The LDAP/Active Directory (AD) integration allows delegation of authentication to your organization's LDAP/AD server.
To configure the LDAP/AD integration do these steps:
After you have completed the configuration, allow your users to log in using LDAP authentication
To support LDAP/AD configure the following properties. See also Abiquo Configuration Properties#ldap
Whether Abiquo should authenticate only via database or it should also authenticate against LDAP/Active Directory.
URL of LDAP/Active Directory server
Port to connect to on LDAP/Active Directory server.
Protocol to be used when authenticating to LDAP/Active Directory. Values: ldap , ldaps
Base Distinguished Name of the LDAP/Active Directory.
Use this property to tell Abiquo to perform an additional custom query against the specified schema in the LDAP/Active Directory.
The attribute in LDAP/Active Directory to look up the Enterprise Name which must be an Enterprise in Abiquo.
|abiquo.ldap.authentication.autoUserCreation||true||Whether Abiquo must create a user in Abiquo based on a successful login to LDAP|
In LDAP/AD mode, at first login, Abiquo will retrieve the following information from LDAP/AD to create the users.
From the attribute defined by the abiquo.ldap.authentication.attribute.enterprise property
|Full Name||The user's given name and surname.|
From the groups of the user that match a single Abiquo role by its External roles attributes
The Distinguished Name (DN) of the user
The contact e-mail address of the user for notifications. If this value is not present at user creation, you can enter it in Abiquo later
|Phone||The phone number of the user. The platform will not validate this field|
|Description||The description of the user|
In LDAP/AD mode:
Abiquo currently supports these username forms:
You can use any of these and even switch from one to another and this will not add extra users to the Abiquo database. Each user will only have one database entry.
Abiquo supports the following LDAP implementations:
To perform a login, and retrieve the currently logged in user the API has a LoginResource. This is a secure resource that can only be accessed after a successful login.
Abiquo DOES NOT support switching authentication modes after installation. However:
If you need to switch from Abiquo to LDAP/AD authentication, to prevent previously created Abiquo users from logging in, delete or disable their accounts
If you need to switch from LDAP/AD to another authentication type, LDAP/AD users will not be able to log in because the password field is blank.
If the automatic user creation fails, as does the login, and the platform returns a 401 (Bad Credentials) error, it may be that Abiquo cannot link the user entry in LDAP/AD to an active Enterprise in the Abiquo database. Check if there is an appropriate enterprise attribute in LDAP/AD and that there is a matching enterprise in Abiquo. There should be debugging output in the platform logs. The property that Abiquo will look up should be configured in the abiquo.properties file (abiquo.ldap.authentication.attribute.enterprise). The user's Enterprise can be modified but it will be overwritten at each new login.
Remember that the user's group may only match to one Abiquo role.
If you are using a non-standard schema, and the integration fails, check that you correctly set the abiquo.ldap.authentication.custom.userDnPattern to define the userDN pattern.
If you are have connection timeout issues, you can also set the connection timeout and read timeout in abiquo.properties. See Abiquo Configuration Properties#ldap
Abiquo does not guarantee the uniqueness of users based on their username. Abiquo users are made unique by username + authType. AuthType is what the user is logged in against. So it is possible to have more than one user with the same username as long as their 'AuthType' is different and the platform should log in the appropriate user based on the authentication module property.