LDAP Direct vs Indirect

Document ID : KB000012064
Last Modified Date : 14/02/2018
Introduction:

Release Automation has offered the ability to integrate with LDAP (both Active Directory (AD) and Non-AD) for a long time. Beginning with version 5.5.2, however, Release Automation offers two different ways of integrating with Non-AD LDAP: Direct and Indirect.

This article is to help clarify the difference between the two options.

Question:

What is the difference between Non-AD Direct and Indirect Authentication?

Environment:
There are several Non-Active Directory (AD) LDAP servers available. In this article we use ApacheDS and Release Automation 6.2.0.b3017.
Answer:

First, it is worth mentioning that these two methods are only used when you import LDAP groups into Release Automation. If you are importing users, these methods are not used.

The main difference between these two methods of authenticating against your LDAP server is:

- Indirect authentication uses a search base distinguished name (DN) and a search filter to find the user's entry anywhere below that base.

- Direct authentication appends the user ID (uid) that is logging in to one or more precise, preconfigured DN patterns.

To visualize it, let's say we have one LDAP group and two LDAP users. We want to import the one LDAP group so that both users can log in and use Release Automation.

Group DN:

cn=RA-SuperUsers,ou=ReleaseAuto,ou=Applications,ou=Groups,dc=ts.ca,dc=com

User DNs:

uid=SupTeam1User,ou=ReleaseAuto,ou=DevOps,ou=TechnicalSupport,dc=ts.ca,dc=com

uid=DevTeam1User,ou=ReleaseAuto,ou=DevOps,ou=Engineering,dc=ts.ca,dc=com

If I wanted to use Direct Authentication, I would need to configure my distributed.properties this way:

use.general.ldap.authentication=true
use.general.ldap.url=ldap://apacheds:10389
use.general.ldap.user.fqdn=uid=admin,ou=system
use.general.ldap.user.password=secret
use.general.ldap.user.dn.patterns=uid={0},ou=ReleaseAuto,ou=DevOps,ou=TechnicalSupport,dc=ts.ca,dc=com;uid={0},ou=ReleaseAuto,ou=DevOps,ou=Engineering,dc=ts.ca,dc=com
use.general.ldap.group.search.base=ou=Groups,dc=ts.ca,dc=com
use.general.ldap.group.search.filter=(|(uniqueMember={0})(member={0}))

Note that user.dn.patterns lists the DN path for both users; that is the only way both users will be able to log in. It also means you need to know the DN of every user in that group and make sure its path is included (patterns are separated by a semicolon). The {0} placeholder is replaced by the uid entered at login.

If I wanted to use Indirect Authentication, I would need to configure my distributed.properties this way:

use.general.ldap.authentication=true
use.general.ldap.url=ldap://apacheds:10389
use.general.ldap.user.fqdn=uid=admin,ou=system
use.general.ldap.user.password=secret
use.general.ldap.user.search.base=dc=ts.ca,dc=com
use.general.ldap.user.search.filter=uid={0}
use.general.ldap.group.search.base=ou=Groups,dc=ts.ca,dc=com
use.general.ldap.group.search.filter=(|(uniqueMember={0})(member={0}))

This way is nice because you can specify the top level and it will search your directory tree for that user ID. But be careful: if you have a large directory tree, searching for the user ID could take some time.
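The following Python is an added example, not part of the original article and not CA's own code. It simulates how the Direct and the Indirect configurations shown above turn a login uid into a DN and then check membership of the imported group, using an in-memory stand-in for the ApacheDS tree instead of a live LDAP connection. The group DN and the two user DNs are the ones from the article; the third user under ou=QA, the passwords, the load_properties/resolve_direct/resolve_indirect/login helpers and the simplified bind-then-group-check order are assumptions made for the illustration.

```python
"""Added example: simulate Direct vs Indirect LDAP resolution against an
in-memory directory. Not the product's code; see the lead-in for assumptions."""
import re

# The two distributed.properties fragments from the article, embedded as text.
DIRECT_PROPERTIES = """
use.general.ldap.authentication=true
use.general.ldap.url=ldap://apacheds:10389
use.general.ldap.user.fqdn=uid=admin,ou=system
use.general.ldap.user.password=secret
use.general.ldap.user.dn.patterns=uid={0},ou=ReleaseAuto,ou=DevOps,ou=TechnicalSupport,dc=ts.ca,dc=com;uid={0},ou=ReleaseAuto,ou=DevOps,ou=Engineering,dc=ts.ca,dc=com
use.general.ldap.group.search.base=ou=Groups,dc=ts.ca,dc=com
use.general.ldap.group.search.filter=(|(uniqueMember={0})(member={0}))
"""

INDIRECT_PROPERTIES = """
use.general.ldap.authentication=true
use.general.ldap.url=ldap://apacheds:10389
use.general.ldap.user.fqdn=uid=admin,ou=system
use.general.ldap.user.password=secret
use.general.ldap.user.search.base=dc=ts.ca,dc=com
use.general.ldap.user.search.filter=uid={0}
use.general.ldap.group.search.base=ou=Groups,dc=ts.ca,dc=com
use.general.ldap.group.search.filter=(|(uniqueMember={0})(member={0}))
"""

GROUP_DN = "cn=RA-SuperUsers,ou=ReleaseAuto,ou=Applications,ou=Groups,dc=ts.ca,dc=com"
SUP_DN = "uid=SupTeam1User,ou=ReleaseAuto,ou=DevOps,ou=TechnicalSupport,dc=ts.ca,dc=com"
DEV_DN = "uid=DevTeam1User,ou=ReleaseAuto,ou=DevOps,ou=Engineering,dc=ts.ca,dc=com"
QA_DN = "uid=QaTeam1User,ou=QA,dc=ts.ca,dc=com"  # assumed extra user outside both patterns

# Constructed in-memory directory (DN -> attributes). Passwords are made up.
DIRECTORY = {
    GROUP_DN: {"objectClass": ["groupOfUniqueNames"], "uniqueMember": [SUP_DN, DEV_DN]},
    SUP_DN: {"uid": ["SupTeam1User"], "userPassword": ["sup-pass"]},
    DEV_DN: {"uid": ["DevTeam1User"], "userPassword": ["dev-pass"]},
    QA_DN: {"uid": ["QaTeam1User"], "userPassword": ["qa-pass"]},
}


def load_properties(text):
    """Parse key=value lines; only the first '=' splits key from value, since DNs contain '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def escape_filter_value(value):
    """RFC 4515 escaping of a user-supplied value before it is substituted into a filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def matches(attrs, filt):
    """Evaluate the two filter shapes used on this page: 'attr=value' and '(|(a=v)(b=v))'."""
    filt = filt.strip()
    if filt.startswith("(") and filt.endswith(")"):
        filt = filt[1:-1]
    if filt.startswith("|"):
        return any(matches(attrs, part) for part in re.findall(r"\(([^()]*)\)", filt[1:]))
    attr, _, value = filt.partition("=")
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)  # undo escaping
    return value in attrs.get(attr, [])


def dn_is_under(dn, base):
    return dn.lower() == base.lower() or dn.lower().endswith("," + base.lower())


def resolve_direct(props, uid):
    """Direct: substitute the uid into each ';'-separated pattern; only those DNs are tried."""
    patterns = props["use.general.ldap.user.dn.patterns"].split(";")
    candidates = [p.replace("{0}", uid) for p in patterns]
    return [dn for dn in candidates if dn in DIRECTORY], len(candidates)


def resolve_indirect(props, uid):
    """Indirect: subtree search below user.search.base; every entry under the base is examined."""
    base = props["use.general.ldap.user.search.base"]
    filt = props["use.general.ldap.user.search.filter"].replace("{0}", escape_filter_value(uid))
    scope = [dn for dn in DIRECTORY if dn_is_under(dn, base)]
    return [dn for dn in scope if matches(DIRECTORY[dn], filt)], len(scope)


def group_memberships(props, user_dn):
    """Groups under group.search.base whose member/uniqueMember attribute holds the user's DN."""
    base = props["use.general.ldap.group.search.base"]
    filt = props["use.general.ldap.group.search.filter"].replace("{0}", escape_filter_value(user_dn))
    return [dn for dn in DIRECTORY if dn_is_under(dn, base) and matches(DIRECTORY[dn], filt)]


def login(props, uid, password):
    """Simplified flow (an assumption, not the product's code): resolve the DN with whichever
    method the properties configure, check the password as a stand-in for an LDAP bind, then
    require membership of at least one imported group. Returns (ok, dn, groups, entries_examined)."""
    if "use.general.ldap.user.dn.patterns" in props:
        dns, examined = resolve_direct(props, uid)
    else:
        dns, examined = resolve_indirect(props, uid)
    for dn in dns:
        if password in DIRECTORY[dn].get("userPassword", []):
            groups = group_memberships(props, dn)
            return bool(groups), dn, groups, examined
    return False, None, [], examined


if __name__ == "__main__":
    direct, indirect = load_properties(DIRECT_PROPERTIES), load_properties(INDIRECT_PROPERTIES)
    for name, props in (("direct", direct), ("indirect", indirect)):
        for uid, pw in (("SupTeam1User", "sup-pass"), ("QaTeam1User", "qa-pass")):
            print(name, uid, login(props, uid, pw))
```

Running it shows the two behaviours side by side: with the Direct settings only the DNs produced by the two patterns are ever tried (two lookups, and the QA user can never log in because no pattern covers ou=QA), whereas with the Indirect settings every entry under dc=ts.ca,dc=com is examined for each login, which is the cost the article warns about on a large tree; the QA user is then found but is still rejected because the group search does not list that DN as a member. The uid is RFC 4515-escaped before it is substituted into the search filter, so a value such as * is compared literally rather than treated as a wildcard; that is standard practice for any search-then-bind flow, whatever product performs the search.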