External Authentication Extension (LDAP)
One widely-used authentication system is the Lightweight Directory Access Protocol (LDAP). Because many of our customers use a standard LDAP server, we have written a generic LDAP External Authentication Extension that is flexible and easy to configure. Using this extension, you can have LDAP authentication working on your Delivery Hub in just a few minutes. These instructions provide the required files and steps for enabling LDAP authentication for your Secure Delivery Center installation.
System Admin Management
Before diving into the details about the extension, it's important to understand how system admins are managed. Though SDC can manage system admins through a custom implementation of the External Authentication Extension, the generic implementation described here does not manage system admins. Instead, SDC keeps a local list of users with administrator rights. The Delivery Hub does the following:
- Authenticates a user against your LDAP service.
- If the user is authenticated, the Delivery Hub searches its local index of admins.
- If the Delivery Hub can find a local system admin that matches the LDAP user ID, then the LDAP user is considered a system admin.
Because of this architecture, the first step is to create at least one system admin user within the Admin Console with the same ID as a user from your LDAP server.
Once the External Authentication Extension is enabled and you have logged into the Admin Console with this special LDAP user ID, you can search for any LDAP user and mark them as a system admin. You can create as many system admins as required, and it's also possible to mark LDAP users as group admins in the same way as you would for locally managed users.
The Authentication Extension
In the zip file below, the ldap-auth.jar file is the authentication extension ready to be used on your Delivery Hub.
Extension files: LDAP_authentication_extension.zip
Follow the steps below to enable the extension.
- Create the local system admin in the Admin Console with an ID that matches the LDAP ID of the user that will be your admin.
- Exit the Admin Console, and stop the SDC hub.
- Copy the ldap-auth.jar file from LDAP_authentication_extension.zip to Data Files/system-config/private/server-extensions.
- Configure your LDAP context queries (see the section below).
- Start the SDC server.
- Open and log in to the Admin Console, and confirm extensions are active on the Advanced tab of the System page.
Note: As described in System Admin Management above, this specific implementation does not manage admins, so the Externally Defined Administrators option is marked as disabled.
The Configuration File
Because this is a generic extension, you need a way to configure it with your LDAP service information. In the extension zip file, you will find the file ldap.properties, which contains the specific information needed to access and query your LDAP service. The properties listed are just an example; your implementation may be very similar, but you can add or remove as many properties as required. The External Authentication Extension reads this file and uses the properties you define.
The property names you use should be valid LDAP properties, but for the External Authentication Extension to read them they must have the prefix lookup.prop. This prefix will be stripped out when creating the LDAP context.
Follow the steps below to finish the extension configuration.
- Copy the ldap.properties file from LDAP_authentication_extension.zip to Data Files/server/.
- Edit ldap.properties to include your required LDAP service information and your query information. You can add as many properties as you need.
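As an added example (not code from this page or from the extension itself), the following Python script applies the lookup.prop prefix rule to a constructed ldap.properties and then flags settings worth fixing before the file goes live: a plain ldap:// provider URL, an explicit anonymous bind, and placeholder bind credentials. The JNDI property names in the sample are an assumption about what a valid ldap.properties contains; the page does not list them.

```python
"""Apply this page's ldap.properties rule: only keys carrying the 'lookup.prop'
prefix reach the LDAP context, with the prefix stripped; then audit the result."""

PREFIX = "lookup.prop."

# Constructed sample file; the ldap.properties shipped in the zip may differ,
# and the JNDI property names are an assumption, not taken from the page.
SAMPLE = """\
# LDAP service information (constructed example)
lookup.prop.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
lookup.prop.java.naming.provider.url=ldap://ldap.example.internal:389
lookup.prop.java.naming.security.authentication=simple
lookup.prop.java.naming.security.principal=cn=sdc-bind,ou=service,dc=example,dc=internal
lookup.prop.java.naming.security.credentials=REPLACE_ME
unrelated.setting=ignored because it lacks the prefix
"""

def parse_properties(text):
    """Minimal .properties reader: 'key=value' lines, '#' and '!' comments.
    Only the first '=' splits, so DN values such as cn=...,dc=... stay intact."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def ldap_context_env(text):
    """Environment handed to the LDAP context: prefixed keys only, prefix removed."""
    return {k[len(PREFIX):]: v for k, v in parse_properties(text).items()
            if k.startswith(PREFIX)}

def audit_env(env):
    """Findings a reviewer would want fixed before deploying the file."""
    findings = []
    if env.get("java.naming.provider.url", "").startswith("ldap://"):
        findings.append("provider.url is plain ldap://; bind credentials and user "
                        "passwords cross the network unencrypted, use ldaps://")
    if env.get("java.naming.security.authentication") == "none":
        findings.append("security.authentication is 'none' (anonymous bind)")
    if env.get("java.naming.security.credentials", "") in ("", "REPLACE_ME"):
        findings.append("security.credentials is empty or still a placeholder")
    return findings
```

To check your own file, run `audit_env(ldap_context_env(open("ldap.properties").read()))` and resolve every finding before starting the SDC server.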
If your login is successful after following these steps, your External Authentication Extension is installed and working.