When LDAP authentication is enabled, Архива authenticates to a directory service such as OpenLDAP using pure password-based credentials.
The following process occurs during LDAP console login:
- Архива authenticates with the directory using a service account DN and a password
- Архива searches for the user, starting from the Base DN, by matching the supplied username with the Bind Attribute (normally, UID)
- Архива retrieves the DN of the located user
- Архива uses the retrieved user DN and user password to login into the directory
- Once logged in, Архива looks for a matching role and retrieves the user’s email address from the Email Attribute field (usually, email or mail).
Since directory structures tend be to unique across different organizations, care must be taken to ensure that the base DN, service account login DN, bind attribute and email attribute is correct for the target directory. For example, some companies use “mail” as the location where user email addresses are stored, while others use “email”.To determine the structure of a directory, it may be useful to connect to it using a the Linux command line utility ldapsearch or one of the many LDAP browsers available. Once the correct LDAP settings have been entered, it is necessary to create one or more role assignments for purpose of assigning Архива roles to the users residing in the directory.
Field | Description | Example |
---|---|---|
LDAP Server Address | Fully qualified domain name of LDAP server | openldap.company.com:389 |
Base DN | The distinguished name of the location in AD where Архива should start searching for end-user entries. | dc=company,dc=com |
Service Account Login | DN The distinguished name of an admin user in LDAP | cn=Administrator,cn=Users, dc=company, dc=com |
Service Account Password | The service account password | |
Mail Attribute | The mail attribute where the user’s email addresses are obtained mail | |
Mail Value | The regular expression used to extract the user’s email address from the mail attribute | (.*) |
Bind Attribute | The field in LDAP that contains the username or login name of the user. | uid |
Field | Description | Server.conf Example |
---|---|---|
Alternate Email Address | Secondary location where the user's emails can be found. Архива will retrieve the user's email addresses from both the mail attribute and the alternate email address. | ldap3.alternateemailaddress.attribute=emai |
Alternate Email Address Value | The regular expression pattern used to extract the email address. If you wish to take as is, use (.*). If you email addresses are in the format SMTP:joe@blog.com, then you would specify SMTP:(.*). Note position of brackets. | ldap3.alternateemailaddress.value=(.*) |