I am doing external authentication using LDAP. I have to authenticate a user via LDAP and allow the user to access many app servers. I want to know how to map all the ldap user ( users in ldap server Example:ldap://company1.local:389) with users in Database. I have created a external configuration object and assigned to a new http server with application level authentication. I dont want to store ldap user password in database. Do I have to create all users(same as in active directory) in database with some password and map them?
Yes, it's possible to configure ML to use external authentication via LDAP:
http://docs.marklogic.com/guide/security/external-auth
Related
I have an external identity provider (OpenLdap or AD). I configured Keycloak to federate the users form Ldap server. I'd like to enable OTP flow for these users without impoting them in Keycloak's database. Is there any way or procedure to do it ?
OTP belongs to the user, so user must be imported in the Keycloak DB. So you can do that, but without without importing them in Keycloak's database requirement.
Let's say I want to have keycloak synced with the LDAP and use it as the source for authentication. (I've managed to do this already)
But is there a way to let the keycloak be itself the identity provider if, for some reason, the LDAP connection is down?
First you should avoid ldap going down, by setting HA, using HAproxy and keepalived for example, as for Keycloak, you can disable "Sync Registrations" in your keycloak LDAP IDP, and create users using the admin interface, these users are stored in your local database of keycloak, and not on the LDAP so even if its goes down those users can stil get access to Keyclaok.
Refer to https://www.janua.fr/understanding-keycloak-user-federation/ for more details.
I managed to create a custom LDAP Storage Provider to do this.
check How to create a custom UserStorageSPI on Keycloak
Our system is using a LDAP server (OUD) and we're bringing Zimbra to the system. However, Zimbra use its default LDAP server (OpenLDAP). That's is paintul with 2 LDAP servers which store same user information.
Is there any way that Zimbra store its users in an external LDAP server?
Many thanks
Nope, zimbra needs his own internal LDAP server. Zimbra LDAP server stores user accounts, Class of Services, global settings and servers configuration.
The best practice is to manage user accounts in an external LDAP server (OpenLdap, Active Directory...) and then sync data beetwen external LDAP and Zimbra internal LDAP. There are many scripts on the Internet you'll find to do that.
You can either configure "Delegated Auth", zimbra will validate user auth against you external LDAP server and not internal LDAP (unless you activate the fallback). The point is to manage user passwords in your external LDAP server, so users won't be confused.
Can we enable both authentication method LDAP and External User in owncloud ?
we have two types of user internal and external.
for internal users we want to configure LDAP and
for external user we want to configure External User IMAP.
Please reply can we do this.
We are developing a self registration app.
Our app allows users to register for web apps and is deployed on a weblogic 10.3.5 app server. The weblogic is connected to a local ldap system.
Once the user registeres with our app we call corporate servces to generate a user id. password activation, authentication is all handled by the corporate servcies. which also has a corporate ldap that contains all users in the company.
The approach works fine for 'new users' ie users that are not present in the corporate ldap or the local ldap: users enter their details and are issued a user id which we then copy into the local ldap once the user activates their account.
The use case we're grappling with at the moment is how to handle 'existing' users that wish to register. These are users that are currently in the corporate ldap and wish to 'register' with our applications. They get rejected during the normal registration process as they already exist in the coroporate ldap.
What i'd like to do is force them to login (simply so they don't register on behalf of somone else) and once they're logged in simply copy their data into the local ldap.
The problem is even if they are successfully authenticated by the corporate service, they don't (yet exist) as far as the weblogic server is concerned. is there a way to obtain the user id that comes with the authentication token ?
The authentication method is SAML 1.1
The application is a standard Java EE servlet based webapp using the struts2 framework.
Any ideas would be much appreciated.
Within WebLogic, you can define multiple authentication providers and set them up in the order you would like the system to use. Since you are copying data over, you would have to programmatically check for the existence of the account before attempting to create it on the LDAP server.
It would be a lot simpler if you use the external LDAP server directly instead of copying the data to the internal LDAP server, letting you attempt logging the user in and creating the account only while catching the appropriate exception.