Versions Compared

Version Old Version 14 New Version Current
Changes made by

Amit Munwes

Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

DPOD includes an LDAP configuration script for easy configuration of DPOD to use an LDAP user registry.

Based on The script uses a properties file , this script verifies to verify the configuration and updates update the configuration file and System Parameters. It can also disable the LDAP configuration in order to rollback to the internal database registry.

...

Edit the properties file and set the following properties based on the information that was collected in Planning LDAP Configuration:

PropertyDescription
dpod_ldap_method

Should be "user_attribute" (for scenario A) or "group_attribute" (for scenario B).
e.g. "group_attribute"

test_userThe username of a user for testing
e,g, "adminford"
test_user_passwordThe password of a user for testing
e.g. "pass123"
connectionURLPrimary LDAP server URL. Use ldap:// prefix for non-SSL connection and ldaps:// prefix for SSL connection.
e.g. "ldap://192.168.110.15:389"
alternateURLAlternate LDAP server URL. Use ldap:// prefix for non-SSL connection and ldaps:// prefix for SSL connection.
e.g. "ldap://192.168.110.16:389"
referrals

Follow or ignore LDAP referrals (follow/ignore)
e.g. "ignore" 

connectionNameQuery user distinguished name (DN)
e.g. "cn=LDAP Query User,ou=people,dc=example,dc=org"
connectionPasswordQuery user password
This password will be encrypted in the configuration file
e.g. "pass123"
userBaseUser base entry
e.g. "ou=people,dc=example,dc=org" 
userSubtreeUser query sub-tree (true/false)
e.g. "true"
userSearchUser search filter
Operators (e.g. "&") are escaped (e.g. "&")
{0} - a placeholder for the user name entered in the login screen
e.g. "(&(objectClass=person)(sAMAccountName={0}))"
userRoleName

For scenario A only
User entry attribute name
e.g. "DPOD_Role"

roleBase

For scenario B only
Group base entry
e.g. "ou=groups,dc=example,dc=org" 

roleSubtreeFor scenario B only
Role query sub-tree (true/false)
e.g. "true"
roleSearchFor scenario B only
Group search filter
Operators (e.g. "&") are escaped (e.g. "&")
{0} - a placeholder for the full DN of the authenticated user
{1} - a placeholder for the user name of the authenticated user
e.g. "(&(objectClass=groupOfUniqueNames)(uniqueMember={0}))"
roleNestedFor scenario B only
Nested groups (true/false)
e.g. "true"
roleName

For scenario B only
Group entry attribute name
e.g. "cn"

LDAPConnectionURL

Primary LDAP server URL. Use ldap:// prefix for non-SSL connection and ldaps:// prefix for SSL connection.
e.g. "ldap://192.168.110.15:389"
(identical to the connectionURL property)

LDAPReferral

Follow or ignore LDAP referrals (follow/ignore)
e.g. "ignore"
(identical to the referrals property)

LDAPConnectionNameQuery user distinguished name (DN)
e.g. "cn=LDAP Query User,ou=people,dc=example,dc=org"
(identical to the connectionName property)
LDAPConnectionPASSWORD

Query user password
This password will be used just for testing, and will not be stored in System Parameters
e.g. "pass123"
(identical to the connectionPassword property)

LDAPUserBaseEntryUser base entry
e.g. "ou=people,dc=example,dc=org"
(identical to the userBase property)
LDAPUserSearchFilter

User search filter
Operators (e.g. "&") are NOT escaped (e.g. "&")
{0} - a placeholder for the user name entered in the login screen
e.g. "(&(objectClass=person)(sAMAccountName={0}))"
NOTE: This property is similar to the userSearch property, but is NOT identical.

LDAPGroupBaseEntry

Group base entry
e.g. "ou=groups,dc=example,dc=org"
(identical to the roleBase property) 

LDAPGroupSearchFilter

Group search filter
Operators (e.g. "&") are NOT escaped (e.g. "&")
{0} - a placeholder for the user name of the authenticated user
{1} - a placeholder for the full DN of the authenticated user
e.g. "(&(objectClass=groupOfUniqueNames)(uniqueMember={1}))"
NOTE: This property is similar to roleSearch the roleSearch property, but is NOT identical. 

LDAPGroupNameAttribute

Group entry name attribute' name
e.g. "cn"
(identical to roleName property)NOTE: This property might be different than roleName property, depending on the chosen builtin roles scenario. 

Testing LDAP Configuration

Before using the LDAP configuration script for the first time, please issue the following command:

Code Block
languagebash
themeRDark
cp /app/utils/LDAPUtilitiesTrustStore.jks /app/utils/LDAPtestTrustStore.jks

In order to test LDAP configuration, use the following command:

Code Block
languagebash
themeRDark
cd /app/utils/
/app/scripts/app_ldap_utilities.sh -f /app/utils/LDAP_parameters.properties

In case the LDAP configuration is valid, the command For a valid LDAP configuration the command's output should be:

Code Block
languagebash
themeRDark
INFO: Testing LDAP configuration...
INFO: LDAP configuration tests finished successfully.
INFO: The operation completed successfully.

In case the For an invalid LDAP configuration is invalid, the command's output should be:

Code Block
languagebash
themeRDark
INFO: Testing LDAP configuration...
ERROR: LDAP parameters tests failed. Please check the log file, change the parameters and try again.
ERROR: The operation was aborted. See log file for more details.

Inspect the log file for detailed test failure messages of which test failed. The log files are located in /logs/ui/app_ldap_utilities.log-<timestamp>.log.

Change the LDAP configuration in the properties file and rerun the script until tests are successful.

Updating LDAP

...

Configuration

Once LDAP configuration has been tested and found valid, use the following command to perform the change in the configuration file and System Parameters:

Code Block
languagebash
themeRDark
cd /app/utils/
/app/scripts/app_ldap_utilities.sh -f /app/utils/LDAP_parameters.properties -u


Note

Make sure Ensure DPOD's services are up and running before updating the LDAP configuration.

...

Note

After running this script, the LDAP configuration has been updated, but has not been enabled.

Follow the steps below to enable LDAP configuration.

Enabling LDAP

...

Configuration

Enabling LDAP in

...

Configuration File (server.xml)

Edit the following server configuration file:

Code Block
languagebash
themeRDark
vi /app/ui/MonTier-UI/conf/server.xml

...

DPOD's internal database registry has to be disabled . To do that, comment by commenting out the DataSourceRealm element:

...

Restart DPOD's Web Console to make the LDAP configuration take LDAP configuration into effect.

Disabling LDAP Configuration

Use the following command to disable LDAP configuration in System Parameters:

Code Block
languagebash
themeRDark
/app/scripts/app_ldap_utilities.sh -d


Note

Ensure DPOD's services are up and running before disabling the LDAP configuration.


The command output should be:

Code Block
languagebash
themeRDark
INFO: LDAP configuration has been disabled in System Parameters only. To fully disable it:
INFO:   1. Manually edit server.xml, uncomment DataSourceRealm and comment LDAPRealm.
INFO:   2. Restart the UI service.
INFO: See the product documentation for more details.
INFO: The operation completed successfully.

Disabling LDAP in Configuration File (server.xml)

Edit the server configuration file:

Code Block
languagebash
themeRDark
vi /app/ui/MonTier-UI/conf/server.xml


DPOD's internal database registry has to be enabled. To do that, remove the comment that wraps the DataSourceRealm element:

Code Block
languagebash
themeRDark
<Realm className="org.apache.catalina.realm.DataSourceRealm"
...
/>


Comment out the LDAPRealm element:

Code Block
languagebash
themeRDark
<!--
<Realm className="org.montier.common.tomcat.LDAPRealm"
...
/>
-->

Restart DPOD's Web Console

Restart DPOD's Web Console to make the LDAP configuration take effect.

Manually Inspecting LDAP Configuration

Inspecting LDAP Configuration in

...

Configuration File (server.xml)

Edit the following server configuration file and look for for the LDAPRealm element. This element contains all the configuration set automatically by the script.

...