LDAP

LDAP properties define how Squore accesses your company directory service and what it reads from it. They are defined in providers of type ldap.

The mandatory properties are the following:

  • url, the URL of the Directory Server; the default port (for LDAPS) is usually 636.

  • principal, the DN used to bind against the Directory Server for the user and group queries. It should have read or search permissions on the subtree designated by usersCtxDN.

  • password, the password for the bind DN.

  • usersCtxDN, the fixed DN of the context to start the user search from.

  • usersFilter, the search query sent by Squore to the LDAP server when fetching users. For more information about LDAP filter syntax, see https://ldap.com/ldap-filters. Note that the & character must be written as the XML entity &amp; in the settings file.

  • userLoginAttribute, the attribute holding the user login. Its value should be unique across users.

Additional properties can be defined in order to map user information:

  • userDisplayNameAttribute, the attribute used as the Squore user display name.

  • userMailAttribute, the attribute used as the Squore user mail address.

  • userDepartmentAttribute, the attribute used as the Squore user department.

  • loginFilter, a filter allowing users to log in with alternative attributes; the placeholder {0} stands for the login entered by the user.

Here is an example of a complete authentication configuration using LDAP, allowing users to log in with either the login or the mail attribute as defined in the company directory service:

<subsystem xmlns="urn:com:vector:squore:1.0" >
	<security>
		<authentication name="default">
			<auth-module name="ldap" provider="ldapAuth" flag="sufficient"/>
		</authentication>
		<providers>
			<provider name="ldapAuth" type="ldap">
				<property name="url" value="ldaps://hostname:port/"/>
				<property name="principal" value="cn=admin,dc=domain,dc=com"/>
				<property name="password" value="password"/>
				<property name="usersCtxDN" value="ou=people,dc=example,dc=com"/>
				<property name="usersFilter" value="(objectClass=person)"/>
				<property name="userLoginAttribute" value="login"/>
				<property name="userDisplayNameAttribute" value="displayName"/>
				<property name="userMailAttribute" value="mail"/>
				<property name="userDepartmentAttribute" value="department"/>
				<property name="loginFilter" value="(|(login={0})(mail={0}))"/>
			</provider>
		</providers>
	</security>
</subsystem>

Note that for Active Directory, the OU, DC and other DN keywords are written in uppercase.

Most directory servers are not configured to be case-sensitive, so user authentication and synchronization will not be either. If your server is configured to be case-sensitive, user authentication and synchronization will be too.

It is highly recommended to use LDAPS rather than plain LDAP, i.e. a url of the form ldaps://<hostname>:<port>/. In that case:

  • The Java instance (JVM) used by WildFly must be able to verify the certificate presented by the LDAP server.

  • If the LDAP certificate has not been signed by an "official" CA (self-signed certificate, or a root CA issued by the company itself), please refer to the Import a certificate section.
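The following Python script is an added example and is not part of the Squore documentation or product. It parses a settings fragment of the same shape as the configuration above, reports any missing mandatory property and a url that is not ldaps://, and shows that the &amp; entity in usersFilter decodes to a plain & once the XML is read. The way it combines usersFilter with loginFilter, and the RFC 4515 escaping it applies to the login before substituting it for {0}, are assumptions about how a user lookup is built, not Squore's documented behaviour; all hostnames, DNs and attribute names in the sample are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample settings fragment; hostnames, DNs and attribute names are placeholders.
SAMPLE_SETTINGS = """\
<subsystem xmlns="urn:com:vector:squore:1.0">
  <security>
    <providers>
      <provider name="ldapAuth" type="ldap">
        <property name="url" value="ldaps://ldap.example.com:636/"/>
        <property name="principal" value="cn=reader,dc=example,dc=com"/>
        <property name="password" value="PLACEHOLDER"/>
        <property name="usersCtxDN" value="ou=people,dc=example,dc=com"/>
        <property name="usersFilter" value="(&amp;(objectClass=person)(!(disabled=TRUE)))"/>
        <property name="userLoginAttribute" value="uid"/>
        <property name="loginFilter" value="(|(uid={0})(mail={0}))"/>
      </provider>
    </providers>
  </security>
</subsystem>
"""

NS = {"s": "urn:com:vector:squore:1.0"}
MANDATORY = ("url", "principal", "password", "usersCtxDN", "usersFilter", "userLoginAttribute")


def load_ldap_providers(xml_text):
    """Return {provider name: {property name: value}} for every provider of type ldap."""
    root = ET.fromstring(xml_text)
    providers = {}
    for prov in root.iterfind(".//s:providers/s:provider", NS):
        if prov.get("type") != "ldap":
            continue
        # The XML parser decodes &amp; to & here, which is why the entity is required in the file.
        props = {p.get("name"): p.get("value") for p in prov.iterfind("s:property", NS)}
        providers[prov.get("name")] = props
    return providers


def check_provider(props):
    """Return a list of problems: missing mandatory properties and a url that is not LDAPS."""
    problems = [f"missing mandatory property: {name}" for name in MANDATORY if name not in props]
    url = props.get("url", "")
    if not url.startswith("ldaps://"):
        problems.append(f"url is not ldaps:// : {url}")
    return problems


# RFC 4515 section 3: characters that must be escaped inside a filter assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value):
    """Escape a value so it is treated as literal text inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_search_filter(props, login):
    """Assumed lookup filter: usersFilter AND loginFilter, with the escaped login in place of {0}.

    If no loginFilter is set, fall back to an equality match on userLoginAttribute.
    """
    login_filter = props.get("loginFilter") or f"({props['userLoginAttribute']}={{0}})"
    login_filter = login_filter.replace("{0}", escape_filter_value(login))
    return f"(&{props['usersFilter']}{login_filter})"


if __name__ == "__main__":
    providers = load_ldap_providers(SAMPLE_SETTINGS)
    for name, props in providers.items():
        print(name, check_provider(props) or "ok")
        print(build_user_search_filter(props, "alice"))
```

Running the script against the embedded sample reports the provider as ok and prints the combined filter with alice substituted for {0}; pointing check_provider at a fragment whose url starts with ldap:// lists that as a problem alongside any property that is missing.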