Using LDAP
In ViewsFlash, LDAP can be used in several areas.
1. User Authentication and Authorization. If the Application Server hosting the ViewsFlash application supports LDAP, then its Users and Roles are available to use with User Security. For example, users in the role of ViewsFlashSurveyCreator or LawFaculty could be granted the Access Right to create surveys. Selecting Basic or Role authentication in a questionnaire's Security page uses getRemoteUser() and isUserInRole(). When using these options, ViewsFlash does NOT communicate directly with the LDAP server.
If you need for ViewsFlash to communicate directly with the LDAP server, please contact Cogix. The production release does not include these components.
2. An Invite List can use an LDAP Group to define the set of users who should be invited to respond to a questionnaire, to prevent users outside that group from participating, to track who has completed it, and to remind those who have not. See Using LDAP Invite Lists.
3. Using an LDAP directory instead of the Application Server to identify users and Roles. When an application server only authenticates users (for example with a method such as webauth) and the definition of which user is in which role lives in an independent LDAP server, ViewsFlash can communicate with that LDAP server directly to determine whether a user is in a particular role. This is also useful when User Security should use LDAP Groups directly, without having to map users to groups in the application server. To activate this, use the lookuprole=LDAPLookupRole servlet parameter. This causes roles to be looked up directly in the LDAP server instead of in the Application server. See Role Lookup Extensibility in Extensible Authentication.
This option uses an optional jndiroleproperties servlet parameter to point to an LDAP properties file, described below. If this servlet parameter is not used, then /etc/cogix/ldap.properties must contain the appropriate parameters.
4. An Invite List can use an LDAP server to select who should be invited to take a survey, in addition to using a database table or a comma-delimited file.
This option uses an optional jndilistproperties servlet parameter to point to an LDAP properties file, described below. If this servlet parameter is not used, then /etc/cogix/ldap.properties must contain the appropriate parameters.
LDAP properties files
These files contain a series of parameters describing an LDAP server. Different LDAP properties files can be used for different purposes. When no purpose-specific file is given, /etc/cogix/ldap.properties is used by default.
Linux LDAP server parameters
# define the JNDI context factory:
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
# define a Linux LDAP server:
java.naming.provider.url=ldap://yourcompany.com:389/dc=yourcompany,dc=com
# these may be required to present credentials -- consult with the LDAP Administrator
#java.naming.security.principal=cn=Manager,dc=yourcompany,dc=com
#java.naming.security.credentials=password
#java.naming.security.protocol=ssl
# Role Lookup related parameters. If not using roles, omit them.
# roleBase: Set to the element that is the base of the search for matching roles.
# If not specified, the entire directory context will be searched.
roleBase=ou=Sets
# roleSearch: Set to a filter expression used to search for role/group elements
# in the roleBase context. The search will find those roles/groups
# that contain a given username. Use {0} as a placeholder for the
# username.
roleSearch=(memberUid={0})
# roleSubtree: Determines whether the role/group search will be restricted to
# objects within the roleBase or will recurse through subtrees.
# The default is false, i.e., restrict the search to one level.
roleSubtree=false
# roleName: Set to the attribute name of the role/group
roleName=cn
Windows 2000 LDAP server parameters
# define the JNDI context factory:
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
# define a Windows 2000 LDAP server:
java.naming.provider.url=ldap://servername.domainname.yourcompany.cogix.com:389/dc=domainname,dc=yourcompany,dc=com
# these may be required to present credentials -- consult with the LDAP Administrator
#java.naming.security.principal=domainname\\UserName
#java.naming.security.credentials=password
#java.naming.security.protocol=ssl
# Role Lookup related parameters. If not using roles, omit them.
# roleBase: Set to the element that is the base of the search for matching roles.
# If not specified, the entire directory context will be searched.
roleBase=ou=Users
# roleSearch: Set to a filter expression used to search for role/group elements
# in the roleBase context. The search will find those roles/groups
# that contain a given username. Use {0} as a placeholder for the
# username.
roleSearch=(member={0})
# roleSubtree: Determines whether the role/group search will be restricted to
# objects within the roleBase or will recurse through subtrees.
# The default is false, i.e., restrict the search to one level.
roleSubtree=false
# roleName: Set to the attribute name of the role/group
roleName=cn
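As an added example (not ViewsFlash's or Cogix's own code), the following Python reads a properties file in the format shown above for both the Linux and Windows variants, substitutes the username into the roleSearch {0} placeholder with RFC 4515 escaping so that a username cannot change the shape of the filter, and maps roleBase, roleSubtree and roleName onto the search a role lookup would issue. The sample properties and directory entries are constructed, and the function names and the ONELEVEL/SUBTREE scope labels are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the Linux ldap.properties shown above
SAMPLE_PROPERTIES = """\
# define the JNDI context factory:
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
java.naming.provider.url=ldap://yourcompany.com:389/dc=yourcompany,dc=com
roleBase=ou=Sets
roleSearch=(memberUid={0})
roleSubtree=false
roleName=cn
"""

# RFC 4515 escapes for the characters that would alter a filter's meaning
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def parse_properties(text: str) -> Dict[str, str]:
    """Read a Java .properties file: '#' or '!' comments, key=value or key:value."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def escape_filter_value(value: str) -> str:
    """Escape a value before it is substituted into a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_role_search(props: Dict[str, str], username: str) -> Tuple[str, str, str]:
    """Return (search base, filter, scope) for the role lookup the properties describe."""
    template = props["roleSearch"]
    if "{0}" not in template:
        raise ValueError("roleSearch must contain the {0} username placeholder")
    ldap_filter = template.replace("{0}", escape_filter_value(username))
    # roleSubtree=false (the default) restricts the search to one level below roleBase
    scope = "SUBTREE" if props.get("roleSubtree", "false").lower() == "true" else "ONELEVEL"
    return props.get("roleBase", ""), ldap_filter, scope


def role_names(entries: List[Dict[str, List[str]]], props: Dict[str, str]) -> List[str]:
    """Collect the roleName attribute (e.g. cn) from the entries a search returned."""
    attr = props.get("roleName", "cn")
    return [name for entry in entries for name in entry.get(attr, [])]
```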