Particular Requirements for an LDAP Server

In order to connect a CMS application to a user manager based on LDAP, the LDAP server only needs to fulfill a small number of conditions:

  1. First, two schemas (object classes) must be defined which allow users and user groups to be identified as Content Manager users or Content Manager groups respectively. For example, there could be a schema called fionaUser and one called fionaGroup, and the LDAP entries which are to represent the users and the groups (e.g. entries of the classes inetOrgPerson and groupOfUniqueNames) would be assigned to them.

  2. An entry which represents a Content Manager user must possess an attribute (e.g. uid) which is suitable for defining a login. The login must be unique across all entries, i.e. the user must be identified uniquely by this field. Additionally, only values which satisfy the general criteria for logins may be accepted into this field.

  3. An entry for a Content Manager user must possess an additional attribute which corresponds to the user password in the Content Manager. The value of this attribute must satisfy the general criteria for passwords. Passwords should be stored either in clear text or hashed with the crypt method. Alternatively, base64 encoding can be used. Note that base64 is a reversible encoding and not a protection of the password value; of the three forms, only crypt keeps the password from being readable by anyone who can read the attribute.

  4. An entry which represents a Content Manager user group must possess an attribute which is suitable for defining a group name. The group name must be unique across all entries, i.e. the group must be identified uniquely by this field.

  5. It must be possible to assign the users and user groups of the CMS application to each other. This means that either the user entries must possess an attribute in which the groups they belong to are stored, or the group entries must possess a corresponding attribute listing the users who belong to them.

  6. Additionally, both group entries and user entries should possess attributes in which the granted global permissions are stored. The permissions need only be saved as strings, since the user manager does not have to be able to administer the relevant permissions in the Content Manager. It must be possible to determine whether a user is a superuser or not; to do this, for example, the users can be given a superuser attribute.
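As an added check that is not part of the original documentation, the following Python script parses a constructed LDIF fragment and verifies conditions 2, 3 and 5 above against it. The object class names fionaUser and fionaGroup come from the example in condition 1; the attribute choices (uid, userPassword with the conventional {CRYPT} scheme prefix, uniqueMember), the sample entries and the login pattern are assumptions.

```python
import re
# Constructed sample LDIF (not from the page); the fiona* names are assumptions.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: fionaUser
uid: alice
userPassword: {CRYPT}$6$saltsalt$placeholderhash

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: fionaUser
uid: bob
userPassword: {SSHA}schemeNotListedInTheRequirements

dn: cn=editors,ou=groups,dc=example,dc=com
objectClass: fionaGroup
cn: editors
uniqueMember: uid=alice,ou=people,dc=example,dc=com
uniqueMember: uid=carol,ou=people,dc=example,dc=com
"""
LOGIN_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")  # assumed login criteria

def parse_ldif(text):
    # Minimal parser for unfolded, non-base64 LDIF: list of (dn, {attr: [values]}).
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, val = line.partition(": ")
            attrs.setdefault(key, []).append(val)
        entries.append((attrs["dn"][0], attrs))
    return entries

def check_directory(text):
    """Return the violations of conditions 2, 3 and 5 found in the LDIF text."""
    entries = parse_ldif(text)
    users = {dn: a for dn, a in entries if "fionaUser" in a.get("objectClass", [])}
    groups = {dn: a for dn, a in entries if "fionaGroup" in a.get("objectClass", [])}
    logins = [a["uid"][0] for a in users.values() if "uid" in a]
    problems = []
    for dn, a in users.items():
        login = a.get("uid", [""])[0]        # condition 2: well-formed and unique login
        if not LOGIN_RE.match(login) or logins.count(login) > 1:
            problems.append(f"{dn}: login {login!r} is missing, malformed or not unique")
        pw = a.get("userPassword", [""])[0]  # condition 3: clear text or {CRYPT} only
        if pw.startswith("{") and not pw.upper().startswith("{CRYPT}"):
            problems.append(f"{dn}: password scheme {pw.split('}')[0][1:]} not supported")
    for dn, a in groups.items():            # condition 5: every member must be a CMS user
        for member in a.get("uniqueMember", []):
            if member not in users:
                problems.append(f"{dn}: member {member} is not a CMS user")
    return problems
```

Running check_directory(SAMPLE_LDIF) reports bob's unsupported password scheme and the dangling member carol; an entry without a scheme prefix is accepted as clear text.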