How to connect two (multiple) LDAP servers?

The use of Deployit is growing in our organisation, hence we want to onboard a new unit. Since this unit uses a different LDAP and other units will join deployit in the future, we need to decide if we can/want to connect multiple LDAPs to deployit.

Main questions

1. Is this even possible?

2. How can I configure this in deployit-security.xml?

Some thoughts and possibilities: 

- ldapServer bean:

  From other forums about the Spring Framework I learn that I can configure multiple LDAP URLs in a single ldapserver bean (all on one line, separated by a space).

  Since our two LDAPs are different, each URL has a different MANAGER_DN and MANAGER_PASSWORD.

  1. Do I need to define two ldapserver beans?

- ldapProvider bean:

  For each LDAP we use a different LDAP search filter.

  2. Can we define two ldapProvider beans?

Other thoughts:

Then there are some possible security issues, but lets keep that for later.

Regards,

Eric

Eric Cornet Answered


Hi Eric,

LDAP is exactly my specialty but I have tinkered with getting Active Directory connections going so I think I can answer your questions.

  1. Yes it is possible to have multiple ldap providers defined. Actually this is possibly already the case as the local XL Deploy accounts use their own security provider.

  2. What you need to define is a new bean. And multiple can be defined. In the security.xml you then specify which ones to use:

<security:authentication-manager alias="authenticationManager">
  <security:authentication-provider ref="rememberMeAuthenticationProvider"/>
  <security:authentication-provider ref="ldapProvider"/>
  <security:authentication-provider ref="jcrAuthenticationProvider"/>
</security:authentication-manager>

Here the ldapProvider one is the bean that connects to the Active Directory and the jcrAuthenticationProvider one is for XL Deploy's internal users.

  1. Yes, you will need to define your own. Have a look here as to how to do that: https://support.xebialabs.com/entries/38937317-How-to-connect-to-your-ldap-or-active-directory-in-11-steps

  2. Yes you can, this should not be a problem.

As you figured out already XL Deploy uses the Spring Security Framework, so if you run into issues you can also search for answers related to that.

Hope this helps!

Gr,

Coert

Coert van den Thillart 0 votes

Hoi Coert,

Thank you for your clear response. I followed your advice and it works like a charm.

I have still some doubts on possible security issues. Maybe you have an idea on these points:

Assume we have two LDAPs: LDAP1 and LDAP2. The order is defined by the order of the children of the authentication-manager tag:

<security:authentication-manager alias="authenticationManager">
  <security:authentication-provider ref="rememberMeAuthenticationProvider"/>
  <security:authentication-provider ref="ldapProvider1"/>
  <security:authentication-provider ref="ldapProvider2"/>
  <security:authentication-provider ref="jcrAuthenticationProvider"/>
</security:authentication-manager>

And assume LDAP1 contains a group GRP1 which maps to ROLE1 in Deployit. Analogously we have LDAP2, GRP2 and ROLE2.

  1. What if a user exists in both LDAPs (same username and password), but with different roles?

    Options:

    a. Will this user get both roles (ROLE1 and ROLE2)?

    b. Will this user always get ROLE1 corresponding to LDAP1?

    c. Will it be random...?

  2. What happens if someone defines a new group in LDAP2 called GRP1? Will the users in this new GRP1 be able to log in to deployit with ROLE1?

Regards,

Eric

Eric Cornet 0 votes

Hoi,

Both questions have been put to a test.

Question 1:

  • The LDAP search stops after the first hit, hence the user will only get ROLE1.

  • The order between the LDAPs is determined by the order of the 'security:authentication-manager' tag in deployit-security.xml (as expected).

  • Note: This problem is bypassed if all users use different passwords for each LDAP.

Question 2:

The hypothesis was correct. Users of LDAP2 will be able to get ROLE1.

Regards,

Eric

Eric Cornet 0 votes
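As an added configuration example (not from this thread and not XL Deploy's shipped deployit-security.xml), this is how Coert's two-bean setup and Eric's two findings come together in Spring Security bean XML: two context sources with their own manager credentials, one provider per directory with its own search filter, and a distinct rolePrefix per DefaultLdapAuthoritiesPopulator so that a GRP1 later created in LDAP2 yields LDAP2_GRP1 instead of colliding with LDAP1's GRP1. Hostnames, base DNs, the property placeholders and the assumption that Deployit's group-to-role mapping keys on the authority name the populator returns are my own.

```xml
<!-- LDAP1 and LDAP2 each get their own context source, so each can carry
     its own manager DN and password (constructed hostnames and DNs). -->
<bean id="ldapServer1" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <constructor-arg value="ldap://ldap1.example.internal:389/dc=unit1,dc=example,dc=com"/>
  <property name="userDn" value="cn=deployit-reader,ou=service,dc=unit1,dc=example,dc=com"/>
  <property name="password" value="${ldap1.manager.password}"/> <!-- assumed placeholder -->
</bean>
<bean id="ldapServer2" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <constructor-arg value="ldap://ldap2.example.internal:389/dc=unit2,dc=example,dc=com"/>
  <property name="userDn" value="cn=svc-deployit,ou=accounts,dc=unit2,dc=example,dc=com"/>
  <property name="password" value="${ldap2.manager.password}"/>
</bean>

<!-- One provider per directory. ldapProvider2 is built the same way against
     ldapServer2, with its own filter, e.g. (sAMAccountName={0}), and rolePrefix LDAP2_. -->
<bean id="ldapProvider1" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <constructor-arg>
    <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <constructor-arg ref="ldapServer1"/>
      <property name="userSearch">
        <bean class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
          <constructor-arg value="ou=people"/>
          <constructor-arg value="(uid={0})"/>
          <constructor-arg ref="ldapServer1"/>
        </bean>
      </property>
    </bean>
  </constructor-arg>
  <constructor-arg>
    <bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <constructor-arg ref="ldapServer1"/>
      <constructor-arg value="ou=groups"/>
      <property name="groupSearchFilter" value="(member={0})"/>
      <property name="groupRoleAttribute" value="cn"/>
      <!-- Distinct prefix per directory: GRP1 in LDAP1 becomes LDAP1_GRP1, while a
           GRP1 created in LDAP2 becomes LDAP2_GRP1 and no longer maps to ROLE1. -->
      <property name="rolePrefix" value="LDAP1_"/>
    </bean>
  </constructor-arg>
</bean>

<!-- Providers are tried in this order; authentication stops at the first
     provider that accepts the credentials (Eric's finding for question 1). -->
<security:authentication-manager alias="authenticationManager">
  <security:authentication-provider ref="rememberMeAuthenticationProvider"/>
  <security:authentication-provider ref="ldapProvider1"/>
  <security:authentication-provider ref="ldapProvider2"/>
  <security:authentication-provider ref="jcrAuthenticationProvider"/>
</security:authentication-manager>
```

With the prefixes in place, Deployit's role mapping has to reference LDAP1_GRP1 rather than GRP1, which is what makes the two directories' group names distinguishable.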