In order to have OpenClinica configured to authenticate users using LDAP/Active Directory, these configuration values need to be defined in datainfo properties. As of 3.1.4, these are the new properties that are added to the datainfo properties and need to be set in order to enable LDAP.

 

Property name

Description

ldap.enabled

Set to true if LDAP/ActiveDirectory should be used to authenticate users in OpenClinica.

Values allowed for this field are true and false.

ldap.host

LDAP/ActiveDirectory server host address.

 

Example:

ldap://ldapserver:389

ldap.userDn

Distinguished name (DN) of the user account which can authenticate to LDAP/ActiveDirectory, to perform the authentication of OpenClinica users. This user must have privileges to search the LDAP structure. We recommend creating a dedicated LDAP/ActiveDirectory account to be used in this property.

 

Example:

CN=openclinica,OU=example,OU=com

ldap.password

Password of the user configured in the property ldap.userDn.

ldap.loginQuery

Query used during login to retrieve an LDAP account by username, where the placeholder {0} is replaced by the username typed in the login screen. This query must never return more than one account. To increase overall application security, this query should never return a user account that has no access to OpenClinica (e.g., by filtering accounts that belong to a specific group).

 

Example:

(&(memberOf=CN=group,OU=example,OU=com)(sAMAccountName=*{0}*))

ldap.passwordRecoveryURL

URL to redirect LDAP/ActiveDirectory users when the forgotten password link is clicked.

ldap.userSearch.baseDn

Base DN to search for user accounts in LDAP/ActiveDirectory. Only user accounts that belong to this base DN can be configured as an OpenClinica user account.

 

Example:

OU=example,OU=com

ldap.userSearch.query

LDAP query used to search for users in the LDAP Users Search screen, where the placeholder {0} is replaced by the text entered in the Search field. To increase overall application security, this query should never return a user account that has no access to OpenClinica (e.g., by filtering accounts that belong to a specific group).

 

Example:

(&(memberOf=CN=group,OU=example,OU=com)(sAMAccountName=*{0}*))

ldap.userData.distinguishedName

Name of the LDAP property from which the distinguished name (DN) will be retrieved.

ldap.userData.username

Name of the LDAP property from which the username will be retrieved.

ldap.userData.firstName

Name of the LDAP property from which the first name will be retrieved.

ldap.userData.lastName

Name of the LDAP property from which the last name will be retrieved.

ldap.userData.email

Name of the LDAP property from which the email will be retrieved.

ldap.userData.organization

Name of the LDAP property from which the organization will be retrieved.