LDAP
LDAP properties define how and what to access in your company directory service. They are defined in providers of type ldap.
The mandatory properties are the following:
- url, the URL of the Directory Server; the default port is usually 636.
- principal, the DN used to bind against the Directory Server for the user and group queries. It should have read or search permissions on the usersCtxDN value.
- password, the password for the bind DN.
- usersCtxDN, the fixed DN of the context to start the user search from.
- usersFilter, the search query sent by PC-lint Plus View to the LDAP server when fetching users. For more information about LDAP query syntax, see https://ldap.com/ldap-filters. Note that the & character must be written as the XML entity &amp; in the settings file. Additionally, using a placeholder such as {0} in this filter is strongly discouraged, as it can lead to conflicts during authentication.
- userLoginAttribute, the attribute field to use when loading the user login. It should be unique.
Additional properties can be defined in order to map user information:
- userDisplayNameAttribute, the attribute that will be used to specify the PC-lint Plus View user display name.
- userMailAttribute, the attribute that will be used to specify the PC-lint Plus View user mail.
- userDepartmentAttribute, the attribute that will be used to specify the PC-lint Plus View user department.
- loginFilter (default: userLoginAttribute={0}), to allow the use of alternative attributes for the user login, where "{0}" is a placeholder for the login value provided by the user. Note that the final authentication filter is a concatenation of both usersFilter and loginFilter, i.e. (&(usersFilter)(loginFilter)).
Here is an example of a complete authentication configuration using LDAP and allowing the users to log in with either the login or mail attributes as defined in the company directory service:
<subsystem xmlns="urn:com:vector:squore:1.0">
  <security>
    <authentication name="default">
      <auth-module name="ldap" provider="ldapAuth" flag="sufficient"/>
    </authentication>
    <providers>
      <provider name="ldapAuth" type="ldap">
        <property name="url" value="ldaps://hostname:port/"/>
        <property name="principal" value="cn=admin,dc=domain,dc=com"/>
        <property name="password" value="password"/>
        <property name="usersCtxDN" value="ou=people,dc=example,dc=com"/>
        <property name="usersFilter" value="(objectClass=person)"/>
        <property name="userLoginAttribute" value="login"/>
        <property name="userDisplayNameAttribute" value="displayName"/>
        <property name="userMailAttribute" value="mail"/>
        <property name="userDepartmentAttribute" value="department"/>
        <property name="loginFilter" value="(|(login={0})(mail={0}))"/>
      </provider>
    </providers>
  </security>
</subsystem>
Note that for Active Directory, OU, DC and other keywords are all uppercase.
Most directory servers are not configured to be case-sensitive, so user authentication and synchronization won't be either. If your server is configured to be case-sensitive, user authentication and synchronization will be too.
It is highly recommended to use LDAPS instead of LDAP: ldaps://<hostname>:<port>/.
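As an added example (not code from PC-lint Plus View or its documentation), the following Python reads the ldap provider out of a settings file, builds the final authentication filter (&(usersFilter)(loginFilter)) for a given login value, refuses a usersFilter that carries the discouraged {0} placeholder, and checks that the url uses the recommended ldaps scheme. The sample settings, the provider name ldapAuth, the RFC 4515 escaping of the substituted login value and the parenthesised default loginFilter are assumptions of this example, not statements from the page.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"s": "urn:com:vector:squore:1.0"}

# Constructed sample settings (not a real deployment), in the format shown above.
# The '&' inside usersFilter is written as the XML entity &amp;, as the page requires.
SETTINGS = """<subsystem xmlns="urn:com:vector:squore:1.0">
  <security>
    <providers>
      <provider name="ldapAuth" type="ldap">
        <property name="url" value="ldaps://ldap.example.com:636/"/>
        <property name="usersCtxDN" value="ou=people,dc=example,dc=com"/>
        <property name="usersFilter"
                  value="(&amp;(objectClass=person)(memberOf=cn=lint,ou=groups,dc=example,dc=com))"/>
        <property name="userLoginAttribute" value="login"/>
        <property name="loginFilter" value="(|(login={0})(mail={0}))"/>
      </provider>
    </providers>
  </security>
</subsystem>"""


def ldap_properties(xml_text, provider_name="ldapAuth"):
    """Return the name -> value map of the properties of one provider of type ldap."""
    root = ET.fromstring(xml_text)
    for prov in root.iterfind(".//s:providers/s:provider", NS):
        if prov.get("type") == "ldap" and prov.get("name") == provider_name:
            return {p.get("name"): p.get("value") for p in prov.iterfind("s:property", NS)}
    raise KeyError(f"no ldap provider named {provider_name!r}")


def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside an LDAP filter value (assumed precaution)."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def authentication_filter(props, login):
    """Build (&(usersFilter)(loginFilter)) with {0} replaced by the escaped login value."""
    if "{0}" in props["usersFilter"]:
        # The page discourages a placeholder in usersFilter; refuse it outright here.
        raise ValueError("usersFilter must not contain the {0} placeholder")
    # Assumption: the default loginFilter is used in its parenthesised form.
    login_filter = props.get("loginFilter", f"({props['userLoginAttribute']}={{0}})")
    return "(&" + props["usersFilter"] + login_filter.replace("{0}", escape_filter_value(login)) + ")"


def uses_ldaps(props):
    """True when the url property uses the recommended ldaps:// scheme."""
    return urlparse(props["url"]).scheme.lower() == "ldaps"
```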