
LDAP Provider Stacking and Configuration Sharing

LDAP login and attribution modules can sometimes share a common configuration. LDAPAttributer can share the configuration properties from the configured LDAP login modules only if no configuration properties are explicitly configured for LDAPAttributer.

When stacking these modules, be aware that authorizers do not inherit configuration properties from the login modules you configure; configurations must be explicit. In the case where both LDAPLoginModule and LDAPAuthorizer are separately configured in a:
  • Matching configuration, then LDAPAuthorizer simply skips the role retrieval.
  • Differing configuration, then LDAPAuthorizer proceeds with the role retrieval from the configured back-end, and performs the authorization checks using the complete list of roles (from both the login module and itself).
Only one attributer instance needs to be configured even when multiple login module instances are present in the security configuration. The LDAPAttributer attributes an authenticated subject using the LDAP configuration that was used to authenticate the subject. However, the list of available roles is computed by the LDAPAttributer by iterating through all available LDAP configurations.
When using LDAPAttributer stacking and configuration, keep in mind:
  • LDAPAttributer is most functional when combined with the LDAP authentication provider, but it can also be configured completely standalone or with alternate authentication providers.
  • If you do not configure an LDAPLoginModule, you must configure all properties in the attributer.
  • If explicit configuration properties are specified for the attributer, then the properties from the login module are not used for attributer functionality, including retrieving attributes for authenticated subjects, listing roles, and more. SAP recommends that you share configurations rather than trying to maintain separate configurations.
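The sharing and stacking rules above, as an added illustrative model (not SAP's own code; the class names, property names and sample LDAP values are assumptions constructed for the example): an attributer with no explicit properties reuses the configuration of the login module that authenticated the subject and lists roles across all login-module configurations, an attributer with explicit properties uses only its own, and an authorizer skips role retrieval only when its configuration matches the login module's.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class LdapConfig:
    """One LDAP configuration. Values are constructed samples, not real servers."""
    provider_url: str
    role_search_base: str
    roles: frozenset = field(default_factory=frozenset)  # roles known to this directory


@dataclass
class LdapLoginModule:
    config: LdapConfig


@dataclass
class LdapAttributer:
    login_modules: List[LdapLoginModule]
    explicit_config: Optional[LdapConfig] = None  # None means "share login-module config"

    def effective_config(self, authenticated_by: LdapLoginModule) -> LdapConfig:
        # Explicit attributer properties win; otherwise the attributer reuses the
        # configuration of the login module that authenticated the subject.
        if self.explicit_config is not None:
            return self.explicit_config
        return authenticated_by.config

    def available_roles(self) -> frozenset:
        # Shared mode iterates every login-module configuration; explicit mode
        # never consults the login modules at all.
        if self.explicit_config is not None:
            return self.explicit_config.roles
        return frozenset().union(*(m.config.roles for m in self.login_modules))


def authorizer_roles(login_cfg: LdapConfig, authorizer_cfg: LdapConfig,
                     login_roles, authorizer_retrieved) -> frozenset:
    # Matching configuration: LDAPAuthorizer skips its own retrieval.
    # Differing configuration: the check uses roles from both sources.
    if login_cfg == authorizer_cfg:
        return frozenset(login_roles)
    return frozenset(login_roles) | frozenset(authorizer_retrieved)


# Constructed sample configurations used by the checks below.
CFG_A = LdapConfig("ldap://dir-a.example", "ou=groups,dc=example", frozenset({"admin", "user"}))
CFG_B = LdapConfig("ldap://dir-b.example", "ou=roles,dc=example", frozenset({"auditor"}))
```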