DPOD includes an LDAP configuration script for easy configuration of DPOD to use an LDAP user registry.
The script takes a user-provided parameters file with the desired configuration. It verifies the configuration against the LDAP registry, updates the configuration database and files, and restarts the necessary services.
It can also disable the LDAP configuration in order to roll back to the internal database registry.
Please make sure to gather all the information listed in Planning LDAP Configuration, which includes a detailed explanation of all the parameters.
...
Parameters File
A template of the LDAP properties parameters file is provided at /app/utils/LDAP_parameters.properties.
...
```bash
cp /app/utils/LDAP_parameters.properties /app/utils/LDAP_parameters.properties.orig
```
Edit the parameters file and set the following parameters based on the information collected in Planning LDAP Configuration:
Parameter | Description
---|---
builtinRoleMethod | Should be "user_attribute" (for scenario A) or "group_attribute" (for scenario B).
testUserName | The user name of a user for testing, e.g. "ford"
testUserPassword | The password of the test user, e.g. "pass123". Note: this password is used only for testing and is not stored in the configuration database and files.
connectionUrl | LDAP server URL including port. Use the ldap:// prefix for a non-SSL connection and the ldaps:// prefix for an SSL connection, e.g. "ldap://192.168.110.15:389"
referrals | Whether LDAP referrals should be followed or ignored (follow/ignore)
connectionName | Query user distinguished name (DN), e.g. "cn=LDAP Query User,ou=people,dc=example,dc=org"
connectionPassword | Query user password, e.g. "pass123". Note: this password will be encrypted and stored in the configuration database and files.
userSearchBase | User search base entry, e.g. "ou=people,dc=example,dc=org"
userSearchSubtree | User search sub-tree (true/false), e.g. "true"
userSearchFilter | User search filter. Use {0} as a placeholder for the user name entered in the login screen, e.g. "(&(objectClass=person)(sAMAccountName={0}))"
userRoleAttributeName | For scenario A only. User entry role attribute name, e.g. "DPODRole"
groupSearchBase | For scenario B only. Group search base entry
groupSearchSubtree | For scenario B only. Group search sub-tree (true/false), e.g. "true"
groupSearchFilter | For scenario B only. Group search filter. Use {0} as a placeholder for the full DN of the user found in the LDAP server and {1} as a placeholder for that user's user name, e.g. "(&(objectClass=groupOfUniqueNames)(uniqueMember={0}))"
groupSearchNested | For scenario B only. Group search nested (true/false), e.g. "true"
groupRoleAttributeName | For scenario B only. Group entry role attribute name

System Parameter | Description
---|---
LDAPConnectionURL | Primary LDAP server URL. Use the ldap:// prefix for a non-SSL connection and the ldaps:// prefix for an SSL connection.
LDAPReferral | Follow or ignore LDAP referrals (follow/ignore)
LDAPConnectionName | Query user distinguished name (DN), e.g. "cn=LDAP Query User,ou=people,dc=example,dc=org" (identical to the connectionName parameter)
LDAPConnectionPASSWORD | Query user password
LDAPUserBaseEntry | User base entry, e.g. "ou=people,dc=example,dc=org" (identical to the userSearchBase parameter)
LDAPUserSearchFilter | User search filter
LDAPGroupBaseEntry | Group base entry
LDAPGroupSearchFilter | Group search filter
LDAPGroupNameAttribute | Group name attribute
Testing LDAP Configuration
Before using the LDAP configuration script for the first time, please issue the following command:
...
In order to test the LDAP configuration without changing anything, use the following command:
```bash
cd /app/utils/
/app/scripts/app_ldap_utilities.sh -f ./LDAP_parameters.properties
```
For a valid LDAP configuration, the command's output should be:

```text
28/06/2018 15:24:04,283- INFO Starting LDAP Utilities
28/06/2018 15:24:04,290- INFO Reading user parameters file, path=./LDAP_parameters.properties
28/06/2018 15:24:04,293- INFO This utility is about to connect to the LDAP registry to test the configuration.
28/06/2018 15:24:04,293- INFO Please confirm connecting to the LDAP registry (y,n): y
28/06/2018 15:24:05,310- INFO Connecting to the LDAP sever, connectionUrl=ldap://ldap-server:10389
28/06/2018 15:24:05,329- INFO Connected to LDAP server successfully
28/06/2018 15:24:05,330- INFO Searching for test user, testUserName=test
28/06/2018 15:24:05,336- INFO Test user found successfully, DN=cn=test,ou=people,dc=example,dc=org
28/06/2018 15:24:05,338- INFO Connecting to the LDAP sever using test user DN and password
28/06/2018 15:24:05,344- INFO Connected to LDAP server using test user DN and password successfully
28/06/2018 15:24:05,345- INFO Searching for test user groups
28/06/2018 15:24:05,365- INFO Found 3 test user groups with the group name attribute
28/06/2018 15:24:05,368- INFO Searching for a groups attribute since builtin role method is group_attribute
28/06/2018 15:24:05,476- INFO Tested LDAP configuration against LDAP registry successfully
28/06/2018 15:24:05,476- INFO The operation completed successfully.
```
For an invalid LDAP configuration, the command's output might be:

```text
28/06/2018 15:28:02,902- INFO Starting LDAP Utilities
28/06/2018 15:28:02,909- INFO Reading user parameters file, path=./LDAP_parameters.properties
28/06/2018 15:28:02,912- INFO This utility is about to connect to the LDAP registry to test the configuration.
28/06/2018 15:28:02,912- INFO Please confirm connecting to the LDAP registry (y,n): y
28/06/2018 15:28:03,638- INFO Connecting to the LDAP sever, connectionUrl=ldap://wrong-server:10389
28/06/2018 15:28:06,663- ERROR The operation failed. See log file for more details.
```
In case of failure, inspect the log file for the detailed test failure messages. The log file is located at /logs/ui/app_ldap_utilities-<timestamp>.log.
Change the LDAP parameters and rerun the script until the tests are successful.
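The script's own tests need a live connection to the registry. As an added example (not part of DPOD or its script), the following stand-alone Python check reads a parameters file like the one described in the table above and reports the mistakes that can be found before any LDAP connection is made: missing parameters for the chosen scenario, a connectionUrl without the ldap:// or ldaps:// prefix or without a port, bad follow/ignore or true/false values, and missing {0}/{1} placeholders. It also renders the user search filter with RFC 4515 escaping of the login name, which is the property that keeps a login name containing filter metacharacters from changing the filter's structure. The properties parsing, the problem messages and the sample values (host name, group base, group role attribute) are this example's own assumptions, not taken from DPOD.

```python
import re
import sys
from urllib.parse import urlsplit

# Parameter names as documented in the parameters table above.
COMMON_KEYS = ["builtinRoleMethod", "testUserName", "testUserPassword", "connectionUrl",
               "referrals", "connectionName", "connectionPassword",
               "userSearchBase", "userSearchSubtree", "userSearchFilter"]
SCENARIO_KEYS = {
    "user_attribute": ["userRoleAttributeName"],                        # scenario A
    "group_attribute": ["groupSearchBase", "groupSearchSubtree",        # scenario B
                        "groupSearchFilter", "groupSearchNested", "groupRoleAttributeName"],
}

# Constructed sample of a filled-in parameters file for scenario B. The host name, the
# group search base and the group role attribute are made up for this example.
SAMPLE_PARAMETERS = """\
# DPOD LDAP parameters (constructed sample, not the shipped template)
builtinRoleMethod=group_attribute
testUserName=test
testUserPassword=pass123
connectionUrl=ldap://ldap-server:10389
referrals=ignore
connectionName=cn=LDAP Query User,ou=people,dc=example,dc=org
connectionPassword=pass123
userSearchBase=ou=people,dc=example,dc=org
userSearchSubtree=true
userSearchFilter=(&(objectClass=person)(sAMAccountName={0}))
groupSearchBase=ou=groups,dc=example,dc=org
groupSearchSubtree=true
groupSearchFilter=(&(objectClass=groupOfUniqueNames)(uniqueMember={0}))
groupSearchNested=true
groupRoleAttributeName=description
"""


def parse_properties(text):
    """Minimal key=value parser: blank lines and '#'/'!' comments are ignored,
    the split is on the first '=' so DN values keep their own '=' signs."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def validate_parameters(params):
    """Return the problems that can be detected without contacting the LDAP server."""
    problems = []
    method = params.get("builtinRoleMethod")
    if method not in SCENARIO_KEYS:
        problems.append("builtinRoleMethod must be user_attribute or group_attribute")
    for key in COMMON_KEYS + SCENARIO_KEYS.get(method, []):
        if not params.get(key):
            problems.append(f"missing value for {key}")
    url = urlsplit(params.get("connectionUrl", ""))
    if url.scheme not in ("ldap", "ldaps"):
        problems.append("connectionUrl must start with ldap:// or ldaps://")
    else:
        try:
            if url.port is None:
                problems.append("connectionUrl must include the port")
        except ValueError:
            problems.append("connectionUrl port is not numeric")
    if params.get("referrals") not in ("follow", "ignore"):
        problems.append("referrals must be follow or ignore")
    for key in ("userSearchSubtree", "groupSearchSubtree", "groupSearchNested"):
        if key in params and params[key] not in ("true", "false"):
            problems.append(f"{key} must be true or false")
    if "{0}" not in params.get("userSearchFilter", ""):
        problems.append("userSearchFilter must contain the {0} placeholder")
    if method == "group_attribute" and not re.search(r"\{[01]\}", params.get("groupSearchFilter", "")):
        problems.append("groupSearchFilter must contain a {0} or {1} placeholder")
    return problems


# RFC 4515 escapes: these are the only characters that can alter a filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so it is matched literally inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template, *values):
    """Substitute {0}, {1}, ... in a filter template with escaped values."""
    for i, value in enumerate(values):
        template = template.replace("{%d}" % i, escape_filter_value(value))
    return template


if __name__ == "__main__":
    # Usage: python check_ldap_params.py /app/utils/LDAP_parameters.properties
    with open(sys.argv[1], encoding="utf-8") as fh:
        found = validate_parameters(parse_properties(fh.read()))
    print("parameters look consistent" if not found else "\n".join(found))
    sys.exit(1 if found else 0)
```

Run it against the edited parameters file before invoking app_ldap_utilities.sh; an empty result only means the file is internally consistent, the script's own connection test still decides whether the registry accepts it.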
...
Once the LDAP configuration has been tested and found valid, use the following command to apply the change to the configuration database and files:

```bash
cd /app/utils/
/app/scripts/app_ldap_utilities.sh -f ./LDAP_parameters.properties -u
```
...
The command output should be:

```text
28/06/2018 15:30:50,085- INFO Starting LDAP Utilities
28/06/2018 15:30:50,093- INFO Reading user parameters file, path=./LDAP_parameters.properties
28/06/2018 15:30:50,097- INFO This utility is about to connect to the LDAP registry to test the configuration.
28/06/2018 15:30:50,097- INFO Please confirm connecting to the LDAP registry (y,n): y
28/06/2018 15:30:51,915- INFO Connecting to the LDAP sever, connectionUrl=ldap://ldap-server:10389
28/06/2018 15:30:51,932- INFO Connected to LDAP server successfully
28/06/2018 15:30:51,933- INFO Searching for test user, testUserName=test
28/06/2018 15:30:51,938- INFO Test user found successfully, DN=cn=test,ou=people,dc=example,dc=org
28/06/2018 15:30:51,939- INFO Connecting to the LDAP sever using test user DN and password
28/06/2018 15:30:51,944- INFO Connected to LDAP server using test user DN and password successfully
28/06/2018 15:30:51,945- INFO Searching for test user groups
28/06/2018 15:30:51,955- INFO Found 3 test user groups with the group name attribute
28/06/2018 15:30:51,956- INFO Searching for a groups attribute since builtin role method is group_attribute
28/06/2018 15:30:52,006- INFO Tested LDAP configuration against LDAP registry successfully
28/06/2018 15:30:52,006- INFO This utility is about to update the UI service configuration to work with LDAP registry.
28/06/2018 15:30:52,007- INFO To apply the new configuration, the UI service will be restarted afterwards.
28/06/2018 15:30:52,008- INFO Please confirm the configuration update (y,n): y
28/06/2018 15:30:53,586- INFO Enabling LDAP configuration in database
28/06/2018 15:30:53,949- INFO Enabled LDAP configuration in database successfully
28/06/2018 15:30:53,951- INFO Creating a backup of UI server configuration file server.xml, backupFilePath=/app/ui/MonTier-UI/conf/server.xml.2018-06-28-153053
28/06/2018 15:30:53,957- INFO Created a backup of UI server configuration file server.xml successfully
28/06/2018 15:30:53,958- INFO Enabling LDAP configuration in UI server configuration file server.xml
28/06/2018 15:30:54,036- INFO Enabled LDAP configuration in UI server configuration file server.xml successfully
28/06/2018 15:30:54,037- INFO To apply the new configuration, the UI service needs to be restarted.
28/06/2018 15:30:54,037- INFO Please confirm the UI service restart (y,n): y
28/06/2018 15:30:56,345- INFO Restarting UI server
28/06/2018 15:30:56,630- INFO Restarted UI server successfully
28/06/2018 15:30:56,630- INFO The operation completed successfully
```

Note: After running this script, the LDAP configuration has been updated and enabled. If the UI server was not restarted at the script's prompt, restart it from the app-utils.sh menu in DPOD.

Enabling LDAP Configuration
Enabling LDAP in Configuration File (server.xml)
Edit the server configuration file:

```bash
vi /app/ui/MonTier-UI/conf/server.xml
```

DPOD's internal database registry has to be disabled by commenting out the DataSourceRealm element:

```xml
<!--
<Realm className="org.apache.catalina.realm.DataSourceRealm"
...
/>
-->
```

Remove the comment that wraps the LDAPRealm element:

```xml
<Realm className="org.montier.common.tomcat.LDAPRealm"
...
/>
```

Enabling LDAP in System Parameters
Open the Web Console and navigate to the System Parameters page [Manage → System → System Parameters].
Manually set the 'LDAP Connection Password' System Parameter to the query user password. In future versions this parameter will be set automatically by the LDAP configuration script.
Manually set the 'Enable LDAP' System Parameter to 'true'.
Restart DPOD's Web Console
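Whether server.xml was changed by the script or by hand, the state to verify before restarting the UI server is that exactly one Realm element is live and it is the right one: LDAPRealm active with DataSourceRealm commented out when LDAP is enabled, and the reverse when it is disabled. The following Python check is an added example, not part of DPOD; it parses server.xml with comments kept in the tree, lists the Realm class names that are live and the ones wrapped in a comment, and compares them with the expected state. The sample server.xml fragments are constructed for this example and show only the className attribute; the real Realm elements carry further attributes that are omitted here.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Realm class names as they appear in DPOD's server.xml.
DATASOURCE_REALM = "org.apache.catalina.realm.DataSourceRealm"
LDAP_REALM = "org.montier.common.tomcat.LDAPRealm"

# Constructed sample of the relevant part of server.xml after LDAP was enabled:
# the DataSourceRealm element sits inside a comment and the LDAPRealm element is live.
SAMPLE_LDAP_ENABLED = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <!--
      <Realm className="org.apache.catalina.realm.DataSourceRealm" />
      -->
      <Realm className="org.montier.common.tomcat.LDAPRealm" />
    </Engine>
  </Service>
</Server>
"""

# Constructed sample of a half-done manual edit: both Realm elements are live.
SAMPLE_BOTH_ACTIVE = SAMPLE_LDAP_ENABLED.replace("<!--", "").replace("-->", "")

# Finds Realm elements that survive only as text inside an XML comment.
_REALM_IN_COMMENT = re.compile(r'<Realm\b[^>]*\bclassName="([^"]+)"')


def realm_state(xml_text):
    """Return {"active": [...], "commented": [...]}: the className of every live Realm
    element and of every Realm element found inside a comment."""
    # insert_comments=True keeps <!-- ... --> nodes in the tree (Python 3.8+).
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    active, commented = [], []
    for node in root.iter():
        if node.tag is ET.Comment:
            commented.extend(_REALM_IN_COMMENT.findall(node.text or ""))
        elif node.tag == "Realm":
            active.append(node.get("className", ""))
    return {"active": active, "commented": commented}


def check_realm_config(xml_text, ldap_enabled):
    """List the problems against the expected state; an empty list means server.xml is consistent."""
    state = realm_state(xml_text)
    wanted, unwanted = ((LDAP_REALM, DATASOURCE_REALM) if ldap_enabled
                        else (DATASOURCE_REALM, LDAP_REALM))
    problems = []
    if wanted not in state["active"]:
        problems.append(f"{wanted} is not active (is it still commented out?)")
    if unwanted in state["active"]:
        problems.append(f"{unwanted} is still active; comment it out")
    if len(state["active"]) != 1:
        problems.append(f"expected exactly one active Realm, found {len(state['active'])}")
    return problems


if __name__ == "__main__":
    # Usage: python check_realm.py /app/ui/MonTier-UI/conf/server.xml enabled|disabled
    path, expected = sys.argv[1], sys.argv[2]
    with open(path, encoding="utf-8") as fh:
        issues = check_realm_config(fh.read(), expected == "enabled")
    print("server.xml realm configuration is consistent" if not issues else "\n".join(issues))
    sys.exit(1 if issues else 0)
```

Two Realm elements both live is the state a partial manual edit leaves behind; the check reports it as a problem rather than guessing which realm Tomcat will consult, so the file can be corrected before the restart.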
Disabling LDAP Configuration
...
```bash
cd /app/utils/
/app/scripts/app_ldap_utilities.sh -d
```
...
The command output should be:

```text
28/06/2018 15:36:08,878- INFO Starting LDAP Utilities
28/06/2018 15:36:08,897- INFO This utility is about to update the UI service configuration to work with its local user registry.
28/06/2018 15:36:08,897- INFO To apply the new configuration, the UI service will be restarted afterwards.
28/06/2018 15:36:08,897- INFO Please confirm the configuration update (y,n): y
28/06/2018 15:36:12,465- INFO Disabling LDAP configuration in database
28/06/2018 15:36:12,711- INFO Disabled LDAP configuration in database successfully
28/06/2018 15:36:12,713- INFO Creating a backup of UI server configuration file server.xml, backupFilePath=/app/ui/MonTier-UI/conf/server.xml.2018-06-28-153612
28/06/2018 15:36:12,725- INFO Created a backup of UI server configuration file server.xml successfully
28/06/2018 15:36:12,726- INFO Disabling LDAP configuration in UI server configuration file server.xml
28/06/2018 15:36:12,808- INFO Disabled LDAP configuration in UI server configuration file server.xml successfully
28/06/2018 15:36:12,808- INFO To apply the new configuration, the UI service needs to be restarted.
28/06/2018 15:36:12,810- INFO Please confirm the UI service restart (y,n): y
28/06/2018 15:36:13,625- INFO Restarting UI server
28/06/2018 15:36:16,792- INFO Restarted UI server successfully
28/06/2018 15:36:16,793- INFO The operation completed successfully
```

Disabling LDAP in Configuration File (server.xml)
Edit the server configuration file:

```bash
vi /app/ui/MonTier-UI/conf/server.xml
```

DPOD's internal database registry has to be enabled. To do that, remove the comment that wraps the DataSourceRealm element:

```xml
<Realm className="org.apache.catalina.realm.DataSourceRealm"
...
/>
```

Comment out the LDAPRealm element:

```xml
<!--
<Realm className="org.montier.common.tomcat.LDAPRealm"
...
/>
-->
```

Restart DPOD's Web Console
Manually Inspecting LDAP Configuration
...