Skip to content

Commit d655278

Browse files
Replace user_id_attribute to user_id_attribute_oid
1 parent 860235f commit d655278

1 file changed

Lines changed: 22 additions & 19 deletions

File tree

docs/specs/ldap.md

Lines changed: 22 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -55,14 +55,17 @@ identity:
5555
{{- else }}
5656
(&(objectCategory=person)(objectClass=user)(memberof=dc=anothercompany,dc=com)(sAMAccountName={{ $.Username }}))
5757
{{- end }}
58-
user_id_attribute: "myUserID"
58+
# According to https://datatracker.ietf.org/doc/html/rfc4512#section-2.5
59+
# The unique way to identify an attribute in LDAP is oid.
60+
# For those who are curious, "0.9.2342.19200300.100.1.1" is "uid", according to https://datatracker.ietf.org/doc/html/rfc4519#section-2.39
61+
user_id_attribute_oid: "0.9.2342.19200300.100.1.1"
5962
```
6063
6164
- `identity.ldap.servers.name`: A unique name to identify this LDAP server. Once set, it cannot be changed. It is stored in the database as part of the unique key to identify a LDAP identity. See [The database schema of a LDAP identity](#the-database-schema-of-a-ldap-identity) for details.
6265
- `identity.ldap.servers.url`: The connection URL to the LDAP server. The scheme MUST be `ldap:` or `ldaps:`. The URL MUST contain `host`, and optionally a port. If the port is omitted, the default port of the scheme is assumed. The default port of `ldap:` is `389`, while the default port of `ldaps:` is `636`. The URL MUST NOT contain other elements, such as path, nor query.
6366
- `identity.ldap.servers.base_dn`: The base DN to construct a Search Request, as defined in [Section 4.5.1 in RFC4511](https://datatracker.ietf.org/doc/html/rfc4511#section-4.5.1).
6467
- `identity.ldap.servers.search_filter_template`: A Go template that renders to a filter to be used in the Search Request. This template can use the variable `$.Username` to render the username entered by the end-user. `$.Username` is pre-processed so that it is an escaped LDAP string. The strings function from [https://masterminds.github.io/sprig/](https://masterminds.github.io/sprig/) can be used in the template.
65-
- `identity.ldap.servers.user_id_attribute`: The attribute that is guaranteed to be unique and never change for a given user in the LDAP server. It is used to identify a user from the LDAP server. Warning: Changing this value will cause Authgear not able to look up any previous LDAP identities.
68+
- `identity.ldap.servers.user_id_attribute_oid`: The attribute that is guaranteed to be unique and never change for a given user in the LDAP server. It is used to identify a user from the LDAP server. Warning: Changing this value will cause Authgear not able to look up any previous LDAP identities.
6669

6770
> Why does `identity.ldap.servers.url` allow scheme, host, and port?
6871
> The LDAP URL, defined in [Section 2 in RFC 4516](https://datatracker.ietf.org/doc/html/rfc4516#section-2), is syntactically different from the URL defined in [RFC3986](https://datatracker.ietf.org/doc/html/rfc3986).
@@ -96,7 +99,7 @@ Here is the JSON schema for the LDAP server configuration.
9699
{
97100
"type": "object",
98101
"additionalProperties": false,
99-
"required": ["name", "url", "base_dn", "search_filter_template", "user_id_attribute"],
102+
"required": ["name", "url", "base_dn", "search_filter_template", "user_id_attribute_oid"],
100103
"properties": {
101104
"name": {
102105
"type": "string",
@@ -114,9 +117,9 @@ Here is the JSON schema for the LDAP server configuration.
114117
"type": "string",
115118
"format": "ldap_search_filter_template"
116119
},
117-
"user_id_attribute": {
120+
"user_id_attribute_oid": {
118121
"type": "string",
119-
"format": "ldap_attribute_name"
122+
"format": "ldap_oid"
120123
}
121124
}
122125
}
@@ -125,14 +128,14 @@ Here is the JSON schema for the LDAP server configuration.
125128
- `format: ldap_url`: It is a JSON schema format that implements the rules of `identity.ldap.servers.url`.
126129
- `format: ldap_dn`: It is a JSON schema format that validates the value to be a valid DN.
127130
- `format: ldap_search_filter_template`: It is a JSON schema format that validates the rendered string to be a valid Search Filter. It does the validation by running the template with `Username=user`, `Username=user@example.com`, and `Username=+85298765432`, and then parse the resulting Search Filter as a Search Filter.
128-
- `format: ldap_attribute_name`: It is a JSON schema format that validates the value to be a valid LDAP attribute name.
131+
- `format: ldap_oid`: It is a JSON schema format that validates the value to be a valid LDAP oid.
129132
130133
## Testing on the configuration
131134
132135
> TODO: Add a mutation in the Admin API to test LDAP connection.
133136
> It should take the whole server configuration, and optionally a end-user username.
134137
> It connects the LDAP server with the URL and the credentials.
135-
> If the optional end-user username is given, it performs a Search request, and validates the user exists and has user_id_attribute.
138+
> If the optional end-user username is given, it performs a Search request, and validates the user exists and has user_id_attribute_oid.
136139
> It returns detailed API errors so that the portal can display relevant information for the developer to debug the configuration.
137140
> Such detailed API errors ARE NOT returned in actual use. They are reported as internal errors.
138141
@@ -141,29 +144,29 @@ Here is the JSON schema for the LDAP server configuration.
141144
```sql
142145
CREATE TABLE _auth_identity_ldap
143146
(
144-
id text PRIMARY KEY REFERENCES _auth_identity (id),
145-
app_id text NOT NULL,
146-
server_name text NOT NULL,
147-
user_id_attribute text NOT NULL,
148-
user_id_value text NOT NULL,
149-
claims jsonb NOT NULL,
150-
raw_entry_json jsonb NOT NULL
147+
id text PRIMARY KEY REFERENCES _auth_identity (id),
148+
app_id text NOT NULL,
149+
server_name text NOT NULL,
150+
user_id_attribute_oid text NOT NULL,
151+
user_id_attribute_value text NOT NULL,
152+
claims jsonb NOT NULL,
153+
raw_entry_json jsonb NOT NULL
151154
);
152155
153-
CREATE UNIQUE INDEX _auth_identity_ldap_unique ON _auth_identity_ldap (app_id, server_name, user_id_attribute, user_id_value);
156+
CREATE UNIQUE INDEX _auth_identity_ldap_unique ON _auth_identity_ldap (app_id, server_name, user_id_attribute_oid, user_id_attribute_value);
154157
```
155158

156159
- `id`: The primary key of this table. This is the same as other `_auth_identity_*` tables.
157160
- `app_id`: The app ID of this table for multi-tenant. This is the same as other `_auth_identity_*` tables.
158161
- `server_name`: The `name` of the LDAP server.
159-
- `user_id_attribute`: The `user_id_attribute` of the LDAP server when this identity is created.
160-
- `user_id_value`: The value of the `user_id_attribute` of the user.
162+
- `user_id_attribute_oid`: The `user_id_attribute_oid` of the LDAP server when this identity is created.
163+
- `user_id_attribute_value`: The value of the `user_id_attribute_oid` of the user.
161164
- `claims`: The standard claims extracted from this LDAP entry.
162165
- `raw_entry_json`: The raw LDAP entry encoded in JSON. It looks like `{ "dn": "uid=johndoe,dc=example,dc=com", "attr1": ["value1"] }`.
163166

164167
## Handling of a LDAP identity
165168

166-
- To look up a LDAP identity in Authgear, we use the tuple `(app_id, server_name, user_id_attribute, user_id_value)`.
169+
- To look up a LDAP identity in Authgear, we use the tuple `(app_id, server_name, user_id_attribute_oid, user_id_attribute_value)`.
167170
- Similar to OAuth identity, we update an LDAP identity when it is used in login.
168171

169172
## The UX of LDAP in Auth UI
@@ -179,5 +182,5 @@ This section documents the expected errors.
179182

180183
|Description|Name|Reason|Info|
181184
|---|---|---|---|
182-
|When the LDAP server is service unavailable, `user_id_attribute` not found in a user, search filter turns out to be invalid, etc|InternalError|UnexpectedError||
185+
|When the LDAP server is service unavailable, `user_id_attribute_oid` not found in a user, search filter turns out to be invalid, etc|InternalError|UnexpectedError||
183186
|When the end-user cannot authenticate to the LDAP server|Unauthorized|InvalidCredentials||

0 commit comments

Comments
 (0)