# # Licensed to the Apache Software Foundation (ASF) under one # or more contributor license agreements. See the NOTICE file # distributed with this work for additional information # regarding copyright ownership. The ASF licenses this file # to you under the Apache License, Version 2.0 (the # "License"); you may not use this file except in compliance # with the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, # software distributed under the License is distributed on an # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY # KIND, either express or implied. See the License for the # specific language governing permissions and limitations # under the License. # # This enables external authentication, but does not include any specific external identity provider. # Read the comments in 60-ldap-connection.txt for information about configuring an LDAP identity provider. [feature name=external-authentication version=0.7.0] [variables] oak.version=1.8.8 # Add the modules needed for external authentication [artifacts startLevel=15] # This enables generic support for external authentication org.apache.jackrabbit/oak-auth-external/${oak.version} [configurations] # The SyncHandler is responsible for synchronizing user and group information between the external system and the local user profiles. org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler handler.name="default" # LDAP user profiles will be copied in the `ldapUsers` subfolder of the default users directory (/home/users by default) user.pathPrefix="/ldapUsers" # How properties in the local nodes representing users will be populated from LDAP fields. # For example, the `rep:fullname` property will have the value in the `cn` field from the LDAP profile. user.propertyMapping=["rep:fullname\=cn"] # ExternalLoginModuleFactory will be automatically picked up by JAAS # This configures the ExternalLoginModule created by the factory org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory idp.name="ldap" # It is sufficient to log in with the external password. In theory, it should be enough to change to REQUISITE if external log in should be mandatory, thus disabling any local accounts including admin, but this doesn't seem to work: local accounts are explicitly ignored by the ExternalLoginModule jaas.controlFlag="SUFFICIENT" # Modules are tried in order from the highest ranking to the lowest, so this will be tried after local login. jaas.ranking=I"50" jaas.realmName="" # Which SyncHandler configuration to use for syncing external profiles. Reference the one configured below. sync.handlerName="default" # # Licensed to the Apache Software Foundation (ASF) under one # or more contributor license agreements. See the NOTICE file # distributed with this work for additional information # regarding copyright ownership. The ASF licenses this file # to you under the Apache License, Version 2.0 (the # "License"); you may not use this file except in compliance # with the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, # software distributed under the License is distributed on an # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY # KIND, either express or implied. See the License for the # specific language governing permissions and limitations # under the License. # # This is the LDAP connection information (bind DN, bind password, host name, etc.). # The generic external authentication support is defined in 25-external-auth.txt [feature name=ldap-connection version=0.7.0] [variables] lfs.ldap.baseDn=DC\=sickkids,DC\=ca lfs.ldap.dn=CN\=Sergiu\ Dumitriu,OU\=ComputationalMedicine,DC\=sickkids,DC\=ca lfs.ldap.host=sickkids.ca lfs.ldap.idAttribute=sAMAccountName lfs.ldap.password=siarstasaleasculte lfs.ldap.userClass=user oak.version=1.8.8 # Add the modules needed for LDAP authentication [artifacts startLevel=15] # This adds support for LDAP as a specific external authenticator org.apache.jackrabbit/oak-auth-ldap/${oak.version} [configurations] org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider bind.dn="${lfs.ldap.dn}" bind.password="${lfs.ldap.password}" host.name="${lfs.ldap.host}" provider.name="ldap" user.baseDN="${lfs.ldap.baseDn}" user.idAttribute="${lfs.ldap.idAttribute}" user.objectclass=["${lfs.ldap.userClass}"]