Info |
---|
Please make sure to gather all the information listed in Planning LDAP Configuration, which includes detailed explanation on all the parameters as well as the recommended configuration. |
DPOD includes an LDAP configuration script for easy configuration of DPOD to use an LDAP user registry.
The script uses a user-provided parameters file with the desired configuration. It verifies the configuration, updates the configuration database and files and restarts the necessary services.
It can also disable the LDAP configuration in order to rollback to using the internal database registry.
Please make sure to gather all the information listed in Planning LDAP Configuration, which includes detailed explanation on all the parameters.
Parameters File
A template of the LDAP parameters file is provided at /app/utils/LDAP_parameters.properties.
...
Parameter | Description | ||
---|---|---|---|
builtinRoleMethod | Should be "usergroup_attribute" (for scenario A) or "groupuser_attribute" (for scenario B). | ||
testUserName | The user name of a user for testing e.g. adminforda real user defined in the LDAP registry who will be using DPOD - will be used to verify that the configuration is valid. This user name is used only for testing and is not stored in the configuration database and files once configuration is complete. You should remove it from the parameters file once configuration is complete. | ||
testUserPassword | The password of a user for testing | connectionUrl | LDAP server URL including portonce configuration is complete. |
connectionUrls | LDAP server address(es), separated by commas. Use ldap:// prefix for non-SSL secure connection and ldaps:// prefix for SSL Secure LDAP connection. e.g. ldap://192.168.110.15:389 | ||
referrals | Whether LDAP referrals should be followed or ignored (follow/ignore) | ||
connectionName | Query user distinguished name (DN) e.g. cn=LDAP Query User,ou=people,dc=example,dc=org | ||
connectionPassword | Query user password Note: See "LDAP servers IP addresses" and "LDAP servers ports" in Planning LDAP Configuration. | ||
enableLdapsHostNameVerification | See "LDAPS host name verification" in Planning LDAP Configuration. Should be true or false. | ||
referrals | See "Referrals" in Planning LDAP Configuration. Should be ignore or follow. | ||
connectionName | The DN of a user that is used to connect to the LDAP server and perform queries. | ||
connectionPassword | The password of a user that is used to connect to the LDAP server and perform queries. This password will be encrypted and stored in the configuration database and files e.g. pass123. You should remove it from the parameters file once configuration is complete. | ||
userSearchBase | userRoleAttributeName | For scenario A onlySee "User search base entry e.g. ou=people,dc=example,dc=org | |
userSearchSubtree | User search sub-tree (true/false) e.g. true | ||
userSearchFilter | User search filter | ||
groupSearchBase | Group search base entry | ||
groupSearchSubtree | Group search sub-tree (true/false) e.g. true | ||
groupSearchFilter | Group search filter | ||
groupSearchNested | Group search nested (true/false) e.g. true | ||
groupRoleAttributeName | Group role attribute name | ||
userSearchFilter | See "User search filter" in Planning LDAP Configuration. | ||
userNameAttributeName | See "User name attribute" in Planning LDAP Configuration. | ||
groupSearchBase | See "Group search base entry " in Planning LDAP Configuration. | ||
groupMembershipSearchFilter | See "Group membership search filter" in Planning LDAP Configuration. | ||
groupMembershipSearchNested | See "Group membership search nested" in Planning LDAP Configuration. Should be true or false. | ||
groupNameSearchFilter | See "Group name search filter" in Planning LDAP Configuration. | ||
groupNameAttributeName | See "Group name attribute" in Planning LDAP Configuration. | ||
roleAttributeValuesSeparator | In case there are several values for each role mapping, a separator must be specified. By default, no separator is defined. See "Mapping Built-in Roles" in Planning LDAP Configuration. | ||
adminRoleAttributeValues | See "Mapping Built-in Roles" in Planning LDAP Configuration. | ||
groupRoleAttributeName | See "Recommended Configuration" and "Advanced Configuration - Scenario B" in Planning LDAP Configuration. | ||
userRoleAttributeName | See "Advanced Configuration - Scenario A" in Planning LDAP Configuration. |
Testing LDAP Configuration
In order to test LDAP configuration, use the following command:
Code Block | ||||
---|---|---|---|---|
| ||||
cd /app/utils/ldap /app/scripts/app_ldap_utilities.sh -f ./LDAP_parameters.properties |
For a valid LDAP configuration the command's output should be:
Code Block | ||||
---|---|---|---|---|
| ||||
28/06/2018 15:24:04,283- INFO Starting LDAP Utilities
28/06/2018 15:24:04,290- INFO Reading user parameters file, path=./LDAP_parameters.properties
28/06/2018 15:24:04,293- INFO This utility is about to connect to the LDAP registry to test the configuration.
28/06/2018 15:24:04,293- INFO Please confirm connecting to the LDAP registry (y,n):
y
28/06/2018 15:24:05,310- INFO Connecting to the LDAP sever, connectionUrl=ldap://ldap-server:10389
28/06/2018 15:24:05,329- INFO Connected to LDAP server successfully
28/06/2018 15:24:05,330- INFO Searching for test user, testUserName=test
28/06/2018 15:24:05,336- INFO Test user found successfully, DN=cn=test,ou=people,dc=example,dc=org
28/06/2018 15:24:05,338- INFO Connecting to the LDAP sever using test user DN and password
28/06/2018 15:24:05,344- INFO Connected to LDAP server using test user DN and password successfully
28/06/2018 15:24:05,345- INFO Searching for test user groups
28/06/2018 15:24:05,365- INFO Found 3 test user groups with the group name attribute
28/06/2018 15:24:05,368- INFO Searching for a groups attribute since builtin role method is group_attribute
28/06/2018 15:24:05,476- INFO Tested LDAP configuration against LDAP registry successfully
28/06/2018 15:24:05,476- INFO The operation completed successfully |
For an invalid LDAP configuration, the command's output might be:
...
language | text |
---|---|
theme | RDark |
...
Note:
- Add "-y" or "--assume-yes" to run the test without prompting for confirmation.
- In case of failure, inspect the log file for detailed failure messages. The log file is located in /logs/ui/app_ldap_utilities.log.
- Change the LDAP configuration parameters and rerun the script until tests are successful.
Updating LDAP Configuration
Note |
---|
Ensure DPOD's services are up and running before updating the LDAP configuration. |
Once LDAP configuration has been tested and found valid, use the following command to perform the change in the configuration database and files:
Code Block | ||||
---|---|---|---|---|
| ||||
cd /app/utils/ldap /app/scripts/app_ldap_utilities.sh -f ./LDAP_parameters.properties -u |
Note:
- Add "-y" or "--assume-yes" to run the update without prompting for confirmation.
Disabling LDAP Configuration
Note |
---|
Ensure DPOD's services are up and running before updating the LDAP configuration. |
The command output should be:
Code Block | ||||
---|---|---|---|---|
| ||||
28/06/2018 15:30:50,085- INFO Starting LDAP Utilities
28/06/2018 15:30:50,093- INFO Reading user parameters file, path=./LDAP_parameters.properties
28/06/2018 15:30:50,097- INFO This utility is about to connect to the LDAP registry to test the configuration.
28/06/2018 15:30:50,097- INFO Please confirm connecting to the LDAP registry (y,n):
y
28/06/2018 15:30:51,915- INFO Connecting to the LDAP sever, connectionUrl=ldap://ldap-server:10389
28/06/2018 15:30:51,932- INFO Connected to LDAP server successfully
28/06/2018 15:30:51,933- INFO Searching for test user, testUserName=test
28/06/2018 15:30:51,938- INFO Test user found successfully, DN=cn=test,ou=people,dc=example,dc=org
28/06/2018 15:30:51,939- INFO Connecting to the LDAP sever using test user DN and password
28/06/2018 15:30:51,944- INFO Connected to LDAP server using test user DN and password successfully
28/06/2018 15:30:51,945- INFO Searching for test user groups
28/06/2018 15:30:51,955- INFO Found 3 test user groups with the group name attribute
28/06/2018 15:30:51,956- INFO Searching for a groups attribute since builtin role method is group_attribute
28/06/2018 15:30:52,006- INFO Tested LDAP configuration against LDAP registry successfully
28/06/2018 15:30:52,006- INFO This utility is about to update the UI service configuration to work with LDAP registry.
28/06/2018 15:30:52,007- INFO To apply the new configuration, the UI service will be restarted afterwards.
28/06/2018 15:30:52,008- INFO Please confirm the configuration update (y,n):
y
28/06/2018 15:30:53,586- INFO Enabling LDAP configuration in database
28/06/2018 15:30:53,949- INFO Enabled LDAP configuration in database successfully
28/06/2018 15:30:53,951- INFO Creating a backup of UI server configuration file server.xml, backupFilePath=/app/ui/MonTier-UI/conf/server.xml.2018-06-28-153053
28/06/2018 15:30:53,957- INFO Created a backup of UI server configuration file server.xml successfully
28/06/2018 15:30:53,958- INFO Enabling LDAP configuration in UI server configuration file server.xml
28/06/2018 15:30:54,036- INFO Enabled LDAP configuration in UI server configuration file server.xml successfully
28/06/2018 15:30:54,037- INFO To apply the new configuration, the UI service needs to be restarted.
28/06/2018 15:30:54,037- INFO Please confirm the UI service restart (y,n):
y
28/06/2018 15:30:56,345- INFO Restarting UI server
28/06/2018 15:30:56,630- INFO Restarted UI server successfully
28/06/2018 15:30:56,630- INFO The operation completed successfully |
Disabling LDAP Configuration
disabling the LDAP configuration. |
Use the following command to disable LDAP configuration in System Parameters:
Code Block | ||||
---|---|---|---|---|
| ||||
cd /app/utils/ldap /app/scripts/app_ldap_utilities.sh -d |
Note |
---|
Ensure DPOD's services are up and running before disabling the LDAP configuration. |
The command output should be:
...
language | text |
---|---|
theme | RDark |
...
Note:
- Add "-y" or "--assume-yes" to run the update without prompting for confirmation.
LDAP Configuration Locations
LDAP configuration is stored in /app/ui/MonTier-UI/conf/server.xml
...
,
...
Manually Inspecting LDAP Configuration
...
Edit the server configuration file and look for the LDAPRealm element. This element contains all the configuration set automatically by the script.
...
language | bash |
---|---|
theme | RDark |
...
in
...
/app/
...
appadmin/MonTier-
...
AppAdmin/conf/server.xml
...
Inspecting LDAP Configuration in System Parameters
Open the Web Console and navigate to and in System Parameters page [Manage→ System Manage → Customize → System Parameters].The LDAP configuration system parameters are listed under "LDAP" category under "LDAP" category.
Do not try to change these files or the system parameters manually. Instead, use the LDAP configuration script described above.