DPOD includes an LDAP configuration script for easy configuration of DPOD to use an LDAP user registry.
The script uses a properties file to verify the configuration and to update the configuration file and System Parameters. It can also disable the LDAP configuration in order to roll back to the internal database registry.
...
Edit the properties file and set the following properties based on the information that was collected in Planning LDAP Configuration:
Property | Description |
---|---|
dpod_ldap_method | Should be "user_attribute" (for scenario A) or "group_attribute" (for scenario B). |
test_user | The username of a user for testing, e.g. "adminford" |
test_user_password | The password of that user, e.g. "pass123" |
connectionURL | Primary LDAP server URL. Use the ldap:// prefix for a non-SSL connection and the ldaps:// prefix for an SSL connection, e.g. "ldap://192.168.110.15:389" |
alternateURL | Alternate LDAP server URL. Use the ldap:// prefix for a non-SSL connection and the ldaps:// prefix for an SSL connection, e.g. "ldap://192.168.110.16:389" |
referrals | Follow or ignore LDAP referrals (follow/ignore) |
connectionName | Query user distinguished name (DN), e.g. "cn=LDAP Query User,ou=people,dc=example,dc=org" |
connectionPassword | Query user password, e.g. "pass123". This password is encrypted in the configuration file. |
userBase | User base entry, e.g. "ou=people,dc=example,dc=org" |
userSubtree | User query sub-tree (true/false), e.g. "true" |
userSearch | User search filter. Operators (e.g. "&") must be escaped as in XML (e.g. "&amp;"). {0} is a placeholder for the user name entered in the login screen, e.g. "(&(objectClass=person)(sAMAccountName={0}))" |
userRoleName | For scenario A only |
roleBase | For scenario B only |
roleSubtree | For scenario B only. Role query sub-tree (true/false), e.g. "true" |
roleSearch | For scenario B only. Group search filter. Operators (e.g. "&") must be escaped as in XML (e.g. "&amp;"). {0} is a placeholder for the full DN of the authenticated user and {1} is a placeholder for the user name of the authenticated user, e.g. "(&(objectClass=groupOfUniqueNames)(uniqueMember={0}))" |
roleNested | For scenario B only. Nested groups (true/false), e.g. "true" |
roleName | For scenario B only |
LDAPConnectionURL | Primary LDAP server URL. Use the ldap:// prefix for a non-SSL connection and the ldaps:// prefix for an SSL connection. |
LDAPReferral | Follow or ignore LDAP referrals (follow/ignore) |
LDAPConnectionName | Query user distinguished name (DN), e.g. "cn=LDAP Query User,ou=people,dc=example,dc=org" (identical to the connectionName property) |
LDAPConnectionPASSWORD | Query user password |
LDAPUserBaseEntry | User base entry, e.g. "ou=people,dc=example,dc=org" (identical to the userBase property) |
LDAPUserSearchFilter | User search filter |
LDAPGroupBaseEntry | Group base entry |
LDAPGroupSearchFilter | Group search filter |
LDAPGroupNameAttribute | Group entry's name attribute. NOTE: This parameter might differ from the roleName property, depending on the chosen built-in roles scenario. |
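As an added example (not DPOD's app_ldap_utilities.sh), the following Python checks a properties file against the rules described in the table above and renders the resulting Realm element with XML-escaped filters. The check rules and the JNDIRealm class name used for rendering are assumptions, the sample file is constructed, and the connection password is left for the script to encrypt.

```python
# Added example (not DPOD's app_ldap_utilities.sh): parse an LDAP_parameters.properties file,
# apply checks implied by the property table above (rules are assumptions), and render the
# JNDIRealm element with XML-escaped attribute values.
from xml.sax.saxutils import quoteattr

ORDER = ["connectionURL", "alternateURL", "referrals", "connectionName", "connectionPassword",
         "userBase", "userSubtree", "userSearch", "userRoleName",
         "roleBase", "roleSubtree", "roleSearch", "roleName", "roleNested"]
REQUIRED = {"user_attribute": ORDER[:9], "group_attribute": ORDER[:8] + ORDER[9:]}  # scenario A / B
OPTIONAL = {"alternateURL", "roleNested"}

def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, '#'/'!' comments, quotes stripped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")  # first '=' only: DN values contain '='
            props[key.strip()] = value.strip().strip('"')
    return props

def validate(props):
    """Return the problems found; an empty list means the file passes these checks."""
    method = props.get("dpod_ldap_method")
    if method not in REQUIRED:
        return [f"dpod_ldap_method must be user_attribute or group_attribute, got {method!r}"]
    errors = [f"missing property {k}" for k in REQUIRED[method]
              if k not in OPTIONAL and not props.get(k)]
    for k in ("connectionURL", "alternateURL"):
        if props.get(k) and not props[k].startswith(("ldap://", "ldaps://")):
            errors.append(f"{k} must start with ldap:// or ldaps://")
    if props.get("referrals") not in ("follow", "ignore"):
        errors.append("referrals must be follow or ignore")
    if "{0}" not in props.get("userSearch", ""):
        errors.append("userSearch must contain the {0} username placeholder")
    if method == "group_attribute" and not any(p in props.get("roleSearch", "") for p in ("{0}", "{1}")):
        errors.append("roleSearch must contain {0} (user DN) or {1} (username)")
    return errors

def render_realm(props):
    """Render the <Realm> element; quoteattr() turns '&' in filters into '&amp;'."""
    values = dict(props, connectionPassword="ENCRYPTED-BY-DPOD-SCRIPT")  # the real script encrypts it
    body = "\n".join(f"    {k}={quoteattr(values[k])}"
                     for k in REQUIRED[props["dpod_ldap_method"]] if values.get(k))
    return f'<Realm className="org.apache.catalina.realm.JNDIRealm"\n{body}\n/>'

SAMPLE = ("dpod_ldap_method=user_attribute\nconnectionURL=ldap://192.168.110.15:389\nreferrals=ignore\n"
          "connectionName=cn=LDAP Query User,ou=people,dc=example,dc=org\nconnectionPassword=pass123\n"
          "userBase=ou=people,dc=example,dc=org\nuserSubtree=true\nuserRoleName=memberOf\n"
          "userSearch=(&(objectClass=person)(sAMAccountName={0}))\n")  # constructed scenario A file
```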
Testing LDAP Configuration
Before using the LDAP configuration script for the first time, issue the following command:

```
cp /utils/LDAPUtilitiesTrustStore.jks /app/utils/LDAPtestTrustStore.jks
```

In order to test the LDAP configuration, use the following command:

```
cd /app/utils/
/app/scripts/app_ldap_utilities.sh -f /app/utils/LDAP_parameters.properties
```

For a valid LDAP configuration the command's output should be:

```
INFO: Testing LDAP configuration...
INFO: LDAP configuration tests finished successfully.
INFO: The operation completed successfully.
```

For an invalid LDAP configuration, the command's output should be:

```
INFO: Testing LDAP configuration...
ERROR: LDAP parameters tests failed. Please check the log file, change the parameters and try again.
ERROR: The operation was aborted. See log file for more details.
```

Inspect the log file for detailed test failure messages. The log files are located in /logs/ui/app_ldap_utilities.log-<timestamp>.log.
Change the LDAP configuration in the properties file and rerun the script until the tests are successful.

Scenario A - An attribute of the user directory entry
...

```
<Realm className="org.apache.catalina.realm.JNDIRealm"
    connectionURL="ldap://<LDAP Server Host>:389"
    alternateURL="ldap://<LDAP Server Host>:389"
    referrals="ignore"
    connectionName="CN=...,OU=...,DC=..."
    connectionPassword="pass"
    userBase="OU=...,DC=..."
    userSubtree="true"
    userSearch="(&(objectClass=Person)(sAMAccountName={0}))"
    userRoleName="some_role"
/>
```

Consult the following table when deciding which values to use:
...
The connection username/DN for the directory server, which is used to retrieve users and groups.
...

Scenario B - An attribute of the group directory entry
...
```
<Realm className="org.apache.catalina.realm.JNDIRealm"
    connectionURL="ldap://<LDAP Server Host>:389"
    alternateURL="ldap://<LDAP Server Host>:389"
    referrals="ignore"
    connectionName="CN=...,OU=...,DC=..."
    connectionPassword="pass"
    userBase="OU=...,DC=..."
    userSubtree="true"
    userSearch="(&(objectClass=Person)(sAMAccountName={0}))"
    roleBase="OU=...,DC=..."
    roleSubtree="true"
    roleSearch="(&(objectClass=group)(member={0}))"
    roleName="some_role"
    roleNested="true"
/>
```

Consult the following table when deciding which values to use:
...
The connection username/DN for the directory server, which is used to retrieve users and groups.
...
- {0} will be replaced with the authenticating username
- '&' and '|' should be escaped.
...
Whether to search the entire subtree rooted at the roleBase entry, or limit it to a single level. Valid values are "true" and "false".
...
- {0} will be replaced with the authenticated DN
- {1} will be replaced with the authenticated username
- {2} will be replaced with the value of a custom attribute specified in the userRoleAttribute parameter (if specified)
- '&' and '|' should be escaped
...

Encrypting connection password
As noted above, you should not enter the clear-text password in server.xml. Instead, you provide a hash digest of the password. Use the following command to generate an encrypted password:
...
The system will create an encrypted password and display the result in the following format:
<CLEAR-TEXT-PASSWORD>:<ENCRYPTED-PASSWORD>

Updating LDAP Configuration
Once the LDAP configuration has been tested and found valid, use the following command to apply the change to the configuration file and System Parameters:

```
cd /app/utils/
/app/scripts/app_ldap_utilities.sh -f /app/utils/LDAP_parameters.properties -u
```

Note: Ensure DPOD's services are up and running before updating the LDAP configuration.

The command output should be:

```
INFO: Testing LDAP configuration...
INFO: LDAP configuration tests finished successfully.
INFO: Updating LDAP configuration...
INFO: Original configuration file /app/ui/MonTier-UI/conf/server.xml was backed up to /app/ui/MonTier-UI/conf/server.xml_2017-04-17_13-12-28
INFO: LDAP configuration has been updated, but has NOT been enabled. To enable it:
INFO: 1. Manually edit server.xml, comment DataSourceRealm and uncomment LDAPRealm.
INFO: 2. Manually set 'LDAP Connection Password' System Parameter using the UI.
INFO: 3. Manually set 'Enable LDAP' System Parameter to 'true' using the UI.
INFO: 4. Restart the UI service.
INFO: See the product documentation for more details.
INFO: The operation completed successfully.
```

Note: After running this script, the LDAP configuration has been updated but has not been enabled. Follow the steps below to enable the LDAP configuration.
Enabling LDAP Configuration
Enabling LDAP in Configuration File (server.xml)
Edit the server configuration file:

```
vi /app/ui/MonTier-UI/conf/server.xml
```
DPOD's internal database registry has to be disabled by commenting out the DataSourceRealm element:

```
<!--
<Realm className="org.apache.catalina.realm.DataSourceRealm"
...
/>
-->
```
Remove the comment that wraps the LDAPRealm element:

```
<Realm className="org.montier.common.tomcat.LDAPRealm"
...
/>
```
Connect to LDAP over SSL
In order to connect to the LDAP server over SSL (LDAPS), perform the following steps:
...
Import the LDAP / CA certificate into the JVM trustStore. You can either import a self-signed certificate, or the CA certificate that signed the LDAP certificate:

```
keytool -import -v -noprompt -trustcacerts -file <certificate file location> -keystore /app/java/jre/lib/security/cacerts -storepass <key store password>
```
Enabling LDAP in System Parameters
Open the Web Console and navigate to the System Parameters page [Manage → System → System Parameters].
Manually set the 'LDAP Connection Password' System Parameter to the query user password. In future versions this parameter will be set automatically by the LDAP configuration script.
Manually set the 'Enable LDAP' System Parameter to 'true'.
Restart DPOD's Web Console
Restart DPOD's Web Console to make the LDAP configuration take effect.
Disabling LDAP Configuration
Use the following command to disable the LDAP configuration in System Parameters:

```
/app/scripts/app_ldap_utilities.sh -d
```

Note: Ensure DPOD's services are up and running before disabling the LDAP configuration.
The command output should be:

```
...
INFO: LDAP configuration has been disabled in System Parameters only. To fully disable it:
INFO: 1. Manually edit server.xml, uncomment DataSourceRealm and comment LDAPRealm.
INFO: 2. Restart the UI service.
INFO: See the product documentation for more details.
INFO: The operation completed successfully.
```
Disabling LDAP in Configuration File (server.xml)
Edit the server configuration file:

```
vi /app/ui/MonTier-UI/conf/server.xml
```
...
DPOD's internal database registry has to be enabled. To do that, remove the comment that wraps the DataSourceRealm element:

```
<Realm className="org.apache.catalina.realm.DataSourceRealm"
...
/>
```
Comment out the LDAPRealm element:

```
<!--
<Realm className="org.montier.common.tomcat.LDAPRealm"
...
/>
-->
```
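As an added example (not part of DPOD), the following Python performs the server.xml step described in the enabling and disabling sections above: it comments out one Realm and uncomments the other, refuses to leave both registries active, and names the backup the way the script's output shows. It assumes both Realm elements are self-closing, as in the listings; the sample server.xml is constructed.

```python
# Added example (not DPOD's own tooling): switch the active Tomcat Realm in a server.xml laid
# out like the listings above, assuming both Realm elements are self-closing (<Realm ... />).
import re
from datetime import datetime

DATASOURCE = "org.apache.catalina.realm.DataSourceRealm"   # DPOD internal DB registry
LDAP = "org.montier.common.tomcat.LDAPRealm"                # LDAP user registry

def _realm_re(class_name):
    # Matches the element whether or not it is already wrapped in <!-- ... -->.
    return re.compile(r'(<!--\s*)?(<Realm\s+className="%s"[^>]*?/>)(\s*-->)?'
                      % re.escape(class_name), re.S)

def is_active(xml, class_name):
    """True when the Realm is present and not commented out."""
    m = _realm_re(class_name).search(xml)
    return m is not None and m.group(1) is None

def _set_state(xml, class_name, active):
    m = _realm_re(class_name).search(xml)
    if m is None:
        raise ValueError(f"no Realm with className {class_name} in server.xml")
    if active == (m.group(1) is None):
        return xml                                   # already in the requested state
    new = m.group(2) if active else f"<!--\n{m.group(2)}\n-->"
    return xml[:m.start()] + new + xml[m.end():]

def switch_registry(xml, use_ldap):
    """use_ldap=True: comment DataSourceRealm, uncomment LDAPRealm; False: the reverse."""
    xml = _set_state(xml, DATASOURCE, not use_ldap)
    xml = _set_state(xml, LDAP, use_ldap)
    if is_active(xml, DATASOURCE) == is_active(xml, LDAP):
        raise RuntimeError("exactly one user registry must be active")
    return xml

def backup_name(path, now):
    """Backup name in the format the script reports, e.g. server.xml_2017-04-17_13-12-28."""
    return f"{path}_{now:%Y-%m-%d_%H-%M-%S}"

# Constructed server.xml fragment: internal registry active, LDAPRealm commented out.
SERVER_XML = """<Engine name="Catalina" defaultHost="localhost">
  <Realm className="org.apache.catalina.realm.DataSourceRealm" dataSourceName="jdbc/dpod" />
  <!--
  <Realm className="org.montier.common.tomcat.LDAPRealm"
      connectionURL="ldap://ldap.example.org:389"
      userSearch="(&amp;(objectClass=person)(sAMAccountName={0}))"
  />
  -->
</Engine>
"""
```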
Restart DPOD's Web Console
Restart DPOD's Web Console to make the LDAP configuration take effect:

```
stop_services.sh -o ui
start_services.sh -o ui
```
Manually Inspecting LDAP Configuration
Inspecting LDAP Configuration in Configuration File (server.xml)
Edit the server configuration file and look for the LDAPRealm element. This element contains all the configuration set automatically by the script.

```
vi /app/ui/MonTier-UI/conf/server.xml
```
Inspecting LDAP Configuration in System Parameters
Open the Web Console and navigate to the System Parameters page [Manage → System → System Parameters].
The LDAP configuration system parameters are listed under "LDAP" category.