...

    vi /app/ui/MonTier-UI/conf/server.xml

Disabling DB registry

DPOD is set up by default with the internal database user management option. To use LDAP, you will first have to disable the DB registry. To do that, comment out the DataSourceRealm element (see below):

    <!--
    <Realm className="org.apache.catalina.realm.DataSourceRealm"
    ...
    />
    -->

Scenario A - An attribute of the user directory entry

When your installation scenario matches Scenario A in the Concepts section, add the following XML element right after the DataSourceRealm element you commented out in the previous step.

...

Parameter Name / Description

connectionURL
    An LDAP URL specifying the domain name of the directory server, the port number and the DN of the root naming context.
alternateURL
    An LDAP URL specifying an alternate directory server to connect to (if any). This should follow the same format as connectionURL.
referrals
    States how LDAP referrals are handled. Valid values are "follow" or "ignore".
connectionName
    The connection username/DN for the directory server, which is used to retrieve users and groups.
connectionPassword
    The connection password for the directory server, which is used to retrieve users and groups.
    Note: Do not enter the password in plain text. The value here must be a hash digest (see Encrypting connection password below).
userBase
    The base entry for the user search. If not specified, the search base defaults to the top-level directory context.
userSubtree
    Whether to search the entire subtree rooted at the userBase entry, or limit it to a single level. Valid values are "true" and "false".
userSearch
    An LDAP search filter to find the user. {0} will be replaced with the authenticating username; '&' and '|' should be escaped.
userRoleName
    The name of the attribute in the user's directory entry containing the name of the role.

Scenario B - An attribute of the group directory entry

When your installation scenario matches Scenario B in the Concepts section, add the following XML element right after the DataSourceRealm element you commented out in the previous step.

...

Parameter Name / Description

connectionURL
    An LDAP URL specifying the domain name of the directory server, the port number and the DN of the root naming context.
alternateURL
    An LDAP URL specifying an alternate directory server to connect to (if any). This should follow the same format as connectionURL.
referrals
    States how LDAP referrals are handled. Valid values are "follow" or "ignore".
connectionName
    The connection username/DN for the directory server, which is used to retrieve users and groups.
connectionPassword
    The connection password for the directory server, which is used to retrieve users and groups.
    Note: Do not enter the password in plain text. The value here must be a hash digest (see Encrypting connection password below).
userBase
    The base entry for the user search. If not specified, the search base defaults to the top-level directory context.
userSubtree
    Whether to search the entire subtree rooted at the userBase entry, or limit it to a single level. Valid values are "true" and "false".
userSearch
    An LDAP search filter to find the user.
      • {0} will be replaced with the authenticating username
      • '&' and '|' should be escaped
roleBase
    The base entry for the group search. If not specified, the search base defaults to the top-level directory context.
roleSubtree
    Whether to search the entire subtree rooted at the roleBase entry, or limit it to a single level. Valid values are "true" and "false".
roleSearch
    An LDAP search filter to find the groups.
      • {0} will be replaced with the authenticated DN
      • {1} will be replaced with the authenticated username
      • {2} will be replaced with the value of the custom attribute named in the userRoleAttribute parameter (if specified)
      • '&' and '|' should be escaped
userRoleAttribute
    The name of the attribute that provides the value for {2} in roleSearch, if required.
roleName
    The name of the attribute in the group's directory entry containing the name of the role.
roleNested
    Whether roles are nested in roles. If configured, every newly found roleName and distinguished name will be recursively tried for a new role search. Valid values are "true" and "false".
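As an added illustration (not taken from the DPOD documentation), the two Realm elements the Scenario A and Scenario B tables describe are written out below, as they would sit in server.xml right after the commented-out DataSourceRealm element. Only one of the two elements belongs in a given server.xml; both are shown here to make the difference visible. Host names, base DNs, object classes and attribute names (ldap.example.com, dc=example,dc=com, inetOrgPerson, uid, groupOfNames, member, dpodRole) are assumptions for this example and must be replaced with the values of your own directory; the connectionPassword value is the hash produced in the Encrypting connection password section, and the digest attribute added there is left out here.

```xml
<!-- Added example, not part of the DPOD documentation. Host names, DNs,
     object classes and attribute names below are placeholders. -->

<!-- Scenario A: the role name is an attribute of the user entry itself
     (userRoleName). The '&' inside userSearch is written as &amp; because
     the filter is an XML attribute value; {0} is filled in by the realm
     with the authenticating username. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
    connectionURL="ldap://ldap.example.com:389/dc=example,dc=com"
    alternateURL="ldap://ldap2.example.com:389/dc=example,dc=com"
    referrals="follow"
    connectionName="cn=dpod-reader,ou=service,dc=example,dc=com"
    connectionPassword="ENCRYPTED-PASSWORD-PLACEHOLDER"
    userBase="ou=people,dc=example,dc=com"
    userSubtree="true"
    userSearch="(&amp;(objectClass=inetOrgPerson)(uid={0}))"
    userRoleName="dpodRole"
/>

<!-- Scenario B: the role name is read from the group entries that list the
     user as a member. In roleSearch, {0} is the authenticated user's DN;
     {1} would be the username and {2} the value of the attribute named in
     userRoleAttribute. roleName selects which group attribute becomes the
     role. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
    connectionURL="ldap://ldap.example.com:389/dc=example,dc=com"
    referrals="follow"
    connectionName="cn=dpod-reader,ou=service,dc=example,dc=com"
    connectionPassword="ENCRYPTED-PASSWORD-PLACEHOLDER"
    userBase="ou=people,dc=example,dc=com"
    userSubtree="true"
    userSearch="(&amp;(objectClass=inetOrgPerson)(uid={0}))"
    roleBase="ou=groups,dc=example,dc=com"
    roleSubtree="true"
    roleSearch="(&amp;(objectClass=groupOfNames)(member={0}))"
    roleName="cn"
    roleNested="false"
/>
```

The connectionName account only needs read access to the user and group subtrees, so a dedicated low-privilege directory account is the appropriate choice; the same account and hashed connectionPassword are used in both scenarios.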

Encrypting connection password

As noted above, you should not enter the clear-text password in server.xml. Instead, you provide a hash digest of the password. Use the following procedure to generate an encrypted password.

  1. Run the following command (replace <CLEAR-TEXT-PASSWORD> with your password):

     java -cp "/app/ui/MonTier-UI/lib/*:/app/ui/MonTier-UI/bin/*" org.apache.catalina.realm.RealmBase -a SHA1 <CLEAR-TEXT-PASSWORD>

     or

     /app/ui/MonTier-UI/bin/digest.sh -a SHA1 <CLEAR-TEXT-PASSWORD>

     The system will create an encrypted password and display the result in the following format:

     <CLEAR-TEXT-PASSWORD>:<ENCRYPTED-PASSWORD>

  2. Modify the JNDIRealm XML element (the element discussed above):

     <Realm className="org.apache.catalina.realm.JNDIRealm"
        ...
        connectionPassword="<ENCRYPTED-PASSWORD>"
        digest="MD5"
        ...
     />

Connect to LDAP over SSL

To connect to the LDAP server over SSL (LDAPS), perform the following steps:

...