Home Documentation Tracker Download

LDAP-based authentication

When synchronising two repositories, they authenticate to each other using a public-private-key-based mechanism. This is extremely secure and therefore the only authentication mechanism supported for repository-to-repository-authentication.

This type of authentication, however, cannot be used when accessing a repository via an ordinary web-browser.

In order to access files via a web-browser, LDAP-based authentication must be configured. There are currently two variants of LDAP authentication algorithm. The choice of the algorithm is based on the ldap.query configuration property. If this setting is not provided, then the first variant will be chosen, otherwise the second one. Both variants use the ldap.url property to know the LDAP server’s URL.

After changing any of the properties or admin’s password with a CLI command, you should restart the server since LDAP configuration is only loaded once at the first usage.

First variant

To configure this variant you need to provide ldap.bindDnTemplate[${index}] property/properties.

Every template should contain one or more of ${login} template variables, which will be replaced with userName, provided by user during authentication. After this replacement, the template will be used as DN in a bind operation (along with password provided by user).
All templates will be used as DNs, in specified order, until authentication is successful with one of them, or all templates were already used.

Second variant

To configure this variant you need to provide ldap.query, ldap.queryDn, ldap.adminDn properties. Also you need to set admin’s password. You can do it with command:

~/cloudstore/bin/cloudstore changeLdapPassword {password}

You can change it at anytime with the same command.

Authentication is composed of a few steps:

  • DirContext is created based on credentials of admin user - ldap.adminDn property and admin password, which was set with CLI command.
  • Search method is executed on this context, using ldap.query as filter and ldap.queryDn as name.
  • If this search doesn’t return any results then authentication is not successful.
  • If there are results, then DN of every one of them is tried to be bound to the context (along with password provided by user), until one of these operations is successful. If none is successful, then authentication isn’t successful either.