Hybrid User Management
A user database and an LDAP service can be integrated simultaneously. Users from both user data sources can sign in and use secured services.
The two data sources are each mapped to a domain, which has to be specified as part of the username when a user logs on (for example user@ldap.myorg).
Installation and Configuration
To activate hybrid user management and to configure the domains, the parameters in the following list have to be customized or added after the installation.
These parameters are located in [DATA_FOLDER]/application.properties.
- usermgr.type=hybrid
  Activates the hybrid mode.
- usermgr.domains.ldap.name=ldap.conterra.de
  Name of the domain that all LDAP users belong to. This name or one of its alias names (see the following parameter) has to be appended to the username, separated by an @ character, for example user@ldap.conterra.de.
- usermgr.domains.ldap.aliases=ldap-alias.conterra.de
  Comma-separated list of names for the LDAP domain, which can be used as alternatives to the LDAP domain name. Leave it empty to not support any aliases.
- usermgr.domains.db.name=db.conterra.de
  Name of the domain that all users of the security.manager database belong to. This name or one of its alias names (see the following parameter) has to be appended to the username, separated by an @ character, for example user@db.conterra.de.
- usermgr.domains.db.aliases=db-alias.conterra.de
  Comma-separated list of names for the database domain, which can be used as alternatives to the database domain name. Leave it empty to not support any aliases.
- usermgr.domains.default=db
  Defines the default login domain; possible values are db and ldap. If a login name does not specify a domain, this property defines the domain that is used.
- configtab.enabled=true
  Enables the Settings tab in the Administrator application, through which the LDAP configuration section can be reached.
- security.remoteuser.postfix=ldap.conterra.de
  Adds @ldap.conterra.de to the username when container-based authentication is used. This might be necessary when Integrated Windows Authentication is used in hybrid mode. Empty by default.
Domain-based Login
When the domain-based hybrid user management is enabled the login dialog features an additional domain selection field.
When logging in, the user can select a domain or extend the username with a postfix of the form @[DOMAIN].
When the login form is submitted, the username is checked for a valid domain postfix (the domain name or one of its aliases).
If no valid postfix is found, the domain name selected in the domain selection field is appended to the username.
For login forms that do not offer a domain selection field, the domain-qualified username has to be entered. If no domain name is specified, the system tries to log the user on in the database domain. This has to be considered when logging on to a gateway or when using HTTP Basic authentication.
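The following is an added example, not code from security.manager itself: a small model of the domain resolution described above, driven by the application.properties keys listed in the configuration section. The sample properties are constructed from the values on this page; the function names (parse_properties, load_domain_config, resolve_login, qualify_remote_user) and the rule that a container-supplied user name already carrying an @ is left untouched are assumptions made for this illustration.

```python
"""Model of domain-based login resolution for hybrid user management.

Added illustration; the product's own implementation is not shown on the page.
Rules reproduced from the documentation:
  - each data source (db, ldap) has a domain name plus optional aliases,
  - a login name may carry an "@<domain>" postfix,
  - a recognised postfix wins; otherwise the domain chosen in the login form
    is used; without a selection the configured default domain applies,
  - security.remoteuser.postfix qualifies container-authenticated user names.
"""
from dataclasses import dataclass

# Constructed sample of the application.properties keys documented above.
SAMPLE_PROPERTIES = """
usermgr.type=hybrid
usermgr.domains.ldap.name=ldap.conterra.de
usermgr.domains.ldap.aliases=ldap-alias.conterra.de
usermgr.domains.db.name=db.conterra.de
usermgr.domains.db.aliases=db-alias.conterra.de
usermgr.domains.default=db
configtab.enabled=true
security.remoteuser.postfix=ldap.conterra.de
"""


def parse_properties(text):
    """Minimal key=value parser for a Java-style properties file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


@dataclass(frozen=True)
class DomainConfig:
    names: dict            # domain key ("db"/"ldap") -> canonical domain name
    aliases: dict          # lower-cased name or alias -> domain key
    default: str           # usermgr.domains.default
    remoteuser_postfix: str  # security.remoteuser.postfix ("" when unset)


def load_domain_config(props):
    """Build the domain table from parsed properties; rejects inconsistent settings."""
    if props.get("usermgr.type") != "hybrid":
        raise ValueError("hybrid user management is not enabled (usermgr.type)")
    names, aliases = {}, {}
    for key in ("db", "ldap"):
        name = props[f"usermgr.domains.{key}.name"]
        names[key] = name
        aliases[name.lower()] = key
        # Aliases are comma-separated; an empty value means no aliases.
        for alias in props.get(f"usermgr.domains.{key}.aliases", "").split(","):
            alias = alias.strip()
            if alias:
                aliases[alias.lower()] = key
    default = props.get("usermgr.domains.default", "db")
    if default not in names:
        raise ValueError(f"usermgr.domains.default must be db or ldap, got {default!r}")
    return DomainConfig(names, aliases, default, props.get("security.remoteuser.postfix", ""))


def resolve_login(config, login_name, selected_domain=None):
    """Return (bare user name, domain key) for a submitted login name.

    selected_domain is the value of the login form's domain field ("db"/"ldap"),
    or None for forms and protocols (gateway, HTTP Basic) without that field.
    """
    user, sep, postfix = login_name.rpartition("@")
    if sep and postfix.lower() in config.aliases:
        return user, config.aliases[postfix.lower()]
    # No valid postfix: the whole string is the user name; use the selection,
    # and if there is none, the configured default domain.
    if selected_domain is not None:
        if selected_domain not in config.names:
            raise ValueError(f"unknown domain selection {selected_domain!r}")
        return login_name, selected_domain
    return login_name, config.default


def qualify_remote_user(config, remote_user):
    """Apply security.remoteuser.postfix to a container-authenticated user name.

    Assumption for this illustration: a name that already carries an @ is left as is.
    """
    if config.remoteuser_postfix and "@" not in remote_user:
        return f"{remote_user}@{config.remoteuser_postfix}"
    return remote_user


if __name__ == "__main__":
    cfg = load_domain_config(parse_properties(SAMPLE_PROPERTIES))
    for name, selection in [("alice@ldap-alias.conterra.de", None), ("bob", None), ("bob", "ldap")]:
        print(name, selection, "->", resolve_login(cfg, name, selection))
    print(qualify_remote_user(cfg, "carol"))
```

Note the consequence of the last rule for gateways and HTTP Basic clients: a bare user name silently lands in the database domain, so an LDAP account that exists only under its own domain will fail authentication there unless the client sends the domain-qualified name.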
Domain-based User Management
When using hybrid user management, all write access is performed on the database domain. Available roles and groups are always retrieved from the database domain. User data is brought together from all domains and displayed collectively. New users are always created in the database domain; therefore a domain name must not be specified in the username input field. When determining which users belong to a given role or group, the users of all domains are searched.
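An added model of the read/write routing described in this section (not the product's code): two in-memory stores stand in for the database and the LDAP directory, and the HybridUserStore class, its method names and the sample users and roles are all constructed for this illustration.

```python
"""Read/write routing in hybrid user management, as an added model.

Rules reproduced from the documentation:
  - user listings and role membership queries span both domains,
  - roles and groups are taken only from the database domain,
  - new users are created only in the database domain, and the username
    must not carry a domain postfix.
The backing stores are plain dicts; the real product talks to its database
and an LDAP server.
"""
from dataclasses import dataclass, field


@dataclass
class DomainStore:
    domain: str                                   # canonical domain name
    users: dict = field(default_factory=dict)     # username -> set of role names
    roles: set = field(default_factory=set)       # roles defined in this store


class HybridUserStore:
    def __init__(self, db, ldap):
        self.db, self.ldap = db, ldap

    def list_users(self):
        """Merged view over both domains, each name qualified with its source domain."""
        return sorted(f"{u}@{s.domain}" for s in (self.db, self.ldap) for u in s.users)

    def list_roles(self):
        """Roles come from the database domain only; LDAP-side roles are never consulted."""
        return sorted(self.db.roles)

    def create_user(self, username, roles=()):
        """Writes go to the database domain; a domain postfix in the name is rejected."""
        if "@" in username:
            raise ValueError("a domain must not be specified; users are created in the database domain")
        unknown = set(roles) - self.db.roles
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        if username in self.db.users:
            raise ValueError(f"user {username!r} already exists in {self.db.domain}")
        self.db.users[username] = set(roles)
        return f"{username}@{self.db.domain}"

    def users_in_role(self, role):
        """Membership lookups search the users of all domains."""
        return sorted(
            f"{u}@{s.domain}"
            for s in (self.db, self.ldap)
            for u, assigned in s.users.items()
            if role in assigned
        )


def build_sample_store():
    """Constructed sample data for the two domains documented on this page."""
    db = DomainStore("db.conterra.de", {"admin": {"Administrator"}}, {"Administrator", "Editor"})
    ldap = DomainStore("ldap.conterra.de", {"alice": {"Editor"}, "bob": set()}, {"LdapOnlyRole"})
    return HybridUserStore(db, ldap)


if __name__ == "__main__":
    store = build_sample_store()
    print(store.create_user("carol", ["Editor"]))
    print(store.list_users())
    print(store.list_roles())
    print(store.users_in_role("Editor"))
```

The behaviour to note for administrators is the asymmetry: an LDAP user appears in listings and role searches, but the only way to grant that user a role is through the mapping configured on the database side, because no write ever reaches the LDAP domain.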
LDAP Configuration Differences
To ensure a correct mapping of LDAP users to the roles and groups stored in the database domain, the dialogs for role and group mapping in hybrid user management differ slightly from those shown for non-hybrid user management. In hybrid user management you choose from a list of the role and group entities available in the database, which avoids misspellings. Otherwise, the procedure for configuring the LDAP connection stays the same.