DPOD includes an LDAP configuration script for easy configuration of DPOD to use an LDAP user registry.
Based on a properties file, this script verifies the configuration and updates the configuration file and System Parameters. It can also disable the LDAP configuration in order to rollback to the internal database registry.
Properties File
A template of the LDAP properties file is provided at /app/utils/LDAP_parameters.properties.
It is recommended to backup the file before modifying it:
cp /app/utils/LDAP_parameters.properties /app/utils/LDAP_parameters.properties.orig
Edit the properties file and set the following properties based on the information that was collected in Planning LDAP Configuration:
| dpod_ldap_method | Should be "user_attribute" (for scenario A) or "group_attribute" (for scenario B). |
| test_user | The username of a real user defined in the LDAP user registry who will be using DPOD - will be used to verify that the configuration is valid. e,g, "adminford" |
| test_user_password | The password of a real user defined in the LDAP user registry who will be using DPOD - will be used to verify that the configuration is valid. e.g. "pass123" |
| connectionURL | Primary LDAP server URL e.g. "ldap://192.168.110.15:389" |
| alternateURL | Alternate LDAP server URL e.g. "ldap://192.168.110.15:389" |
| referrals | Whether LDAP referrals should be followed ("follow") or ignored ("ignore", usually used for better performance). |
| connectionName | The user distinguished name (DN) of a user used to connect to the LDAP server and can perform queries. e.g. "cn=LDAP Query User,ou=people,dc=example,dc=org" |
| connectionPassword | The password of a user used to connect to the LDAP server and can perform queries. e.g. "pass123" |
| userBase | User base entry e.g. "ou=people,dc=example,dc=org" |
| userSubtree | User query sub-tree (true/false) e.g. "true" |
| userSearch | User search query. Operators (e.g. "&") are escaped (e.g. "&") {0} - a placeholder for the user name entered in the login screen e.g. "(&(objectClass=person)(sAMAccountName={0}))" |
| userRoleName | For scenario A only. |
DPOD is deployed on an application server, which is responsible for authenticating the user and assigning authenticated user with the built-in roles.
To configure LDAP for the application server, edit the following file:
vi /app/ui/MonTier-UI/conf/server.xml
Disabling DB registry
DPOD is set up by default with the internal database user management option. To use LDAP, you will first have to disable the DB registry
To do that, comment out the DataSourceRealm element (see below)
<!-- <Realm className="org.apache.catalina.realm.DataSourceRealm" ... /> -->
Scenario A - An attribute of the user directory entry
When your installation scenario matches Scenario A in the Concepts Section - add the following XML element right after the DataSourceRealm element you've commented out in the previous step.
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionURL="ldap://<LDAP Server Host>:389"
alternateURL="ldap://<LDAP Server Host>:389"
referrals="ignore"
connectionName="CN=...,OU=...,DC=..."
connectionPassword="pass"
userBase="OU=...,DC=..."
userSubtree="true"
userSearch="(&(objectClass=Person)(sAMAccountName={0}))"
userRoleName="some_role"
/>
Consult the following table when deciding which values to use:
| Parameter Name | Description |
|---|---|
| connectionURL | An LDAP URL specifying the domain name of the directory server, the port number and DN of the root naming context. |
| alternateURL | An LDAP URL specifying an alternate directory server to connect to (if any). This should follow the same format as connectionURL |
| referrals | State how you want LDAP referrals to be handled. Valid values are "follow" or "ignore" |
| connectionName | The connection username/DN for the directory server, which is used to retrieve user and groups. |
| connectionPassword | The connection password for the directory server, which is used to retrieve user and groups. Note: Do not enter the password in plain text. The value here must be a hash digest (See Encrypting Connection Password below) |
| userBase | The base entry for the user search. If not specified, the search base defaults to the top-level directory context |
| userSubtree | Whether to search the entire subtree rooted at the userBase entry, or limit it to a single-level. Valid values are "true" and "false" |
| userSearch | An LDAP search filter to find the user. {0} will be replaced with the authenticating username, '&' and '|' should be escaped. |
| userRoleName | The name of the attribute in the user's directory entry containing the name of the role |
Scenario B - An attribute of the group directory entry
When your installation scenario matches Scenario B in the Concepts Section - add the following XML element right after the DataSourceRealm element you've commented out in the previous step.
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionURL="ldap://<LDAP Server Host>:389"
alternateURL="ldap://<LDAP Server Host>:389"
referrals="ignore"
connectionName="CN=...,OU=...,DC=..."
connectionPassword="pass"
userBase="OU=...,DC=..."
userSubtree="true"
userSearch="(&(objectClass=Person)(sAMAccountName={0}))"
roleBase="OU=...,DC=..."
roleSubtree="true"
roleSearch="(&(objectClass=group)(member={0}))"
roleName="some_role"
roleNested ="true"
/>
Consult the following table when deciding which values to use:
| Parameter Name | Description |
|---|---|
| connectionURL | An LDAP URL specifying the domain name of the directory server, the port number and DN of the root naming context. |
| alternateURL | An LDAP URL specifying an alternate directory server to connect to (if any). This should follow the same format as connectionURL |
| referrals | State how you want LDAP referrals to be handled. Valid values are "follow" or "ignore" |
| connectionName | The connection username/DN for the directory server, which is used to retrieve user and groups. |
| connectionPassword | The connection password for the directory server, which is used to retrieve user and groups. Note: Do not enter the password in plain text. The value here must be a hash digest (See Encrypting Connection Password below) |
| userBase | The base entry for the user search. If not specified, the search base defaults to the top-level directory context |
| userSubtree | Whether to search the entire subtree rooted at the userBase entry, or limit it to a single-level. Valid values are "true" and "false" |
| userSearch | An LDAP search filter to find the user.
|
| roleBase | The base entry for the group search. If not specified, the search base defaults to the top-level directory context |
| roleSubtree | Whether to search the entire subtree rooted at the roleBase entry, or limit it to a single-level. Valid values are "true" and "false" |
| roleSearch | An LDAP search filter to find the groups.
|
| userRoleAttribute | The name of the attribute that provides the value for {2} on roleSearch, if required |
| roleName | The name of the attribute in the group's directory entry containing the name of the role |
| roleNested | Whether roles are nested in roles. If configured, then every newly found roleName and distinguished name will be recursively tried for a new role search Valid values are "true" and "false" |
Encrypting connection password
As noted above, you should not enter the clear-text password in server.xml. Instead, you provide a hash digest of the password. Use the following command to generate an encrypted password
Run the following command (Replace <CLEAR-TEXT-PASSWORD> with your password):
java -cp "/app/ui/MonTier-UI/lib/*:/app/ui/MonTier-UI/bin/*" org.apache.catalina.realm.RealmBase -a SHA1 <CLEAR-TEXT-PASSWORD> or /app/ui/MonTier-UI/bin/digest.sh -a SHA1 <CLEAR-TEXT-PASSWORD>
The system will create an encrypted password and display the result in the following format:
<CLEAR-TEXT-PASSWORD>:<ENCRYPTED-PASSWORD>
Modify the JNDIRealm XML element (this is the element discussed above)
<Realm className="org.apache.catalina.realm.JNDIRealm" ... connectionPassword="<ENCRYPTED-PASSWORD>" digest="MD5" ... />
Connect to LDAP over SSL
In order to connect to the LDAP server over SSL (LDAPS ) perform the following steps:
The default password for the JVM TrustStore is “changeit”, and you should change it to a new password
Keytool -storepasswd -keystore /app/java/jre/lib/security/cacerts Enter keystore password: <old password> New keystore password: <new password> Re-enter new keystore password: <new password>
Import the LDAP / CA certificate to the JVM trustStore. You can either import a self signed certificate, or the CA certificate that signed the LDAP certificate.
Keytool -import -v -noprompt -trustcacerts -file <certificate file location > -keystore /app/java/jre/lib/security/cacerts -storepass <key store password>
- Change the LDAP URL in both UI application server and DPOD system parameters (via DPOD Console)
Edit server.xml to use the SSL port (The default SSL port for Active directory is 686). todo:hk montier-ui
vi /app/ui/MonTier-UI/conf/server.xml
and then
<Realm className="org.apache.catalina.realm.JNDIRealm" connectionURL="ldaps://<LDAP Server Host>:686" alternateURL="ldaps://<LDAP Server Host>:389" referrals="ignore" connectionName="CN=...,OU=...,DC=..."
- Change LDAP Connection URL in DPOD's Web Console to use LDAPS. Use the SSL port (The default for Active directory for Global catalog is 3269).
example : ldaps://ldap-server:3269
Restart the DPOD Console
DPOD Console must be restarted so LDAP configuration becomes effective.stop_services.sh -o ui start_services.sh -o ui