You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
- `identity.ldap.servers.name`: A unique name to identify this LDAP server. Once set, it cannot be changed. It is stored in the database as part of the unique key to identify a LDAP identity. See [The database schema of a LDAP identity](#the-database-schema-of-a-ldap-identity) for details.
62
65
- `identity.ldap.servers.url`: The connection URL to the LDAP server. The scheme MUST be `ldap:` or `ldaps:`. The URL MUST contain `host`, and optionally a port. If the port is omitted, the default port of the scheme is assumed. The default port of `ldap:` is `389`, while the default port of `ldaps:` is `636`. The URL MUST NOT contain other elements, such as path, nor query.
63
66
- `identity.ldap.servers.base_dn`: The base DN to construct a Search Request, as defined in [Section 4.5.1 in RFC4511](https://datatracker.ietf.org/doc/html/rfc4511#section-4.5.1).
64
67
- `identity.ldap.servers.search_filter_template`: A Go template that renders to a filter to be used in the Search Request. This template can use the variable `$.Username` to render the username entered by the end-user. `$.Username` is pre-processed so that it is an escaped LDAP string. The strings function from [https://masterminds.github.io/sprig/](https://masterminds.github.io/sprig/) can be used in the template.
65
-
- `identity.ldap.servers.user_id_attribute`: The attribute that is guaranteed to be unique and never change for a given user in the LDAP server. It is used to identify a user from the LDAP server. Warning: Changing this value will cause Authgear not able to look up any previous LDAP identities.
68
+
- `identity.ldap.servers.user_id_attribute_oid`: The attribute that is guaranteed to be unique and never change for a given user in the LDAP server. It is used to identify a user from the LDAP server. Warning: Changing this value will cause Authgear not able to look up any previous LDAP identities.
66
69
67
70
> Why does `identity.ldap.servers.url` allow scheme, host, and port?
68
71
> The LDAP URL, defined in [Section 2 in RFC 4516](https://datatracker.ietf.org/doc/html/rfc4516#section-2), is syntactically different from the URL defined in [RFC3986](https://datatracker.ietf.org/doc/html/rfc3986).
@@ -96,7 +99,7 @@ Here is the JSON schema for the LDAP server configuration.
@@ -114,9 +117,9 @@ Here is the JSON schema for the LDAP server configuration.
114
117
"type": "string",
115
118
"format": "ldap_search_filter_template"
116
119
},
117
-
"user_id_attribute": {
120
+
"user_id_attribute_oid": {
118
121
"type": "string",
119
-
"format": "ldap_attribute_name"
122
+
"format": "ldap_oid"
120
123
}
121
124
}
122
125
}
@@ -125,14 +128,14 @@ Here is the JSON schema for the LDAP server configuration.
125
128
- `format: ldap_url`: It is a JSON schema format that implements the rules of `identity.ldap.servers.url`.
126
129
- `format: ldap_dn`: It is a JSON schema format that validates the value to be a valid DN.
127
130
- `format: ldap_search_filter_template`: It is a JSON schema format that validates the rendered string to be a valid Search Filter. It does the validation by running the template with `Username=user`, `Username=user@example.com`, and `Username=+85298765432`, and then parse the resulting Search Filter as a Search Filter.
128
-
- `format: ldap_attribute_name`: It is a JSON schema format that validates the value to be a valid LDAP attribute name.
131
+
- `format: ldap_oid`: It is a JSON schema format that validates the value to be a valid LDAP oid.
129
132
130
133
## Testing on the configuration
131
134
132
135
> TODO: Add a mutation in the Admin API to test LDAP connection.
133
136
> It should take the whole server configuration, and optionally a end-user username.
134
137
> It connects the LDAP server with the URL and the credentials.
135
-
> If the optional end-user username is given, it performs a Search request, and validates the user exists and has user_id_attribute.
138
+
> If the optional end-user username is given, it performs a Search request, and validates the user exists and has user_id_attribute_oid.
136
139
> It returns detailed API errors so that the portal can display relevant information for the developer to debug the configuration.
137
140
> Such detailed API errors ARE NOT returned in actual use. They are reported as internal errors.
138
141
@@ -141,29 +144,29 @@ Here is the JSON schema for the LDAP server configuration.
141
144
```sql
142
145
CREATE TABLE _auth_identity_ldap
143
146
(
144
-
id text PRIMARY KEY REFERENCES _auth_identity (id),
145
-
app_id text NOT NULL,
146
-
server_name text NOT NULL,
147
-
user_id_attribute text NOT NULL,
148
-
user_id_value text NOT NULL,
149
-
claims jsonb NOT NULL,
150
-
raw_entry_json jsonb NOT NULL
147
+
id text PRIMARY KEY REFERENCES _auth_identity (id),
148
+
app_id text NOT NULL,
149
+
server_name text NOT NULL,
150
+
user_id_attribute_oid text NOT NULL,
151
+
user_id_attribute_value text NOT NULL,
152
+
claims jsonb NOT NULL,
153
+
raw_entry_json jsonb NOT NULL
151
154
);
152
155
153
-
CREATE UNIQUE INDEX _auth_identity_ldap_unique ON _auth_identity_ldap (app_id, server_name, user_id_attribute, user_id_value);
156
+
CREATE UNIQUE INDEX _auth_identity_ldap_unique ON _auth_identity_ldap (app_id, server_name, user_id_attribute_oid, user_id_attribute_value);
154
157
```
155
158
156
159
-`id`: The primary key of this table. This is the same as other `_auth_identity_*` tables.
157
160
-`app_id`: The app ID of this table for multi-tenant. This is the same as other `_auth_identity_*` tables.
158
161
-`server_name`: The `name` of the LDAP server.
159
-
-`user_id_attribute`: The `user_id_attribute` of the LDAP server when this identity is created.
160
-
-`user_id_value`: The value of the `user_id_attribute` of the user.
162
+
-`user_id_attribute_oid`: The `user_id_attribute_oid` of the LDAP server when this identity is created.
163
+
-`user_id_attribute_value`: The value of the `user_id_attribute_oid` of the user.
161
164
-`claims`: The standard claims extracted from this LDAP entry.
162
165
-`raw_entry_json`: The raw LDAP entry encoded in JSON. It looks like `{ "dn": "uid=johndoe,dc=example,dc=com", "attr1": ["value1"] }`.
163
166
164
167
## Handling of a LDAP identity
165
168
166
-
- To look up a LDAP identity in Authgear, we use the tuple `(app_id, server_name, user_id_attribute, user_id_value)`.
169
+
- To look up a LDAP identity in Authgear, we use the tuple `(app_id, server_name, user_id_attribute_oid, user_id_attribute_value)`.
167
170
- Similar to OAuth identity, we update an LDAP identity when it is used in login.
168
171
169
172
## The UX of LDAP in Auth UI
@@ -179,5 +182,5 @@ This section documents the expected errors.
179
182
180
183
|Description|Name|Reason|Info|
181
184
|---|---|---|---|
182
-
|When the LDAP server is service unavailable, `user_id_attribute` not found in a user, search filter turns out to be invalid, etc|InternalError|UnexpectedError||
185
+
|When the LDAP server is service unavailable, `user_id_attribute_oid` not found in a user, search filter turns out to be invalid, etc|InternalError|UnexpectedError||
183
186
|When the end-user cannot authenticate to the LDAP server|Unauthorized|InvalidCredentials||
0 commit comments