In V11 and later, FairCom has implemented LDAP support within the FairCom DB Server technology. Initial development and testing was completed against the OpenLDAP implementation.
FairCom DB Server authenticates a supplied username / password (from InitISAMXtd) against the LDAP server itself. By default, FairCom DB doesn't query the server for any other information to be returned; the result is simply pass/fail. Note: If the LDAP server becomes unavailable for any reason, users can't be authenticated.
The one exception is when LDAP_ALLOWED_GROUP options are specified. In those cases, FairCom DB additionally authenticates to LDAP with a specific LDAP account provided by the LDAP_APPLICATION_ID option (and the password specified with LDAP_KEY_STORE) and queries and validates group membership for that user. If the user is not a member of the group, the connection is denied. The optional LDAP_GROUP_CHECK can be used to return and update group membership in FAIRCOM.FCS.
Once a user is authenticated and all group checks are complete, FairCom DB discards all authentication information and disconnects from the LDAP server and there is no further interaction.
Example
FairCom Server provides a set of keywords for configuring the LDAP subsystem:
SUBSYSTEM USER_AUTH LDAP
{
LDAP_SERVER localhost
LDAP_TIMEOUT 10
LDAP_PREFIX cn=
LDAP_BASE ou=people,dc=faircom,dc=com
LDAP_APPLICATION_ID cn=ctreesql,ou=applications,dc=faircom,dc=com
LDAP_ISAM_ALLOWED_GROUP cn=ctreeisamusers,ou=groups,dc=faircom,dc=com
LDAP_SQL_ALLOWED_GROUP cn=ctreesqlusers,ou=groups,dc=faircom,dc=com
LDAP_GROUP_CHECK
{attr:member} {base:ou=groups,dc=faircom,dc=com} {filter:(objectclass=groupOfNames)}
LDAP_PORT 389
LDAP_SSL NO
LDAP_KEY_STORE ldap.fkf
}
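The following is an added example, not FairCom's own code: a small Python parser and audit for the SUBSYSTEM USER_AUTH LDAP block shown above. It reads the brace-delimited block (including the {attr:...} {base:...} {filter:...} tuples that follow LDAP_GROUP_CHECK) and flags the configuration rules this page states: only LDAP_ keywords belong in the block, and the *_ALLOWED_GROUP checks need LDAP_APPLICATION_ID and LDAP_KEY_STORE. The LDAP_SSL NO finding is an assumption added here (a plain LDAP bind sends the password to the directory in clear text); the sample block is constructed from the page's example.

```python
import re

# Constructed sample: the SUBSYSTEM USER_AUTH LDAP block from this page, as written.
SAMPLE_CONFIG = """SUBSYSTEM USER_AUTH LDAP
{
LDAP_SERVER localhost
LDAP_TIMEOUT 10
LDAP_PREFIX cn=
LDAP_BASE ou=people,dc=faircom,dc=com
LDAP_APPLICATION_ID cn=ctreesql,ou=applications,dc=faircom,dc=com
LDAP_ISAM_ALLOWED_GROUP cn=ctreeisamusers,ou=groups,dc=faircom,dc=com
LDAP_SQL_ALLOWED_GROUP cn=ctreesqlusers,ou=groups,dc=faircom,dc=com
LDAP_GROUP_CHECK
{attr:member} {base:ou=groups,dc=faircom,dc=com} {filter:(objectclass=groupOfNames)}
LDAP_PORT 389
LDAP_SSL NO
LDAP_KEY_STORE ldap.fkf
}
"""

def parse_ldap_block(text):
    """Return {keyword: value}; LDAP_GROUP_CHECK's {name:value} tuples become a dict."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    start = lines.index("SUBSYSTEM USER_AUTH LDAP")
    if lines[start + 1] != "{":
        raise ValueError("expected '{' after SUBSYSTEM USER_AUTH LDAP")
    keywords, last = {}, None
    for line in lines[start + 2:]:
        if line == "}":
            return keywords
        if line.startswith("{"):  # tuple line continues the previous keyword
            keywords[last] = dict(re.findall(r"\{(\w+):([^}]*)\}", line))
            continue
        parts = line.split(None, 1)
        last = parts[0]
        keywords[last] = parts[1] if len(parts) > 1 else ""
    raise ValueError("unterminated SUBSYSTEM USER_AUTH LDAP block")

def audit_ldap_block(keywords):
    """Findings from the page's rules plus one assumed check on LDAP_SSL NO."""
    findings = []
    bad = [k for k in keywords if not k.startswith("LDAP_")]
    if bad:
        findings.append("non-LDAP keywords in block: " + ", ".join(bad))
    groups = [k for k in keywords if k.endswith("_ALLOWED_GROUP")]
    for needed in ("LDAP_APPLICATION_ID", "LDAP_KEY_STORE"):
        if groups and needed not in keywords:
            findings.append(f"{needed} is required for group checks ({', '.join(groups)})")
    if keywords.get("LDAP_SSL", "").upper() == "NO":  # assumption: plain LDAP bind
        findings.append("LDAP_SSL NO: bind passwords travel to the LDAP server in clear text")
    return findings
```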
Security
LDAP client authentication requires passing an actual client LDAP password to the FairCom DB server. This requires additional encryption to protect the password in transit. Unique public/private key pairs are generated at runtime and are only used for this one particular connection request.
The encryption algorithm that the client library uses to securely pass the user password to the server when using LDAP authentication was updated in V13 to use AES-GCM encryption with a random initialization vector (IV).
If a client library that uses AES-GCM for LDAP authentication connects to a server that does not support it, the connection attempt now fails with error code 1179, CLIENT_LOGON_REQUIRES_AES_GCM, at the ISAM level, or error -18179 at the SQL level.
If a client library that does not use AES-GCM for LDAP authentication connects to a server that uses AES-GCM authentication, the connection attempt now fails with error code 941 or 1180 (SERVER_LOGON_REQUIRES_AES_GCM) at the ISAM level, or error code -17941 or -18180 at the SQL level.
Limitations
LDAP Keywords
The LDAP SUBSYSTEM keywords are included in c-tree Server's configuration file only when mtmake enables the new LDAP support.
Only LDAP keywords are allowed to be specified inside the SUBSYSTEM USER_AUTH LDAP block of the configuration file. Logic prevents non-LDAP keywords from being specified in this block.
The following keywords can be used in the SUBSYSTEM USER_AUTH LDAP block:
General LDAP configuration
Site-specific directives
Required for group management checks