Platform Explorer / Nuxeo Platform 2023.6

Extension point servers

Documentation

The servers extension point is used to register network connection parameters to a pool of LDAP servers.

Examples:

    <server name="default">
        <ldapUrl>ldap://localhost:389</ldapUrl>
        <ldapUrl>ldap://server2:389</ldapUrl>
        <ldapUrl>ldaps://server3:389</ldapUrl>
        <!-- LDAP SRV DNS resolution on _ldap._tcp.example.com -->
        <ldapUrl>ldap:///dc=example,dc=com</ldapUrl>
        <!-- LDAP SRV DNS resolution on _gc._tcp.example.com -->
        <ldapUrl srvPrefix="_gc._tcp">ldap:///dc=example,dc=com</ldapUrl>
        <connectionTimeout>10000</connectionTimeout>
        <retries>5</retries>
        <poolingEnabled>true</poolingEnabled>
        <poolingConnectionTimeout>60000</poolingConnectionTimeout>
        <verifyServerCert>true</verifyServerCert>
        <bindDn>cn=nuxeo5,ou=applications,dc=example,dc=com</bindDn>
        <bindPassword>changeme</bindPassword>
    </server>

The ldapUrl tags point to server (IP address or DNS name) and ports. If more than one is provided, the Nuxeo EP will use a pool of load balanced connections to each server. They are assumed to be replicated versions of a master server that should belong to the list.

The connectionTimeout element specifies a connection timeout in milliseconds. The default is 10000.

The retries element indicates how many times the request will be retried if LDAP server returns a ServiceUnavailableException. The default is 5.

The poolingEnabled element specifies whether to use LDAP connection pooling. The default is true.

The poolingTimeout element specifies, in milliseconds, how long a connection may remain in the pool when LDAP connection pooling is enabled. The default is 60000.

The verifyServerCert element specifies whether, in SSL mode, all certificates should be checked. This should only be disabled when testing with test server having self-signed certificates. The default is true.

The bindDn and bindPassword credentials are used by Nuxeo EP to access the content of the LDAP servers. It should have the read permission to any entry that is to be used by Nuxeo EP and write right to branches were Nuxeo EP is supposed to create or edit entries.

For instance, in OpenLDAP you should have ACLs such as:

        access to attrs="userPassword"
        by dn="cn=ldapadmin,dc=example,dc=com" write
        by dn="cn=nuxeo5,ou=applications,dc=example,dc=com" write
        by anonymous auth
        by self write
        by * none

        access to dn.base="" by * read

        # nuxeo5 can manage the ou=people branch
        access to dn.subtree="ou=people,dc=example,dc=com"
        by dn="cn=nuxeo5,ou=applications,dc=example,dc=com" write
        by users read
        by self write
        by * none

        access to dn.subtree="ou=groups,dc=example,dc=com"
        by dn="cn=nuxeo5,ou=applications,dc=example,dc=com" write
        by users read
        by self write
        by * none

        # The admin dn has full write access
        # other
        access to *
        by dn="cn=ldapadmin,dc=example,dc=com" write
        by users read
        by * none

User authentication is done using a bind method against the user provided login and password from the login form and not the bindDn / bindPassword credentials.

Contribution Descriptors

  • Class: org.nuxeo.ecm.directory.ldap.LDAPServerDescriptor

Contributions

No known contributions.