From 8b376ccdeb0f3e2f55dec851d6d34a3eadc755eb Mon Sep 17 00:00:00 2001 From: Luke Taylor Date: Fri, 8 Aug 2008 14:59:44 +0000 Subject: [PATCH] SEC-910: Finished LDAP ns reference --- src/docbkx/appendix-namespace.xml | 61 +++++++++++++++++++++++++++---- 1 file changed, 53 insertions(+), 8 deletions(-) diff --git a/src/docbkx/appendix-namespace.xml b/src/docbkx/appendix-namespace.xml index 17840c772b..bfc7a51afa 100644 --- a/src/docbkx/appendix-namespace.xml +++ b/src/docbkx/appendix-namespace.xml @@ -577,19 +577,64 @@
- The <literal><ldap-provider> Element</literal> + The <literal><ldap-provider></literal> Element This element is shorthand for the creation of an LdapAuthenticationProvider instance. - + By default this will be configured with a BindAuthenticator instance and a + DefaultAuthoritiesPopulator. + +
+ The <literal>user-dn-pattern</literal> Attribute + + If your users are at a fixed location in the directory (i.e. you can work out the DN + directly from the username without doing a directory search), you can use this attribute + to map directly to the DN. It maps directly to the userDnPatterns + property of AbstractLdapAuthenticator. + +
+ +
+ The <literal>user-search-base</literal> and <literal>user-search-filter</literal> Attributes + + If you need to perform a search to locate the user in the directory, then you + can set these attributes to control the search. The BindAuthenticator will be configured + with a FilterBasedLdapUserSearch and the attribute values map directly to the first two + arguments of that bean's constructor. If these attributes aren't set and no user-dn-pattern + has been supplied as an alternative, then the default search values of user-search-filter="(uid={0})" + and user-search-base="" will be used. + +
+
+ <literal>group-search-filter</literal>, <literal>group-search-base</literal>, <literal>group-role-attribute</literal> and <literal>role-prefix</literal> Attributes + + The value of group-search-base is mapped to the groupSearchBase constructor argument + of DefaultAuthoritiesPopulator and defaults to "ou=groups". The default filter value is + "(uniqueMember={0})", which assumes that the entry is of type "groupOfUniqueNames". group-role-attribute + maps to the groupRoleAttribute attribute and defaults to "cn". Similarly role-prefix + maps to rolePrefix and defaults to "ROLE_". + +
+
+ The <literal><password-compare></literal> Element + + This is used as child element to <ldap-provider> and switches + the authentication strategy from BindAuthenticator to + PasswordComparisonAuthenticator. This can optionally be supplied with a + hash attribute or with a child <password-encoder> + element to hash the password before submitting it to the directory for comparison. + +
+
+
+ The <literal><ldap-user-service></literal> Element + + This element configures an LDAP UserDetailsService. The class used + is LdapUserDetailsService which is a combination of a FilterBasedLdapUserSearch + and a DefaultAuthoritiesPopulator. The attributes it supports have the same usage as in + <ldap-provider>.
- - - - - -
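Review bot: The `{0}` placeholder is used in the `user-search-filter` default "(uid={0})" and in the group filter default "(uniqueMember={0})" without either section saying what gets substituted, and the `user-dn-pattern` section never mentions it or shows a sample pattern. A uid and a uniqueMember value are not the same kind of string (the latter is a DN), so a reader cannot infer one meaning from the other. Please state the substitution in each of the three sections. In the group section, also name `group-search-filter` explicitly next to its default, as is done for the other three attributes in that title. Two behaviours are left open and are worth a sentence each: which setting wins when both `user-dn-pattern` and the `user-search-*` attributes are supplied (only the neither-set case is described), and what `<password-compare>` sends to the directory when neither `hash` nor a `<password-encoder>` child is given, since both are described as optional.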