How to use LDAP login

cuba.web.ldap.enabled = true
cuba.web.ldap.urls = ldap://ip:389
cuba.web.ldap.base = o=domains,dc=artwell-hk,dc=com
cuba.web.ldap.user = cn=vmail,dc=artwell-hk,dc=com
cuba.web.ldap.password = password

Do I just add these to web-app.properties?

Do I need to do anything else?

I’ve added these, but logon fails.

Since version 6.8, use cuba.web.ldap.enabled instead of external authentication.

I updated to 6.8 and use cuba.web.ldap.enabled, but login fails.

Login failed: com.haulmont.cuba.security.global.LoginException: Unknown login name or bad password: tiger.tian@artwell-hk.com

uid=uid: tiger.tian, mail=mail: tiger.tian@artwell-hk.com

I created a test class, and this is what it returns.
So is the login name uid or mail?
Our LDAP’s password is encrypted with SSHA, but the password I input is not encrypted.

Do I need to set an account with the same name in the program (no password)?

Hi,
You should create a user with the same login in your CUBA application and set up access rights for this user, as LDAP is used only for authentication (password storing).

By default, the login is matched with the sAMAccountName of the entry (Active Directory stores the login in this property).
If you use another LDAP implementation, for instance Apache DS, where another field is the ID, you should adjust cuba.web.ldap.userLoginField.
In my test environment I use Apache Directory Studio. By default “sn” is used as ID there. So I have got the following settings:

cuba.web.ldap.enabled = true
cuba.web.ldap.urls = ldap://localhost:10389
cuba.web.ldap.base = dc=example,dc=com
cuba.web.ldap.user = cn=iskandarov,ou=system
cuba.web.ldap.userLoginField = sn

cuba.web.standardAuthenticationUsers = admin
cuba.web.ldap.password = password

How the basic platform LDAP-authentication works:

  1. login and password are input in the login form of the application
  2. platform is authenticated in LDAP using credentials defined in cuba.web.ldap.user / cuba.web.ldap.password
  3. application does LDAP-search in cuba.web.ldap.base: it searches an entry with sn = login
  4. if the entry is found, the application tries to authenticate in LDAP by the found FQN and the provided password.
  5. if successful, the user gets access to the application
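
The search-then-bind flow in the steps above, simulated against an in-memory directory (an added example, not CUBA's or any poster's code; the function names, the `cfg` dictionary and the sample entries are constructed). It shows why `userLoginField` must name an attribute the entry actually has, and why the user types the cleartext password even when the directory stores `{SSHA}` values.

```python
import base64
import hashlib
import hmac

def ssha(password, salt):
    """{SSHA} value as stored in userPassword: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def bind(directory, dn, password):
    """Simple bind: the server re-hashes the cleartext with the stored salt."""
    entry = directory.get(dn)
    # An empty password would be an unauthenticated bind (RFC 4513), so reject it.
    if entry is None or not password:
        return False
    raw = base64.b64decode(entry["userPassword"][len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

def search(directory, base, attr, value):
    """Equality search under base: DNs whose attribute equals the value."""
    return [dn for dn, entry in directory.items()
            if dn.endswith(base) and entry.get(attr) == value]

def ldap_login(directory, cfg, login, password):
    """Steps 2-5 of the flow described above."""
    if not bind(directory, cfg["user"], cfg["password"]):            # step 2
        return "service bind failed"
    hits = search(directory, cfg["base"], cfg["userLoginField"], login)  # step 3
    if len(hits) != 1:                # no entry, or an ambiguous match
        return "no unique entry"
    if not bind(directory, hits[0], password):                       # step 4
        return "bad password"
    return "ok"                                                      # step 5

# Constructed sample data, standing in for a real directory and web-app.properties.
DIRECTORY = {
    "cn=svc,dc=example,dc=com": {"userPassword": ssha("svc-secret", b"salt0001")},
    "uid=jdoe,o=domains,dc=example,dc=com": {
        "uid": "jdoe", "mail": "jdoe@example.com",
        "userPassword": ssha("s3cret", b"salt0002")},
}
CFG = {"user": "cn=svc,dc=example,dc=com", "password": "svc-secret",
       "base": "o=domains,dc=example,dc=com", "userLoginField": "sAMAccountName"}
```

With the default `sAMAccountName` the search finds nothing for this entry; switching `userLoginField` to `uid` or `mail` lets the same cleartext password succeed, while submitting the stored hash string as the password fails.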

Thank you,
I just solved the problem.
I found that the CubaAuthProvider class is obsolete in cuba-6.8,
so I went back to 6.7, set cuba.web.externalAuthentication = true and created a class that implements CubaAuthProvider.
I overrode the authenticate method and used my own method to validate the username.
Now it’s OK!

Also, my password in the LDAP server is SHA-1,
but in ldapTemplate.authenticate the input password is not SHA-1,
so that is why I could not get through the verification.

Hi,
CubaAuthProvider is obsolete in 6.8 but you can define externalAuthenticationProviderClass.

cuba.web.externalAuthentication = true
cuba.web.externalAuthenticationProviderClass = com.haulmont.cuba.web.auth.LdapAuthProvider

Hi,

I’d recommend that you take a look at the new login subsystem in version 6.8. You can easily replace the existing LdapLoginProvider (or implement a new one) instead of using the deprecated external authentication property: Web Login - CUBA Platform. Developer’s Manual
