Product Documentation

Database Administrator's Guide

LDAP

In V11 and later, FairCom has implemented LDAP support within the FairCom DB Server technology. Initial development and testing was completed against the OpenLDAP implementation.

FairCom DB Server authenticates the supplied username and password (from InitISAMXtd) against the LDAP server itself. By default, FairCom DB does not query the server for any other information; the result is simply pass/fail. Note: If the LDAP server becomes unavailable for any reason, users cannot be authenticated.

The one exception is when the LDAP_ISAM_ALLOWED_GROUP or LDAP_SQL_ALLOWED_GROUP options are specified. In those cases, FairCom DB additionally authenticates to LDAP with the specific LDAP account given by the LDAP_APPLICATION_ID option (using the password stored in the key store named by LDAP_KEY_STORE) and queries and validates group membership for that user. If the user is not a member of the allowed group, the connection is denied. The optional LDAP_GROUP_CHECK can be used to return group membership and update it in FAIRCOM.FCS.

Once a user is authenticated and all group checks are complete, FairCom DB discards all authentication information and disconnects from the LDAP server; there is no further interaction.

Example

FairCom Server provides a set of keywords for configuring the LDAP subsystem:

SUBSYSTEM USER_AUTH LDAP
{
    LDAP_SERVER localhost
    LDAP_TIMEOUT 10
    LDAP_PREFIX cn=
    LDAP_BASE ou=people,dc=faircom,dc=com
    LDAP_APPLICATION_ID cn=ctreesql,ou=applications,dc=faircom,dc=com
    LDAP_ISAM_ALLOWED_GROUP cn=ctreeisamusers,ou=groups,dc=faircom,dc=com
    LDAP_SQL_ALLOWED_GROUP cn=ctreesqlusers,ou=groups,dc=faircom,dc=com
    LDAP_GROUP_CHECK {attr:member} {base:ou=groups,dc=faircom,dc=com} {filter:(objectclass=groupOfNames)}
    LDAP_PORT 389
    LDAP_SSL NO
    LDAP_KEY_STORE ldap.fkf
}
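The block above is the only place these keywords may appear, and the group keywords pull in LDAP_APPLICATION_ID and LDAP_KEY_STORE as dependencies. The following is an added example (not FairCom's own code) of a small Python checker that parses such a block, splits the LDAP_GROUP_CHECK directive into its {attr} {base} {filter} parts, and flags two things a reviewer looks for: LDAP_SSL NO against a non-local LDAP_SERVER (the AES-GCM protection described under Security covers the client-to-FairCom leg, not the FairCom-to-directory leg), and ALLOWED_GROUP keywords without the application bind settings. The sample block and the hostname ldap.example.internal are constructed for this example.

```python
import re

# Constructed sample (not FairCom's own): this page's block with LDAP_SERVER
# pointed at a remote host, so the cleartext LDAP_SSL NO finding fires.
SAMPLE_CONFIG = """\
SUBSYSTEM USER_AUTH LDAP
{
    LDAP_SERVER ldap.example.internal
    LDAP_APPLICATION_ID cn=ctreesql,ou=applications,dc=faircom,dc=com
    LDAP_ISAM_ALLOWED_GROUP cn=ctreeisamusers,ou=groups,dc=faircom,dc=com
    LDAP_SQL_ALLOWED_GROUP cn=ctreesqlusers,ou=groups,dc=faircom,dc=com
    LDAP_GROUP_CHECK {attr:member} {base:ou=groups,dc=faircom,dc=com} {filter:(objectclass=groupOfNames)}
    LDAP_SSL NO
    LDAP_KEY_STORE ldap.fkf
}
"""

def parse_ldap_block(text):
    """Keyword -> value for the SUBSYSTEM USER_AUTH LDAP block; non-LDAP keywords are rejected."""
    lines = iter(text.splitlines())
    if not any(l.split() == ["SUBSYSTEM", "USER_AUTH", "LDAP"] for l in lines):
        raise ValueError("no SUBSYSTEM USER_AUTH LDAP block")
    settings = {}
    for line in (l.strip() for l in lines):
        if line == "}":
            return settings
        if line and line != "{":
            key, _, value = line.partition(" ")
            if not key.startswith("LDAP_"):
                raise ValueError(f"non-LDAP keyword in LDAP block: {key}")
            settings[key] = value.strip()
    raise ValueError("unterminated LDAP block")

def parse_group_check(value):
    """Split '{attr:member} {base:...} {filter:(...)}' into its named parts."""
    return dict(re.findall(r"\{(\w+):([^}]*)\}", value))

def audit(settings):
    """Findings a reviewer would raise about a parsed LDAP block."""
    findings = []
    if (settings.get("LDAP_SSL", "").upper() == "NO"
            and settings.get("LDAP_SERVER") not in ("localhost", "127.0.0.1", "::1")):
        findings.append("LDAP_SSL NO with a remote LDAP_SERVER: the user and application "
                        "binds to the directory are not TLS-protected on the wire")
    if any(k.endswith("_ALLOWED_GROUP") for k in settings):
        for req in ("LDAP_APPLICATION_ID", "LDAP_KEY_STORE"):
            if req not in settings:
                findings.append(f"{req} is required for ALLOWED_GROUP checks")
    return findings
```

Run it against your own ctsrvr.cfg text in place of SAMPLE_CONFIG; a block that passes with no findings still needs the key store file itself protected on disk.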

Security

LDAP client authentication requires passing an actual client LDAP password to the FairCom DB server. This requires additional encryption to protect the password in transit. Unique public/private key pairs are generated at runtime and are only used for this one particular connection request.

The encryption algorithm that the client library uses to securely pass the user password to the server during LDAP authentication was updated in V13 to AES-GCM with a random initialization vector (IV).

If a client library that uses AES-GCM for LDAP authentication connects to a server that does not support it, the connection attempt now fails with error code 1179, CLIENT_LOGON_REQUIRES_AES_GCM at the ISAM level, or error -18179 at the SQL level.

If a client library that does not use AES-GCM for LDAP authentication connects to a server that uses AES-GCM authentication at the ISAM level, the connection attempt now fails with error code 941 or 1180 (SERVER_LOGON_REQUIRES_AES_GCM), or error code -17941 or -18180 at the SQL level.

Limitations

  • The ADO.NET driver uses AES-CBC with a random iv, since AES-GCM is not supported by the .NET Framework (only .NET Core supports AES-GCM).
  • While the JDBC driver can be compiled with Java 1.7 for backward compatibility, it requires Java 1.8 or later in order to use AES-GCM.

LDAP Keywords

The LDAP SUBSYSTEM keywords are included in c-tree Server's configuration file only when mtmake enables the new LDAP support.

Only LDAP keywords may be specified inside the SUBSYSTEM USER_AUTH LDAP block of the configuration file. Logic prevents non-LDAP keywords from being specified in this block.

The following keywords can be used in the SUBSYSTEM USER_AUTH LDAP block:

General LDAP configuration

  • LDAP_SERVER
  • LDAP_PORT
  • LDAP_TIMEOUT
  • LDAP_SSL

Site-specific directives

  • LDAP_PREFIX
  • LDAP_BASE

Required for group management checks

  • LDAP_APPLICATION_ID
  • LDAP_KEY_STORE
  • LDAP_ISAM_ALLOWED_GROUP
  • LDAP_SQL_ALLOWED_GROUP
  • LDAP_GROUP_CHECK

In This Section

  • ADMIN_USER_GROUP
  • GUEST_USER_GROUP
  • LDAP_APPLICATION_ID
  • LDAP_BASE
  • LDAP_GROUP_CHECK
  • LDAP_ISAM_ALLOWED_GROUP & LDAP_SQL_ALLOWED_GROUP
  • LDAP_KEY_STORE
  • LDAP_LOCAL_PREFIX
  • LDAP_MODULE
  • LDAP_PORT
  • LDAP_PREFIX
  • LDAP_SERVER
  • LDAP_SSL
  • LDAP_TIMEOUT
  • LOGIN_ALLOWED_GROUP