Purpose

This page provides the steps to validate LDAP authentication for the AIC Portal and the Dashboards by comparing the configuration in security.properties with the contents of the LDAP directory.

Applicable in CAST Version

Release    Yes/No
8.3.x      Yes
8.2.x      Yes
8.1.x      Yes
8.0.x      Yes

Applicable RDBMS

RDBMS                   Yes/No
Oracle Server           N/A
Microsoft SQL Server    N/A
CSS3                    N/A
CSS2                    N/A
Action Plan

To check authentication, compare each parameter in security.properties with the corresponding LDAP attribute. Open the file %CATALINA_HOME%\webapps\CAST-AICPortal\WEB-INF\security.properties, open the LDAP connection in Apache Directory Studio, and then do the following:

  1. Log in to Apache Directory Studio with the service account name and password to verify that these credentials can be used to read the LDAP information (security.ldap.account.password, security.ldap)

  2. Compare the security.ldap.url retrieved from the file application-security.xml with the Hostname of LDAP connection:

    1. Search for the string security.ldap.url in security.properties > Observe the value assigned to security.ldap.url

    2. Right-click the Connection > Click Properties > Click Network Parameter > Observe the value shown as Hostname

      Figure 1

    3. In some LDAP implementations, the URL of the LDAP server used in the security.ldap.url field needs to be associated with a Global Catalog Server (GCS) vs. the standard LDAP ports.  The default standard LDAP ports are 389 for LDAP and 636 for LDAPS.  The default GCS ports are 3268 for LDAP and 3269 for LDAPS.  Changing this from the standard LDAP port to the GCS port may resolve issues in some environments.

    4. If the two strings are identical, go to the next step; otherwise it is expected that authentication fails

  3. Get the DN (Distinguished Name) of the user by referring to Health Dashboard - Information - LDAP connection - How to get the Distinguished name (this is the current way of authorizing; the CN (Common Name) will be used in 8.3.x)

  4. Compare the security.ldap.account.dn from the file security.properties with the Distinguished name of the user

    1. Search for the string "security.ldap.account.dn" in security.properties > Observe the value assigned to "security.ldap.account.dn"

    2. Observe the Distinguished Name of the user
      Figure 2
    3. If the two strings are not identical, it is expected that authentication fails.

  5. Compare the security.ldap.usersearch.base retrieved from the file security.properties with the Distinguished name of the user

    1. Search for the string "security.ldap.usersearch.base" in security.properties > Observe the value assigned to "security.ldap.usersearch.base"

    2. Observe the Distinguished name of the user

      Figure 3

    3. If the value assigned to "security.ldap.usersearch.base" is not a right-hand substring (suffix) of the Distinguished Name, it is expected that authentication fails, because the user lies outside the search base

  6. Search for the string "security.ldap.usersearch.filter" in security.properties > Observe the value assigned to "security.ldap.usersearch.filter"

    Figure 4

    1. If the value assigned to "security.ldap.usersearch.filter" uses "uid":

      1. Check that the attribute "uid" is present under Attribute Description:

        Figure 5

        If not, it is expected that authentication fails
      2. Check that the value of "uid" in LDAP is the same as the one used to log in to the AIC Portal or the Dashboards

        Figure 6

        If not, it is expected that authentication fails

    2. Else, if the value assigned to "security.ldap.usersearch.filter" uses "sAMAccountName", check that the attribute "sAMAccountName" is present under Attribute Description:

      Figure 7

      If not, it is expected that authentication fails

      1. Check that the value of "sAMAccountName" in LDAP is the same as the one used to log in to the AIC Portal or the Dashboards

        Figure 8

    3. Else, verify which attribute is being used to identify the user, modify the filter accordingly, and validate it against the LDAP information (for example, userPrincipalName: this case is supported by the AIC Portal but not by the AxD dashboards). If the user cannot be found with that filter, it is expected that authentication fails.

  7. The groupsearch fields in security.properties are mandatory for the connection, so make sure they are correct, using the same verification as for the user above but against the group entity in the LDAP information.
  8. The access of each group is controlled by the ldap_roles.xml and user.properties files in 8.2.x, and by roles.xml in 8.3.x. Check that the users are defined in the roles configuration file as described in the official documentation: User roles
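As an added example (not CAST's own code), the following Python script performs the static comparisons from steps 2, 5 and 6 against a constructed security.properties sample: it reads the properties file, checks the host in security.ldap.url and classifies its port as standard or Global Catalog, tests that security.ldap.usersearch.base is a suffix of the user's Distinguished Name RDN by RDN (not just as raw text, so "dc=example" does not match "dc=myexample"), and extracts the attribute named in security.ldap.usersearch.filter. All sample values, the hostname passed in, and the simplified DN handling (no RFC 4514 escaping) are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample of the relevant security.properties keys (not a real customer file).
SAMPLE_PROPERTIES = """
# LDAP settings (constructed example)
security.ldap.url=ldap://ldap.example.local:389
security.ldap.account.dn=CN=svc-cast, OU=Service Accounts,DC=example,DC=local
security.ldap.usersearch.base=ou=Users,dc=example,dc=local
security.ldap.usersearch.filter=(sAMAccountName={0})
"""
STANDARD_PORTS, GCS_PORTS = {389, 636}, {3268, 3269}  # ports named on the page

def parse_properties(text):
    """Minimal Java .properties reader: 'key=value' or 'key:value', '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^=:\s#!][^=:\s]*)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def normalize_dn(dn):
    """Split a DN into (type, value) RDNs; case-insensitive as in Active Directory.
    Simplified: ignores RFC 4514 escaping and multi-valued RDNs."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def base_covers_user(search_base, user_dn):
    """Step 5: security.ldap.usersearch.base must be an RDN-wise suffix of the user's DN."""
    base, user = normalize_dn(search_base), normalize_dn(user_dn)
    return len(base) <= len(user) and user[-len(base):] == base

def filter_attribute(search_filter):
    """Step 6: attribute named by a simple filter such as (uid={0}) or (sAMAccountName={0})."""
    m = re.fullmatch(r"\(\s*([A-Za-z][\w-]*)\s*=\s*\{0\}\s*\)", search_filter.strip())
    return m.group(1) if m else None

def url_check(ldap_url, studio_hostname):
    """Step 2: host in security.ldap.url vs. the Hostname shown in Apache Directory Studio,
    plus whether the port is a standard LDAP port or a Global Catalog port."""
    u = urlparse(ldap_url)
    port = u.port or (636 if u.scheme == "ldaps" else 389)
    kind = "standard" if port in STANDARD_PORTS else "gcs" if port in GCS_PORTS else "custom"
    return {"host_matches": (u.hostname or "").lower() == studio_hostname.lower(),
            "port": port, "port_kind": kind}
```

A filter that is not of the simple `(attribute={0})` form makes `filter_attribute` return `None`, which corresponds to the "else" case of step 6 where the filter must be reviewed by hand.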

Notes/comments

Ticket # 12098
