Overview
The LDAP Authentication module allows authentication into Mango to be prioritized to use LDAP. The module allows you to configure the order in which Mango will attempt to authenticate a user. Mango will attempt all available authentication methods in order of priority and reject the user if none succeed. This module will optionally synchronize roles upon login based on the regex matching and role behavior settings. Mango can always synchronize all matching roles from the LDAP server, which is usually desired so that roles removed from an LDAP user are reflected in Mango. Any new user logging into Mango for the first time will be automatically created in Mango.
Env Properties
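# LDAP Configuration (Mango env properties; key=value, '#' full-line comments only)
# This file may hold the manager bind password in clear text, so keep it readable
# only by the account the Mango service runs as.
ldap.enabled=true
# In what order should the LDAP authentication be used. Lower values are higher
# priority. Core authentication schemes are Token Auth = 2, Mango username/password = 1
ldap.authentication.order=0
# LDAP server URL. A plain ldap:// URL sends the manager bind password and every
# user's credentials unencrypted on the wire; use an ldaps:// URL for any server
# that is not on the local host.
ldap.authentication.url=ldap://localhost:8389/dc=springframework,dc=org
# Username (DN) of the "manager" user identity (i.e. "uid=admin,ou=system") which
# will be used to authenticate to a (non-embedded) LDAP server. If omitted,
# anonymous access will be used. Prefer a dedicated read-only account with only the
# directory rights needed for the user and group searches configured below.
ldap.authentication.managerDn=
# The password for the manager DN. This is required if the manager-dn is specified.
# It is stored in clear text here; restrict the file permissions accordingly.
ldap.authentication.managerPassword=
# How should passwords be decoded? [PLAIN, BCRYPT, SCRYPT, ARGON2, SHA, PBKDF2, MD4]
# Using anything other than PLAIN, BCRYPT and SHA will result in locked passwords.
ldap.authentication.encoder=PLAIN
# Lock passwords so users can only log in via LDAP
ldap.authentication.lockPasswords=false
# Comma separated list
ldap.authentication.dnPatterns=
# The LDAP filter used to search for users (optional). For example "(uid={0})". The
# substituted parameter is the user's login name.
ldap.authentication.userSearchFilter=
# Search base for user searches. Defaults to "". Only used with ldap.authentication.userSearchFilter
ldap.authentication.userSearchBase=
# If your users are at a fixed location in the directory (i.e. you can work out the
# DN directly from the username without doing a directory search), you can use this
# attribute to map directly to the DN. It maps directly to the userDnPatterns
# property of AbstractLdapAuthenticator. The value is a specific pattern used to
# build the user's DN, for example "uid={0},ou=people". The key "{0}" must be present
# and will be substituted with the username. This can contain multiple search entries
# that will be tried in order; separate entries (searches) by a semicolon ;
ldap.authentication.userDnPatterns=uid={0},ou=people
# The search base for group membership searches. Defaults to ""
ldap.authentication.groupSearchBase=ou=groups
# The LDAP filter to search for groups. Defaults to "(uniqueMember={0})". The
# substituted parameter is the DN of the user.
ldap.authentication.groupSearchFilter=(uniqueMember={0})
# Specifies the attribute name which contains the role name. Default is "cn"
ldap.authentication.groupRoleAttribute=cn
# Attributes for mapping to Mango users
ldap.authentication.passwordAttribute=userPassword
ldap.authentication.nameAttribute=cn
ldap.authentication.emailAttribute=mail
# For Active Directory only. NOTE: the sample URL above does not point at an Active
# Directory server; set this to false unless Mango is binding to Active Directory.
ldap.authentication.isActiveDirectory=true
# Can be empty. Domain used if the username has no domain when authenticating
ldap.authentication.activeDirectory.domain=
# Can be empty. Root DN for Active Directory searches
ldap.authentication.activeDirectory.rootDn=
# Control Mango Role Synchronization
# Enable new role creation for missing roles (if matches regex below).
# This key is defined exactly once so the effective value does not depend on how the
# properties parser treats duplicate keys.
ldap.authorization.createNewRoles=true
# Regex to match which roles should be created. The value ".*" matches every role
# name coming from LDAP; narrow it (e.g. to a naming prefix) if only a subset of
# directory groups should be turned into Mango roles.
ldap.authorization.newRoleRegex=.*
# How are roles handled?
# LDAP_ONLY=only ldap roles used and will be replaced on every login (default)
# MANGO_ONLY=all ldap roles ignored
# LDAP_ADDITIVE=Roles are imported from LDAP and the Mango user is ensured to have all
# roles assigned to them from LDAP. (This would imply manual intervention if an LDAP
# role is removed from a user)
ldap.authentication.roleBehavior=LDAP_ONLY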