Page History
Table of Contents |
---|
Introduction
The JS7 - LDAP authentication for the JOC Cockpit is offered from the JS7 - LDAP Identity Service and relies on a connection between the Identity Service offers authentication from an LDAP Directory Service and is available from JS7 - REST Web Service API and the LDAP Server.
- Early JS7 releases make use of of the JS7 - Shiro Identity Service, for migration see JS7 - Shiro Identity Service Migration.
- The connection to the an LDAP Server can be secured, see JS7 - LDAP over TLS (STARTTLS) and LDAP over SSL (LDAPS).
This article describes explains the steps for configuration with of an LDAP Directory Service:
- Step 1: Basic LDAP Configuration
- Step 2: Authentication
- Step 3: Authorization
- Define roles
- Define groupRolesMapping
- Define the LDAP attribute attributes to search for groups
Relevant Tools
- An LDAP Browser:
- The screenshots used in this article were made with the Softerra LDAP Browser that was configured to use the relevant LDAP Directory Service.
- A command line utilityCommand Line Client:
- The examples used in this article are executed with ldapSearch.
...
Preceding
The following diagram provides an overview of the setup proceedingsteps to set up LDAP connections:
Flowchart |
---|
1 [label="1. Set up basic LDAP configuration\n(URL, etc.)"] 1 -> 2 [weight=5, len=0.5] 2 [label="2. Set up Authentication\n(userDnTemplate)"] 2 -> 3 3 [label="3. Set up Authorization\n/Roles, Assignments/Mappings"] 3 -> 4 4 [shape="diamond", label="Should roles be assigned from LDAP\nby security group memberships?",fillcolor="lightblue"] 4 -> 5 [label="Yes"] 5 [label="Define Group/Roles Mapping"] 4 -> 10 [label="No"] 10 [label="Create accounts and assign roles"] 10 -> E2 E2 [shape="circle", style="filled", label="End", color="pink"] 5 -> 6 6 [shape="diamond", label="Does the user account object include a\nmemberOf attribute?",fillcolor="lightblue"] 6 -> 20 [label="Yes"] 20 [label="Specify User Search\l - searchBase\l - userSearchFilter"] 20 -> E3 E3 [shape="circle", style="filled", label="End", color="pink"] 6 -> 7 [label="No"] 7 [label="Specify Group Search\l - groupSearchBase\l - groupSearchFilter\l - groupNameAttribute"] 7 -> 8 8 [shape="diamond", label="Does the member attribute contain\nthe account name from the login?",fillcolor="lightblue"] 8 -> E4 [label="Yes"] E4 [shape="circle", style="filled", label="End", color="pink"] 8 -> 9 [label="No"] 9 [label="Specify User Search\l - searchBase\l - userSearchFilter"] 9 -> E5 E5 [shape="circle", style="filled", label="End", color="pink"] |
...
- A Name has to be specified that identifies the LDAP Identity Service.
- The Identity Service Type gives a choice
LDAP
: to map user/role assignments from security group membership in the LDAP Server,LDAP-JOC
: to manage user/role assignments from for the Identity Service with JOC Cockpit.
- Do not make the Identify Service Required before you are certain that the service configuration works fine.
- Select the
single-factor
Authentication Scheme.
...
Specify General Settings
Find detailed explanations about general settings from JS7 - LDAP Identity Service, chapter: Identity Service Settings.
The The following table lists the general items used to configure an LDAP connection.
Name | Value | Description | |||
---|---|---|---|---|---|
LDAP Server URL |
| The host and the port of the LDAP Server. | |||
LDAP Start TLS | true|false | To enable Starttls set the value to See JS7 - LDAP over TLS (STARTTLS) and LDAP over SSL (LDAPS) Please note that the server must be prepared to serve with StartTls. To check this, you can use an LDAP browser. Configure your LDAP Server there and click the "Enable Starttls Button" On client side you will need the certificate and you have to add the certificate to your truststore. The path to your truststore is defined in the
Example values:
Note: we habe had difficulties when using Starttls with the JRE 1.8.0_151 and have overcome these by installing the corresponding JDK. | |||
Host Name Verification | true|false | Enables the host name verification of the certificate. The default value is off. | |||
Host Name Verification | true|false | Enables host name verification for the server certificate. The default value is off. | |||
LDAP Truststore Path | Should the LDAP Server be configured for TLS/SSL protocols then the indicated truststore has to include an X.509 certificate specified for the Extended Key Usage of Server Authentication. | ||||
LDAP Truststore Password | If an LDAP truststore is used and the LDAP truststore is protected by a password, then the password has to be specified. | ||||
LDAP Truststore Type | If an LDAP truststore is used then the type of the indicated truststore has to be specified being either | LDAP Truststore Path | LDAP Truststore Password | LDAP Truststore Type |
Anchor | ||||
---|---|---|---|---|
|
...
Name | Value | Description |
---|---|---|
LDAP User DN Template |
| Should work from scratch for Microsoft Active Directory®. For login use |
uid={0},ou=People,dc=sos | Use with Microsoft Active Directory® and other LDAP Servers. Look up the For login use | |
cn={0},ou=Users,dc=sos,dc=berlin,dc=com | Use with Microsoft Active Directory® and other LDAP Servers. The Common Name For login use | |
uid={0},dc=example,dc=com | Use with Public LDAP Server. For login use |
Verify Authentication Settings
Expand | |||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| |||||||||||||||||||||||||||||||
VerifyAuthentication SettingsVerify by use of LDAP BrowserPossible values for the LDAP User DN Template can be derived from an account's properties. The below screenshot displays such properties from an LDAP Browser: In a first step search with the value from the LDAP User DN Template in the Search DN input field. The query should return only one entry. From the properties of the resulting entry the setting for the account is used and the Verify by use of ldapSearchUsers can check the value of the LDAP User DN Template setting by use of the ldapSearch utility:
Example for use of a public LDAP Directory Service The following example uses a publicly available LDAP Server. To our experience this server provides a good example to make an initial LDAP configuration work.
Note: The option
Verify by use of JOC CockpitTry to login with an LDAP Account/Password combination. Use an Account that you have verified to be correct by executing the ldapSearch command described above. If there are no Role(s) configured for the Account but the authentication works then you will see the following screen that complains about missing authorization after successful authentication: |
...
LDAP
: add a Group/Roles mapping: membership . Membership of a user account in a security group groups of the LDAP Server is mapped to a role roles in the Identity Service.LDAP-JOC
: add a user account and assign roles. Accounts are managed with the Identity Service in parallel to the LDAP Server. No user passwords are managed with JOC Cockpit as authentication is performed with the LDAP Directory Service.
...
For details see JS7 - Manage Roles and Permissions.
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
If the Roles roles are assigned with the JOC Cockpit Identity Service Management by using use of the Identity Serviced Service Type LDAP-JOC
, then then you can skip this chapter.
The group/roles mapping defines a search for groups and a map that assigns these maps resulting groups to a roleroles.
The search for groups can be executed with one of these the following options:
- The Account has LDAP Server makes use a memberOf attribute. Then you In this case users can retrieve the list of groups with the User Search . Proceed and should proceed with chapter Using memberOf with User Search.
- The Account LDAP Server does not have make use of a memberOf attribute. The In this case the group contains the Accounts that are members of the group, Then . Users should proceed with chapter Using Group Search.
These options cannot be mixed!
With the founded groups a map is defined in the LDAP Settings, that maps the groups to roles.
Substitution of the account value
In both searches the account can be substitutedwith groupSearchFilter
and with userSearchFilter
users can specify placeholders:
- In the
groupSearchFilter
and in theuserSearchFilter
...
- users can specify
...
- the placeholder
%s
, for example:(uid=%s)
- The placeholder
%s
will be substituted with the account from the login.
- The placeholder
...
- Users can login with
domain\account
oraccount@domain
- Users can login with
...
- .
...
- Users can specify
...
- the placeholder
^s
, for example:(uid=^s)
- The placeholder
^s
will be substituted with the original value from the login
- The placeholder
...
- , for example:
account@domain
.
- , for example:
Anchor | ||||
---|---|---|---|---|
|
...
User Search to look up the memberOf Attribute
This approach looks for up the Account account entry and reads the memberOf attribute. This attribute is often used when, for example, configuring frequently is available from Microsoft Active Directory® LDAP serversServers.
Define a userSearchFilter
and a searchBase
that will find to look up the account.
Microsoft Active Directory® that supports memberOff supporting the memberOf attribute
Name | Value | Description |
---|---|---|
LDAP Search Base |
| The search base for the ldap LDAP search |
LDAP User Search Filter | Default: (sAMAccountName=%s) |
...
Name | Value | Description |
---|---|---|
LDAP Search Base |
| The search base for the ldap LDAP search |
LDAP User Search Filter | Example: (uid=%s) |
...
An LDAP Browser can be used to get identify the correct suitable values for the searchBase
and the userSearchFilter
. Perform Users can perform a directory search with the values. You value and should find only one a single resulting entry.
The searchBase
is the value of the base DN (or ParentDN in the screenshot above).
Hint: if
- If the attribute name in
...
- a user's environment does not match the default name memberOf then
...
- users can specify the name of the attribute with the
groupNameAttribute
...
- as explained below.
Approach 2: Using
...
Group Search to
...
look up groups that an account is a member of
If the Account entries have LDAP Server makes use of the memberOf attribute then you users can skip this section and proceed with with chapter Using memberOf with User Search.
To specify the a group search the following settings have to be specified
- LDAP Group Search Base
- LDAP Group Search Filter
- LDAP Group Name Attribute
Define the The groupSearchBase
and the groupSearchFilter
. For example for example can be configured like this:
groupSearchBase = ou=Groups,dc=sos
groupSearchFilter = (uniqueMember=uid=%s,ou=People,dc=sos)
Anchor | ||||
---|---|---|---|---|
|
Identify the location where the groups are stored. This is your groupSearchBase
.
Getting the value for the groupSearchFilter
Click one group Entry (in the screenshot, cn=apl
) and see how the members are stored there.
The groupSearchFilter is configured with attr=val
where attr
is name of the attribute and val
is the content. In this example, the attr
is uniqueMember
and the val
uid=%s,ou=People,dc=sos
, where the userid
is replaced with %s
. This results in:
...