
Info

Please make sure to gather all the information listed in Planning LDAP Configuration, which includes a detailed explanation of all the parameters as well as the recommended configuration.


DPOD includes an LDAP configuration script that configures DPOD to use an LDAP user registry.

The script uses a user-provided parameters file with the desired configuration. It verifies the configuration, updates the configuration database and files, and restarts the necessary services.

It can also disable the LDAP configuration in order to roll back to using the internal database registry.


Parameters File

A template of the LDAP properties parameters file is provided at /app/utils/LDAP_parameters.properties.


Keep a copy of the unmodified template before editing it:

```bash
cp /app/utils/LDAP_parameters.properties /app/utils/LDAP_parameters.properties.orig
```


Edit the parameters file and set the following parameters, based on the information that was collected in Planning LDAP Configuration:

builtinRoleMethod
    Should be "group_attribute" or "user_attribute", according to the recommended or advanced configurations listed in Planning LDAP Configuration.

testUserName
    The user name of a real user defined in the LDAP registry who will be using DPOD. It is used to verify that the configuration is valid.
    This user name is used only for testing and is not stored in the configuration database and files once configuration is complete. Remove it from the parameters file once configuration is complete.

testUserPassword
    The password of that user. It is used only for testing and is not stored in the configuration database and files once configuration is complete. Remove it from the parameters file once configuration is complete.

connectionUrls
    LDAP server address(es), separated by commas. Use the ldap:// prefix for a non-SSL connection and the ldaps:// prefix for an SSL (Secure LDAP) connection. See "LDAP servers IP addresses" and "LDAP servers ports" in Planning LDAP Configuration.
    e.g. "ldap://192.168.110.15:389,ldap://192.168.110.16:389"

enableLdapsHostNameVerification
    See "LDAPS host name verification" in Planning LDAP Configuration. Should be true or false.

referrals
    See "Referrals" in Planning LDAP Configuration. Should be ignore or follow.

connectionName
    The DN of a user that is used to connect to the LDAP server and perform queries.
    e.g. "cn=LDAP Query User,ou=people,dc=example,dc=org"

connectionPassword
    The password of the user that is used to connect to the LDAP server and perform queries. This password is encrypted before it is stored in the configuration file.

userSearchBase
    See "User search base entry" in Planning LDAP Configuration.
    e.g. "ou=people,dc=example,dc=org"

userSearchFilter
    See "User search filter" in Planning LDAP Configuration.

userNameAttributeName
    See "User name attribute" in Planning LDAP Configuration.

groupSearchBase
    See "Group search base entry" in Planning LDAP Configuration.
    e.g. "ou=groups,dc=example,dc=org"

groupMembershipSearchFilter
    See "Group membership search filter" in Planning LDAP Configuration.

groupMembershipSearchNested
    See "Group membership search nested" in Planning LDAP Configuration. Should be true or false.

groupNameSearchFilter
    See "Group name search filter" in Planning LDAP Configuration.

groupNameAttributeName
    See "Group name attribute" in Planning LDAP Configuration.
    e.g. "cn"

roleAttributeValuesSeparator
    In case there are several values for each role mapping, a separator must be specified. By default, no separator is defined.
    See "Mapping Built-in Roles" in Planning LDAP Configuration.

adminRoleAttributeValues
powerUserRoleAttributeValues
operatorRoleAttributeValues
investigatorRoleAttributeValues
appAdminRoleAttributeValues
    See "Mapping Built-in Roles" in Planning LDAP Configuration.

groupRoleAttributeName
    See "Recommended Configuration" and "Advanced Configuration - Scenario B" in Planning LDAP Configuration.

userRoleAttributeName
    See "Advanced Configuration - Scenario A" in Planning LDAP Configuration.
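The following pre-flight check is an added example and is not part of the DPOD documentation or of app_ldap_utilities.sh. It reads the parameters documented above from a properties file and flags the two settings that weaken the connection to the LDAP server (an ldap:// URL instead of ldaps://, and enableLdapsHostNameVerification left at false), checks that the file, which holds the query user's password in cleartext, is readable only by its owner, and blanks testUserName and testUserPassword once configuration is complete, as the table asks. The sample file in demo() is constructed for this example (host names, DNs, passwords and the port numbers are made up), and the "ldaps:// plus host name verification plus mode 600" policy is this example's own choice, not a requirement stated by DPOD.

```bash
#!/usr/bin/env bash
# Added example; not part of the DPOD documentation or of app_ldap_utilities.sh.
# Pre-flight checks for an LDAP_parameters.properties file before it is passed
# to the script with -f (test) or -f -u (update), plus a helper that blanks the
# test-only credentials afterwards. Parameter names are the documented ones;
# the sample file in demo() is constructed (fake hosts, DNs and passwords), and
# the "ldaps:// + host name verification + mode 600" policy is this example's.

# Print the value of one "key=value" parameter from a properties file.
# Leading whitespace and '#' comment lines are ignored, trailing whitespace is
# dropped, and if the key appears more than once the last occurrence wins.
get_param() {  # $1 = file, $2 = parameter name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Check transport security and file permissions.
# Returns 0 when all checks pass; otherwise prints one line per finding and returns 1.
check_ldap_params() {  # $1 = parameters file
    local file=$1 rc=0 urls verify mode url old_ifs
    urls=$(get_param "$file" connectionUrls | tr -d ' ')
    verify=$(get_param "$file" enableLdapsHostNameVerification)
    [ -n "$urls" ] || { echo "ERROR: connectionUrls is empty"; return 1; }

    # 1. Every server URL should be ldaps://. Over plain ldap:// the query
    #    user's password and every DPOD login cross the network in cleartext.
    old_ifs=$IFS; IFS=','
    for url in $urls; do
        case $url in
            ldaps://*) ;;
            ldap://*)  echo "WARN: $url is an unencrypted ldap:// URL"; rc=1 ;;
            *)         echo "ERROR: '$url' has no ldap:// or ldaps:// prefix"; rc=1 ;;
        esac
    done
    IFS=$old_ifs

    # 2. With ldaps://, host name verification must be on; otherwise any
    #    certificate DPOD trusts is accepted no matter which host presents it.
    case $urls in
        *ldaps://*)
            [ "$verify" = true ] ||
                { echo "WARN: enableLdapsHostNameVerification is '$verify', expected true"; rc=1; } ;;
    esac

    # 3. The file carries connectionPassword (and, until scrubbed, the test
    #    user's password) in cleartext, so only its owner should be able to read it.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case $mode in
        *00) ;;
        *)   echo "WARN: $file is readable by group/others (mode $mode); chmod 600 it"; rc=1 ;;
    esac
    return $rc
}

# Blank testUserName and testUserPassword in place once configuration is done,
# as the parameter table asks. The rewritten file is owner-readable only.
scrub_test_credentials() {  # $1 = parameters file
    local tmp
    tmp=$(mktemp) &&
    sed -E 's/^([[:space:]]*testUser(Name|Password)[[:space:]]*=).*/\1/' "$1" > "$tmp" &&
    chmod 600 "$tmp" && mv "$tmp" "$1"
}

# Stand-alone demonstration: a constructed weak file, then its hardened copy.
demo() {
    local dir; dir=$(mktemp -d)
    cat > "$dir/weak.properties" <<'EOF'
# constructed sample: unencrypted LDAP, host name verification off
builtinRoleMethod=group_attribute
testUserName=jdoe
testUserPassword=Test-Pass-1
connectionUrls=ldap://ldap1.example.org:389, ldap://ldap2.example.org:389
enableLdapsHostNameVerification=false
referrals=ignore
connectionName=cn=LDAP Query User,ou=people,dc=example,dc=org
connectionPassword=Query-Pass-1
EOF
    chmod 644 "$dir/weak.properties"
    echo "== weak.properties"
    check_ldap_params "$dir/weak.properties" || echo "-> fix these before running app_ldap_utilities.sh"

    sed -e 's#ldap://#ldaps://#g' -e 's#:389#:636#g' \
        -e 's/^enableLdapsHostNameVerification=.*/enableLdapsHostNameVerification=true/' \
        "$dir/weak.properties" > "$dir/hardened.properties"
    chmod 600 "$dir/hardened.properties"
    echo "== hardened.properties"
    check_ldap_params "$dir/hardened.properties" && echo "-> OK, safe to pass to app_ldap_utilities.sh -f"
    scrub_test_credentials "$dir/hardened.properties"
    grep '^testUser' "$dir/hardened.properties"   # both values are now empty
    rm -rf "$dir"
}
demo
```

Run the file as a script to see the demo, or source it and call check_ldap_params on the real /app/utils/LDAP_parameters.properties before the -f run; scrub_test_credentials is meant for after the -u run has succeeded, since the test user is still needed while the script verifies the configuration.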

Testing LDAP Configuration

To test the LDAP configuration without changing anything, run:

```bash
/app/scripts/app_ldap_utilities.sh -f /app/utils/LDAP_parameters.properties
```

For a valid LDAP configuration, the command's output should be:

```text
INFO: Testing LDAP configuration...
INFO: LDAP configuration tests finished successfully.
INFO: The operation completed successfully.
```

For an invalid LDAP configuration, the command's output should be:

```text
INFO: Testing LDAP configuration...
ERROR: LDAP parameters tests failed. Please check the log file, change the parameters and try again.
ERROR: The operation was aborted. See log file for more details.
```

Note:

  • Add "-y" or "--assume-yes" to run the test without prompting for confirmation.
  • In case of failure, inspect the log file for detailed failure messages. The log file is located in /logs/ui/app_ldap_utilities….log.
  • Change the LDAP configuration parameters and rerun the script until the tests are successful.

Updating LDAP Configuration

Note

Ensure DPOD's services are up and running before updating the LDAP configuration.

Once the LDAP configuration has been tested and found valid, use the following command to apply the change to the configuration database and files:

```bash
/app/scripts/app_ldap_utilities.sh -f /app/utils/LDAP_parameters.properties -u
```

The command output should be:

```text
INFO: Testing LDAP configuration...
INFO: LDAP configuration tests finished successfully.
INFO: Updating LDAP configuration...
INFO: Original configuration file /app/ui/MonTier-UI/conf/server.xml was backed up to /app/ui/MonTier-UI/conf/server.xml_2018-04-15-162820
INFO: The operation completed successfully.
```
Note

After running this script, the LDAP configuration has been updated and enabled.

Restart the UI server from the app-utils.sh menu in DPOD.

Note:

  • Add "-y" or "--assume-yes" to run the update without prompting for confirmation.

Disabling LDAP Configuration

Note

Ensure DPOD's services are up and running before disabling the LDAP configuration.

Use the following command to disable LDAP configuration in System Parameters:

```bash
/app/scripts/app_ldap_utilities.sh -d
```

The command output should be:

```text
INFO: LDAP configuration has been disabled in System Parameters only. To fully disable it:
INFO:   1. Manually edit server.xml, uncomment DataSourceRealm and comment LDAPRealm.
INFO:   2. Restart the UI service.
INFO: See the product documentation for more details.
INFO: The operation completed successfully.
```

Note:

  • Add "-y" or "--assume-yes" to run the update without prompting for confirmation.

Disabling LDAP in Configuration File (server.xml)

Edit the server configuration file:

```bash
vi /app/ui/MonTier-UI/conf/server.xml
```

DPOD's internal database registry has to be enabled. To do that, remove the comment that wraps the DataSourceRealm element:

```xml
<Realm className="org.apache.catalina.realm.DataSourceRealm"
...
/>
```

Comment out the LDAPRealm element:

```xml
<!--
<Realm className="org.montier.common.tomcat.LDAPRealm"
...
/>
-->
```

Restart DPOD's Web Console

Restart DPOD's Web Console to make the LDAP configuration take effect.

Inspecting LDAP Configuration in Configuration File (server.xml)

The LDAP configuration is stored in /app/ui/MonTier-UI/conf/server.xml. Edit the server configuration file and look for the LDAPRealm element; it contains all the configuration set automatically by the script.

```bash
vi /app/ui/MonTier-UI/conf/server.xml
```

Inspecting LDAP Configuration in System Parameters

Open the Web Console and navigate to the System Parameters page [Manage → Customize → System Parameters]. The LDAP configuration system parameters are listed under the "LDAP" category.

Do not change these files or the system parameters manually, except for the server.xml steps that the output of the disable command tells you to perform. Use the LDAP configuration script described above instead.