JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 15

changes.mady.by.user Uwe Risse

Saved on

compared with

New Version 16

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Introduction

The JS7 - LDAP authentication for the JOC Cockpit is offered from the JS7 - LDAP Identity Service and relies on a connection between the Identity Service offers authentication from an LDAP Directory Service and is available from JS7 - REST Web Service API and the LDAP Server.

This article describes explains the steps for configuration with of an LDAP Directory Service:

Relevant Tools

  • An LDAP Browser:
    • The screenshots used in this article were made with the Softerra LDAP Browser that was configured to use the relevant LDAP Directory Service.
  • A command line utilityCommand Line Client:
    • The examples used in this article are executed with ldapSearch.

...

Preceding

The following diagram provides an overview of the setup proceedingsteps to set up LDAP connections:

Flowchart
1 [label="1. Set up basic LDAP configuration\n(URL, etc.)"]
1 -> 2 [weight=5, len=0.5]
2 [label="2. Set up Authentication\n(userDnTemplate)"]
2 -> 3
3 [label="3. Set up Authorization\n/Roles, Assignments/Mappings"]
3 -> 4
4 [shape="diamond", label="Should roles be assigned from LDAP\nby security group memberships?",fillcolor="lightblue"]
4 -> 5 [label="Yes"]
5 [label="Define Group/Roles Mapping"]
4 -> 10 [label="No"]
10 [label="Create accounts and assign roles"]
10 -> E2
E2 [shape="circle", style="filled", label="End", color="pink"]
5 -> 6
6 [shape="diamond", label="Does the user account object include a\nmemberOf attribute?",fillcolor="lightblue"]
6 -> 20 [label="Yes"]
20 [label="Specify User Search\l - searchBase\l - userSearchFilter"]
20 -> E3
E3 [shape="circle", style="filled", label="End", color="pink"]
6 -> 7 [label="No"]
7 [label="Specify Group Search\l - groupSearchBase\l - groupSearchFilter\l - groupNameAttribute"]
7 -> 8
8 [shape="diamond", label="Does the member attribute contain\nthe account name from the login?",fillcolor="lightblue"]
8 -> E4 [label="Yes"]
E4 [shape="circle", style="filled", label="End", color="pink"]
8 -> 9 [label="No"]
9 [label="Specify User Search\l - searchBase\l - userSearchFilter"] 
9 -> E5
E5 [shape="circle", style="filled", label="End", color="pink"]

...

  • A Name has to be specified that identifies the LDAP Identity Service.
  • The Identity Service Type gives a choice
    • LDAP: to map user/role assignments from security group membership in the LDAP Server,
    • LDAP-JOC: to manage user/role assignments from for the Identity Service with JOC Cockpit.
  • Do not make the Identify Service Required before you are certain that the service configuration works fine.
  • Select the single-factor Authentication Scheme.

...

Specify General Settings 

Find detailed explanations about general settings from JS7 - LDAP Identity Service, chapter: Identity Service Settings.

The The following table lists the general items used to configure an LDAP connection.

NameValueDescription

LDAP Server URL

ldap://host:port

The host and the port of the LDAP Server. 

LDAP Start TLS

true|false

To enable Starttls set the value to true (Default is false)

See JS7 - LDAP over TLS (STARTTLS) and LDAP over SSL (LDAPS)

Please note that the server must be prepared to serve with StartTls. To check this, you can use an LDAP browser. Configure your LDAP Server there and click the "Enable Starttls Button"

On client side you will need the certificate and you have to add the certificate to your truststore. The path to your truststore is defined in the joc.properties configuration file.

truststore_path = path to your truststore.

Example values:

  • C:/Program Files/Java/jdk1.8.0_131/jre/lib/security/cacerts or 
  • ../../etc/joc.jks

See Documentation LDAP With SSL

Note:

we habe had difficulties when using Starttls with the JRE 1.8.0_151 and have overcome these by installing the corresponding JDK.

Host Name Verification

true|falseEnables the host name verification of the certificate. The default value is off.

Host Name Verification

true|falseEnables host name verification for the server certificate. The default value is off.

LDAP Truststore Path


Should the LDAP Server be configured for TLS/SSL protocols then the indicated truststore has to include an X.509 certificate specified for the Extended Key Usage of Server Authentication.

LDAP Truststore Password


If an LDAP truststore is used and the LDAP truststore is protected by a password, then the password has to be specified.

LDAP Truststore Type


If an LDAP truststore is used then the type of the indicated truststore has to be specified being either PKCS12 or JKS (deprecated).

LDAP Truststore Path

LDAP Truststore Password

LDAP Truststore Type

Anchor
authentication
authentication
Step 2: LDAP Authentication

...

NameValueDescription

LDAP User DN Template

{0}

Should work from scratch for Microsoft Active Directory®

For login use domain\account or account@domain where account is the value of the sAMAccountName attribute.


uid={0},ou=People,dc=sos

Use with Microsoft Active Directory® and other LDAP Servers.

Look up the sAMAccountName starting from the indicated hierarchy. This limits access to hierarchy levels.

For login use domain\account or account@domain where account is the value of the sAMAccountName attribute.


cn={0},ou=Users,dc=sos,dc=berlin,dc=com

Use with Microsoft Active Directory® and other LDAP Servers.

The Common Name cn attribute value of the account is used. This format requires the Common Name to be unique.

For login use domain\account or account@domain where account is the value of the sAMAccountName attribute.


uid={0},dc=example,dc=com

Use with Public LDAP Server.

For login use

Verify Authentication Settings


Expand
titleVerify Authentication Settings

Verify

Authentication Settings

Verify by use of LDAP Browser

Possible values for the LDAP User DN Template can be derived from an account's properties. The below screenshot displays such properties from an LDAP Browser:

In a first step search with the value from the LDAP User DN Template in the Search DN input field. The query should return only one entry.


From the properties of the resulting entry the setting for the account is used and the uid value is replaced with: {0}.

Verify by use of ldapSearch

Users can check the value of the LDAP User DN Template setting by use of the ldapSearch utility:

Code Block
languagetext
titleVerify by use of ldapSearch
linenumberstrue
collapsetrue
ldapsearch -h localhost -p 389 -b "uid=ur,ou=People,dc=sos" -x

# This should return a result such as:

# ur, People, sos
dn: uid=ur,ou=People,dc=sos
mail: *********
uid: ur
givenName: Uwe
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: Risse
cn: Uwe Risse
preferredLanguage: de
# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


Example for use of a public LDAP Directory Service

The following example uses a publicly available LDAP Server. To our experience this server provides a good example to make an initial LDAP configuration work.

Code Block
languagetext
titleVerify by use of ldapSearch
linenumberstrue
collapsetrue
ldapsearch -h ldap.forumsys.com -p 389 -b "uid=gauss,dc=example,dc=com" -x

# This should return a result such as:

# extended LDIF
#
# LDAPv3
# base <uid=gauss,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
 
# gauss, example.com
dn: uid=gauss,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Carl Friedrich Gauss
sn: Gauss
uid: gauss
mail: gauss@ldap.forumsys.com
 
# search result
search: 2
result: 0 Success
 
# numResponses: 2
# numEntries: 1


Note: 

The option -x is used in the ldapSearch examples in this article. It is possible that an LDAP Directory Service does not allow this option and instead an account and a password have to be specified. In this case the command would will look like this:

Code Block
languagebash
titleVerify by use of ldapSearch with public LDAP Server
linenumberstrue
ldapsearch -h ldap.forumsys.com -p 389 -b "uid=gauss,dc=example,dc=com" -W -D "uid=gauss,dc=example,dc=com"

Verify by use of JOC Cockpit

Try to login with an LDAP Account/Password combination. Use an Account  that you have verified to be correct by executing the ldapSearch command described above. If there are no Role(s) configured for the Account but the authentication works then you will see the following screen that complains about missing authorization after successful authentication:

...

  • LDAP: add a Group/Roles mapping: membership . Membership of a user account in a security group groups of the LDAP Server is mapped to a role roles in the Identity Service.
  • LDAP-JOC: add a user account and assign roles. Accounts are managed with the Identity Service in parallel to the LDAP Server. No user passwords are managed with JOC Cockpit as authentication is performed with the LDAP Directory Service.

...

For details see JS7 - Manage Roles and Permissions.

Anchor
assigning_roles_from_ldap_groups
assigning_roles_from_ldap_groups
Map Roles from LDAP Security Groups

Anchor
grouprolesmapping
grouprolesmapping

If the Roles roles are assigned with the JOC Cockpit Identity Service Management by using use of the Identity Serviced Service Type LDAP-JOC, then  then you can skip this chapter.

The group/roles mapping defines a search for groups and a map that assigns these maps resulting groups to a roleroles.

The search for groups can be executed with one of these the following options:

  • The Account has LDAP Server makes use a memberOf attribute. Then you In this case users can retrieve the list of groups with the User Search . Proceed and should proceed with chapter Using memberOf with User Search.
  • The Account LDAP Server does not have make use of a memberOf attribute. The In this case the group contains the Accounts that are members of the group, Then . Users should proceed with chapter Using Group Search.

These options cannot be mixed!

With the founded groups a map is defined in the LDAP Settings, that maps the groups to roles.

Substitution of the account value

In both searches the account can be substitutedwith groupSearchFilter and with userSearchFilter users can specify placeholders:

  • In the groupSearchFilter and in the userSearchFilter

...

  • users can specify

...

  • the placeholder %s, for example: (uid=%s)
    • The placeholder %s will be substituted with the account from the login.

...

    • Users can login with domain\account or account@domain

...

    • .

...

  • Users can specify

...

  • the placeholder ^s, for example: (uid=^s)
    • The placeholder ^s will be substituted with the original value from the login

...

    • , for example: account@domain.

Anchor
using_member_of_with_user_search
using_member_of_with_user_search
Approach 1: Using

...

User Search to look up the memberOf Attribute

This approach looks for up the Account account entry and reads the memberOf attribute. This attribute is often used when, for example, configuring frequently is available from Microsoft Active Directory® LDAP serversServers. 

Define a userSearchFilter and a searchBase that will find to look up the account.

Microsoft Active Directory® that supports memberOff  supporting the memberOf attribute

NameValueDescription

LDAP Search Base

Example: ou=People,dc=sos

The search base for the ldap LDAP search
LDAP User Search FilterDefault: (sAMAccountName=%s)

...

NameValueDescription

LDAP Search Base

Example: ou=People,dc=sos

The search base for the ldap LDAP search
LDAP User Search FilterExample: (uid=%s)

...

An LDAP Browser can be used to get identify the correct suitable values for the searchBase and the userSearchFilter. Perform Users can perform a directory search with the values. You value and should find only one a single resulting entry. 


The searchBase is the value of the base DN (or ParentDN in the screenshot above).

Hint: if

  • If the attribute name in

...

  • a user's environment does not match the default name memberOf then

...

  • users can specify the name of the attribute with the groupNameAttribute

...

  •  as explained below.

Approach 2: Using

...

Group Search to

...

look up groups that an account is a member of

If the Account entries have LDAP Server makes use of the memberOf attribute then you users can skip this section and proceed with with chapter Using memberOf with User Search.

To specify the a group search the following settings have to be specified

  • LDAP Group Search Base
  • LDAP Group Search Filter
  • LDAP Group Name Attribute

Define the The groupSearchBase and the groupSearchFilter. For example for example can be configured like this:

  • groupSearchBase = ou=Groups,dc=sos
  • groupSearchFilter = (uniqueMember=uid=%s,ou=People,dc=sos)

Anchor
groupsearchbase
groupsearchbase
Getting the value for the groupSearchBase

Identify the location where the groups are stored. This is your groupSearchBase.


Getting the value for the groupSearchFilter

Click one group Entry (in the screenshot, cn=apl) and see how the members are stored there.


The groupSearchFilter is configured with attr=val where attr is name of the attribute and val is the content. In this example, the attr is uniqueMember and the val uid=%s,ou=People,dc=sos, where the userid is replaced with %s. This results in:

...