
LdapAuth 2.0

LdapAuth 2.0 is out!

LdapAuth is a simple and lightweight JSON-RPC service for LDAP user authentication and details provisioning. It is designed to be used from web applications or as part of a Single Sign-On (SSO) arrangement.

Version 2.0, released last week, is a major overhaul of LdapAuth. It extends the service capabilities in a number of aspects; it also touches the web API and the configuration, so if you’re upgrading you’ll have to take this into account as well.

Json2Ldap gateway / proxy support

LdapAuth relies on a back-end LDAP directory, such as MS Active Directory or OpenDJ, to verify user credentials and to provision selected user attributes. Until now this was done by establishing direct LDAP connections to the directory. With the new 2.0 version you can also make use of the Json2Ldap gateway / proxy which adds more flexibility.

DN and Json2Ldap CID provisioning

LdapAuth clients may be allowed to receive the user’s directory DN with user.get calls. For Json2Ldap back-ends an LDAP connection identifier (CID) may also be provided, so that web clients can make subsequent directory requests authenticated as the user’s DN. Example user.get response:

{ "result"  : { "DN"         : "uid=alice,ou=people,dc=wonderland,dc=net",
                "attributes" : { "userID" : "alice",
                                 "name"   : "Alice Adams",
                                 "email"  : [ "alice@wonderland.net" ],
                                 "phone"  : [ "+1 685 622 6202",
                                              "+1 010 154 3228",
                                              "+1 225 216 5900" ] },
                "Json2Ldap" : { "URL" : "http:\/\/ldap.example.com",
                                "CID" : "9163a3c2-d15a-41af-9b7a-114afed7dd80" } },
  "id"      : "0001",
  "jsonrpc" : "2.0" }

Retrieving single + multi-valued user attributes

The LdapAuth user.get call can now retrieve single-valued as well as multi-valued user attributes from the directory entry. The names of the attributes to retrieve, and their LDAP-to-JSON name mapping, are defined by the ldapAuth.userAttributes.* configuration settings.

Example mapping configuration:

ldapAuth.userAttributes.single.userID=uid
ldapAuth.userAttributes.single.name=cn
ldapAuth.userAttributes.multi.email=mail
ldapAuth.userAttributes.multi.phone=telephoneNumber mobile homePhone
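To make the mapping semantics concrete, here is an added example (not LdapAuth's own code) that parses the four settings above and applies them to a constructed directory entry, producing the "attributes" object of a user.get response; it assumes a single attribute takes the first LDAP value and a multi attribute concatenates the values of every listed LDAP attribute.

```python
import json

# Constructed config text, mirroring the mapping example on this page.
CONFIG = """
ldapAuth.userAttributes.single.userID=uid
ldapAuth.userAttributes.single.name=cn
ldapAuth.userAttributes.multi.email=mail
ldapAuth.userAttributes.multi.phone=telephoneNumber mobile homePhone
"""
PREFIX = "ldapAuth.userAttributes."

def parse_mapping(text):
    """Return {jsonName: (kind, [ldapAttr, ...])} from properties text."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith(PREFIX):
            continue  # blank, comment or unrelated setting
        key, _, value = line.partition("=")
        kind, _, json_name = key[len(PREFIX):].partition(".")
        if kind not in ("single", "multi") or not json_name or not value.split():
            raise ValueError("bad userAttributes setting: " + line)
        # A multi attribute may merge several LDAP attributes (space separated),
        # e.g. phone <- telephoneNumber mobile homePhone.
        mapping[json_name] = (kind, value.split())
    return mapping

def map_entry(entry, mapping):
    """Build the user.get "attributes" object from an LDAP entry.
    entry is {ldapAttr: [values...]}; only configured attributes are copied,
    so the client never sees attributes the deployment did not expose."""
    out = {}
    for json_name, (kind, ldap_attrs) in mapping.items():
        values = [v for a in ldap_attrs for v in entry.get(a, [])]
        if kind == "single":
            if values:
                out[json_name] = values[0]  # first value of a single-valued attr
        else:
            out[json_name] = values  # always a JSON array, possibly empty
    return out

# Constructed directory entry for a fictitious user (not a real account).
ALICE = {"uid": ["alice"], "cn": ["Alice Adams"], "mail": ["alice@wonderland.net"],
         "telephoneNumber": ["+1 685 622 6202"], "mobile": ["+1 010 154 3228"],
         "homePhone": ["+1 225 216 5900"],
         "userPassword": ["{SSHA}placeholder"]}  # unmapped: never leaves the directory

if __name__ == "__main__":
    print(json.dumps(map_entry(ALICE, parse_mapping(CONFIG)), indent=2))
```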

Support for directory-based user DN resolution

LdapAuth has to perform an operation called DN resolution to discover the directory distinguished name (DN) of a user from the entered username or other identifier, such as email address. The DN is needed to refer to the user’s entry in the LDAP directory for the purpose of authentication (bind) and attribute retrieval.

Until now LdapAuth supplied two methods for DN resolution, TEMPLATE and SEARCH, configured via the ldapAuth.dnResolution.* settings.

Version 2.0 adds a third method, NONE, which leaves DN resolution to the directory itself. This is possible when the LDAP directory supports plain SASL bind (auth) operations that take a username rather than a DN. The advantage of this method is that it simplifies the LdapAuth configuration, centralises administration in the directory, and may also make user.auth and user.get calls quicker to process. Most modern LDAP directories support plain SASL bind, so this is now the recommended method.

If you have an LdapAuth licence you will receive a notification on how to download the upgrade. A free evaluation version is also available on the Connect2id downloads page.