Page History
...
- Service Type:
LDAP
- Management of user accounts and passwords is performed with the LDAP Server.
- In addition, an automated mapping of membership in LDAP Security Groups to JOC Cockpit roles takes place.
- JOC Cockpit does not know any user accounts, passwords an and role assignments as this information is managed with LDAP only.
- Service Type:
LDAP-JOC
- Management of user accounts and passwords is performed with the LDAP Server.
- The assignment of roles to user accounts is performed with JOC Cockpit and is stored with the JS7 database.
- JOC Cockpit knows user accounts and role assignments. JOC Cockpit does not know passwords as this information is managed with LDAP only
...
JOC Cockpit offers the Manage Identity Services view page from the user menu of an administrative account for configuration of Identity Services:
...
To add an Identity Service use the button Add Identity Service from the above list of page that lists available Identity Services:
The remaining input fields for the popup window look like this:
Explanation:
- The
Identity Service Name
is a unique identifier that can be freely chosen. - The
Identity Service Type
can be selected as available from the above matrix. - The
Ordering
specifies the sequence in which a login is performed with available Identity Services. - The
Required
attribute specifies if login with the respective Identity Service is required to be successful, for example if a number of Identity Services are triggered on login of a user account. - The
Identity Service Authentication Scheme
allows to selectsingle-factor
authentication: user account and password are specified for login with the LDAP Identity Service.two-factor
authentication: in addition to user account and password a Client Authentication Certificate is required, see JS7 - Certificate based Authentication.
It is possible to add more than one LDAP Identity Service, for example if different LDAP servers are used or if user accounts and Security Groups are stored in different hierarchy levels with the LDAP server.
Identity Service Settings
...
- the LDAP Server product has to be installed and has to be accessible for JOC Cockpit,
- settings are required for configuration in a Simple Mode and or Expert Mode.
Simple Mode Configuration
...
LDAP Server Host
: Expects the hostname or IP address of the LDAP Server host. If TLS/SSL protocols are used then the Fully Qualified Domain Name (FQDN) of the host has to be used for which the LDAP Server SSL certificate is issued.LDAP Protocol
: The LDAP Protocol can be Plain Text, TLS or SSL. Plain Text is not recommended as the user account and password will be sent through the network without encryption. TLS and SSL protocols are considered being secure as they encrypt the content/connection to the LDAP Server.LDAP Server Port
: The port that the LDAP Server is listening to. For Plain Text and TLS connections frequently port389
is used, for SSL connections port636
is a frequent option.LDAP Server is Active Directory
: This setting simplifies the configuration if the LDAP Server is implemented by Active Directory. A number of attributes for user search and group search are automatically assumed if Active Directory is used.LDAP Server offers sAMAccountName attribute
: ThesAMAccountName
attribute is the unique identifier of a user account. This attribute frequently is available with LDAP Servers of type Active Directory.LDAP Server offers memberOf attribute
: ThememberOf
attribute simplifies the search for Security Groups for which the user account has membership. This attribute frequently is available with LDAP Servers of type Active Directory, however, other LDAP products similarly can implement this attribute.LDAP Search Base
: TheSearch Base
for looking up user accounts in the hierarchy of LDAP Server entries, for exampleOU=Operations,O=IT,O=Users,DC=example,DC=com
.LDAP User Search Filter
: TheUser Search Filter
specifies an LDAP query that is used to identify the user account in the hierarchy of LDAP entries.
...
- General
LDAP Server URL
: The LDAP Server URL specifies the protocol, e.g.ldap://
for Plain Text and TLS connections,ldaps://
for SSL connections. The protocol is added the hostname (FQDN) and port of the LDAP Server.LDAP Start TLS
: This switch makes TLS the protocol for the connection to the LDAP Server.LDAP Host Name Verification
: This switch has to be active to check verify if hostnames in theLDAP Server URL
and in the LDAP Server certificate match.LDAP Truststore Path
: Should the LDAP Server be configured for TLS/SSL protocols then the indicated truststore has to include an X.509 certificate specified for the extended key usage Extended Key Usage of Server Authentication.- The truststore can include a self-signed certificate or a CA - signed certificate. Typically the Root CA certificate is used as otherwise the complete certificate chain involved in signing the Server Authentication certificate Certificate has to be available with the truststore.
- If the LDAP Server is operated for TLS/SSL connections and this setting is not specified then JOC Cockpit will use the truststore that is configured with the
JETTY_BASE/resources/joc/joc.properties
configuration file. This includes use of settings for the truststore password and truststore type. - The path to the truststore is specified relative to the
JETTY_BASE/resources/joc
directory. If the truststore is located in this directory then specify the file name only, typically with a .p12 extension. Other relative locations can be specified using e.g.../../joc-truststore.p12
if the truststore is located in theJETTY_BASE
directory. No absolute path can be specified and no path can be specified that lies before theJETTY_BASE
directory in the file system hierarchy.
LDAP Truststore Password
: If an LDAP truststore is used and the LDAP truststore is protected by a password, then the password has to be specified.LDAP Truststore Type
: If an LDAP truststore is used then the type of the indicated truststore has to be specified being eitherPKCS12
orJKS
(deprecated).
- Authentication
LDAP User DN Template
: The Distinguished Name (DN) identifies a user account. In case of Active Directory LDAP Servers the value{0}
can be used that is replaced by the user account specified during login. Alternatively an LDAP query can be specified, for exampleuid={0},OU=Operations,O=IT,O=Users,DC=example,DC=com
.
- Authorization
LDAP Search Base
: TheSearch Base
for looking up user accounts in the hierarchy of LDAP Server entries, for exampleOU=Operations,O=IT,O=Users,DC=example,DC=com
.LDAP Group Search Base
: Similarly to theSearch Base
theGroup Search Base
is used to find Security Groups that a user account has membership for. This setting specifies the hierarchy starting from which Security Groups are looked up.LDAP Group Search Filter
: This filter specifies an LDAP query that is used to identify Security Groups the user account is a member of. The filter is applied for to search results provided starting from theGroup Search Base
.LDAP User Search Filter
: This filter specifies an LDAP query that is used to identify the user account in the hierarchy of LDAP entries.LDAP Group Name Attribute
: This attribute provides the name of the Security Group that a user account is a member of, for example theCN
(Common Name) attribute.LDAP User Name Attribute
: This attribute provides the name of the user account, frequently theCN
(Common Name) attribute is used.
- Group/Roles Mapping
- The LDAP Group/Roles Mapping is in fact a mapping of Security Groups that the user account is a member of and JS7 roles. Security Groups have to be specified depending on the
LDAP Group Search Attribute
as Distinguished Names, e.g.CN=js7_admins,OU=Operations,O=IT,O=Groups,DC=example,DC=com
, or as Common Names, e.g.js7_admins
.
- The LDAP Group/Roles Mapping is in fact a mapping of Security Groups that the user account is a member of and JS7 roles. Security Groups have to be specified depending on the
...
Overview
Content Tools