LDAP

Vidispine can authenticate users against an LDAP server and automatically synchronize users and groups from a directory at regular intervals if required.

User authentication

For users to be authenticated by an LDAP server, the server must first be configured in Vidispine.

  1. An LDAP resource must be created, containing the connection details. There can currently only be one configured LDAP resource.
  2. LDAP authentication must be enabled using the ldapAuthentication configuration property.

Users that are successfully authenticated will be added to Vidispine and will have the _user role by default.

Example: Enabling LDAP authentication

First, create the LDAP resource:

POST /resource
Content-Type: application/xml

<ResourceDocument xmlns="http://xml.vidispine.com/schema/vidispine">
  <ldap>
    <url>ldap://someserver:389</url>
    <useStartTLS>false</useStartTLS>
    <userDN>cn=Users,dc=example,dc=com</userDN>
    <usernameAttribute>sAMAccountName</usernameAttribute>
    <userSearchFilter>(objectClass=user)</userSearchFilter>
    <bindDN>cn=Administrator,cn=Users,dc=example,dc=com</bindDN>
    <bindPassword>password</bindPassword>
  </ldap>
</ResourceDocument>

Then enable LDAP authentication:

PUT /configuration/properties
Content-Type: application/xml

<ConfigurationPropertyDocument xmlns="http://xml.vidispine.com/schema/vidispine">
  <key>ldapAuthentication</key>
  <value>true</value>
</ConfigurationPropertyDocument>

Configuration

The elements in the LDAP resource are:

url

The LDAP server(s) to connect to. Specify multiple servers to enable failover. Can be either ldap:// or ldaps:// (for SSL).

New in version 5.1.

To utilize the VSA port forwarding service feature for LDAP servers; the URL needs to be added as such: vxa://<vxaUUID>:<id>

Note

The scheme for the URL must be vxa and the port should refer to the ID of the port forwaring service. For example:

<url>vxa://e5817fdb-9deb-4f25-a689-72349a78407a:1</url>
useStartTLS
Enables/disables StartTLS. Will be ignored when connecting using SSL.
userDN
The user search base.
userSearchFilter

The user search filter. The default is (objectClass=*). The search filter and username attribute together define the filter that is used in the user query:

(@(`userSearchFilter`)(`usernameAttribute`=username))

If a single entry is found then a second bind is made to authenticate the user.

usernameAttribute
The attribute that contains a users username/login name. Must uniquely identify a user. The default is sAMAccountName.
realNameAttribute
The attribute that contains a users real name. The default is cn.
cacheLifetime
Passwords are cached to reduce the number of requests made to the server. This element specifies how long password should be cached (in milliseconds). The default is 1800000 (30 minutes).
usernameFormat
Can be set to lower to force Vidispine to lower case all usernames read from the LDAP server.

The bind properties can be set so that Vidispine authenticates using a bind request before searching for users or groups:

bindDN
The DN of the entry to bind to before searching for a user.
bindPassword
The password to provide in the bind request.

User and group synchronization

Vidispine can automatically synchronize users and groups, as well as user and group dependencies. Synchronization will be enabled if the sync element has been set.

Users from the directory that do not exist in Vidispine can be automatically created. If this should be enabled or not is typically a matter of:

  • Licensing. If you are restricted to a certain number of users, then you may not want to create them in Vidispine if they are not using the system.
  • Application needs. Access to an item can only be granted to a user that exists in Vidispine for example.

Caution

Password validation using PUT /user/(username)/validate will not work for imported users unless type=raw. This because a users password won’t be available until the user has authenticated successfully at least once before. Validation should instead be performed using normal HTTP authentication.

Configuration

The sync element in the LDAP resource controls the synchronization:

sync
If set then users and groups will periodically be updated from the LDAP server.
sync/interval
The interval in milliseconds between synchronization attempts. The default is 1800000 (30 minutes).
sync/importOrganizationalUnits
Indicates whether or not organizational units should be created as groups in Vidispine. Only units having users or groups will be added (as well as the parent units to these.)
sync/createUsers
If new users should automatically be created. If false, then existing users will be updated by new/unknown users will be ignored.
sync/createGroups
If new groups should automatically be created. If false, then existing groups will be updated by new/unknown groups will be ignored.

Old installations may still use the import element.

import

Deprecated since version 4.0: The import element was previously used to enable synchronization. Use sync with createUsers=true and createGroups=true instead.

How groups are synchronized can be configured using the elements below.

groupDN
The group search base. The default is the same as userDN.
groupSearchFilter
The group search filter. The default is (objectClass=group).
groupnameAttribute
The attribute that contains a groups name. The default is name.

Subgroups are supported, that is, if the LDAP group query returns two groups, A and B, and B is listed as a member of A, then B will be added as a subgroup of A in Vidispine.

Examples

Importing all users from the Users organizational unit from an Active Directory server:

<ResourceDocument xmlns="http://xml.vidispine.com/schema/vidispine">
  <ldap>
    <url>ldap://example.com:389</url>
    <userDN>cn=Users,dc=example,dc=com</userDN>
    <usernameAttribute>sAMAccountName</usernameAttribute>
    <userSearchFilter>(objectClass=user)</userSearchFilter>
    <bindDN>cn=Administrator,cn=Users,dc=example,dc=com</bindDN>
    <bindPassword>{password}</bindPassword>
  </ldap>
</ResourceDocument>

Importing only members of a certain group:

<ResourceDocument xmlns="http://xml.vidispine.com/schema/vidispine">
  <ldap>
    ...
    <userSearchFilter>(&amp;(objectClass=user)(memberOf=cn=mam,cn=Groups,dc=example,dc=com))</userSearchFilter>
    <groupSearchFilter>(&amp;(objectClass=group)(memberOf=cn=mam,cn=Groups,dc=example,dc=com))</groupSearchFilter>
    ...
  </ldap>
</ResourceDocument>

Importing no groups, but creating groups to mirror the organizational unit tree structure.

<ResourceDocument xmlns="http://xml.vidispine.com/schema/vidispine">
  <ldap>
    ...
    <groupSearchFilter>(&amp;(objectClass=group)(|))</groupSearchFilter>
    <import>
      <importOrganizationalUnits>true</true>
    </import>
  </ldap>
</ResourceDocument>

The user Joe (cn=Joe,ou=Users,dn=example,dc=com) would then be added to the Users group.

Trigger LDAP synchronization

This resource can be used to force a synchronization of users and groups, for example to verify that it is working properly.

POST /resource/(type)/(resource-id)/sync

Triggers a synchronization of users and groups.

If users and groups are already synchronizing, than this will have no effect.

Parameters:
  • type – Must be ldap.

For example:

HTTP POST /resource/ldap/VX-1/sync

200 OK

Troubleshooting

If you are having problems with the LDAP integration then the best place to start is to check the LDAP self test. The test will connect to the LDAP server and list the users and groups that are found using the current configuration.

GET /selftest/ldap
Content-Type: application/xml

<SelfTestDocument xmlns="http://xml.vidispine.com/schema/vidispine" name="ldap" status="ok" took="1ms">
  <message>No LDAP resource has been defined</message>
</SelfTestDocument>

You can also use tools such as ldapsearch or ldp.exe to verify the configuration:

$ ldapsearch -h ad.example.com -D "CN=VS,OU=Users,DC=example,DC=com" -W -b "OU=Users,DC=example,DC=com"

If the configuration is correct, but users are still not being authenticated properly, then set the following log levels, try to authenticate once more and then check the application server log file to see what is going on.

com.vidispine.security=FINEST
com.vidispine.authentication=FINEST

For example, this error would indicate that the userDN element is missing:

Caused by: com.sun.enterprise.security.auth.realm.BadRealmException: A search base DN must be provided.
        at com.vidispine.security.auth.realm.MultiRealm.init(MultiRealm.java:89)
        at com.sun.enterprise.security.auth.realm.Realm.doInstantiate(Realm.java:233)

Users are not assigned to the correct groups

Users will only be added to LDAP groups that have a corresponding group in Vidispine. If LDAP import is enabled then groups will also be created. Verify that the name attribute of the group corresponds to the name of the group in Vidispine.

Note that if a group is removed from the directory then the users will still be a part of the group. This is because we currently do not track which groups are to be synchronized with the groups from the directory, except by name.

Users can only log in by entering their upper case username

What you can do is set usernameFormat to lower in the LDAP resource. Vidispine will then lower case all usernames read from the LDAP directory. Your users can then login by entering their username in lower case, or in any letter case if your application is lower casing usernames.

Disabled the user can still login

A user will be marked as disabled if:

  • The user has been removed from the directory.
  • If the user has been disabled (Active Directory only.)

If users should be disabled based on some other criteria then update the user search filter so that it excludes users accordingly. For example:

(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

It’s still not working

Contact us directly and we will try to figure out what’s going on.