DPOD is deployed on an application server, which is responsible for authenticating the user and assigning the authenticated user the built-in roles.
To configure LDAP for the application server, edit the following file:
todo: HK montier-ui?
Disabling DB registry
DPOD is set up by default with the internal database user management option. To use LDAP, you first have to disable the DB registry.
To do that, comment out the DataSourceRealm element (see below):
<!-- <Realm className="org.apache.catalina.realm.DataSourceRealm" ... /> -->
Scenario A - An attribute of the user directory entry
When your installation scenario matches Scenario A in the Concepts Section, add the following XML element right after the DataSourceRealm element you commented out in the previous step.
TODO:hk montier_role
<Realm className="org.apache.catalina.realm.JNDIRealm" connectionURL="ldap://<LDAP Server Host>:389" alternateURL="ldap://<LDAP Server Host>:389" referrals="ignore" connectionName="CN=...,OU=...,DC=..." connectionPassword="pass" userBase="OU=...,DC=..." userSubtree="true" userSearch="(&amp;(objectClass=Person)(sAMAccountName={0}))" userRoleName="montier_role" />
Consult the following table when deciding which values to use:
Parameter Name | Description
---|---
connectionURL | An LDAP URL specifying the domain name of the directory server, the port number and the DN of the root naming context.
alternateURL | An LDAP URL specifying an alternate directory server to connect to (if any). This should follow the same format as connectionURL.
referrals | How LDAP referrals are handled. Valid values are "follow" and "ignore".
connectionName | The connection username/DN for the directory server, which is used to retrieve users and groups.
connectionPassword | The connection password for the directory server, which is used to retrieve users and groups. Note: Do not enter the password in plain text. The value here must be a hash digest (see Encrypting Connection Password below).
userBase | The base entry for the user search. If not specified, the search base defaults to the top-level directory context.
userSubtree | Whether to search the entire subtree rooted at the userBase entry, or limit it to a single level. Valid values are "true" and "false".
userSearch | An LDAP search filter to find the user. {0} will be replaced with the authenticating username. Because the filter sits inside an XML attribute, '&' and '|' should be escaped ('&' is written as &amp;).
userRoleName | The name of the attribute in the user's directory entry containing the name of the role.
Scenario B - An attribute of the group directory entry
When your installation scenario matches Scenario B in the Concepts Section, add the following XML element right after the DataSourceRealm element you commented out in the previous step.
<Realm className="org.apache.catalina.realm.JNDIRealm" connectionURL="ldap://<LDAP Server Host>:389" alternateURL="ldap://<LDAP Server Host>:389" referrals="ignore" connectionName="CN=...,OU=...,DC=..." connectionPassword="pass" userBase="OU=...,DC=..." userSubtree="true" userSearch="(&amp;(objectClass=Person)(sAMAccountName={0}))" roleBase="OU=...,DC=..." roleSubtree="true" roleSearch="(&amp;(objectClass=group)(member={0}))" roleName="montier_role" roleNested="true" />
Consult the following table when deciding which values to use:
Parameter Name | Description
---|---
connectionURL | An LDAP URL specifying the domain name of the directory server, the port number and the DN of the root naming context.
alternateURL | An LDAP URL specifying an alternate directory server to connect to (if any). This should follow the same format as connectionURL.
referrals | How LDAP referrals are handled. Valid values are "follow" and "ignore".
connectionName | The connection username/DN for the directory server, which is used to retrieve users and groups.
connectionPassword | The connection password for the directory server, which is used to retrieve users and groups. Note: Do not enter the password in plain text. The value here must be a hash digest (see Encrypting Connection Password below).
userBase | The base entry for the user search. If not specified, the search base defaults to the top-level directory context.
userSubtree | Whether to search the entire subtree rooted at the userBase entry, or limit it to a single level. Valid values are "true" and "false".
userSearch | An LDAP search filter to find the user. {0} will be replaced with the authenticating username. Because the filter sits inside an XML attribute, '&' and '|' should be escaped ('&' is written as &amp;).
roleBase | The base entry for the group search. If not specified, the search base defaults to the top-level directory context.
roleSubtree | Whether to search the entire subtree rooted at the roleBase entry, or limit it to a single level. Valid values are "true" and "false".
roleSearch | An LDAP search filter to find the groups. {0} will be replaced with the distinguished name of the user found by userSearch, {1} with the username and {2} with the value of userRoleAttribute. The same XML escaping rule as for userSearch applies.
userRoleAttribute | The name of the attribute that provides the value for {2} in roleSearch, if required.
roleName | The name of the attribute in the group's directory entry containing the name of the role.
roleNested | Whether roles are nested in roles. If enabled, every newly found roleName and distinguished name will be recursively tried in a new role search. Valid values are "true" and "false".
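Before restarting the console with a new Realm element, it is worth checking the element for the mistakes that the Scenario A and B tables above warn about: an unescaped '&' in a filter (which makes server.xml unparseable), an ldap:// URL that sends the bind credentials in the clear, an ldaps:// URL still pointing at port 389, a clear-text connectionPassword, and a missing role mapping. The following Python script is an added example, not DPOD or Tomcat code; the host, DNs and service account in the constructed sample are placeholders, and the `build_user_filter` helper shows how the `{0}` placeholder should be filled with an RFC 4515-escaped login name so that a user-supplied name cannot alter the filter.

```python
# Added example: lint a JNDIRealm <Realm> element and show safe {0} substitution.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample modelled on the Scenario B element (all values are placeholders).
SAMPLE_REALM = (
    '<Realm className="org.apache.catalina.realm.JNDIRealm" '
    'connectionURL="ldaps://ldap.example.internal:686" '
    'alternateURL="ldaps://ldap.example.internal:389" referrals="ignore" '
    'connectionName="CN=svc-dpod,OU=Service,DC=example,DC=internal" '
    'connectionPassword="REPLACE_WITH_ENCRYPTED_PASSWORD" digest="MD5" '
    'userBase="OU=Users,DC=example,DC=internal" userSubtree="true" '
    'userSearch="(&amp;(objectClass=Person)(sAMAccountName={0}))" '
    'roleBase="OU=Groups,DC=example,DC=internal" roleSubtree="true" '
    'roleSearch="(&amp;(objectClass=group)(member={0}))" roleName="montier_role" />'
)

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: these characters would otherwise change the filter's meaning."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)

def build_user_filter(user_search: str, username: str) -> str:
    """Fill {0} of userSearch with the escaped login name (what a realm must do)."""
    return user_search.replace('{0}', escape_filter_value(username))

def lint_realm(xml_text: str) -> list:
    """Return findings for one Realm element; an empty list means it passed."""
    try:
        attrs = ET.fromstring(xml_text).attrib
    except ET.ParseError as exc:
        # An unescaped & in userSearch/roleSearch ends up here.
        return ['server.xml is not well-formed XML (unescaped & in a filter?): %s' % exc]
    findings = []
    for key in ('connectionURL', 'alternateURL'):
        url = urlparse(attrs.get(key, ''))
        if url.scheme == 'ldap':
            findings.append('%s uses plain ldap://; bind credentials travel unencrypted' % key)
        elif url.scheme == 'ldaps' and url.port == 389:
            findings.append('%s is ldaps:// but still uses the clear-text port 389' % key)
    # This page's convention: an encrypted connectionPassword is paired with a digest attribute.
    if attrs.get('connectionPassword') and 'digest' not in attrs:
        findings.append('connectionPassword looks clear-text (no digest attribute)')
    scenario_a = 'userRoleName' in attrs
    scenario_b = all(k in attrs for k in ('roleBase', 'roleSearch', 'roleName'))
    if not (scenario_a or scenario_b):
        findings.append('no role mapping: set userRoleName (A) or roleBase/roleSearch/roleName (B)')
    return findings

if __name__ == '__main__':
    for finding in lint_realm(SAMPLE_REALM):
        print('FINDING:', finding)
```

Paste the Realm element from your server.xml into `SAMPLE_REALM` (or read it from the file) and run the script; each finding maps to a row in the tables above.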
Encrypting connection password
As noted above, you should not enter the clear-text password in server.xml. Instead, you provide a hash digest of the password. Use the following command to generate an encrypted password.
Run the following command (replace <CLEAR-TEXT-PASSWORD> with your password): todo:HK montier-ui
The system will create an encrypted password and display the result in the following format:
<CLEAR-TEXT-PASSWORD>:<ENCRYPTED-PASSWORD>
Modify the JNDIRealm XML element (the element discussed above) so that it uses the encrypted value:
<Realm className="org.apache.catalina.realm.JNDIRealm" ... connectionPassword="<ENCRYPTED-PASSWORD>" digest="MD5" ... />
Connect to LDAP over SSL
In order to connect to the LDAP server over SSL (LDAPS), perform the following steps:
The default password for the JVM TrustStore is "changeit"; change it to a new password:
keytool -storepasswd -keystore /app/java/jre/lib/security/cacerts
Enter keystore password: <old password>
New keystore password: <new password>
Re-enter new keystore password: <new password>
Import the LDAP / CA certificate into the JVM TrustStore. You can either import a self-signed certificate, or the CA certificate that signed the LDAP certificate:
keytool -import -v -noprompt -trustcacerts -file <certificate file location> -keystore /app/java/jre/lib/security/cacerts -storepass <key store password>
- Change the LDAP URL in both UI application server and DPOD system parameters (via DPOD Console)
Edit server.xml to use the SSL port (the default SSL port for Active Directory is 686). todo:hk montier-ui
and then change both URLs of the JNDIRealm element to the ldaps scheme and the SSL port:
<Realm className="org.apache.catalina.realm.JNDIRealm" connectionURL="ldaps://<LDAP Server Host>:686" alternateURL="ldaps://<LDAP Server Host>:686" referrals="ignore" connectionName="CN=...,OU=...,DC=..." ... />
- Change the LDAP Connection URL in DPOD's UI Console to use LDAPS. Use the SSL port (the default for the Active Directory Global Catalog is 3269).
Example: ldaps://ldap-server:3269
Restart the DPOD Console
The DPOD Console must be restarted for the LDAP configuration to become effective:
stop_services.sh -o ui
start_services.sh -o ui