ldap
Description
This client handles Users, Groups, UserPasswords and GroupsMembers events, and stores the resulting data in an LDAP directory.
The local Datamodel keys are used as LDAP attribute names, without any constraint on the client side, so they must match attributes allowed by the objectClasses of your LDAP schema. Datamodel keys that must not be stored in the directory (typically the primary keys) can be listed in the attributesToIgnore setting.
GroupsMembers events only store data in the LDAP group entries (typically in the member attribute), never in the user entries: LDAP overlays (dynlist, or the deprecated memberOf) can dynamically generate the corresponding data in user entries. You should read the documentation of the propagateUserDNChangeOnGroupMember setting before choosing a group membership scheme.
If you need to generate LDAP password hashes, consider the ldapPasswordHash attribute plugin.
Configuration
```yaml
hermes-client-usersgroups_ldap:
  # MANDATORY: LDAP server URI
  uri: ldaps://ldap.example.com:636
  # MANDATORY: LDAP server credentials to use
  binddn: cn=account,dc=example,dc=com
  # Stored in clear text: restrict read access to this configuration file
  bindpassword: s3cReT_p4s5w0rD
  # MANDATORY: LDAP base DN
  basedn: dc=example,dc=com
  users_ou: ou=users,dc=example,dc=com
  groups_ou: ou=groups,dc=example,dc=com
  ssl: # Optional
    # Path to PEM file with CA certs
    cafile: /path/to/INTERNAL-CA-chain.crt # Optional
    # Path to file with PEM encoded cert for client cert authentication, requires keyfile
    certfile: /path/to/client.crt # Optional
    # Path to file with PEM encoded key for client cert authentication, requires certfile
    keyfile: /path/to/client.pem # Optional
  # MANDATORY: Name of DN attribute for Users, UserPasswords and Groups
  # You have to set values for all three, even if you don't use some of the types
  dnAttributes:
    Users: uid
    UserPasswords: uid
    Groups: cn
  # Depending on group and group membership settings in LDAP, you may use another
  # attribute than the default 'member' attribute to store the DN of group members
  # Optional. Default value: "member"
  groupMemberAttribute: member
  # Depending on group and group membership settings in LDAP, you will usually want
  # to propagate a user DN change to the group member attributes. But sometimes it
  # is already handled by an overlay, e.g. with the memberOf overlay and the
  # memberof-refint/olcMemberOfRefint setting set to TRUE
  # If set to true, it requires 'groupsObjectclass' to be defined
  # Optional. Default value: true
  propagateUserDNChangeOnGroupMember: true
  # If you've set 'propagateUserDNChangeOnGroupMember' to true,
  # you MUST indicate the group objectClass that will be used to search
  # your group entries
  # Mandatory only if 'propagateUserDNChangeOnGroupMember' is true
  groupsObjectclass: groupOfNames
  # It is possible to set a default value for some attributes of Users, UserPasswords and Groups
  # The default value is set on added and modified events if the local attribute has no value
  defaultValues:
    Groups:
      member: "" # Hack to allow creation of an empty group, because of the "MUST member" in the groupOfNames schema
  # The local attributes listed here won't be stored in LDAP for Users, UserPasswords and Groups
  attributesToIgnore:
    Users:
      - user_pkey
    UserPasswords:
      - user_pkey
    Groups:
      - group_pkey
```
Datamodel
The following data types may be set up:
- Users
- UserPasswords: requires Users, and requires the following attribute name:
  - user_pkey: corresponding to the primary key of Users
- Groups
- GroupsMembers: requires Users and Groups, and requires the following attribute names:
  - user_pkey: corresponding to the primary key of Users
  - group_pkey: corresponding to the primary key of Groups
```yaml
datamodel:
  Users:
    hermesType: your_server_Users_type_name
    attrsmapping:
      user_pkey: user_primary_key_on_server
      uid: login_on_server
      # ...
  UserPasswords:
    hermesType: your_server_UserPasswords_type_name
    attrsmapping:
      user_pkey: user_primary_key_on_server
      userPassword: ldap_pwd_hash_list_on_server
      # ...
  Groups:
    hermesType: your_server_Groups_type_name
    attrsmapping:
      group_pkey: group_primary_key_on_server
      cn: group_name_on_server
      # ...
  GroupsMembers:
    hermesType: your_server_GroupsMembers_type_name
    attrsmapping:
      user_pkey: user_primary_key_on_server
      group_pkey: group_primary_key_on_server
      # ...
```
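To make the interplay of the settings above concrete, the following added example walks constructed sample records through the whole flow: attrsmapping turns a server-side record into a local Datamodel entry, dnAttributes and users_ou/groups_ou build the DN, attributesToIgnore and defaultValues shape the stored attributes, a GroupsMembers event writes only the group entry, and a change of the user's DN attribute is propagated to the group member attributes as propagateUserDNChangeOnGroupMember describes. This is illustrative code written for this page, not the client's own implementation: the directory is simulated with plain dicts so it runs offline, the server attribute names (employee_id, login, display_name, group_id, group_name), the sample records and the handling of the "" member placeholder are assumptions.

```python
"""Model of how the hermes-client-usersgroups_ldap settings shape LDAP entries.
Added example, not the client's code: the directory is a dict keyed by DN."""

# Settings copied from the configuration section of this page.
CONFIG = {
    "users_ou": "ou=users,dc=example,dc=com",
    "groups_ou": "ou=groups,dc=example,dc=com",
    "dnAttributes": {"Users": "uid", "UserPasswords": "uid", "Groups": "cn"},
    "groupMemberAttribute": "member",
    "propagateUserDNChangeOnGroupMember": True,
    "groupsObjectclass": "groupOfNames",
    "defaultValues": {"Groups": {"member": ""}},
    "attributesToIgnore": {"Users": ["user_pkey"], "UserPasswords": ["user_pkey"],
                           "Groups": ["group_pkey"]},
}

# attrsmapping (local key -> attribute name on the server). Server names are assumed.
ATTRSMAPPING = {
    "Users": {"user_pkey": "employee_id", "uid": "login", "cn": "display_name"},
    "Groups": {"group_pkey": "group_id", "cn": "group_name"},
}


def to_local(datatype, remote_record):
    """Apply attrsmapping: keep only mapped attributes, under their local names."""
    return {local: remote_record[remote]
            for local, remote in ATTRSMAPPING[datatype].items() if remote in remote_record}


def entry_dn(datatype, local_record):
    """Build the DN from the dnAttributes value and the matching OU."""
    ou = CONFIG["users_ou"] if datatype in ("Users", "UserPasswords") else CONFIG["groups_ou"]
    attr = CONFIG["dnAttributes"][datatype]
    return f"{attr}={local_record[attr]},{ou}"


def to_ldap_attributes(datatype, local_record):
    """Drop attributesToIgnore, then fill defaultValues for attributes with no value."""
    ignored = CONFIG["attributesToIgnore"].get(datatype, [])
    attrs = {k: v for k, v in local_record.items() if k not in ignored}
    for attr, default in CONFIG["defaultValues"].get(datatype, {}).items():
        if not attrs.get(attr):
            attrs[attr] = default
    return attrs


def _members(attrs):
    """Current member DNs of a group entry; the "" placeholder is not a member (assumption)."""
    value = attrs.get(CONFIG["groupMemberAttribute"], [])
    if isinstance(value, str):
        value = [value]
    return [m for m in value if m != ""]


def add_entry(directory, datatype, local_record, objectclasses):
    """Users/Groups added event: store the entry under its DN."""
    dn = entry_dn(datatype, local_record)
    attrs = to_ldap_attributes(datatype, local_record)
    attrs["objectClass"] = list(objectclasses)
    directory[dn] = attrs
    return dn


def add_group_member(directory, group_dn, user_dn):
    """GroupsMembers added event: only the group entry is written, nothing in the user entry."""
    directory[group_dn][CONFIG["groupMemberAttribute"]] = _members(directory[group_dn]) + [user_dn]


def rename_user(directory, old_local, new_local):
    """Users modified event that changes the DN attribute (uid here): the entry is moved
    and, with propagateUserDNChangeOnGroupMember true, every entry carrying the
    groupsObjectclass whose member attribute holds the old DN is rewritten."""
    old_dn, new_dn = entry_dn("Users", old_local), entry_dn("Users", new_local)
    directory[new_dn] = directory.pop(old_dn)
    directory[new_dn].update(to_ldap_attributes("Users", new_local))
    updated = []
    if CONFIG["propagateUserDNChangeOnGroupMember"]:
        member_attr = CONFIG["groupMemberAttribute"]
        for dn, attrs in directory.items():
            if CONFIG["groupsObjectclass"] in attrs.get("objectClass", []) and old_dn in _members(attrs):
                attrs[member_attr] = [new_dn if m == old_dn else m for m in _members(attrs)]
                updated.append(dn)
    return new_dn, updated


def demo():
    """Run constructed sample records through the full flow and return the results."""
    directory = {}
    remote_user = {"employee_id": 1042, "login": "jdoe", "display_name": "Jane Doe"}  # constructed
    remote_group = {"group_id": 7, "group_name": "admins"}                            # constructed
    user_dn = add_entry(directory, "Users", to_local("Users", remote_user), ["inetOrgPerson"])
    group_dn = add_entry(directory, "Groups", to_local("Groups", remote_group), ["groupOfNames"])
    add_group_member(directory, group_dn, user_dn)
    # The login changes on the server, so the user DN changes and group members must follow.
    new_dn, updated_groups = rename_user(directory, to_local("Users", remote_user),
                                         to_local("Users", {**remote_user, "login": "jane.doe"}))
    return directory, new_dn, updated_groups


if __name__ == "__main__":
    for dn, attrs in demo()[0].items():
        print(dn, attrs)
```

Note that the group entry is created with member set to "" (the defaultValues hack) because groupOfNames requires at least one member, and that the primary keys never reach the directory. If your directory runs the memberOf overlay with refint enabled, the propagation step in rename_user is what the overlay does for you, and propagateUserDNChangeOnGroupMember can be set to false.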