
Redirection Notice

This page will redirect to lamsdocs:LDAP Configuration.

Implementation as of 2.0

It is possible to use an LDAP server for authentication in LAMS 2.0, but it requires substantial knowledge on the part of the system administrator. It is functioning, but not friendly. The following is a brief overview of how it is currently set up. It has been tested using OpenLDAP 2.2.26.

Authentication and Authorisation

LDAP is used to authenticate a user (i.e. username and password), but that's as far as it goes. For authorisation purposes (roles/permissions), LAMS' own database is used.

User accounts still need to be created as usual by a sysadmin or group admin; the only change is that authentication_method_id needs to be set to 3 (i.e. MQ-LDAP in the lams_authentication_method table).


The password sent by LAMS to LDAP is the SHA-1 hash of the password, not the cleartext. So any hashing or encryption of the password on the LDAP side must be applied to the SHA-1 version of the password, and not to the password itself.

This is because the login form currently hashes the password with SHA-1 before sending it to LAMS, and LAMS' database stores it in that SHA-1 form.


The LDAP settings are located in $JBOSS_HOME/server/default/conf/lamsauthentication.xml, in the method block titled "MQ-LDAP". The configurable parameters are as follows:

param name | value | description
 |  | URL of your LDAP server; this example is on SSL port
 |  | Use 'simple' for sending password as cleartext
 |  | Keep this parameter to communicate with LDAP over SSL (made optional in 2.0.3)
 |  | Combines with LAMS username to provide DN for LDAP (prefix)
 |  | Combines with LAMS username to provide DN for LDAP (suffix)
 |  | LAMS datasource, don't change
 |  | Not used
 | <see file for the SQL query> | Used to retrieve roles from LAMS DB. Don't change
 |  | Necessary when communicating via SSL (trust store)
 |  | Necessary when communicating via SSL (trust store password)
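The following is an added illustration, not code from the LAMS project, of two points above: the bind DN is the configured prefix, the LAMS username and the configured suffix concatenated, and the bind password LAMS presents to the directory is the SHA-1 digest of what the user typed, so the entry's userPassword must be a hash of that digest rather than of the cleartext. The prefix and suffix values, the lowercase-hex digest format and the use of OpenLDAP's {SSHA} storage scheme are assumptions; the {SSHA} layout itself (SHA-1 over secret+salt, base64 of digest followed by salt) is the standard one.

```python
import base64
import hashlib
import hmac
import os

# Constructed example values: the real prefix/suffix come from the
# MQ-LDAP block in lamsauthentication.xml (assumption).
PRINCIPAL_DN_PREFIX = "uid="
PRINCIPAL_DN_SUFFIX = ",ou=people,dc=example,dc=org"


def build_bind_dn(username, prefix=PRINCIPAL_DN_PREFIX, suffix=PRINCIPAL_DN_SUFFIX):
    """DN LAMS binds with: prefix + LAMS username + suffix."""
    return f"{prefix}{username}{suffix}"


def lams_password_sent_to_ldap(cleartext):
    """What LAMS sends as the bind password: the SHA-1 digest of the
    cleartext (assumed lowercase hex, as the LAMS login form produces)."""
    return hashlib.sha1(cleartext.encode("utf-8")).hexdigest()


def ssha_hash(secret, salt=None):
    """OpenLDAP {SSHA} userPassword value for a secret string."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(secret.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, candidate):
    """Emulate what slapd does on a simple bind against an {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, digest)


def ldap_user_password_for_lams(cleartext, salt=None):
    """Value to store in userPassword so a LAMS bind succeeds: the
    directory-side hash is taken over the SHA-1 hex string, not the cleartext."""
    return ssha_hash(lams_password_sent_to_ldap(cleartext), salt)


def bind_would_succeed(stored_user_password, cleartext_typed):
    """True if a user typing cleartext_typed into LAMS would bind successfully
    against an entry whose userPassword is stored_user_password."""
    return ssha_verify(stored_user_password, lams_password_sent_to_ldap(cleartext_typed))


if __name__ == "__main__":
    print(build_bind_dn("jsmith"))
    # Entry provisioned the LAMS way: bind succeeds.
    ok = ldap_user_password_for_lams("password")
    print(bind_would_succeed(ok, "password"))
    # Entry provisioned with a hash of the cleartext (the common mistake): bind fails.
    wrong = ssha_hash("password")
    print(bind_would_succeed(wrong, "password"))
```

The last two checks show the failure mode the note above warns about: an account whose userPassword was hashed from the cleartext in the usual way will never authenticate through LAMS, while one hashed from the SHA-1 string will.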

Relevant Code

The class in lams_central handles the setup of the JNDI context. Parameters are read in from lamsauthentication.xml by in lams_central.

What's Missing (aka Nice to Haves)

Automatic user provisioning

Currently LAMS accounts must exist before any authentication is even considered. However, it would make it easier for admins if LAMS accounts (i.e. rows in lams_user) were created on the fly when a user logs in using LDAP credentials for the first time.

Automatic roles provisioning

Even better if we could also automatically translate any grouping/roles/permissions information into LAMS roles/group/subgroup format. Alternatively, add an LDAP option to the 'add/remove user' screens so that LDAP users are included in the available list of users.

SASL support for LDAP v3

Add support for securing the LDAP connection by means other than SSL (i.e. SASL), for both security and compatibility.

GUI-configurable settings

Currently JBoss needs to be restarted when a change is made in lamsauthentication.xml.

Compatibility with different implementations

(22/12/06) I've tested partially with OpenLDAP 2.2.26, but other implementations such as Active Directory may have their differences.
