Upgrading to 4.9 from an Earlier Version

If you have already set up LDAP authentication in version 4.8 or below and have now upgraded to version 4.9, some changes to the configuration are required. 

Old/New Configuration Mapping

Section <dir-contexts>

| Name in old configuration | Name in new configuration |
|---|---|
| java.naming.provider.url | url |
| bindDN | principal |
| bindCredential | credential-reference |
| java.naming.security.principal | Same as bindDN |
| java.naming.security.credentials | Same as bindCredential |

Here is an example:

<dir-contexts>
	<dir-context name="ldap-connection" principal="..." url="...">
		<credential-reference clear-text="..."/>
	</dir-context>
</dir-contexts>

Section <ldap-realm>

| Name in old configuration | Name in new configuration |
|---|---|
| baseCtxDN | search-base-dn |
| baseFilter | rdn-identifier; filter-name (see the note below the table) |
| rolesCtxDN | filter-base-dn |
| roleFilter | filter |
| roleAttributeID | from |

A note on filter-name

For a simple old baseFilter like (cn={0}) or (sAMAccountName={0}), the rdn-identifier is set to cn / sAMAccountName in the new configuration. The filter-name is not used in that case.

For a more complex old baseFilter like (userPrincipalName={0}@mydomain.local) or (&amp;(userPrincipalName={0}@mydomain.local)(|(memberof=cn=example_group1,OU=...,DC=mydomain,DC=local)(memberof=cn=example_group2,OU=...,DC=mydomain,DC=local))), the configuration is translated as follows:

  • rdn-identifier is set to userPrincipalName;
  • the full old baseFilter goes into filter-name.

Here is an example:

<ldap-realm dir-context="ldap-connection" direct-verification="true" name="DataVirtualityRealm">
	<identity-mapping filter-name="..." rdn-identifier="..." search-base-dn="..." use-recursive-search="true">
		<attribute-mapping>
			<attribute filter="..." filter-base-dn="..." from="..." to="Roles"/>
		</attribute-mapping>
	</identity-mapping>
</ldap-realm>

Section <ldap>

For all other options, the actual names do not change. The containing element (<module-option> before 4.9) is now <property>.

Here is an example:

<ldap>
	<property name="roleRecursion" value="..."/>
	<property name="displayUserName" value="..."/>
	<property name="defaultAdminGroup" value="..."/>
	<property name="searchFilterUsers" value="..."/>
	<property name="searchFilterGroups" value="..."/>
	<property name="allowEmptyPasswords" value="false"/>
</ldap>

Deprecated Options

java.naming.security.protocol

This option is no longer needed to enable SSL. SSL is used automatically if the url field uses the ldaps:// protocol.

dv.encrypted.credentials

This option is no longer needed to indicate that an encrypted password is provided. Both cleartext and encrypted passwords can be provided as credential-reference.
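
The mapping tables, the filter-name rule and the two deprecated options, applied together in a short Python script. This is an added example, not the product's own tooling: the function names, the regular expressions used to classify baseFilter, the warning texts and the SAMPLE values are assumptions, while the fixed attribute values (ldap-connection, DataVirtualityRealm, Roles) are copied from the examples on this page. It assumes bindCredential holds a clear-text password, since that is the only credential-reference form shown here.

```python
import re
import xml.etree.ElementTree as ET

# Old option name -> new attribute name, from the mapping tables on this page.
DIR_CONTEXT = {"java.naming.provider.url": "url", "bindDN": "principal"}
ATTRIBUTE = {"rolesCtxDN": "filter-base-dn", "roleFilter": "filter", "roleAttributeID": "from"}
SIMPLE = re.compile(r"^\(([A-Za-z][\w.-]*)=\{0\}\)$")
USER_TERM = re.compile(r"\(([A-Za-z][\w.-]*)=[^()]*\{0\}[^()]*\)")

def split_base_filter(base_filter):
    """Return (rdn-identifier, filter-name or None) for an old baseFilter."""
    simple = SIMPLE.match(base_filter)
    if simple:  # e.g. (cn={0}): filter-name is not used
        return simple.group(1), None
    term = USER_TERM.search(base_filter)
    if term is None:
        raise ValueError("baseFilter has no (attribute=...{0}...) term")
    return term.group(1), base_filter  # full old filter goes into filter-name

def convert(old):
    """Build <dir-contexts> and <ldap-realm> from a dict of old option values."""
    warnings = []
    if not old["java.naming.provider.url"].lower().startswith("ldaps://"):
        warnings.append("url is not ldaps://, so the url does not select SSL")
    if old.get("dv.encrypted.credentials", "false").lower() == "true":
        warnings.append("bindCredential is encrypted, not clear text")
    contexts = ET.Element("dir-contexts")
    ctx = ET.SubElement(contexts, "dir-context", {"name": "ldap-connection"})
    for old_name, new_name in DIR_CONTEXT.items():
        ctx.set(new_name, old[old_name])
    # Assumption: bindCredential is a clear-text password (the only form shown above).
    ET.SubElement(ctx, "credential-reference", {"clear-text": old["bindCredential"]})
    realm = ET.Element("ldap-realm", {"dir-context": "ldap-connection",
        "direct-verification": "true", "name": "DataVirtualityRealm"})
    rdn, filter_name = split_base_filter(old["baseFilter"])
    ident = ET.SubElement(realm, "identity-mapping", {"rdn-identifier": rdn,
        "search-base-dn": old["baseCtxDN"], "use-recursive-search": "true"})
    if filter_name:
        ident.set("filter-name", filter_name)
    attr = ET.SubElement(ET.SubElement(ident, "attribute-mapping"), "attribute", {"to": "Roles"})
    for old_name, new_name in ATTRIBUTE.items():
        attr.set(new_name, old[old_name])
    return contexts, realm, warnings

# Constructed sample values, not taken from a real deployment.
SAMPLE = {"java.naming.provider.url": "ldap://ldap.example.test:389",
          "bindDN": "cn=svc,dc=example,dc=test", "bindCredential": "constructed",
          "baseCtxDN": "dc=example,dc=test", "roleAttributeID": "cn",
          "baseFilter": "(&(userPrincipalName={0}@example.test)(objectClass=user))",
          "rolesCtxDN": "ou=groups,dc=example,dc=test", "roleFilter": "(member={1})"}
```

Serialising the returned elements with ET.tostring() writes the & of a complex filter as &amp;, which is the form the attribute needs inside the XML configuration file. Old configurations that relied on java.naming.security.protocol with an ldap:// url trigger the first warning, because after the upgrade only the url selects SSL.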
