LDAP Authentication Tag
This variant of the authentication tag is used to provide access to documents based on an LDAP database. It has the form:
<auth access = "allow"
type = "LDAP"
server = "LDAPServerURL"
realm = "PswdRequestDescr"
{bindName = "LDAPConnectName"}
{bindPassword = "LDAPConnectPswd"}
{queryName = "LDAPRecordNameToFind"}
{matchField = "LDAPFieldToFind"}
{matchValue = "LDAPValueToMatch"}/>
where

server="LDAPServerURL"
    identifies the location of the LDAP server to use.

realm="PswdRequestDescr"
    is a string to display in the browser dialog box that asks for the user's name and password.

bindName="LDAPConnectName"
    is an optional attribute specifying the name to use when connecting to the LDAP server. If this attribute is omitted, an anonymous LDAP connection will be attempted. If the LDAP database permits anonymous connections, the bindPassword attribute should also be omitted, and the queryName attribute must be present for user authentication to proceed; for anonymous LDAP access the matchField and matchValue attributes are optional. If the name passed in this attribute is the LDAP administrator name, the bindPassword attribute must be set to the LDAP administrator password, and the queryName attribute must also be present for user authentication to proceed; for administrative LDAP access the matchField and matchValue attributes are optional. Note that the user name will be substituted for any occurrence of the % symbol in this attribute, which allows the connection to the LDAP database to be established with the user's own name instead of an LDAP administrator name. If successfully connecting to the LDAP database with the user's name and password is all that is required for authentication, no other attributes need to be specified in the authentication tag; otherwise the queryName attribute and, optionally, the matchField and matchValue attributes may be specified to complete the authentication request.

bindPassword="LDAPConnectPswd"
    is an optional attribute specifying the password to use when connecting to the LDAP server. If an anonymous LDAP connection is being performed (i.e., the bindName attribute has not been specified), this attribute should also not appear in the authentication tag. If the bindName attribute specifies the LDAP administrator name, this attribute must be set to the LDAP administrator password. The user's password will be substituted for any occurrence of the % symbol in this attribute, which allows the connection to the LDAP database to be established with the user's own password instead of an LDAP administrator password.

queryName="LDAPRecordNameToFind"
    is an attribute identifying the name of an LDAP record to find. If an anonymous or administrator connection to the LDAP server is being attempted, this attribute is required; for user connections it is optional. As with the bindName attribute, the user name will be substituted for any occurrence of the % symbol in this attribute, which allows the record to be looked up by the user's own name instead of an LDAP administrator name. If the queryName attribute is specified without the matchField or matchValue attributes, user authentication will succeed if the given record name simply exists in the LDAP database; if the given record is not in the LDAP database, authentication will fail.

matchField="LDAPFieldToFind"
    is an attribute identifying the name of a field to find in the LDAP record named by the queryName attribute. The matchField attribute should not be used if the queryName attribute has not been specified. As with the queryName attribute, the user name will be substituted for any occurrence of the % symbol in this attribute. If the matchField attribute is specified without the matchValue attribute, user authentication will succeed if the given field name simply exists in the LDAP record; if the given field name does not exist in the LDAP database, authentication will fail.

matchValue="LDAPValueToMatch"
    is an attribute that specifies the value that must exist in the LDAP field named by the matchField attribute for authentication to succeed. If the specified value does not match the LDAP field, user authentication will fail. As with the previous attributes, the user's password will be substituted for any occurrence of the % symbol in this attribute, which allows the comparison to use the user's own password instead of an LDAP administrator password.
Note: One or more auth tags must exist in the Document Request Parser stylesheet. These tags are processed in the order they are encountered until one of them authorizes or denies access. If none of the authentication tags explicitly authorizes or denies access, the dynaXML servlet denies access by default.