LDAP¶
Vidispine can authenticate users against an LDAP server and automatically synchronize users and groups from a directory at regular intervals if required.
User authentication¶
For users to be authenticated by an LDAP server, the server must first be configured in Vidispine.
- An LDAP resource must be created, containing the connection details. There can currently only be one configured LDAP resource.
- LDAP authentication must be enabled using the ldapAuthenticationconfiguration property.
Users that are successfully authenticated will be added to Vidispine and will
have the _user role by default.
Example: Enabling LDAP authentication¶
First, create the LDAP resource:
POST /resource
Content-Type: application/xml
<ResourceDocument xmlns="http://xml.vidispine.com/schema/vidispine">
  <ldap>
    <url>ldap://someserver:389</url>
    <useStartTLS>false</useStartTLS>
    <userDN>cn=Users,dc=example,dc=com</userDN>
    <usernameAttribute>sAMAccountName</usernameAttribute>
    <userSearchFilter>(objectClass=user)</userSearchFilter>
    <bindDN>cn=Administrator,cn=Users,dc=example,dc=com</bindDN>
    <bindPassword>password</bindPassword>
  </ldap>
</ResourceDocument>
Then enable LDAP authentication:
PUT /configuration/properties
Content-Type: application/xml
<ConfigurationPropertyDocument xmlns="http://xml.vidispine.com/schema/vidispine">
  <key>ldapAuthentication</key>
  <value>true</value>
</ConfigurationPropertyDocument>
Configuration¶
The elements in the LDAP resource are:
- url
- The LDAP server(s) to connect to. Specify multiple servers to enable failover. Can be either - ldap://or- ldaps://(for SSL).- New in version 5.1. - To utilize the VSA port forwarding service feature for LDAP servers; the URL needs to be added as such: - vxa://<vxaUUID>:<id>
Note
The scheme for the URL must be vxa and the port should refer to the ID of the port forwaring service.
For example:
<url>vxa://e5817fdb-9deb-4f25-a689-72349a78407a:1</url>
- useStartTLS
- Enables/disables StartTLS. Will be ignored when connecting using SSL.
- userDN
- The user search base.
- userSearchFilter
- The user search filter. The default is - (objectClass=*). The search filter and username attribute together define the filter that is used in the user query:- (@(`userSearchFilter`)(`usernameAttribute`=username)) - If a single entry is found then a second bind is made to authenticate the user. 
- usernameAttribute
- The attribute that contains a users username/login name. Must uniquely
identify a user. The default is sAMAccountName.
- realNameAttribute
- The attribute that contains a users real name. The default is cn.
- cacheLifetime
- Passwords are cached to reduce the number of requests made to the server.
This element specifies how long password should be cached (in milliseconds).
The default is 1800000(30 minutes).
- usernameFormat
- Can be set to lowerto force Vidispine to lower case all usernames read from the LDAP server.
The bind properties can be set so that Vidispine authenticates using a bind request before searching for users or groups:
- bindDN
- The DN of the entry to bind to before searching for a user.
- bindPassword
- The password to provide in the bind request.
User and group synchronization¶
Vidispine can automatically synchronize users and groups, as well as user and
group dependencies. Synchronization will be enabled if the sync element
has been set.
Users from the directory that do not exist in Vidispine can be automatically created. If this should be enabled or not is typically a matter of:
- Licensing. If you are restricted to a certain number of users, then you may not want to create them in Vidispine if they are not using the system.
- Application needs. Access to an item can only be granted to a user that exists in Vidispine for example.
Caution
Password validation using PUT /user/(username)/validate will
not work for imported users unless type=raw. This because a users
password won’t be available until the user has authenticated successfully
at least once before. Validation should instead be performed using
normal HTTP authentication.
Configuration¶
The sync element in the LDAP resource controls the synchronization:
- sync
- If set then users and groups will periodically be updated from the LDAP server.
- sync/interval
- The interval in milliseconds between synchronization attempts. The default
is 1800000(30 minutes).
- sync/importOrganizationalUnits
- Indicates whether or not organizational units should be created as groups in Vidispine. Only units having users or groups will be added (as well as the parent units to these.)
- sync/createUsers
- If new users should automatically be created. If false, then existing users will be updated by new/unknown users will be ignored.
- sync/createGroups
- If new groups should automatically be created. If false, then existing groups will be updated by new/unknown groups will be ignored.
Old installations may still use the import element.
- import
- Deprecated since version 4.0: The - importelement was previously used to enable synchronization. Use- syncwith- createUsers=trueand- createGroups=trueinstead.
How groups are synchronized can be configured using the elements below.
- groupDN
- The group search base. The default is the same as userDN.
- groupSearchFilter
- The group search filter. The default is (objectClass=group).
- groupnameAttribute
- The attribute that contains a groups name. The default is name.
Subgroups are supported, that is, if the LDAP group query returns two groups, A and B, and B is listed as a member of A, then B will be added as a subgroup of A in Vidispine.
TLS configuration¶
New in version 5.3.2.
Two new optional elements have been added to control TLS (SSL) connection
to control ldaps connection.
- secureProtocol
- Controls which protocol to use. By default the standard Java setting is used
(normally TLSv1.0). Recommended value is TLSv1.2.
- serverCertificate
- Used to validate the server. Should be in PEM format, lines delimited by new-line character. Multiple certificates can be added. - Example: - -----BEGIN CERTIFICATE----- MIIDd... bmtub... -----END CERTIFICATE----- 
Note
If no certificates are given, all certificates are trusted.
Examples¶
Importing all users from the Users organizational unit from an Active Directory server:
<ResourceDocument xmlns="http://xml.vidispine.com/schema/vidispine">
  <ldap>
    <url>ldap://example.com:389</url>
    <userDN>cn=Users,dc=example,dc=com</userDN>
    <usernameAttribute>sAMAccountName</usernameAttribute>
    <userSearchFilter>(objectClass=user)</userSearchFilter>
    <bindDN>cn=Administrator,cn=Users,dc=example,dc=com</bindDN>
    <bindPassword>{password}</bindPassword>
  </ldap>
</ResourceDocument>
Importing only members of a certain group:
<ResourceDocument xmlns="http://xml.vidispine.com/schema/vidispine">
  <ldap>
    ...
    <userSearchFilter>(&(objectClass=user)(memberOf=cn=mam,cn=Groups,dc=example,dc=com))</userSearchFilter>
    <groupSearchFilter>(&(objectClass=group)(memberOf=cn=mam,cn=Groups,dc=example,dc=com))</groupSearchFilter>
    ...
  </ldap>
</ResourceDocument>
Importing no groups, but creating groups to mirror the organizational unit tree structure.
<ResourceDocument xmlns="http://xml.vidispine.com/schema/vidispine">
  <ldap>
    ...
    <groupSearchFilter>(&(objectClass=group)(|))</groupSearchFilter>
    <import>
      <importOrganizationalUnits>true</true>
    </import>
  </ldap>
</ResourceDocument>
The user Joe (cn=Joe,ou=Users,dn=example,dc=com) would then be added to the
Users group.
Trigger LDAP synchronization¶
This resource can be used to force a synchronization of users and groups, for example to verify that it is working properly.
- 
POST/resource/(type)/(resource-id)/sync¶
- Triggers a synchronization of users and groups. - If users and groups are already synchronizing, than this will have no effect. - Parameters: - type – Must be ldap.
 
For example:
HTTP POST /resource/ldap/VX-1/sync
200 OK
Troubleshooting¶
If you are having problems with the LDAP integration then the best place to start is to check the LDAP self test. The test will connect to the LDAP server and list the users and groups that are found using the current configuration.
GET /selftest/ldap
Content-Type: application/xml
<SelfTestDocument xmlns="http://xml.vidispine.com/schema/vidispine" name="ldap" status="ok" took="1ms">
  <message>No LDAP resource has been defined</message>
</SelfTestDocument>
You can also use tools such as ldapsearch or ldp.exe to verify the
configuration:
$ ldapsearch -h ad.example.com -D "CN=VS,OU=Users,DC=example,DC=com" -W -b "OU=Users,DC=example,DC=com"
If the configuration is correct, but users are still not being authenticated properly, then set the following log levels, try to authenticate once more and then check the application server log file to see what is going on.
com.vidispine.security=FINEST
com.vidispine.authentication=FINEST
For example, this error would indicate that the userDN element is missing:
Caused by: com.sun.enterprise.security.auth.realm.BadRealmException: A search base DN must be provided.
        at com.vidispine.security.auth.realm.MultiRealm.init(MultiRealm.java:89)
        at com.sun.enterprise.security.auth.realm.Realm.doInstantiate(Realm.java:233)
Users are not assigned to the correct groups¶
Users will only be added to LDAP groups that have a corresponding group in Vidispine. If LDAP import is enabled then groups will also be created. Verify that the name attribute of the group corresponds to the name of the group in Vidispine.
Note that if a group is removed from the directory then the users will still be a part of the group. This is because we currently do not track which groups are to be synchronized with the groups from the directory, except by name.
Users can only log in by entering their upper case username¶
What you can do is set usernameFormat to lower in the LDAP resource.
Vidispine will then lower case all usernames read from the LDAP directory.
Your users can then login by entering their username in lower case, or in
any letter case if your application is lower casing usernames.
Disabled the user can still login¶
A user will be marked as disabled if:
- The user has been removed from the directory.
- If the user has been disabled (Active Directory only.)
If users should be disabled based on some other criteria then update the user search filter so that it excludes users accordingly. For example:
(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
It’s still not working¶
Contact us directly and we will try to figure out what’s going on.