LDAP Server and Active Directory
If you use the default installation of webPDF, the users found in the conf/users.xml XML database are used for authentication. It is also possible to use the users from an LDAP or Active Directory (AD) service.
You can set an LDAP or AD service via the server's Admin Portal under Server > User source.
The following explanations (under "Manual configuration") can also help when entering the necessary data on the portal, as they explain the general functioning of LDAP or AD usage.
Manual configuration
The user database can be modified by changing the settings in conf/server.xml.
If possible, use the Admin Portal of the server to change the user database instead of editing the file by hand.
To take the users from an LDAP server or Active Directory, you must add the entry <ldap> to the <user>. Below is an example of a complete configuration of LDAP settings.
Please note that some of the configuration settings have to be specified as "Distinguished Names". This is especially the case when LDAP or AD objects have to be referenced.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<server xmlns="http://schema.webpdf.de/1.0/configuration/server">
    ...
    <user roleAdminGroup="webPDFAdmin" roleUserGroup="webPDFUser">
        <ldap connectionName="cn=ldapuser,cn=Users,dc=example,dc=local"
              connectionPassword="my_password"
              connectionURL="ldap://server.example.com:389/"
              roleBase="CN=Users,DC=example,DC=local"
              roleField="cn"
              roleSearch="(member={0})"
              userBase="CN=Users,DC=example,DC=local"
              userSearch="(sAMAccountName={0})"/>
    </user>
    ...
</server>
After making this modification, you must configure the access to the LDAP server or the Active Directory. For this purpose, adjust the values in the example above to match your configuration. In the example, example.com is used as the domain. Change the values accordingly to those of your own domain.
Basically, you need to adjust the server name and domain in the connectionURL entry. In this example they are shown as server and example.com.
Note that ldap:// must be replaced with ldaps:// if you want to use a TLS connection to the LDAP server. As a rule, the port must also be changed from 389 to 636.
Under the entries connectionName and connectionPassword please enter a user and the associated password to be used for accessing the LDAP or AD server.
If no user is required for LDAP access, then these settings can be left empty.
userBase and userSearch define the basis on which the directory search is to take place and how the login name for the user is to be found. userBase provides the list of users (objects) in which userSearch is used to search for the login name of the user. The wildcard {0} is replaced by the login name of the user during evaluation of the query. In the previously listed example, CN=Users,DC=example,DC=local and (sAMAccountName={0}) are typical values for a search in an Active Directory used as LDAP. You may need to modify these values to match the structure of your directory service.
Example: (sAMAccountName='jdo') (with jdo as login name for user "John Doe")
Once the user is found, the "Distinguished Name" (DN) is taken from the user object (attribute distinguishedName) and used to find the matching group.
Example: distinguishedName: CN=John Doe,CN=Users,DC=example,DC=local
The roleBase and roleSearch settings are used to search for the group. While roleBase is the base for the search, roleSearch is used to find all groups that have the previously determined DN as an attribute. The placeholder {0} in roleSearch is replaced with the DN.
Example: (member='CN=John Doe,CN=Users,DC=example,DC=local')
In all found groups the attribute defined via roleField is read (in this example cn). If the value that was read, i.e. the name of the group, matches the group name configured for user or admin, then the corresponding permission role (webPDF group) is assigned:
user - Access authorization as a normal user
admin - Access authorization as administrator (access to the Admin Portal)
For more information about the groups, see User groups.
With the entries roleAdminGroup and roleUserGroup you define your own group names (LDAP and AD groups respectively) to be assigned to the webPDF groups user and admin. Change the group names to the names of your LDAP or AD groups:
Example: Use LDAP group webPDFAdmin (roleAdminGroup) for webPDF group admin and webPDFUser (roleUserGroup) for user.
<user roleAdminGroup="webPDFAdmin" roleUserGroup="webPDFUser">
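The following script is an added illustration of the lookup chain described above (userSearch with the login name, DN of the found user, roleSearch with that DN, roleField read from each group, mapping to the webPDF groups via roleAdminGroup and roleUserGroup). It is not webPDF code: the directory is a constructed in-memory list of entries mirroring the example.com configuration, the filter evaluator only understands the (attribute={0}) shape used by the two search settings, and the RFC 4515 escaping of the substituted value is the example's own defensive choice, since this page does not document how webPDF performs the substitution.

```python
"""Simulated webPDF-style LDAP role resolution (added example, not webPDF code)."""
import re

# Constructed sample directory: two users and two groups under the
# CN=Users,DC=example,DC=local container of the example above.
DIRECTORY = [
    {"dn": "CN=John Doe,CN=Users,DC=example,DC=local",
     "objectClass": "user", "sAMAccountName": "jdo"},
    {"dn": "CN=Jane Roe,CN=Users,DC=example,DC=local",
     "objectClass": "user", "sAMAccountName": "jroe"},
    {"dn": "CN=webPDFAdmin,CN=Users,DC=example,DC=local",
     "objectClass": "group", "cn": "webPDFAdmin",
     "member": ["CN=John Doe,CN=Users,DC=example,DC=local"]},
    {"dn": "CN=webPDFUser,CN=Users,DC=example,DC=local",
     "objectClass": "group", "cn": "webPDFUser",
     "member": ["CN=John Doe,CN=Users,DC=example,DC=local",
                "CN=Jane Roe,CN=Users,DC=example,DC=local"]},
]

# Values taken from the <user> / <ldap> elements shown above.
CONFIG = {
    "userBase": "CN=Users,DC=example,DC=local",
    "userSearch": "(sAMAccountName={0})",
    "roleBase": "CN=Users,DC=example,DC=local",
    "roleSearch": "(member={0})",
    "roleField": "cn",
    "roleAdminGroup": "webPDFAdmin",
    "roleUserGroup": "webPDFUser",
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of a value that is substituted into a search filter.
    Assumption: this is the example's own precaution, not documented behaviour."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def build_filter(template: str, value: str) -> str:
    """Replace the {0} wildcard of userSearch / roleSearch with the given value."""
    return template.replace("{0}", escape_filter_value(value))


def search(base: str, ldap_filter: str) -> list:
    """Minimal evaluator for filters of the form (attribute=value) within a base DN."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, raw = m.groups()
    # Undo the RFC 4515 escaping before comparing against stored values.
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), raw)
    hits = []
    for entry in DIRECTORY:
        if not entry["dn"].endswith(base):      # subtree scope, string-compared for simplicity
            continue
        stored = entry.get(attr)
        if stored is None:
            continue
        matched = value in stored if isinstance(stored, list) else stored == value
        if matched:
            hits.append(entry)
    return hits


def resolve_roles(login: str, config: dict = CONFIG) -> set:
    """Return the set of webPDF groups ('admin', 'user') granted to a login name."""
    users = search(config["userBase"], build_filter(config["userSearch"], login))
    if len(users) != 1:                          # unknown or ambiguous login name
        return set()
    dn = users[0]["dn"]                          # distinguishedName of the user object
    groups = search(config["roleBase"], build_filter(config["roleSearch"], dn))
    names = {g.get(config["roleField"]) for g in groups}
    roles = set()
    if config["roleAdminGroup"] in names:
        roles.add("admin")
    if config["roleUserGroup"] in names:
        roles.add("user")
    return roles


if __name__ == "__main__":
    for login in ("jdo", "jroe", "nobody"):
        print(login, "->", sorted(resolve_roles(login)))
```

Running the script shows jdo receiving both webPDF groups because John Doe is a member of webPDFAdmin and webPDFUser, jroe receiving only user, and an unknown login receiving nothing; a login name containing filter metacharacters is escaped before substitution and therefore never matches a user entry.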
After all modifications have been made, the webPDF server must be restarted so that all the settings take effect and the users are read.