Configuring LDAP Integration

The Lightweight Directory Access Protocol (LDAP) configuration file (core.ldap.properties) is located in the <Code Insight_ROOT_DIR>\<version>\config\core directory. Code Insight imports LDAP user metadata into its database. User passwords are never stored in Code Insight. LDAP user authentication is performed in real time against the LDAP server for every login. If the user does not exist in LDAP, authentication is performed against the Code Insight database.

Imported LDAP users are given the default requester role in the system. Users added during the LDAP sync process cannot use the Forgot Password or Modify Preferences features of the application. The application administrator can set a role for a user if it is different from that of a participant.

The system can also maintain user information for users that do not exist in LDAP, for example an external contractor who needs access to Code Insight but has no LDAP account. In such a case, the user information is managed directly in Code Insight.

You define the LDAP user import frequency by modifying the LDAP configuration file. The default setting in the properties file is ldap.jobFrequency=0 0 6 * * ?, which means that every morning at 6 AM the system syncs with the LDAP server.
Refer to http://www.quartz-scheduler.org/documentation/quartz-2.x/tutorials/crontrigger for further information about the cron expression format. Example LDAP frequency syntax:

ldap.jobFrequency=0 0 6 * * ?      (every morning at 6 AM)
ldap.jobFrequency=0 0/1 * * * ?    (every minute)
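To see what a given ldap.jobFrequency value actually fires on before you deploy it, here is a small checker for the subset of Quartz cron syntax that appears in this file. It is an added example, not Code Insight's own scheduler code; the function names matches and next_fire are its own, and the Quartz specials L, W and # are assumed out of scope.

```python
"""Checker for the Quartz cron expressions accepted by ldap.jobFrequency.

Added example, not Code Insight code. Supports `*`, `?`, literal values,
ranges, `a/b` and `*/b` steps, and three-letter month/day names; the
Quartz specials L, W and # are not implemented and raise ValueError.
"""
from datetime import datetime, timedelta

_MONTHS = {"JAN": 1, "FEB": 2, "MAR": 3, "APR": 4, "MAY": 5, "JUN": 6,
           "JUL": 7, "AUG": 8, "SEP": 9, "OCT": 10, "NOV": 11, "DEC": 12}
# Quartz numbers the days of the week 1=SUN .. 7=SAT.
_DAYS = {"SUN": 1, "MON": 2, "TUE": 3, "WED": 4, "THU": 5, "FRI": 6, "SAT": 7}


def _to_int(token, names):
    if names and token in names:
        return names[token]
    return int(token)  # ValueError for unsupported tokens such as L, W, #


def _field_matches(spec, value, low, names=None):
    """True if `value` satisfies one comma-separated cron field `spec`."""
    for part in spec.upper().split(","):
        if part in ("*", "?"):
            return True
        if "/" in part:                      # base/step, e.g. 0/1 or */4
            base, step = part.split("/", 1)
            base = low if base == "*" else _to_int(base, names)
            if value >= base and (value - base) % int(step) == 0:
                return True
        elif "-" in part:                    # inclusive range, e.g. MON-FRI
            lo, hi = (_to_int(x, names) for x in part.split("-", 1))
            if lo <= value <= hi:
                return True
        elif _to_int(part, names) == value:  # single literal value
            return True
    return False


def matches(expr, when):
    """Does the expression fire at `when` (second resolution)? Year field is ignored."""
    fields = expr.split()
    if len(fields) not in (6, 7):
        raise ValueError("Quartz cron needs 6 fields (plus optional year): " + expr)
    sec, minute, hour, dom, month, dow = fields[:6]
    quartz_dow = (when.weekday() + 1) % 7 + 1   # Python Mon=0 -> Quartz MON=2
    return (_field_matches(sec, when.second, 0)
            and _field_matches(minute, when.minute, 0)
            and _field_matches(hour, when.hour, 0)
            and _field_matches(dom, when.day, 1)
            and _field_matches(month, when.month, 1, _MONTHS)
            and _field_matches(dow, quartz_dow, 1, _DAYS))


def next_fire(expr, start, limit_days=8):
    """First firing strictly after `start`, or None if none within `limit_days`."""
    sec = expr.split()[0]
    if sec.isdigit():                # fixed second: scan minute by minute
        step, t = timedelta(minutes=1), start.replace(second=int(sec), microsecond=0)
    else:                            # otherwise scan second by second
        step, t = timedelta(seconds=1), start.replace(microsecond=0)
    end = start + timedelta(days=limit_days)
    while t <= end:
        if t > start and matches(expr, t):
            return t
        t += step
    return None


if __name__ == "__main__":
    now = datetime.now()
    for expr in ("0 0 6 * * ?", "0 0/1 * * * ?", "0 0 */4 * * ?", "0 0 6 ? * MON"):
        print(expr.ljust(18), "->", next_fire(expr, now))
```

Run it as a script to print the next sync time for each of the expressions shown in this document; a value that comes back as None within eight days is a sign the expression does not do what you think.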

During the initial startup, the application replaces the plain-text LDAP password with an encrypted value.
The application reads the plain text password and writes the encrypted password back into the core.ldap.properties file in the following format: <ENCRYPTED_PASSWORD>ENCRYPTED. For subsequent server re-starts, the application uses the encrypted password.
To change the password, the administrator brings down the server, enters the new plain-text password into the core.ldap.properties file, and restarts the server. During startup, the application again reads the plain-text password and writes the encrypted password back into core.ldap.properties.
If your LDAP server supports anonymous access, and you prefer to connect to the LDAP server anonymously rather than via a password-protected account, you can enable this by specifying ldap.anonymous=true in the core.ldap.properties file.

The configurable properties from the LDAP configuration files are shown below. Ensure that you DO NOT comment out any attribute mappings. If you do not want to map an attribute, set it equal to blank.

# LDAP server connection settings: url, userName and password.
# This user needs read permission on the directory to access the schema.

# Do you want to sync users from LDAP?
ldap.user.sync.enabled = false

# To enable LDAP authentication, set ldap.enabled to true
ldap.enabled = false

# To enable anonymous access to read the LDAP directory, turn this property on;
# it lets you omit the ldap.userName and ldap.password properties.
ldap.anonymous=false

# URL of the LDAP server, e.g. ldap://<ldap_server>:389
ldap.url = ldap://10.100.1.27:389

# Base node of the LDAP server; it is automatically appended to all searches.
ldap.base = dc=adtest,dc=palamida,dc=com

# User name to log in to the LDAP server
ldap.userName = cn=administrator,CN=users,DC=adtest,DC=palamida,DC=com

# Password to log in to the LDAP server
ldap.password = palamida123

# searchBase and searchFilter are used to import users into the Palamida system.
# DO NOT append ldap.base to ldap.searchBase

# Search base under which all the desired users are visible.
ldap.searchBase = CN=Users

# Search filter to pull only the desired users into the Palamida system; an LDAP query can be used here.
ldap.searchFilter = (&(objectClass=person)(memberOf=CN=PalamidaAppsecGroup,CN=Users,DC=adtest,DC=palamida,DC=com))

# LDAP user login filter, sAMAccountName={0} (for Active Directory)
ldap.loginFilter = sAMAccountName={0}
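
Because ldap.loginFilter substitutes the login name entered at sign-in into the {0} placeholder, the value has to be escaped per RFC 4515 before it is placed in the filter; otherwise filter metacharacters in the name are interpreted as filter syntax instead of being matched literally. The following is an added example, not Code Insight's code (how Code Insight itself performs the substitution is not shown on this page); escape_filter_value, naive_login_filter and build_login_filter are illustrative names.

```python
"""Escaping the {0} placeholder in ldap.loginFilter (RFC 4515, section 3).

Added example, not Code Insight code: the escaped substitution is shown
beside an unescaped one so the difference in the resulting filter is visible.
"""

# Characters with special meaning inside an LDAP filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Specials become backslash-hex; non-ASCII is emitted as its UTF-8 bytes in backslash-hex."""
    out = []
    for ch in value:
        if ch in _ESCAPES:
            out.append(_ESCAPES[ch])
        elif ord(ch) > 127:
            out.append("".join(r"\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def _wrap(filt):
    """A filter item must be parenthesised; the template on this page is not."""
    return filt if filt.startswith("(") else "(" + filt + ")"


def naive_login_filter(template, login):
    """Unescaped substitution: a '*' or ')' in `login` alters the filter itself."""
    return _wrap(template.replace("{0}", login))


def build_login_filter(template, login):
    """Escaped substitution: `login` is always matched as a literal value."""
    if "{0}" not in template:
        raise ValueError("ldap.loginFilter must contain the {0} placeholder")
    return _wrap(template.replace("{0}", escape_filter_value(login)))


if __name__ == "__main__":
    template = "sAMAccountName={0}"          # value from core.ldap.properties
    for login in ("jdoe", "j*doe", "René"):  # constructed login names
        print(naive_login_filter(template, login).ljust(28), build_login_filter(template, login))
```

The naive variant is included only for contrast: with it, a login name containing a wildcard produces a filter that matches more than one account, whereas the escaped form always produces an exact-value assertion.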

# Turn it on if the LDAP server has paging enabled (mostly for Active Directory)
ldap.serverPaging = true

# Turn it on to sync LDAP users in the subtree below the search base
ldap.search.subtree = true

# Page size if using paging
ldap.page.size = 1000

# LDAP user login attribute; loginAttr and loginFilter must always be in sync
ldap.user.loginAttr = sAMAccountName

# Uniquely identifiable attribute for each user; if none is found, loginAttr is used.
ldap.user.externalIdAttr = sAMAccountName

# LDAP user email attribute; it must always hold a valid email address
ldap.user.emailAttr = mail

# Do NOT comment out unwanted attribute mappings; set them equal to blank to assign no value
# LDAP user firstName attribute (Optional)
ldap.user.firstNameAttr = title
# LDAP user middleName attribute (Optional)
ldap.user.middleNameAttr = title
# LDAP user lastName attribute (Optional)
ldap.user.lastNameAttr = title
# LDAP user business unit attribute (Optional)
ldap.user.businessUnitAttr = title
# LDAP user job title attribute (Optional)
ldap.user.jobTitleAttr = title
# LDAP user location attribute (Optional)
ldap.user.locationAttr = title
# LDAP user telephone attribute (Optional)
ldap.user.telephoneAttr = title
# LDAP user fax attribute (Optional)
ldap.user.faxAttr = title
# LDAP user state attribute (Optional)
ldap.user.stateAttr = title

# Use cron frequency syntax
# Refer to http://www.quartz-scheduler.org/docs/tutorials/crontrigger.html for examples
# runs every 4 hours
#ldap.jobFrequency=0 0 */4 * * ?
# runs every morning at 6 AM
ldap.jobFrequency=0 0 6 * * ?
# runs every Monday at 6 AM
# ldap.jobFrequency=0 0 6 ? * MON

# Default roles to be assigned to all the LDAP users in the Palamida system.
# Provide a comma-separated list below; possible values are requester, reviewer, participant.
ldap.user.role =

# Associations of LDAP queries to user lists
# An LDAP query for a user list consists of 2 parameters (<userlist_name>.ldap.description and <userlist_name>.ldap.query).
# These 2 parameters need to be configured for each user list that is associated with an LDAP query.
# The LDAP query description will be shown in the Web UI in place of the actual query.
# The LDAP query will be executed each time an LDAP sync occurs.

#<userlist_name>.ldap.description = <enter description of LDAP query to be shown on user list details page in Web UI>
#<userlist_name>.ldap.query = <enter LDAP query to be executed for this user list each time an LDAP sync occurs>
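
As a practical check before restarting the server, the following added example (not part of Code Insight) parses a core.ldap.properties file and flags the mistakes this listing warns about: commented-out attribute mappings, ldap.base repeated in ldap.searchBase, loginAttr out of sync with loginFilter, missing credentials without ldap.anonymous=true, and role values outside requester, reviewer and participant. The sample file, its hostnames and the function names are constructed for the example; the password placeholder stands in for the value Code Insight writes back after its first start.

```python
"""Pre-restart sanity checks for core.ldap.properties.

Added example, not Code Insight code: a minimal Java-properties reader plus
the rules this page states about the file. SAMPLE is constructed and
contains deliberate mistakes; SAMPLE_FIXED is the same file corrected.
"""

ATTR_KEYS = [  # mappings that must be present (blank is fine, commented out is not)
    "ldap.user.loginAttr", "ldap.user.externalIdAttr", "ldap.user.emailAttr",
    "ldap.user.firstNameAttr", "ldap.user.middleNameAttr", "ldap.user.lastNameAttr",
    "ldap.user.businessUnitAttr", "ldap.user.jobTitleAttr", "ldap.user.locationAttr",
    "ldap.user.telephoneAttr", "ldap.user.faxAttr", "ldap.user.stateAttr",
]
VALID_ROLES = {"requester", "reviewer", "participant"}


def parse_properties(text):
    """Read 'key = value' lines; '#' and '!' lines are comments, as in Java properties."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")   # first '=' only: filter values contain '='
        props[key.strip()] = value.strip()
    return props


def check_ldap_config(text):
    """Return a list of problems; an empty list means the file passes every check."""
    p = parse_properties(text)
    problems = []
    for key in ATTR_KEYS:
        if key not in p:
            problems.append(f"{key} is missing: do not comment out mappings, set them blank")
    if not p.get("ldap.user.emailAttr"):
        problems.append("ldap.user.emailAttr must name an attribute holding a valid email address")
    if p.get("ldap.anonymous", "false").lower() != "true":
        for key in ("ldap.userName", "ldap.password"):
            if not p.get(key):
                problems.append(f"{key} is required unless ldap.anonymous=true")
    base, search_base = p.get("ldap.base", ""), p.get("ldap.searchBase", "")
    if base and base.lower() in search_base.lower():
        problems.append("ldap.searchBase must not include ldap.base; the base is appended automatically")
    login_attr, login_filter = p.get("ldap.user.loginAttr", ""), p.get("ldap.loginFilter", "")
    if login_attr != login_filter.strip("()").split("=", 1)[0]:
        problems.append(f"ldap.user.loginAttr '{login_attr}' is out of sync with ldap.loginFilter '{login_filter}'")
    for role in (r.strip() for r in p.get("ldap.user.role", "").split(",") if r.strip()):
        if role not in VALID_ROLES:
            problems.append(f"ldap.user.role '{role}' is not one of {sorted(VALID_ROLES)}")
    if len(p.get("ldap.jobFrequency", "").split()) not in (6, 7):
        problems.append("ldap.jobFrequency must be a 6- or 7-field Quartz cron expression")
    return problems


# Constructed sample with deliberate mistakes: fax mapping commented out, empty
# password, ldap.base repeated in searchBase, loginFilter attribute differs from
# loginAttr, and an invalid role.
SAMPLE = """\
ldap.enabled = true
ldap.anonymous = false
ldap.url = ldap://ldap.example.test:389
ldap.base = dc=example,dc=test
ldap.userName = cn=svc-codeinsight,cn=users,dc=example,dc=test
ldap.password =
ldap.searchBase = cn=users,dc=example,dc=test
ldap.searchFilter = (&(objectClass=person)(memberOf=cn=appsec,cn=users,dc=example,dc=test))
ldap.loginFilter = uid={0}
ldap.user.loginAttr = sAMAccountName
ldap.user.externalIdAttr = sAMAccountName
ldap.user.emailAttr = mail
ldap.user.firstNameAttr = givenName
ldap.user.middleNameAttr =
ldap.user.lastNameAttr = sn
ldap.user.businessUnitAttr = department
ldap.user.jobTitleAttr = title
ldap.user.locationAttr = l
ldap.user.telephoneAttr = telephoneNumber
#ldap.user.faxAttr = facsimileTelephoneNumber
ldap.user.stateAttr = st
ldap.jobFrequency = 0 0 6 * * ?
ldap.user.role = requester, admin
"""

# The same file with each mistake corrected (placeholder encrypted password).
SAMPLE_FIXED = (SAMPLE
    .replace("#ldap.user.faxAttr", "ldap.user.faxAttr")
    .replace("ldap.password =\n", "ldap.password = <ENCRYPTED_PASSWORD>ENCRYPTED\n")
    .replace("ldap.searchBase = cn=users,dc=example,dc=test", "ldap.searchBase = cn=users")
    .replace("ldap.loginFilter = uid={0}", "ldap.loginFilter = sAMAccountName={0}")
    .replace("ldap.user.role = requester, admin", "ldap.user.role = requester"))

if __name__ == "__main__":
    for line in check_ldap_config(SAMPLE) or ["no problems found"]:
        print(line)
```

To check a real file, read it into a string and pass it to check_ldap_config; run against the constructed SAMPLE the script reports five problems, and against SAMPLE_FIXED none.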