is left empty, the search is performed against the base DN.
- feedback.ldap.nameAttribute - Specifies the name of the attribute that contains the full display name of the user. If omitted, the value defaults to cn.
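The following script is an added example and is not part of Oxygen Feedback; it ties together the setup steps above and the admin.dn/userSearchBase properties in this section. It reads a constructed feedback-ldap.properties text mirroring the example file on this page, derives the effective search base from the server URL and feedback.ldap.userSearchBase, substitutes a login name into feedback.ldap.userSearchFilter, and reports configuration problems (ldap:// instead of ldaps://, a missing {0} placeholder, admin.dn without a password). The login name is escaped per RFC 4515 to show what a safe substitution looks like; whether Oxygen Feedback escapes the login internally is not stated on this page, so the script simulates the substitution instead of calling the product.

```python
"""Added example (not part of Oxygen Feedback): sanity-check a
feedback-ldap.properties file and show how its values combine into the
effective search base and the user search filter.

Assumptions: the file uses the key=value form shown on this page and the
login name is substituted for the {0} placeholder. The RFC 4515 escaping
below is what a safe substitution must do; this script does not contact
an LDAP server or the product.
"""
from urllib.parse import unquote, urlsplit


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader for the key=value lines used here."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    '*', '(', ')', '\\', NUL and any non-printable or non-ASCII character
    become \\XX hex escapes of their UTF-8 bytes, so a login such as
    '*)(uid=*' cannot change the structure of the filter.
    """
    out = []
    for ch in value:
        if ch in "*()\\" or not (0x20 <= ord(ch) <= 0x7E):
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(pattern: str, login: str) -> str:
    """Substitute the escaped login name for every {0} in userSearchFilter."""
    return pattern.replace("{0}", escape_filter_value(login))


def effective_search_base(server_url: str, user_search_base: str) -> str:
    """Combine the base DN from the server URL path with the relative search base."""
    base_dn = unquote(urlsplit(server_url).path.lstrip("/"))
    user_search_base = user_search_base.strip()
    if user_search_base and base_dn:
        return f"{user_search_base},{base_dn}"
    return user_search_base or base_dn


def audit(props: dict) -> list:
    """Return human-readable findings about the configuration."""
    findings = []
    if props.get("feedback.ldap.enabled", "").lower() != "true":
        findings.append("feedback.ldap.enabled is not true: LDAP authentication is off")
    scheme = urlsplit(props.get("feedback.ldap.serverUrl", "")).scheme.lower()
    if scheme == "ldap":
        findings.append("serverUrl uses ldap://: simple bind sends passwords in clear text, prefer ldaps://")
    elif scheme != "ldaps":
        findings.append("serverUrl must start with ldap:// or ldaps://")
    if "{0}" not in props.get("feedback.ldap.userSearchFilter", ""):
        findings.append("userSearchFilter has no {0} placeholder: the login name is never used")
    admin_dn = props.get("feedback.ldap.admin.dn", "")
    admin_pw = props.get("feedback.ldap.admin.password", "")
    if admin_dn and not admin_pw:
        findings.append("admin.dn is set but admin.password is empty: it must be non-empty")
    if not admin_dn:
        findings.append("no admin.dn: the user search will use an anonymous bind")
    return findings


# Constructed sample mirroring the example file on this page (not a real deployment).
SAMPLE_PROPERTIES = """\
feedback.ldap.enabled=true
feedback.ldap.userRegistrationEnabled=false
feedback.ldap.serverUrl=ldap://ldap.example.com:33389/dc=myco,dc=org
feedback.ldap.userSearchFilter=(|(mail={0})(uid={0}))
feedback.ldap.userSearchBase=cn=users
feedback.ldap.emailAttribute=mail
feedback.ldap.nameAttribute=cn
feedback.ldap.admin.dn=cn=admin,cn=users,dc=myco,dc=org
feedback.ldap.admin.password=
"""

if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print("search base:", effective_search_base(props["feedback.ldap.serverUrl"],
                                                props.get("feedback.ldap.userSearchBase", "")))
    for login in ("alice", "alice@myco.org", "*)(uid=*"):
        print("filter for %r: %s" % (login, build_user_filter(props["feedback.ldap.userSearchFilter"], login)))
    for finding in audit(props):
        print("finding:", finding)
```

Run it against a copy of your own feedback-ldap.properties to see the exact DN that will be searched and the filter a given login produces; the third sample login shows that a filter-syntax login ends up as \2a\29\28uid=\2a rather than as extra filter terms.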