IBM DataPower Operations Dashboard v1.0.6.0

DPOD includes an LDAP configuration script for easy configuration of DPOD to use an LDAP user registry.

Based on a properties file, this script verifies the configuration and updates both the application server configuration file and the DPOD System Parameters. It can also disable the LDAP configuration in order to roll back to the internal database registry.

Properties File

A template of the LDAP properties file is provided at /app/utils/LDAP_parameters.properties.

It is recommended to back up the file before modifying it:

cp /app/utils/LDAP_parameters.properties /app/utils/LDAP_parameters.properties.orig


Edit the properties file and set the following properties based on the information that was collected in Planning LDAP Configuration:

dpod_ldap_method
    Should be "user_attribute" (for scenario A) or "group_attribute" (for scenario B).
    e.g. "group_attribute"

test_user
    The username of a user for testing.
    e.g. "adminford"

test_user_password
    The password of the test user.
    e.g. "pass123"

connectionURL
    Primary LDAP server URL. Use the ldap:// prefix for a non-SSL connection and the ldaps:// prefix for an SSL connection.
    e.g. "ldap://192.168.110.15:389"

alternateURL
    Alternate LDAP server URL. Use the ldap:// prefix for a non-SSL connection and the ldaps:// prefix for an SSL connection.
    e.g. "ldap://192.168.110.16:389"

referrals
    Follow or ignore LDAP referrals (follow/ignore).
    e.g. "ignore"

connectionName
    Query user distinguished name (DN).
    e.g. "cn=LDAP Query User,ou=people,dc=example,dc=org"

connectionPassword
    Query user password.
    e.g. "pass123"

userBase
    User base entry.
    e.g. "ou=people,dc=example,dc=org"

userSubtree
    User query sub-tree (true/false).
    e.g. "true"

userSearch
    User search filter.
    Operators (e.g. "&") are escaped (e.g. "&amp;"), as in server.xml.
    {0} - a placeholder for the user name entered in the login screen.
    e.g. "(&amp;(objectClass=person)(sAMAccountName={0}))"

userRoleName
    For scenario A only.
    User entry attribute name.
    e.g. "DPOD_Role"

roleBase
    For scenario B only.
    Group base entry.
    e.g. "ou=groups,dc=example,dc=org"

roleSubtree
    For scenario B only.
    Role query sub-tree (true/false).
    e.g. "true"

roleSearch
    For scenario B only.
    Group search filter.
    Operators (e.g. "&") are escaped (e.g. "&amp;"), as in server.xml.
    {0} - a placeholder for the full DN of the authenticated user.
    {1} - a placeholder for the user name of the authenticated user.
    e.g. "(&amp;(objectClass=groupOfUniqueNames)(uniqueMember={0}))"

roleNested
    For scenario B only.
    Nested groups (true/false).
    e.g. "true"

roleName
    For scenario B only.
    Group entry attribute name.
    e.g. "cn"

LDAPConnectionURL
    Primary LDAP server URL. Use the ldap:// prefix for a non-SSL connection and the ldaps:// prefix for an SSL connection.
    e.g. "ldap://192.168.110.15:389"
    (identical to the connectionURL property)

LDAPReferral
    Follow or ignore LDAP referrals (follow/ignore).
    e.g. "ignore"
    (identical to the referrals property)

LDAPConnectionName
    Query user distinguished name (DN).
    e.g. "cn=LDAP Query User,ou=people,dc=example,dc=org"
    (identical to the connectionName property)

LDAPConnectionPASSWORD
    Query user password.
    e.g. "pass123"
    (identical to the connectionPassword property)

LDAPUserBaseEntry
    User base entry.
    e.g. "ou=people,dc=example,dc=org"
    (identical to the userBase property)

LDAPUserSearchFilter
    User search filter.
    Operators (e.g. "&") are NOT escaped (e.g. "&").
    {0} - a placeholder for the user name entered in the login screen.
    e.g. "(&(objectClass=person)(sAMAccountName={0}))"
    NOTE: This property is similar to the userSearch property but is NOT identical: the operators are not escaped.

LDAPGroupBaseEntry
    Group base entry.
    e.g. "ou=groups,dc=example,dc=org"
    (identical to the roleBase property)

LDAPGroupSearchFilter
    Group search filter.
    Operators (e.g. "&") are NOT escaped (e.g. "&").
    {0} - a placeholder for the user name of the authenticated user.
    {1} - a placeholder for the full DN of the authenticated user.
    e.g. "(&(objectClass=groupOfUniqueNames)(uniqueMember={1}))"
    NOTE: This property is similar to the roleSearch property but is NOT identical: the operators are not escaped, and the meaning of the {0} and {1} placeholders is swapped.

LDAPGroupNameAttribute
    Group entry attribute name.
    e.g. "cn"
    (identical to the roleName property)

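The property rules above (required keys per scenario, the "identical to" pairs, and the escaped vs. unescaped search filters with swapped placeholders) are easy to get subtly wrong by hand. The following Python checker is an added example, not DPOD's own configuration script: it assumes a plain key=value properties file (surrounding quotes, as in the examples above, are stripped) and derives the expected LDAP* values from the base properties so that a mismatch is reported before the file is applied. The sample file is constructed from the scenario B example values above.

```python
"""Added example: validate a DPOD LDAP_parameters.properties file against the
property rules listed above. Not DPOD's own script; assumes key=value lines."""
import html

# Required for every configuration, then the per-scenario additions.
COMMON = ["test_user", "test_user_password", "connectionURL", "referrals",
          "connectionName", "connectionPassword", "userBase", "userSubtree",
          "userSearch"]
PER_SCENARIO = {
    "user_attribute": ["userRoleName"],                                  # scenario A
    "group_attribute": ["roleBase", "roleSubtree", "roleSearch",
                        "roleNested", "roleName"],                       # scenario B
}
# LDAP* properties that the table marks "identical to" a base property.
IDENTICAL = [("LDAPConnectionURL", "connectionURL"), ("LDAPReferral", "referrals"),
             ("LDAPConnectionName", "connectionName"),
             ("LDAPConnectionPASSWORD", "connectionPassword"),
             ("LDAPUserBaseEntry", "userBase"), ("LDAPGroupBaseEntry", "roleBase"),
             ("LDAPGroupNameAttribute", "roleName")]


def parse_properties(text):
    """Minimal .properties reader: '#'/'!' comments, split on the FIRST '='
    so DNs such as cn=...,dc=... keep their own '=' signs."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().strip('"')   # assumption: values may be quoted
    return props


def expected_user_filter(user_search):
    """LDAPUserSearchFilter is userSearch with the XML escaping removed."""
    return html.unescape(user_search)


def expected_group_filter(role_search):
    """LDAPGroupSearchFilter is roleSearch unescaped with the placeholders
    swapped: roleSearch uses {0}=DN, {1}=username; the LDAP* property uses
    {0}=username, {1}=DN."""
    unescaped = html.unescape(role_search)
    return unescaped.replace("{0}", "\x00").replace("{1}", "{0}").replace("\x00", "{1}")


def validate(props):
    """Return a list of problems; an empty list means the file is consistent."""
    problems = []
    method = props.get("dpod_ldap_method")
    if method not in PER_SCENARIO:
        return ["dpod_ldap_method must be user_attribute or group_attribute"]
    for key in COMMON + PER_SCENARIO[method]:
        if not props.get(key):
            problems.append(f"missing {key}")
    for key in ("connectionURL", "alternateURL", "LDAPConnectionURL"):
        url = props.get(key, "")
        if url and not url.startswith(("ldap://", "ldaps://")):
            problems.append(f"{key} must start with ldap:// or ldaps://")
    if props.get("referrals") not in ("follow", "ignore"):
        problems.append("referrals must be follow or ignore")
    for key in ("userSubtree", "roleSubtree", "roleNested"):
        if key in props and props[key] not in ("true", "false"):
            problems.append(f"{key} must be true or false")
    if "{0}" not in props.get("userSearch", ""):
        problems.append("userSearch must contain the {0} placeholder")
    for ldap_key, base_key in IDENTICAL:
        if ldap_key in props and base_key in props and props[ldap_key] != props[base_key]:
            problems.append(f"{ldap_key} must be identical to {base_key}")
    if "LDAPUserSearchFilter" in props and \
            props["LDAPUserSearchFilter"] != expected_user_filter(props.get("userSearch", "")):
        problems.append("LDAPUserSearchFilter must be userSearch with operators unescaped")
    if method == "group_attribute" and "LDAPGroupSearchFilter" in props and \
            props["LDAPGroupSearchFilter"] != expected_group_filter(props.get("roleSearch", "")):
        problems.append("LDAPGroupSearchFilter must be roleSearch unescaped with {0}/{1} swapped")
    return problems


def validate_text(text):
    return validate(parse_properties(text))


# Constructed sample (scenario B) built from the example values in the table above.
SAMPLE = """\
dpod_ldap_method=group_attribute
test_user=adminford
test_user_password=pass123
connectionURL=ldap://192.168.110.15:389
alternateURL=ldap://192.168.110.16:389
referrals=ignore
connectionName=cn=LDAP Query User,ou=people,dc=example,dc=org
connectionPassword=pass123
userBase=ou=people,dc=example,dc=org
userSubtree=true
userSearch=(&amp;(objectClass=person)(sAMAccountName={0}))
roleBase=ou=groups,dc=example,dc=org
roleSubtree=true
roleSearch=(&amp;(objectClass=groupOfUniqueNames)(uniqueMember={0}))
roleNested=true
roleName=cn
LDAPConnectionURL=ldap://192.168.110.15:389
LDAPReferral=ignore
LDAPConnectionName=cn=LDAP Query User,ou=people,dc=example,dc=org
LDAPConnectionPASSWORD=pass123
LDAPUserBaseEntry=ou=people,dc=example,dc=org
LDAPUserSearchFilter=(&(objectClass=person)(sAMAccountName={0}))
LDAPGroupBaseEntry=ou=groups,dc=example,dc=org
LDAPGroupSearchFilter=(&(objectClass=groupOfUniqueNames)(uniqueMember={1}))
LDAPGroupNameAttribute=cn
"""
```

Run `validate_text(open("/app/utils/LDAP_parameters.properties").read())` against a real file; an empty list means every rule above holds, otherwise each message names the property to fix.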
DPOD is deployed on an application server, which is responsible for authenticating the user and assigning the authenticated user the built-in roles.
To configure LDAP for the application server, edit the following file:

vi /app/ui/MonTier-UI/conf/server.xml

Disabling DB registry

DPOD is set up by default with the internal database user management option. To use LDAP, you first have to disable the DB registry.
To do that, comment out the DataSourceRealm element (see below):

<!--
<Realm className="org.apache.catalina.realm.DataSourceRealm"
...
/>
-->

Scenario A - An attribute of the user directory entry

When your installation scenario matches Scenario A in the Concepts Section, add the following XML element right after the DataSourceRealm element you commented out in the previous step.

<Realm className="org.apache.catalina.realm.JNDIRealm"
   connectionURL="ldap://<LDAP Server Host>:389"
   alternateURL="ldap://<LDAP Server Host>:389"
   referrals="ignore"
   connectionName="CN=...,OU=...,DC=..."
   connectionPassword="pass"
   userBase="OU=...,DC=..."
   userSubtree="true"
   userSearch="(&amp;(objectClass=Person)(sAMAccountName={0}))"
   userRoleName="some_role"
/>

Consult the following table when deciding which values to use:

Parameter Name / Description

connectionURL
    An LDAP URL specifying the domain name of the directory server, the port number and the DN of the root naming context.
alternateURL
    An LDAP URL specifying an alternate directory server to connect to (if any). It follows the same format as connectionURL.
referrals
    How LDAP referrals are handled. Valid values are "follow" and "ignore".
connectionName
    The username/DN used to bind to the directory server; this identity is used to retrieve users and groups.
connectionPassword
    The password of the bind identity used to retrieve users and groups.
    Note: Do not enter the password in plain text. The value here must be a hash digest (see Encrypting Connection Password below).
userBase
    The base entry for the user search. If not specified, the search base defaults to the top-level directory context.
userSubtree
    Whether to search the entire subtree rooted at the userBase entry, or limit the search to a single level. Valid values are "true" and "false".
userSearch
    An LDAP search filter to find the user. {0} is replaced with the authenticating username; '&' and '|' must be escaped.
userRoleName
    The name of the attribute in the user's directory entry that contains the name of the role.

Scenario B - An attribute of the group directory entry

When your installation scenario matches Scenario B in the Concepts Section, add the following XML element right after the DataSourceRealm element you commented out in the previous step.

<Realm className="org.apache.catalina.realm.JNDIRealm"
   connectionURL="ldap://<LDAP Server Host>:389"
   alternateURL="ldap://<LDAP Server Host>:389"
   referrals="ignore"
   connectionName="CN=...,OU=...,DC=..."
   connectionPassword="pass"
   userBase="OU=...,DC=..."
   userSubtree="true"
   userSearch="(&amp;(objectClass=Person)(sAMAccountName={0}))"
   roleBase="OU=...,DC=..."
   roleSubtree="true"
   roleSearch="(&amp;(objectClass=group)(member={0}))"
   roleName="some_role"
   roleNested="true"
/>

Consult the following table when deciding which values to use:

Parameter Name / Description

connectionURL
    An LDAP URL specifying the domain name of the directory server, the port number and the DN of the root naming context.
alternateURL
    An LDAP URL specifying an alternate directory server to connect to (if any). It follows the same format as connectionURL.
referrals
    How LDAP referrals are handled. Valid values are "follow" and "ignore".
connectionName
    The username/DN used to bind to the directory server; this identity is used to retrieve users and groups.
connectionPassword
    The password of the bind identity used to retrieve users and groups.
    Note: Do not enter the password in plain text. The value here must be a hash digest (see Encrypting Connection Password below).
userBase
    The base entry for the user search. If not specified, the search base defaults to the top-level directory context.
userSubtree
    Whether to search the entire subtree rooted at the userBase entry, or limit the search to a single level. Valid values are "true" and "false".
userSearch
    An LDAP search filter to find the user.
      • {0} is replaced with the authenticating username
      • '&' and '|' must be escaped
roleBase
    The base entry for the group search. If not specified, the search base defaults to the top-level directory context.
roleSubtree
    Whether to search the entire subtree rooted at the roleBase entry, or limit the search to a single level. Valid values are "true" and "false".
roleSearch
    An LDAP search filter to find the groups.
      • {0} is replaced with the DN of the authenticated user
      • {1} is replaced with the authenticated username
      • {2} is replaced with the value of the custom attribute named by the userRoleAttribute parameter (if specified)
      • '&' and '|' must be escaped
userRoleAttribute
    The name of the user attribute that provides the value for {2} in roleSearch, if required.
roleName
    The name of the attribute in the group's directory entry that contains the name of the role.
roleNested
    Whether roles are nested in roles. If "true", every newly found roleName and distinguished name is recursively used for a further role search. Valid values are "true" and "false".
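
The two Realm elements above (scenario A and scenario B) and the DataSourceRealm that must be commented out are easy to check mechanically. The following Python script is an added example, not part of DPOD: it parses server.xml, confirms that no DataSourceRealm is still active, that exactly one JNDIRealm exists with the attributes the tables require for one scenario, that the URLs use ldap:// or ldaps:// with a sensible port, and that connectionPassword is accompanied by a digest attribute as the Encrypting connection password section requires. The sample server.xml, its hostnames and the digest value are constructed placeholders.

```python
"""Added example: sanity-check the JNDIRealm in server.xml against the
scenario A / scenario B tables above. Not part of DPOD; the sample below
is constructed and its connectionPassword is a placeholder digest."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REQUIRED = ["connectionURL", "connectionName", "connectionPassword", "userBase", "userSearch"]
SCENARIO_A = ["userRoleName"]
SCENARIO_B = ["roleBase", "roleSearch", "roleName"]


def check_server_xml(xml_text):
    """Return a list of problems found in the Realm configuration."""
    problems = []
    realms = list(ET.fromstring(xml_text).iter("Realm"))
    # A commented-out DataSourceRealm is invisible to the parser, so one that
    # is still visible means the DB registry was not disabled.
    if any(r.get("className", "").endswith("DataSourceRealm") for r in realms):
        problems.append("DataSourceRealm is still active; comment it out")
    jndi = [r for r in realms if r.get("className", "").endswith("JNDIRealm")]
    if len(jndi) != 1:
        problems.append(f"expected exactly one JNDIRealm, found {len(jndi)}")
        return problems
    a = jndi[0].attrib
    for key in REQUIRED:
        if not a.get(key):
            problems.append(f"missing {key}")
    has_a = all(k in a for k in SCENARIO_A)
    has_b = all(k in a for k in SCENARIO_B)
    if has_a == has_b:
        problems.append("set userRoleName (scenario A) or roleBase/roleSearch/roleName "
                        "(scenario B), not both or neither")
    for key in ("connectionURL", "alternateURL"):
        url = a.get(key)
        if not url:
            continue
        parts = urlsplit(url)
        try:
            port = parts.port
        except ValueError:
            port = None
            problems.append(f"{key}: invalid port in {url}")
        if parts.scheme == "ldap":
            problems.append(f"{key}: ldap:// is cleartext; the bind password and lookups "
                            "cross the network unencrypted (see Connect to LDAP over SSL)")
        elif parts.scheme != "ldaps":
            problems.append(f"{key}: scheme must be ldap or ldaps")
        elif port == 389:
            problems.append(f"{key}: ldaps:// with the cleartext port 389 (use 636 or 3269)")
    if a.get("referrals", "ignore") not in ("follow", "ignore"):
        problems.append("referrals must be follow or ignore")
    for key in ("userSubtree", "roleSubtree", "roleNested"):
        if key in a and a[key] not in ("true", "false"):
            problems.append(f"{key} must be true or false")
    if "{0}" not in a.get("userSearch", ""):
        problems.append("userSearch must contain {0}")
    if has_b and not any(p in a["roleSearch"] for p in ("{0}", "{1}", "{2}")):
        problems.append("roleSearch must reference {0}, {1} or {2}")
    if "{2}" in a.get("roleSearch", "") and not a.get("userRoleAttribute"):
        problems.append("roleSearch uses {2} but userRoleAttribute is not set")
    if a.get("connectionPassword") and not a.get("digest"):
        problems.append("connectionPassword is set without a digest attribute; use the "
                        "digest produced in Encrypting connection password")
    return problems


# Constructed scenario B server.xml fragment; hostnames and digest are placeholders.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <!--
      <Realm className="org.apache.catalina.realm.DataSourceRealm" />
      -->
      <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldaps://ldap.example.org:636"
         alternateURL="ldaps://ldap2.example.org:636"
         referrals="ignore"
         connectionName="CN=LDAP Query User,OU=people,DC=example,DC=org"
         connectionPassword="PLACEHOLDER-DIGEST-VALUE"
         digest="SHA1"
         userBase="OU=people,DC=example,DC=org"
         userSubtree="true"
         userSearch="(&amp;(objectClass=Person)(sAMAccountName={0}))"
         roleBase="OU=groups,DC=example,DC=org"
         roleSubtree="true"
         roleSearch="(&amp;(objectClass=group)(member={0}))"
         roleName="cn"
         roleNested="true" />
    </Engine>
  </Service>
</Server>
"""
```

Run `check_server_xml(open("/app/ui/MonTier-UI/conf/server.xml").read())` after editing; an empty list means the Realm matches the tables, and the ldap:// warning is the cue to move on to the Connect to LDAP over SSL section.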

Encrypting connection password

As noted above, you should not enter the clear-text password in server.xml. Instead, provide a hash digest of the password. Generate it as follows:

  1. Run the following command (replace <CLEAR-TEXT-PASSWORD> with your password):

     java -cp "/app/ui/MonTier-UI/lib/*:/app/ui/MonTier-UI/bin/*" org.apache.catalina.realm.RealmBase -a SHA1 <CLEAR-TEXT-PASSWORD>

     or

     /app/ui/MonTier-UI/bin/digest.sh -a SHA1 <CLEAR-TEXT-PASSWORD>

     The command computes the digest and prints the result in the following format:

     <CLEAR-TEXT-PASSWORD>:<ENCRYPTED-PASSWORD>

  2. Modify the JNDIRealm XML element (the element discussed above). The digest attribute must name the same algorithm you passed with -a:

    <Realm className="org.apache.catalina.realm.JNDIRealm"
       ...
       connectionPassword="<ENCRYPTED-PASSWORD>"
       digest="SHA1"
       ...
    />

 

Connect to LDAP over SSL

To connect to the LDAP server over SSL (LDAPS), perform the following steps:

  1. The default password for the JVM TrustStore is "changeit"; change it to a new password:

    keytool -storepasswd -keystore /app/java/jre/lib/security/cacerts

    Enter keystore password:  <old password>
    New keystore password: <new password>
    Re-enter new keystore password: <new password>

  2. Import the LDAP / CA certificate into the JVM TrustStore. You can import either the self-signed LDAP server certificate or the CA certificate that signed the LDAP certificate:

    keytool -import -v -noprompt -trustcacerts -file <certificate file location> -keystore /app/java/jre/lib/security/cacerts -storepass <key store password>
                            
  3. Change the LDAP URL in both the UI application server and the DPOD system parameters (via the DPOD Console).
    1. Edit server.xml to use the SSL port (the standard LDAPS port, also the Active Directory default, is 636):

       vi /app/ui/MonTier-UI/conf/server.xml

      and then

      <Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://<LDAP Server Host>:636"
       alternateURL="ldaps://<LDAP Server Host>:636"
       referrals="ignore"
       connectionName="CN=...,OU=...,DC=..."
       ...
      />
    2. Change the LDAP Connection URL in DPOD's Web Console to use LDAPS with the SSL port (the Active Directory default for the Global Catalog is 3269).
      example: ldaps://ldap-server:3269
       
  4. Restart the DPOD Console
    DPOD Console must be restarted so LDAP configuration becomes effective.

    stop_services.sh -o ui
    start_services.sh -o ui

 
