Info

Note that the configuration of the Standard LDAP mode requires detailed knowledge of your environment's LDAP implementation - i.e. an LDAP administrator should help with this.

This mode is not enabled by default "out of the box". It may be used with any LDAP compatible corporate directory. It allows users to login to the dashboard with their corporate LDAP credentials. LDAP groups can also be used for authorization assignments and for role assignments. CAST has provided place holder parameters, so you must change these before authentication will work correctly. To do so, modify the following configuration file within the web application:

WAR 1.x
CATALINA_HOME\webapps\<dashboard>\WEB-INF\security.properties

WAR ≥ 2.x
CATALINA_HOME\webapps\<dashboard>\WEB-INF\classes\application.properties

ZIP ≥ 2.x
<unpacked_zip>\configurations\application.properties

This file contains the following section which defines the required parameters:

WAR 1.x

# Parameters for ldap mode
# ------------------------
security.ldap.url=ldap://directory.example.com/
security.ldap.account.dn=cn=serviceaccount,dc=example,dc=com
security.ldap.account.password=password
security.ldap.account.key=
security.ldap.usersearch.base=dc=example,dc=com
security.ldap.usersearch.filter=(&(objectClass=user)(sAMAccountName={0}))
security.ldap.groupsearch.base=dc=example,dc=com
security.ldap.groupsearch.filter=(&(objectClass=group)(member={0}))

WAR ≥ 2.x and ZIP ≥ 2.x

## SPRING SECURITY LDAP CONFIG
# LDAP url, in the form ldap://HOST:PORT
security.ldap.url=ldap://directory.example.com/
# The ldap base where users and groups can be found
security.ldap.base=dc=example,dc=com
# The DN for accessing the LDAP repository
security.ldap.manager.dn=CN=serviceaccount,OU=RESOURCES,OU=FR,DC=example,DC=com
# The associated password. You can encrypt this using the aip encryption tool
security.ldap.manager.password=password
# The attribute containing the user's login
# NOTE: Unused, it might be useful later to map a DN to a user's full name
# security.ldap.user.nameattribute=sAMAccountName
# The base for the user search which can be left empty
# NOTE: No need to add the initial base, it will be taken into account
security.ldap.usersearch.base=OU=RESOURCES,OU=FR
# The Filter for user search
security.ldap.usersearch.filter=(&(objectClass=user)(sAMAccountName={0}))
# The attribute of a group entry to obtain the role name
security.ldap.groupsearch.roleAttribute=cn
# The base for the group search
# NOTE: No need to add the initial base, it will be taken into account
security.ldap.groupsearch.base=
# The filter to use for the group search
security.ldap.groupsearch.filter=(&(objectClass=group)(member={0}))
# Performance fix for nested groups on AD
#security.ldap.groupsearch.filter=(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={0}))
#security.ldap.groupsearch.maxSearchDepth=1

You first need to change the following parameters to match the URL and the service account used to connect to your LDAP directory:

WAR 1.x
  • security.ldap.url=ldap://directory.example.com/
  • security.ldap.account.dn=cn=serviceaccount,dc=example,dc=com
  • security.ldap.account.password=password
WAR ≥ 2.x and ZIP ≥ 2.x
  • security.ldap.url=ldap://directory.example.com/
  • security.ldap.base=dc=example,dc=com
  • security.ldap.manager.dn=cn=serviceaccount,ou=resources,ou=fr,dc=example,dc=com
  • security.ldap.manager.password=password


Info

If using WAR 1.x, it is possible to encrypt the LDAP service account password to avoid entering values in clear text; please see Encrypt login and password for database and LDAP for more information. Encryption of the LDAP service account password is currently not supported when using WAR ≥ 2.x and ZIP ≥ 2.x.
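A small checker for the WAR ≥ 2.x / ZIP ≥ 2.x property names listed above, added here as an example (not a CAST tool). It reads the LDAP section of application.properties and reports template values left in place, a clear-text template password, a non-LDAPS URL and search filters that lost their {0} marker; the sample properties text is constructed.

```python
"""Sanity-check the Standard LDAP section of application.properties.
Added example, not CAST's own code: flags template placeholders, the
clear-text template password, a non-ldaps:// URL and broken filters."""

# Constructed sample: the WAR >= 2.x template with only the URL changed,
# and a user filter where someone replaced {0} with a literal login.
SAMPLE = """\
security.ldap.url=ldap://directory.corp.local/
security.ldap.base=dc=example,dc=com
security.ldap.manager.dn=CN=serviceaccount,OU=RESOURCES,OU=FR,DC=example,DC=com
security.ldap.manager.password=password
security.ldap.usersearch.base=OU=RESOURCES,OU=FR
security.ldap.usersearch.filter=(&(objectClass=user)(sAMAccountName=jdoe))
security.ldap.groupsearch.filter=(&(objectClass=group)(member={0}))
#security.ldap.groupsearch.maxSearchDepth=1
"""
PLACEHOLDERS = ("example.com", "dc=example")  # values shipped in the template

def parse_properties(text):
    """Minimal .properties reader: skips blanks and # comments, splits on the first '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_ldap_config(props):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    if not props.get("security.ldap.url", "").startswith("ldaps://"):
        findings.append("security.ldap.url: not ldaps://, bind credentials cross the network in clear")
    if props.get("security.ldap.manager.password") == "password":
        findings.append("security.ldap.manager.password: template value left in place")
    for key in ("security.ldap.url", "security.ldap.base", "security.ldap.manager.dn"):
        if any(p in props.get(key, "").lower() for p in PLACEHOLDERS):
            findings.append(f"{key}: still contains a template placeholder")
    for key in ("security.ldap.usersearch.filter", "security.ldap.groupsearch.filter"):
        flt = props.get(key, "")
        if "{0}" not in flt:
            findings.append(f"{key}: missing the {{0}} login/DN marker")
        if flt.count("(") != flt.count(")"):
            findings.append(f"{key}: unbalanced parentheses")
    return findings

if __name__ == "__main__":
    for finding in check_ldap_config(parse_properties(SAMPLE)):
        print("WARN", finding)
```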

You then need to change the following parameters related to searching for users and groups in your directory, in particular if you are leveraging groups to manage data authorization:

WAR 1.x
  • security.ldap.usersearch.base > The root tree node from which users should be searched
  • security.ldap.usersearch.filter > The criteria for searching users: you must change "user" and "sAMAccountName" to match your directory structure
  • security.ldap.groupsearch.base > The root tree node from which groups should be searched
  • security.ldap.groupsearch.filter > The criteria for searching groups: you must change "group" and "member" to match your directory structure
WAR ≥ 2.x and ZIP ≥ 2.x
  • security.ldap.usersearch.base > The root tree node from which users should be searched
  • security.ldap.usersearch.filter > The criteria for searching users: you must change "user" and "sAMAccountName" to match your directory structure
  • security.ldap.groupsearch.roleAttribute > The attribute of a group entry to obtain the role name
  • security.ldap.groupsearch.base > The root tree node from which groups should be searched
  • security.ldap.groupsearch.filter > The criteria for searching groups: you must change "group" and "member" to match your directory structure


Info

For some LDAP servers:

  • the security.ldap.usersearch.filter parameter may take the following form "security.ldap.usersearch.filter=(&(objectClass=inetOrgPerson)(uid={0}))"
  • the security.ldap.groupsearch.filter parameter may take the following form "security.ldap.groupsearch.filter=(&(objectClass=groupOfNames)(member={0}))"

Following any changes you make, save the .properties file and then restart your application server so that the changes are taken into account. Users should now be able to access the dashboard using their corporate LDAP login - authentication is therefore the responsibility of the corporate LDAP directory.

Info

Note that:

  • enabling Standard LDAP mode will disable the Default Authentication mode
  • By default, the log mechanism is not configured to provide any logging information to debug Active Directory authentication issues - if you have encountered issues activating Active Directory authentication, please enable DEBUG mode as described in Configuring the Log and Audit Trail.
  • by default LDAP users will initially not have access to any data - an error will be displayed when the user attempts to log in. You must therefore either:
    • configure an Authorization (see Data authorization) specific to the user (or to a group the user belongs to) to grant the user access to data
    • or grant the user (or the group the user belongs to) the ADMIN role which has access to all data and therefore does not require an authorization configuration (but you should use this role with caution!)

Notes about Groups

  • Users can be grouped together to facilitate authorization assignments (see Data authorization) - for example, a set of users can be assigned to a group and that group can then be authorized to view the required data instead of having to authorize individual users. In Standard LDAP mode, Groups are retrieved directly from the LDAP directory as configured in the .properties file.
  • Nested groups are supported, both for authorization assignments (see Data authorization) and for role assignments. For instance, if user jdoe is member of groupA, which is member of groupB which is used to define an authorization or role, then jdoe will be attributed the groupB authorizations/roles.
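The jdoe / groupA / groupB case above, and the commented-out nested-group "performance fix" in the 2.x configuration, as an added simulation (not CAST code). It shows how the {0} marker is filled in with an escaped value and why the in-chain matching rule lets maxSearchDepth drop to 1: the directory, the per-level search emulation and the query counting are constructed for this example.

```python
"""Simulation of the Standard LDAP group search (added example, not CAST code).
Shows how {0} is filled in and why the nested-group 'performance fix' pairs the
member:1.2.840.113556.1.4.1941:= filter with maxSearchDepth=1."""

# Constructed directory: group DN -> DNs listed in its member attribute.
# jdoe is in groupA, groupA is in groupB, groupB is in groupC.
DIRECTORY = {
    "cn=groupA,dc=example,dc=com": {"cn=jdoe,dc=example,dc=com"},
    "cn=groupB,dc=example,dc=com": {"cn=groupA,dc=example,dc=com"},
    "cn=groupC,dc=example,dc=com": {"cn=groupB,dc=example,dc=com"},
    "cn=other,dc=example,dc=com": {"cn=asmith,dc=example,dc=com"},
}
IN_CHAIN = "member:1.2.840.113556.1.4.1941:="  # AD LDAP_MATCHING_RULE_IN_CHAIN

def escape_filter_value(value):
    """RFC 4515 escaping for the value substituted for {0}, so a login such as
    'j*doe' is matched literally instead of acting as a wildcard."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def build_filter(template, value):
    return template.replace("{0}", escape_filter_value(value))

def direct_groups(dn):
    """One (member={0}) query: groups that list dn directly."""
    return {g for g, members in DIRECTORY.items() if dn in members}

def in_chain_groups(dn):
    """One (member:1.2.840.113556.1.4.1941:={0}) query: the server walks the
    membership chain itself and returns every transitive group at once."""
    found, frontier = set(), {dn}
    while frontier:
        frontier = {g for d in frontier for g in direct_groups(d)} - found
        found |= frontier
    return found

def resolve_groups(user_dn, group_filter, max_depth):
    """Emulate the populator: one search round per nesting level, up to
    max_depth; returns the groups found and the number of queries sent."""
    query = in_chain_groups if IN_CHAIN in group_filter else direct_groups
    found, frontier, queries = set(), {user_dn}, 0
    for _ in range(max_depth):
        level = set()
        for dn in frontier:
            queries += 1
            level |= query(dn)
        frontier = level - found
        if not frontier:
            break
        found |= frontier
    return found, queries
```

With the plain member filter, maxSearchDepth=1 only yields groupA and reaching groupC costs one query per level; with the in-chain filter a single query returns all three, which is why the fix sets the depth to 1.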

Using LDAPS (LDAP over SSL)

If your LDAP server requires that you use LDAPS (LDAP over SSL) then you must ensure that the following is done:

  • Use a ldaps:// URL in the security.ldap.url parameter in the .properties file.
  • The LDAP server's SSL certificate or a parent certificate (CA) also needs to be imported into the truststore for the default Java implementation (i.e. JRE) used by the web application server. To do this, you need to use the keytool command line utility (provided with the JRE - see https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html for more information) on the workstation on which the web application server is running. For example:
%JAVA_HOME%\bin\keytool -importcert -alias [alias] -keystore [path-to-jre/lib/security/cacerts] -file [path-to-certificate-file]


Info

Note that you may be prompted for the password of the keystore. By default this password is set to "changeit".
