Extension point servers
Documentation
The servers extension point is used to register network connection parameters to a pool of LDAP servers.
Examples:
<server name="default">
  <ldapUrl>ldap://localhost:389</ldapUrl>
  <ldapUrl>ldap://server2:389</ldapUrl>
  <ldapUrl>ldaps://server3:389</ldapUrl>
  <!-- LDAP SRV DNS resolution on _ldap._tcp.example.com -->
  <ldapUrl>ldap:///dc=example,dc=com</ldapUrl>
  <!-- LDAP SRV DNS resolution on _gc._tcp.example.com -->
  <ldapUrl srvPrefix="_gc._tcp">ldap:///dc=example,dc=com</ldapUrl>
  <connectionTimeout>10000</connectionTimeout>
  <retries>5</retries>
  <poolingEnabled>true</poolingEnabled>
  <verifyServerCert>true</verifyServerCert>
  <bindDn>cn=nuxeo5,ou=applications,dc=example,dc=com</bindDn>
  <bindPassword>changeme</bindPassword>
</server>
Each ldapUrl tag points to a server (IP address or DNS name) and port. If more than one is provided, Nuxeo EP uses a pool of load-balanced connections across those servers. They are assumed to be replicated copies of a master server that should itself belong to the list.
The connectionTimeout element specifies a connection timeout in milliseconds. The default is 10000.
The retries element indicates how many times a request is retried when the LDAP server returns a ServiceUnavailableException. The default is 5.
The poolingEnabled element specifies whether to use LDAP connection pooling. The default is true.
The verifyServerCert element specifies whether, in SSL mode, all server certificates are checked. Disabling it means the server's certificate is no longer validated, so it should only be done when testing against a test server that uses self-signed certificates. The default is true.
The bindDn and bindPassword credentials are used by Nuxeo EP to access the content of the LDAP servers. This account needs read permission on every entry Nuxeo EP will use, and write permission on the branches where Nuxeo EP is expected to create or edit entries.
For instance, in OpenLDAP you should have ACLs such as:
access to attrs="userPassword"
    by dn="cn=ldapadmin,dc=example,dc=com" write
    by dn="cn=nuxeo5,ou=applications,dc=example,dc=com" write
    by anonymous auth
    by self write
    by * none

access to dn.base="" by * read

# nuxeo5 can manage the ou=people branch
access to dn.subtree="ou=people,dc=example,dc=com"
    by dn="cn=nuxeo5,ou=applications,dc=example,dc=com" write
    by users read
    by self write
    by * none

access to dn.subtree="ou=groups,dc=example,dc=com"
    by dn="cn=nuxeo5,ou=applications,dc=example,dc=com" write
    by users read
    by self write
    by * none

# The admin dn has full write access
# other
access to *
    by dn="cn=ldapadmin,dc=example,dc=com" write
    by users read
    by * none
User authentication is performed with a bind using the login and password the user enters in the login form, not with the bindDn / bindPassword credentials.
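The connection settings described above can be reviewed before deployment. The following Python script is an added example (not Nuxeo code and not from this page): it parses a server contribution in the format shown above and flags the settings that weaken the connection, namely cleartext ldap:// URLs, verifyServerCert set to false, and an empty or placeholder bindPassword. Both sample contributions inside it are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample contributions (not from the page): a weak one and a hardened one.
WEAK = """<server name="default">
  <ldapUrl>ldap://localhost:389</ldapUrl>
  <ldapUrl srvPrefix="_gc._tcp">ldap:///dc=example,dc=com</ldapUrl>
  <verifyServerCert>false</verifyServerCert>
  <bindDn>cn=nuxeo5,ou=applications,dc=example,dc=com</bindDn>
  <bindPassword>changeme</bindPassword>
</server>"""

HARDENED = """<server name="default">
  <ldapUrl>ldaps://server3:636</ldapUrl>
  <ldapUrl srvPrefix="_gc._tcp">ldap:///dc=example,dc=com</ldapUrl>
  <connectionTimeout>10000</connectionTimeout>
  <verifyServerCert>true</verifyServerCert>
  <bindDn>cn=nuxeo5,ou=applications,dc=example,dc=com</bindDn>
  <bindPassword>Xq9-constructed-example-value</bindPassword>
</server>"""

PLACEHOLDER_PASSWORDS = {"", "changeme", "password", "secret"}


def audit_server(xml_text):
    """Return a list of findings for one <server> contribution; empty means nothing flagged."""
    server = ET.fromstring(xml_text)
    findings = []
    urls = [(u.text or "").strip() for u in server.findall("ldapUrl")]
    # ldap:///<baseDN> (no host part) means SRV DNS resolution, not a literal cleartext host.
    cleartext = [u for u in urls if u.startswith("ldap://") and not u.startswith("ldap:///")]
    if cleartext:
        findings.append("cleartext ldap:// URL(s); bind credentials cross the network "
                        "unencrypted: " + ", ".join(cleartext))
    # A missing element means the documented default (true); only an explicit false is weak.
    verify = (server.findtext("verifyServerCert") or "true").strip().lower()
    if verify != "true":
        findings.append("verifyServerCert is %r: the server certificate is not validated "
                        "on ldaps:// connections" % verify)
    password = (server.findtext("bindPassword") or "").strip()
    if password.lower() in PLACEHOLDER_PASSWORDS:
        findings.append("bindPassword is empty or a well-known placeholder")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_server(xml_text) or ["no findings"])
```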
Contribution Descriptors
- Class: org.nuxeo.ecm.directory.ldap.LDAPServerDescriptor