Platform Explorer / Nuxeo Platform 5.8

Extension point servers

Documentation

The servers extension point is used to register network connection parameters to a pool of LDAP servers.

Examples:

    <server name="default">
        <ldapUrl>ldap://localhost:389</ldapUrl>
        <ldapUrl>ldap://server2:389</ldapUrl>
        <ldapUrl>ldaps://server3:389</ldapUrl>
        <!-- LDAP SRV DNS resolution on _ldap._tcp.example.com -->
        <ldapUrl>ldap:///dc=example,dc=com</ldapUrl>
        <!-- LDAP SRV DNS resolution on _gc._tcp.example.com -->
        <ldapUrl srvPrefix="_gc._tcp">ldap:///dc=example,dc=com</ldapUrl>
        <retries>5</retries>
        <bindDn>cn=nuxeo5,ou=applications,dc=example,dc=com</bindDn>
        <bindPassword>changeme</bindPassword>
    </server>

Each ldapUrl element names one server (IP address or DNS name) and port. When several are given, Nuxeo EP keeps a pool of connections load balanced across them; the servers are assumed to be replicas of the same directory, and the master should itself be in the list. A URL with an empty host and a DN path, such as ldap:///dc=example,dc=com, is not connected to directly: the dc= components are turned into a DNS name and the servers are discovered from SRV records (_ldap._tcp.example.com, as the comments above show); the srvPrefix attribute replaces _ldap._tcp, for instance with _gc._tcp for an Active Directory global catalog. Note that ldap:// URLs send the bindPassword and every user's login password in cleartext, so ldaps:// is the right choice unless the network path to the directory is trusted.

The retries element gives how many times a request is retried when the LDAP server answers with a ServiceUnavailableException (default value is 5).
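The two paragraphs above describe a connection pool with SRV discovery and retry on ServiceUnavailableException. The following is an added example, not Nuxeo code: it parses the <server> element shown on this page, derives the SRV owner name for host-less URLs, expands them with a constructed SRV answer table (standing in for DNS, in RFC 2782 priority/weight order), flags the URLs that would carry credentials in cleartext, and models a retry loop that moves to the next server in the pool. The SRV records, the "retries + 1 attempts" reading and the round-robin rotation are assumptions of this model, not a description of Nuxeo's implementation.

```python
# Added example (not Nuxeo code): model of how a <server> contribution's
# ldapUrl list becomes a connection pool, with DNS SRV resolution for
# host-less URLs and retry-with-failover on ServiceUnavailable.
import random
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# The <server> element from the page, embedded as parser input.
SERVER_XML = """<server name="default">
    <ldapUrl>ldap://localhost:389</ldapUrl>
    <ldapUrl>ldap://server2:389</ldapUrl>
    <ldapUrl>ldaps://server3:389</ldapUrl>
    <ldapUrl>ldap:///dc=example,dc=com</ldapUrl>
    <ldapUrl srvPrefix="_gc._tcp">ldap:///dc=example,dc=com</ldapUrl>
    <retries>5</retries>
    <bindDn>cn=nuxeo5,ou=applications,dc=example,dc=com</bindDn>
    <bindPassword>changeme</bindPassword>
</server>"""

# Constructed SRV answers standing in for DNS: (priority, weight, port, target).
FAKE_SRV = {
    "_ldap._tcp.example.com": [(10, 60, 389, "ldap1.example.com"),
                               (10, 40, 389, "ldap2.example.com"),
                               (20, 0, 389, "ldap-backup.example.com")],
    "_gc._tcp.example.com": [(0, 100, 3268, "gc1.example.com")],
}


def srv_name(url, prefix="_ldap._tcp"):
    """SRV owner name for a host-less URL: ldap:///dc=example,dc=com ->
    _ldap._tcp.example.com. Returns None when the URL already names a host."""
    parts = urlsplit(url)
    if parts.netloc:
        return None
    rdns = [rdn.split("=", 1) for rdn in parts.path.lstrip("/").split(",") if "=" in rdn]
    labels = [v.strip() for k, v in rdns if k.strip().lower() == "dc"]
    if not labels:
        raise ValueError("no dc= components in %r" % url)
    return prefix + "." + ".".join(labels)


def _weighted_pick(group, rng):
    total = sum(r[1] for r in group)
    if total == 0:
        return group[0]
    roll = rng.uniform(0, total)
    for r in group:
        roll -= r[1]
        if roll <= 0:
            return r
    return group[-1]


def order_srv(records, rng):
    """RFC 2782 ordering: ascending priority, weighted random within a priority."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        group = [r for r in records if r[0] == prio]
        while group:
            pick = _weighted_pick(group, rng)
            ordered.append(pick)
            group.remove(pick)
    return ordered


def build_pool(xml_text, srv_table=FAKE_SRV, rng=None):
    """Expand every ldapUrl element into concrete scheme://host:port URLs."""
    rng = rng or random.Random(0)
    pool = []
    for el in ET.fromstring(xml_text).findall("ldapUrl"):
        url = el.text.strip()
        name = srv_name(url, el.get("srvPrefix", "_ldap._tcp"))
        if name is None:
            pool.append(url)
            continue
        scheme = urlsplit(url).scheme
        for _, _, port, target in order_srv(srv_table[name], rng):
            pool.append("%s://%s:%d" % (scheme, target, port))
    return pool


def cleartext_urls(pool):
    """ldap:// (no TLS) carries the service bind and every user's password in clear."""
    return [u for u in pool if urlsplit(u).scheme == "ldap"]


def retries_of(xml_text):
    el = ET.fromstring(xml_text).find("retries")
    return int(el.text) if el is not None else 5  # page: default value is 5


class ServiceUnavailable(Exception):
    """Stands in for javax.naming.ServiceUnavailableException."""


def call_with_retries(pool, retries, operation):
    """Run operation(url) against the pool; on ServiceUnavailable move to the
    next server, allowing `retries` retries after the first attempt (this
    model's reading of the setting). Returns (result, attempts made)."""
    last = None
    for attempt in range(retries + 1):
        url = pool[attempt % len(pool)]
        try:
            return operation(url), attempt + 1
        except ServiceUnavailable as exc:
            last = exc
    raise last
```

Run against the page's own example, build_pool() yields the three explicit servers, the two priority-10 SRV targets (in weighted random order) followed by the priority-20 backup, and the global catalog on port 3268; cleartext_urls() then points out that six of the seven would bind without TLS.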

The bindDn and bindPassword credentials are the service account Nuxeo EP uses to access the content of the LDAP servers. It needs read access to every entry Nuxeo EP uses and write access only to the branches where Nuxeo EP is expected to create or edit entries; give it nothing beyond that, since the password sits in clear in the Nuxeo configuration.

For instance, in OpenLDAP you could use ACLs such as the ones below. Two points to check before copying them: the userPassword clause is not scoped to a subtree, so it also lets cn=nuxeo5 rewrite the password of entries outside ou=people (cn=ldapadmin included), and "by self write" on the whole ou=people subtree lets every user modify any attribute of their own entry, not only userPassword.

        access to attrs="userPassword"
        by dn="cn=ldapadmin,dc=example,dc=com" write
        by dn="cn=nuxeo5,ou=applications,dc=example,dc=com" write
        by anonymous auth
        by self write
        by * none

        access to dn.base="" by * read

        # nuxeo5 can manage the ou=people branch
        access to dn.subtree="ou=people,dc=example,dc=com"
        by dn="cn=nuxeo5,ou=applications,dc=example,dc=com" write
        by users read
        by self write
        by * none

        access to dn.subtree="ou=groups,dc=example,dc=com"
        by dn="cn=nuxeo5,ou=applications,dc=example,dc=com" write
        by users read
        by self write
        by * none

        # The admin dn has full write access
        # other
        access to *
        by dn="cn=ldapadmin,dc=example,dc=com" write
        by users read
        by * none

User authentication is done with a separate LDAP bind using the login and password the user typed in the login form, not with the bindDn / bindPassword credentials (the bindDn account is what Nuxeo EP uses for directory access, such as finding the entry a login corresponds to). Whatever performs that bind must reject an empty password before sending it: under RFC 4513 a simple bind with a DN and an empty password is an unauthenticated bind, which a server may accept as anonymous, so a client that treats "bind did not fail" as "authenticated" would let anyone log in as any user with a blank password.
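To make the empty-password pitfall concrete, here is an added example, not Nuxeo code, of the two-step login just described against a constructed in-memory directory: the service account finds the user's entry, then a second bind is made as that entry with the form password. The fake server follows RFC 4513 section 5.1.2 and treats a DN with an empty password as an anonymous bind that succeeds (as some real servers do); login_naive() shows the vulnerable pattern, login() the hardened one. The directory contents, the uid-based lookup and the FakeLdap class are assumptions of this example.

```python
# Added example (not Nuxeo code): service-account lookup followed by a bind
# as the user, with and without the guard against unauthenticated binds.

# Constructed directory: DN -> attributes (passwords in clear only for the model).
DIRECTORY = {
    "cn=nuxeo5,ou=applications,dc=example,dc=com": {"userPassword": "changeme"},
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "userPassword": "correct horse"},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob", "userPassword": "battery staple"},
}

BIND_DN = "cn=nuxeo5,ou=applications,dc=example,dc=com"   # from the page's example
BIND_PASSWORD = "changeme"
PEOPLE = "ou=people,dc=example,dc=com"


class InvalidCredentials(Exception):
    pass


class FakeLdap:
    """Minimal simple-bind + search model. allow_unauth_bind mirrors a server
    that accepts DN + empty password as an anonymous bind (RFC 4513 5.1.2)."""

    def __init__(self, directory, allow_unauth_bind=True):
        self.directory = directory
        self.allow_unauth_bind = allow_unauth_bind

    def bind(self, dn, password):
        """Return the authorization identity: the DN, or '' for anonymous."""
        if dn and password == "":
            if self.allow_unauth_bind:
                return ""  # unauthenticated bind: no error, but nobody is logged in
            raise InvalidCredentials("unauthenticated bind refused")
        entry = self.directory.get(dn)
        if entry is None or entry.get("userPassword") != password:
            raise InvalidCredentials(dn)
        return dn

    def search_uid(self, authz, base, uid):
        """Find the DN under `base` whose uid matches; anonymous gets 'by * none'."""
        if not authz:
            raise PermissionError("anonymous cannot read " + base)
        for dn, attrs in self.directory.items():
            if dn.endswith(base) and attrs.get("uid") == uid:
                return dn
        return None


def login_naive(server, username, password):
    """Vulnerable pattern: 'bind did not raise' is taken as 'authenticated'."""
    svc = server.bind(BIND_DN, BIND_PASSWORD)
    user_dn = server.search_uid(svc, PEOPLE, username)
    if user_dn is None:
        return False
    try:
        server.bind(user_dn, password)
        return True
    except InvalidCredentials:
        return False


def login(server, username, password):
    """Hardened: refuse empty passwords before any bind, and require that the
    server authenticated as the user's DN rather than anonymously."""
    if not password:
        return False
    svc = server.bind(BIND_DN, BIND_PASSWORD)
    user_dn = server.search_uid(svc, PEOPLE, username)
    if user_dn is None:
        return False
    try:
        return server.bind(user_dn, password) == user_dn
    except InvalidCredentials:
        return False
```

With a server that accepts unauthenticated binds, login_naive("alice", "") returns True while login("alice", "") returns False; both behave the same once the server itself refuses such binds, which is why the check belongs on both sides.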

Contribution Descriptors

  • Class: org.nuxeo.ecm.directory.ldap.LDAPServerDescriptor

Contributions

No known contributions.