Database Administrator's Guide

LDAP

In V11 and later, FairCom has implemented LDAP support within the FairCom DB Server technology. Initial development and testing was completed against the OpenLDAP implementation.

FairCom DB Server authenticates the supplied username and password (from InitISAMXtd) against the LDAP server itself. By default, FairCom DB does not ask the server for any other information; the result is simply pass or fail. Note: If the LDAP server becomes unavailable for any reason, no user can be authenticated.

The one exception is when LDAP_ALLOWED_GROUP options are specified. In that case FairCom DB additionally binds to LDAP with the specific LDAP account given by the LDAP_APPLICATION_ID option (with the password supplied through LDAP_KEY_STORE) and queries and validates group membership for that user. If the user is not a member of the allowed group, the connection is denied. The optional LDAP_GROUP_CHECK can be used to return and update group membership in FAIRCOM.FCS.

Once a user is authenticated and all group checks are complete, FairCom DB discards all authentication information and disconnects from the LDAP server and there is no further interaction.

Example

FairCom Server provides a set of keywords for configuring the LDAP subsystem:

    SUBSYSTEM USER_AUTH LDAP
    {
        LDAP_SERVER localhost
        LDAP_TIMEOUT 10
        LDAP_PREFIX cn=
        LDAP_BASE ou=people,dc=faircom,dc=com
        LDAP_APPLICATION_ID cn=ctreesql,ou=applications,dc=faircom,dc=com
        LDAP_ISAM_ALLOWED_GROUP cn=ctreeisamusers,ou=groups,dc=faircom,dc=com
        LDAP_SQL_ALLOWED_GROUP cn=ctreesqlusers,ou=groups,dc=faircom,dc=com
        LDAP_GROUP_CHECK {attr:member} {base:ou=groups,dc=faircom,dc=com} {filter:(objectclass=groupOfNames)}
        LDAP_PORT 389
        LDAP_SSL NO
        LDAP_KEY_STORE ldap.fkf
    }
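To make the two pieces above concrete, the authentication flow described earlier and the keyword block just shown, here is an added Python model that is not FairCom code. It parses a SUBSYSTEM USER_AUTH LDAP block (rejecting non-LDAP keywords, as the server does), splits the LDAP_GROUP_CHECK directive into its attr/base/filter parts, and runs the documented decision sequence against a constructed in-memory directory: user bind, then, only when an allowed-group keyword is present, an application bind and a group-membership search, then discarding all LDAP state. The way the user DN is built from LDAP_PREFIX, the username and LDAP_BASE, the FakeLdapServer class, the app_password parameter (standing in for the secret held in LDAP_KEY_STORE) and all directory entries and passwords are assumptions of this example.

```python
import re

# Constructed sample: the documentation's block, one keyword per line.
SAMPLE_CONFIG = """
SUBSYSTEM USER_AUTH LDAP
{
LDAP_SERVER localhost
LDAP_TIMEOUT 10
LDAP_PREFIX cn=
LDAP_BASE ou=people,dc=faircom,dc=com
LDAP_APPLICATION_ID cn=ctreesql,ou=applications,dc=faircom,dc=com
LDAP_ISAM_ALLOWED_GROUP cn=ctreeisamusers,ou=groups,dc=faircom,dc=com
LDAP_SQL_ALLOWED_GROUP cn=ctreesqlusers,ou=groups,dc=faircom,dc=com
LDAP_GROUP_CHECK {attr:member} {base:ou=groups,dc=faircom,dc=com} {filter:(objectclass=groupOfNames)}
LDAP_PORT 389
LDAP_SSL NO
LDAP_KEY_STORE ldap.fkf
}
"""


def parse_ldap_block(text):
    """Collect keyword/value pairs from the SUBSYSTEM USER_AUTH LDAP block.

    Mirrors the documented rule that only LDAP_* keywords may appear inside it.
    """
    cfg, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith("SUBSYSTEM USER_AUTH LDAP"):
            continue
        if line in ("{", "}"):
            inside = line == "{"
            continue
        if not inside:
            continue
        keyword, _, value = line.partition(" ")
        keyword = keyword.upper()
        if not keyword.startswith("LDAP_"):
            raise ValueError(f"{keyword} is not allowed inside SUBSYSTEM USER_AUTH LDAP")
        cfg[keyword] = value.strip()
    return cfg


def parse_group_check(value):
    """Split '{attr:member} {base:...} {filter:(...)}' into a dict."""
    return dict(re.findall(r"\{(\w+):([^}]*)\}", value))


# Constructed in-memory directory standing in for the OpenLDAP server.
ALICE = "cn=alice,ou=people,dc=faircom,dc=com"
BOB = "cn=bob,ou=people,dc=faircom,dc=com"
DIRECTORY = {
    ALICE: {"userPassword": "alice-pw"},
    BOB: {"userPassword": "bob-pw"},
    "cn=ctreesql,ou=applications,dc=faircom,dc=com": {"userPassword": "app-secret"},
    "cn=ctreeisamusers,ou=groups,dc=faircom,dc=com":
        {"objectclass": "groupOfNames", "member": [ALICE, BOB]},
    "cn=ctreesqlusers,ou=groups,dc=faircom,dc=com":
        {"objectclass": "groupOfNames", "member": [ALICE]},
}


class FakeLdapServer:
    """Hypothetical stand-in offering simple bind and an equality-filter search."""

    def __init__(self, entries, available=True):
        self.entries, self.available, self.bound_as = entries, available, None

    def bind(self, dn, password):
        entry = self.entries.get(dn)
        ok = entry is not None and entry.get("userPassword") == password
        self.bound_as = dn if ok else None
        return ok

    def search(self, base, ldap_filter):
        # Only filters of the form (attribute=value) are modelled here.
        attr, wanted = re.fullmatch(r"\((\w+)=([^)]*)\)", ldap_filter).groups()
        return {dn: e for dn, e in self.entries.items()
                if dn.endswith("," + base) and e.get(attr.lower()) == wanted}

    def unbind(self):
        self.bound_as = None


def authenticate(cfg, ldap, username, password, interface, app_password):
    """Return (allowed, reason); interface is "ISAM" or "SQL"."""
    if not ldap.available:
        return False, "LDAP server unavailable: nobody can be authenticated"
    user_dn = f"{cfg['LDAP_PREFIX']}{username},{cfg['LDAP_BASE']}"  # assumed DN layout
    try:
        if not ldap.bind(user_dn, password):
            return False, f"bind as {user_dn} failed"
        group_keyword = f"LDAP_{interface}_ALLOWED_GROUP"
        if group_keyword not in cfg:
            return True, "authenticated (no group restriction configured)"
        # Second bind with the application identity to read group membership.
        if not ldap.bind(cfg["LDAP_APPLICATION_ID"], app_password):
            return False, "application bind failed; group membership cannot be checked"
        check = parse_group_check(cfg["LDAP_GROUP_CHECK"])
        group = ldap.search(check["base"], check["filter"]).get(cfg[group_keyword], {})
        if user_dn in group.get(check["attr"], []):
            return True, f"member of {cfg[group_keyword]}"
        return False, f"not a member of {cfg[group_keyword]}"
    finally:
        ldap.unbind()  # all LDAP state is dropped once the decision is made
```

Two points stand out when the model is run. First, a user who binds successfully is still refused when the group keyword for the interface they use (ISAM or SQL) names a group they are not in, so the two allowed-group keywords can grant different populations access to the two interfaces. Second, with LDAP_SSL NO and LDAP_PORT 389 as in the sample, the simple bind sends the user's password to the directory in the clear, so that pairing belongs only on a network segment you trust; enabling LDAP_SSL is the usual mitigation.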

LDAP Keywords

The LDAP SUBSYSTEM keywords are included in c-tree Server's configuration file only when mtmake enables the new LDAP support.

Only LDAP keywords are allowed inside the SUBSYSTEM USER_AUTH LDAP block of the configuration file. Logic prevents non-LDAP keywords from being specified in this block.

The following keywords can be used in the SUBSYSTEM USER_AUTH LDAP block:

General LDAP configuration
    LDAP_SERVER
    LDAP_PORT
    LDAP_TIMEOUT
    LDAP_SSL

Site-specific directives
    LDAP_PREFIX
    LDAP_BASE

Required for group management checks
    LDAP_APPLICATION_ID
    LDAP_KEY_STORE
    LDAP_ISAM_ALLOWED_GROUP
    LDAP_SQL_ALLOWED_GROUP
    LDAP_GROUP_CHECK

In This Section
    ADMIN_USER_GROUP
    GUEST_USER_GROUP
    LDAP_APPLICATION_ID
    LDAP_BASE
    LDAP_GROUP_CHECK
    LDAP_ISAM_ALLOWED_GROUP & LDAP_SQL_ALLOWED_GROUP
    LDAP_KEY_STORE
    LDAP_LOCAL_PREFIX
    LDAP_PORT
    LDAP_PREFIX
    LDAP_SERVER
    LDAP_SSL
    LDAP_TIMEOUT
    LOGIN_ALLOWED_GROUP
