8.1.6. Integration with LDAP

A CUBA application can be integrated with LDAP to provide the following benefits:

  1. Keep and manage user passwords centrally in the LDAP database.

  2. For Windows domain users, enable logging in through Single Sign-On without having to specify the username and password.

A user account with all the required properties and permissions must be created in the application. It is recommended to leave the password empty, so that the user can log in with the LDAP password only. Authentication is attempted via LDAP first; if that fails, the standard check against the password hash stored in the database follows. Consequently, if a password is also set in the application, the user can log in with it even when the account does not exist in LDAP or has a different LDAP password, and disabling the account in LDAP alone does not lock that user out.

A CUBA-based application interacts with LDAP via the CubaAuthProvider interface. The platform includes a single implementation of this interface, LdapAuthProvider, which supports LDAP authentication without Single Sign-On. In order to enable advanced Active Directory integration and Single Sign-On, the Jespa library can be used with the corresponding CubaAuthProvider implementation, as described in Setting Up Authentication Using Jespa. A custom CubaAuthProvider implementation class can also be used by setting the following application properties:

cuba.web.externalAuthentication = true
cuba.web.externalAuthenticationProviderClass = com.company.sample.web.MyAuthProvider
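The following is an added example of a custom CubaAuthProvider, not code from the CUBA platform or its documentation. It verifies the login and password with an LDAP simple bind and has no Single Sign-On part, so the servlet Filter methods pass the request through. Assumed rather than taken from the page: that CubaAuthProvider extends javax.servlet.Filter and declares authenticate(login, password, locale), the package and String constructor of LoginException, and the placeholder LDAP URL and DN template. The two checks before the bind are the ones a naive provider usually lacks: an empty password must be rejected locally, because a simple bind with a DN and an empty password is an unauthenticated bind (RFC 4513, 5.1.2) that many directories accept as anonymous, and the login must be whitelisted so it cannot add RDNs to the constructed DN.

```java
package com.company.sample.web;

import com.haulmont.cuba.security.global.LoginException;
import com.haulmont.cuba.web.auth.CubaAuthProvider;

import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import java.io.IOException;
import java.util.Hashtable;
import java.util.Locale;

/**
 * Example custom CubaAuthProvider (not platform code) that checks credentials
 * with an LDAP simple bind. No SSO, so the Filter methods are pass-through.
 *
 * Assumptions, not taken from the page: CubaAuthProvider extends
 * javax.servlet.Filter and declares authenticate(login, password, locale);
 * LoginException lives in com.haulmont.cuba.security.global and accepts a
 * message string; LDAP_URL and USER_DN_TEMPLATE are placeholders.
 */
public class MyAuthProvider implements CubaAuthProvider {

    // Placeholders for this example; a real deployment reads them from app.properties.
    static final String LDAP_URL = "ldaps://ldap.example.com:636";
    static final String USER_DN_TEMPLATE = "uid=%s,ou=people,dc=example,dc=com";

    @Override
    public void authenticate(String login, String password, Locale messagesLocale)
            throws LoginException {
        // 1. Refuse empty passwords before contacting the directory. A simple bind
        //    with a DN and an empty password is an "unauthenticated bind"
        //    (RFC 4513, 5.1.2) that many servers treat as anonymous and accept;
        //    without this check anyone could log in as any LDAP user.
        if (login == null || password == null || password.isEmpty()) {
            throw new LoginException("Login or password is empty");
        }
        // 2. Whitelist the login so it cannot inject extra RDNs into the DN.
        if (!login.matches("[A-Za-z0-9._-]{1,64}")) {
            throw new LoginException("Invalid login format");
        }

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL); // ldaps:// so the password never travels in clear
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, String.format(USER_DN_TEMPLATE, login));
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");
        env.put("com.sun.jndi.ldap.read.timeout", "5000");

        DirContext ctx = null;
        try {
            // 3. The bind is the password check: success means the directory
            //    accepted the credentials for this DN.
            ctx = new InitialDirContext(env);
        } catch (AuthenticationException e) {
            // Same message for "no such user" and "wrong password" to avoid enumeration.
            throw new LoginException("Unknown login or wrong password");
        } catch (NamingException e) {
            // Directory unreachable or misconfigured: fail closed, leak no details.
            throw new LoginException("LDAP authentication is unavailable");
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    // No SSO in this example: the Filter methods just pass the request through.
    @Override
    public void init(FilterConfig filterConfig) throws ServletException { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```

Note that this class only replaces the LDAP step; the platform's fallback to the database password hash described above still applies, so the application-side password should stay empty for accounts that are meant to authenticate through LDAP only.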