This documentation refers to the coming unreleased 5.6 version of the Nuxeo Platform. For the last stable version, you can read the 5.5 documentation.

Principles

In Nuxeo, users and groups are managed by directories. If you want your Nuxeo instance to use an LDAP directory, you will need to:

  • configure a user directory pointing to your LDAP server(s),
  • configure a group directory pointing to your LDAP server(s) (if you need LDAP groups).

Of course you can have a specific custom config where:

  • you use a custom user / group schema,
  • you use several LDAP directories, or a mix of SQL and LDAP directories.

But for the most common use case, all you want to do is map the default userDirectory to your LDAP server. Since groups are used in Nuxeo to associate permissions with content, fetching groups from LDAP is usually not very efficient: LDAP groups are usually not designed for that purpose.

Simple configuration example

Create a file called default-ldap-users-directory-config.xml in your config directory:

  • server/default/deploy/nuxeo.ear/config/ in JBoss,
  • nxserver/config/ in Tomcat.

Then copy this content (make sure it is valid XML: sometimes what you think is a space character is actually a non-breaking space (U+00A0), which is invalid in XML):

Then you should edit this file:

  • to set the correct server:
    • <ldapUrl>
    • <bindDn> and <bindPassword>
  • to set the correct LDAP config:
    • <searchBaseDn>
    • <searchClass>
    • <fieldMapping>

If you want Nuxeo to be able to create users in the LDAP directory, you will need to:

  • make sure the user you use to access LDAP has write access,
  • define the <creationBaseDn> and associated parameters.

The third contribution defines the default user manager settings:

  • since the Administrator user will no longer exist, you should assign at least one LDAP user as administrator using <defaultAdministratorId>,
  • you can also choose to make all users members of the default "members" group using <defaultGroup>.
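The following is an added illustration of the three contributions described above (server, directory, user manager), written for this page rather than taken from the original configuration file. The host, DNs, password and administrator id are placeholders; the extension targets are the standard Nuxeo LDAP directory factory and user service.

```xml
<?xml version="1.0"?>
<component name="org.nuxeo.ecm.directory.ldap.storage.users">
  <require>org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory</require>

  <!-- 1. server: where to connect and which account binds (placeholder values) -->
  <extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory" point="servers">
    <server name="default">
      <!-- ldaps:// keeps the bind password and user passwords off the wire in clear text;
           for Active Directory the global catalog port 3268 (see below) is the usual choice -->
      <ldapUrl>ldaps://ldap.example.com:636</ldapUrl>
      <!-- a dedicated, low-privilege service account: read-only unless Nuxeo must create users -->
      <bindDn>cn=nuxeo-reader,ou=services,dc=example,dc=com</bindDn>
      <bindPassword>CHANGE_ME</bindPassword>
    </server>
  </extension>

  <!-- 2. directory: where users live and how LDAP attributes map onto the Nuxeo "user" schema -->
  <extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory" point="directories">
    <directory name="userDirectory">
      <server>default</server>
      <schema>user</schema>
      <idField>username</idField>
      <passwordField>password</passwordField>
      <searchBaseDn>ou=people,dc=example,dc=com</searchBaseDn>
      <searchClass>inetOrgPerson</searchClass>
      <searchScope>subtree</searchScope>
      <!-- read-only: no creationBaseDn, so Nuxeo never writes to the directory -->
      <readOnly>true</readOnly>
      <!-- with Active Directory, map username to sAMAccountName instead of uid -->
      <fieldMapping name="username">uid</fieldMapping>
      <fieldMapping name="password">userPassword</fieldMapping>
      <fieldMapping name="firstName">givenName</fieldMapping>
      <fieldMapping name="lastName">sn</fieldMapping>
      <fieldMapping name="email">mail</fieldMapping>
    </directory>
  </extension>

  <!-- 3. user manager: who is administrator now that the built-in Administrator account is gone -->
  <extension target="org.nuxeo.ecm.platform.usermanager.UserService" point="userManager">
    <userManager>
      <defaultAdministratorId>jdoe</defaultAdministratorId>
      <defaultGroup>members</defaultGroup>
    </userManager>
  </extension>
</component>
```

Because the file holds a bind password in clear text, restrict its filesystem permissions to the account running the Nuxeo server.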

Once done, restart the Nuxeo server, and you should now be able to authenticate against LDAP.

If you want to roll back the changes, simply delete the default-ldap-users-directory-config.xml file and restart the server.

For a more detailed view of the possible configuration options, see:

The ldaptools/ folder in the source code of the nuxeo-platform-directory-ldap module also provides sample LDIF files and an OpenLDAP configuration file to help you set up a sample OpenLDAP server, which you can use as a base setup to build your corporate directory.

Using Active Directory

If you use Active Directory and want to use it with Nuxeo, you will need to:

  • be sure that LDAP mode is enabled on the Active Directory server,
  • get the schema information (the Active Directory schema varies depending on many external factors).

Once you have this information, you can connect Nuxeo to Active Directory as if it were a regular LDAP server.

Active Directory users are advised to use the aggregated global catalog port (3268 by default) instead of the default LDAP port (389), in order to avoid referral requests to sub-directories being blocked by corporate firewalls.

With AD you will usually have to map the "username" field to "sAMAccountName".

Known issues

LDAP contribution not activated

Since Nuxeo 5.4.2, https://jira.nuxeo.com/browse/NXP-6574 prevents the LDAP contribution from being activated.

A quick solution is to comment out the "<directory name="userDirectory">...</directory>" part in templates/common/config/default-sql-directories-bundle.xml (or override that file with a custom template).

A cleaner workaround is to define directories whose names differ from the default ones (userDirectory for users, groupDirectory for groups). You then need to configure the user manager with the names of the directories to be used for authentication, searching, and so on.
Therefore you should apply the changes described below to your existing LDAP contributions:

See attached files for templates of LDAP configuration.

This method applies to multi-directories too.

Debug information

If you encounter difficulties configuring LDAP, the first step is to get more details about what is happening.

In the Log4J configuration, increase the log level for org.nuxeo.ecm.directory and org.nuxeo.runtime.model.impl:

This will give you more information, such as:

  • Is your XML contribution properly loaded? Search for the component name of your contribution in the log file (for instance "org.nuxeo.ecm.directory.ldap.storage.users").
  • Did the LDAP directory initialize? If so, your "servers" extension point is working.
  • What LDAP request is sent when you try to log in to Nuxeo? You should run the same request outside Nuxeo, using your preferred LDAP tool.