...

dpod_ldap_method
  Should be "user_attribute" (for scenario A) or "group_attribute" (for scenario B).
  e.g. "group_attribute"

test_user
  The username of a user for testing
  e.g. "adminford"

test_user_password
  The password of a user for testing
  e.g. "pass123"

connectionURL
  Primary LDAP server URL. Use the ldap:// prefix for a non-SSL connection and the ldaps:// prefix for an SSL connection.
  e.g. "ldap://192.168.110.15:389"

alternateURL
  Alternate LDAP server URL. Use the ldap:// prefix for a non-SSL connection and the ldaps:// prefix for an SSL connection.
  e.g. "ldap://192.168.110.16:389"

referrals
  Follow or ignore LDAP referrals (follow/ignore)
  e.g. "ignore"

connectionName
  Query user distinguished name (DN)
  e.g. "cn=LDAP Query User,ou=people,dc=example,dc=org"

connectionPassword
  Query user password
  This password will be encrypted in the configuration file
  e.g. "pass123"

userBase
  User base entry
  e.g. "ou=people,dc=example,dc=org"

userSubtree
  User query sub-tree (true/false)
  e.g. "true"

userSearch
  User search filter
  Operators (e.g. "&") are escaped (e.g. "&amp;")
  {0} - a placeholder for the user name entered in the login screen
  e.g. "(&amp;(objectClass=person)(sAMAccountName={0}))"

userRoleName
  For scenario A only
  User entry attribute name
  e.g. "DPOD_Role"

roleBase
  For scenario B only
  Group base entry
  e.g. "ou=groups,dc=example,dc=org"

roleSubtree
  For scenario B only
  Role query sub-tree (true/false)
  e.g. "true"

roleSearch
  For scenario B only
  Group search filter
  Operators (e.g. "&") are escaped (e.g. "&amp;")
  {0} - a placeholder for the full DN of the authenticated user
  {1} - a placeholder for the user name of the authenticated user
  e.g. "(&amp;(objectClass=groupOfUniqueNames)(uniqueMember={0}))"

roleNested
  For scenario B only
  Nested groups (true/false)
  e.g. "true"

roleName
  For scenario B only
  Group entry attribute name
  e.g. "cn"

LDAPConnectionURL
  Primary LDAP server URL. Use the ldap:// prefix for a non-SSL connection and the ldaps:// prefix for an SSL connection.
  e.g. "ldap://192.168.110.15:389"
  (identical to the connectionURL property)

LDAPReferral
  Follow or ignore LDAP referrals (follow/ignore)
  e.g. "ignore"
  (identical to the referrals property)

LDAPConnectionName
  Query user distinguished name (DN)
  e.g. "cn=LDAP Query User,ou=people,dc=example,dc=org"
  (identical to the connectionName property)

LDAPConnectionPASSWORD
  Query user password
  This password will be used just for testing, and will not be stored in System Parameters
  e.g. "pass123"
  (identical to the connectionPassword property)

LDAPUserBaseEntry
  User base entry
  e.g. "ou=people,dc=example,dc=org"
  (identical to the userBase property)

LDAPUserSearchFilter
  User search filter
  Operators (e.g. "&") are NOT escaped (e.g. "&")
  {0} - a placeholder for the user name entered in the login screen
  e.g. "(&(objectClass=person)(sAMAccountName={0}))"
  NOTE: This property is similar to the userSearch property, but is NOT identical.

LDAPGroupBaseEntry
  Group base entry
  e.g. "ou=groups,dc=example,dc=org"
  (identical to the roleBase property)

LDAPGroupSearchFilter
  Group search filter
  Operators (e.g. "&") are NOT escaped (e.g. "&")
  {0} - a placeholder for the user name of the authenticated user
  {1} - a placeholder for the full DN of the authenticated user
  e.g. "(&(objectClass=groupOfUniqueNames)(uniqueMember={1}))"
  NOTE: This property is similar to the roleSearch property, but is NOT identical.

LDAPGroupNameAttribute
  Group entry attribute name
  e.g. "cn"
  (identical to the roleName property)
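
The following Python is an added example, not part of the DPOD documentation or of the product's app_ldap_utilities.sh script. It lints an LDAP_parameters.properties file against the rules in the table above: the keys required for scenario A versus scenario B, XML escaping in the realm filters (userSearch, roleSearch) versus the unescaped LDAP* System Parameter twins, the swapped {0}/{1} placeholders between roleSearch and LDAPGroupSearchFilter, and the ldap:// versus ldaps:// prefix. Only the key names come from the table; the sample file, the lint() function and its messages are this example's own.

```python
"""Lint an LDAP_parameters.properties file against the DPOD property table.

Added example, not DPOD tooling. Key names follow the table; everything else
(sample file, messages, helper names) is constructed for this illustration.
"""
import re
from xml.sax.saxutils import unescape

COMMON_KEYS = ("dpod_ldap_method", "test_user", "test_user_password",
               "connectionURL", "referrals", "connectionName",
               "connectionPassword", "userBase", "userSubtree", "userSearch")
# keys required on top of COMMON_KEYS, by dpod_ldap_method value
SCENARIO_KEYS = {
    "user_attribute": ("userRoleName",),                        # scenario A
    "group_attribute": ("roleBase", "roleSubtree", "roleSearch",
                        "roleNested", "roleName"),              # scenario B
}
# realm filter -> (System Parameter twin, placeholder renumbering realm -> parameter)
FILTER_PAIRS = {
    "userSearch": ("LDAPUserSearchFilter", {"{0}": "{0}"}),
    "roleSearch": ("LDAPGroupSearchFilter", {"{0}": "{1}", "{1}": "{0}"}),
}
# an '&' that is not the start of an XML entity reference
BARE_AMP = re.compile(r"&(?!(?:amp|lt|gt|quot|apos|#\d+|#x[0-9a-fA-F]+);)")


def parse_properties(text):
    """Minimal Java .properties reader: 'key=value' or 'key:value', '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def realm_to_parameter(realm_key, value):
    """server.xml form (XML-escaped, realm numbering) -> System Parameter form."""
    _, renumber = FILTER_PAIRS[realm_key]
    plain = unescape(value)  # &amp; -> &, &lt; -> <, &gt; -> >
    # single pass, so {0}->{1} and {1}->{0} cannot clobber each other
    return re.sub(r"\{[01]\}", lambda m: renumber.get(m.group(0), m.group(0)), plain)


def lint(props):
    """Return 'error: ...' / 'warning: ...' findings for a parsed properties file."""
    findings = []
    method = props.get("dpod_ldap_method")
    if method in SCENARIO_KEYS:
        required = COMMON_KEYS + SCENARIO_KEYS[method]
    else:
        findings.append("error: dpod_ldap_method must be user_attribute or group_attribute")
        required = COMMON_KEYS
    findings += [f"error: missing required key: {k}" for k in required if not props.get(k)]
    for key in ("connectionURL", "alternateURL"):
        url = props.get(key)
        if url is None:
            continue
        if not re.fullmatch(r"ldaps?://[^\s/]+", url):
            findings.append(f"error: {key} must use an ldap:// or ldaps:// prefix: {url}")
        elif url.startswith("ldap://"):
            findings.append(f"warning: {key} is ldap://, the query user's simple-bind password "
                            "crosses the network in clear text unless StartTLS is negotiated")
    for realm_key, (param_key, _) in FILTER_PAIRS.items():
        realm_val = props.get(realm_key)
        if not realm_val:
            continue
        if BARE_AMP.search(realm_val):
            findings.append(f"error: {realm_key} must be XML-escaped (write & as &amp;)")
            continue
        expected = realm_to_parameter(realm_key, realm_val)
        actual = props.get(param_key)
        if actual is not None and actual != expected:
            findings.append(f"error: {param_key} should be {expected!r}, found {actual!r}")
    return findings


# constructed sample: scenario B, with two deliberate mistakes (see usage note)
SAMPLE = """\
# constructed sample file, not a real deployment
dpod_ldap_method=group_attribute
test_user=adminford
test_user_password=pass123
connectionURL=ldaps://192.168.110.15:636
alternateURL=ldap://192.168.110.16:389
referrals=ignore
connectionName=cn=LDAP Query User,ou=people,dc=example,dc=org
connectionPassword=pass123
userBase=ou=people,dc=example,dc=org
userSubtree=true
userSearch=(&amp;(objectClass=person)(sAMAccountName={0}))
roleBase=ou=groups,dc=example,dc=org
roleSubtree=true
roleSearch=(&amp;(objectClass=groupOfUniqueNames)(uniqueMember={0}))
roleNested=true
roleName=cn
LDAPUserSearchFilter=(&(objectClass=person)(sAMAccountName={0}))
LDAPGroupSearchFilter=(&(objectClass=groupOfUniqueNames)(uniqueMember={0}))
"""

if __name__ == "__main__":
    for finding in lint(parse_properties(SAMPLE)):
        print(finding)
```

The sample deliberately carries LDAPGroupSearchFilter with {0} where the table says {1} (the lint reports it as an error, with the value it expects) and an alternateURL over ldap://, which it reports as a warning; the "Connect to LDAP over SSL" section below covers the truststore steps needed for ldaps://.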

...

Testing LDAP Configuration

In order to test the LDAP configuration, use the following command:

    scripts/app_ldap_utilities.sh -f /app/utils/LDAP_parameters.properties

If the LDAP configuration is valid, the command output should be:

    INFO: Testing LDAP configuration...
    INFO: LDAP configuration tests finished successfully.
    INFO: The operation completed successfully.

If the LDAP configuration is invalid, the command output should be:

    INFO: Testing LDAP configuration...
    ERROR: LDAP parameters tests failed. Please check the log file, change the parameters and try again.
    ERROR: The operation was aborted. See log file for more details.

Inspect the log file for detailed messages about which test failed. The log files are located in /logs/ui/app_ldap_utilities.log-<timestamp>.log.

Change the LDAP configuration in the properties file and rerun the script until the tests are successful.

Updating LDAP configuration

Once the LDAP configuration has been tested and found valid, use the following command to perform the change in the configuration file and System Parameters:

    /app/scripts/app_ldap_utilities.sh -f /app/utils/LDAP_parameters.properties -u

Note

Make sure DPOD services are up and running before updating the LDAP configuration.

The command output should be:

    INFO: Testing LDAP configuration...
    INFO: LDAP configuration tests finished successfully.
    INFO: Updating LDAP configuration...
    INFO: Original configuration file /app/ui/MonTier-UI/conf/server.xml was backed up to /app/ui/MonTier-UI/conf/server.xml_2017-04-17_13-12-28
    INFO: LDAP configuration has been updated, but has NOT been enabled. To enable it:
    INFO:   1. Manually edit server.xml, comment DataSourceRealm and uncomment LDAPRealm.
    INFO:   2. Manually set 'LDAP Connection Password' System Parameter using the UI.
    INFO:   3. Manually set 'Enable LDAP' System Parameter to 'true' using the UI.
    INFO:   4. Restart the UI service.
    INFO: See the product documentation for more details.
    INFO: The operation completed successfully.

Note

After running this script, the LDAP configuration has been updated, but has not been enabled.

Follow the steps below to enable the LDAP configuration.

Enabling LDAP configuration

Enabling LDAP in configuration file (server.xml)

Edit the following file:

    vi /app/ui/MonTier-UI/conf/server.xml

Disabling DB registry

DPOD's internal database registry has to be disabled. To do that, comment out the DataSourceRealm element:

    <!--
    <Realm className="org.apache.catalina.realm.DataSourceRealm"
    ...
    />
    -->

Remove the comment that wraps the LDAPRealm element:

    <Realm className="org.montier.common.tomcat.LDAPRealm"
    ...
    />

Enabling LDAP in System Parameters

Open the Web Console and navigate to the System Parameters page [Manage → System → System Parameters].

Manually set the 'LDAP Connection Password' System Parameter to the query user password. In future versions this parameter will be set automatically by the LDAP configuration script.

Manually set the 'Enable LDAP' System Parameter to 'true'.

Restart DPOD's Web Console

Restart DPOD's Web Console for the LDAP configuration to take effect:

    stop_services.sh -o ui
    start_services.sh -o ui

Manually Inspecting LDAP Configuration

Inspecting LDAP Configuration in configuration file (server.xml)

Edit the following file and look for the LDAPRealm element. This element contains all the configuration set automatically by the script.

    vi /app/ui/MonTier-UI/conf/server.xml

Inspecting LDAP Configuration in System Parameters

Open the Web Console and navigate to the System Parameters page [Manage → System → System Parameters].

The LDAP configuration system parameters are listed under the "LDAP" category.

Scenario A - An attribute of the user directory entry

When your installation scenario matches Scenario A in the Concepts Section, add the following XML element right after the DataSourceRealm element you've commented out in the previous step.

    <Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://<LDAP Server Host>:389"
       alternateURL="ldap://<LDAP Server Host>:389"
       referrals="ignore"
       connectionName="CN=...,OU=...,DC=..."
       connectionPassword="pass"
       userBase="OU=...,DC=..."
       userSubtree="true"
       userSearch="(&amp;(objectClass=Person)(sAMAccountName={0}))"
       userRoleName="some_role"
    />

Consult the following table when deciding which values to use:

...

The connection username/DN for the directory server, which is used to retrieve users and groups.

...

Scenario B - An attribute of the group directory entry

When your installation scenario matches Scenario B in the Concepts Section, add the following XML element right after the DataSourceRealm element you've commented out in the previous step.

    <Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://<LDAP Server Host>:389"
       alternateURL="ldap://<LDAP Server Host>:389"
       referrals="ignore"
       connectionName="CN=...,OU=...,DC=..."
       connectionPassword="pass"
       userBase="OU=...,DC=..."
       userSubtree="true"
       userSearch="(&amp;(objectClass=Person)(sAMAccountName={0}))"
       roleBase="OU=...,DC=..."
       roleSubtree="true"
       roleSearch="(&amp;(objectClass=group)(member={0}))"
       roleName="some_role"
       roleNested="true"
    />

Consult the following table when deciding which values to use:

...

The connection username/DN for the directory server, which is used to retrieve users and groups.

...

  • {0} will be replaced with the authenticating username
  • '&' and '|' should be escaped.

...

Whether to search the entire subtree rooted at the roleBase entry, or limit it to a single level. Valid values are "true" and "false".

...

  • {0} will be replaced with the authenticated DN
  • {1} will be replaced with the authenticated username
  • {2} will be replaced with the value of a custom attribute specified in the userRoleAttribute parameter (if specified)
  • '&' and '|' should be escaped

...

Encrypting connection password

As noted above, you should not enter the clear-text password in server.xml. Instead, you provide a hash digest of the password. Use the following command to generate an encrypted password:

...

The system will create an encrypted password and display the result in the following format:

    <CLEAR-TEXT-PASSWORD>:<ENCRYPTED-PASSWORD>

Modify the JNDIRealm XML element (this is the element discussed above):

    <Realm className="org.apache.catalina.realm.JNDIRealm"
       ...
       connectionPassword="<ENCRYPTED-PASSWORD>"
       digest="MD5"
       ...
    />

Connect to LDAP over SSL

In order to connect to the LDAP server over SSL (LDAPS), perform the following steps:

The default password for the JVM TrustStore is "changeit", and you should change it to a new password:

    keytool -storepasswd -keystore /app/java/jre/lib/security/cacerts

    Enter keystore password:  <old password>
    New keystore password: <new password>
    Re-enter new keystore password: <new password>

Import the LDAP / CA certificate into the JVM trustStore. You can either import a self-signed certificate, or the CA certificate that signed the LDAP certificate:

    keytool -import -v -noprompt -trustcacerts -file <certificate file location> -keystore /app/java/jre/lib/security/cacerts -storepass <key store password>
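
The following Python is an added example, not part of the DPOD documentation or tooling. It parses a server.xml and reports whether the state the enabling steps describe has been reached (DataSourceRealm commented out, LDAPRealm active), and whether the active LDAPRealm carries the attributes that the Scenario A or Scenario B realm element uses. It assumes that the LDAPRealm element written by the script takes the same attribute names as the JNDIRealm elements shown in the Scenario A and B sections; the two server.xml fragments are constructed samples, and the connectionPassword value in them is a placeholder.

```python
"""Check a server.xml for the 'LDAP enabled' state described in the enabling steps.

Added example, not DPOD tooling. Realm class names are the ones the page shows;
attribute names are assumed to match the Scenario A / B JNDIRealm elements.
"""
import xml.etree.ElementTree as ET

DATASOURCE_REALM = "org.apache.catalina.realm.DataSourceRealm"
LDAP_REALM = "org.montier.common.tomcat.LDAPRealm"
COMMON_ATTRS = ("connectionURL", "referrals", "connectionName", "connectionPassword",
                "userBase", "userSubtree", "userSearch")
SCENARIO_ATTRS = {"A": ("userRoleName",),
                  "B": ("roleBase", "roleSubtree", "roleSearch", "roleName", "roleNested")}


def active_realms(server_xml):
    """className of every Realm the XML parser sees.

    A realm wrapped in <!-- --> is a comment, so the parser never returns it:
    that is exactly the 'commented out' check the enabling steps ask for."""
    root = ET.fromstring(server_xml)
    return [r.get("className", "") for r in root.iter("Realm")]


def realm_scenario(realm):
    """A = role read from the user entry (userRoleName), B = from group entries (roleBase)."""
    if realm.get("userRoleName"):
        return "A"
    if realm.get("roleBase"):
        return "B"
    return None


def check_ldap_enabled(server_xml):
    """Return a list of 'error: ...' findings; an empty list means LDAP is enabled."""
    findings = []
    root = ET.fromstring(server_xml)
    realms = {r.get("className", ""): r for r in root.iter("Realm")}
    if DATASOURCE_REALM in realms:
        findings.append("error: DataSourceRealm is still active, comment it out")
    ldap = realms.get(LDAP_REALM)
    if ldap is None:
        findings.append("error: LDAPRealm is not active, remove the comment that wraps it")
        return findings
    scenario = realm_scenario(ldap)
    if scenario is None:
        findings.append("error: LDAPRealm has neither userRoleName (scenario A) nor roleBase (scenario B)")
        required = COMMON_ATTRS
    else:
        required = COMMON_ATTRS + SCENARIO_ATTRS[scenario]
    findings += [f"error: LDAPRealm is missing {a}" for a in required if not ldap.get(a)]
    return findings


# constructed sample: the state after the enabling steps (scenario B)
ENABLED = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <!--
      <Realm className="org.apache.catalina.realm.DataSourceRealm"
      />
      -->
      <Realm className="org.montier.common.tomcat.LDAPRealm"
         connectionURL="ldaps://ldap.example.org:636"
         alternateURL="ldaps://ldap2.example.org:636"
         referrals="ignore"
         connectionName="cn=LDAP Query User,ou=people,dc=example,dc=org"
         connectionPassword="ENCRYPTED-PASSWORD-PLACEHOLDER"
         userBase="ou=people,dc=example,dc=org"
         userSubtree="true"
         userSearch="(&amp;(objectClass=person)(sAMAccountName={0}))"
         roleBase="ou=groups,dc=example,dc=org"
         roleSubtree="true"
         roleSearch="(&amp;(objectClass=groupOfUniqueNames)(uniqueMember={0}))"
         roleName="cn"
         roleNested="true"
      />
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

# constructed sample: the state right after the update script, before manual editing
NOT_YET = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.DataSourceRealm"
      />
      <!--
      <Realm className="org.montier.common.tomcat.LDAPRealm"
         connectionURL="ldaps://ldap.example.org:636"
      />
      -->
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for label, doc in (("enabled", ENABLED), ("not yet", NOT_YET)):
        print(label, active_realms(doc), check_ldap_enabled(doc) or "ok")
```

Point it at /app/ui/MonTier-UI/conf/server.xml (read the file into a string and pass it to check_ldap_enabled) to confirm step 1 of the script's "To enable it" list before restarting the UI service.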