Versions Compared

...

Verify Authentication Settings

Verify by use of LDAP Browser

Possible values for the LDAP User DN Template can be derived from an account's properties. The following screenshot displays such properties in an LDAP Browser:

As a first step, search with the value from the LDAP User DN Template in the Search DN input field. The query should return exactly one entry.


From the properties of the resulting entry, the account's DN is used for the setting, with the uid value replaced by {0}.

Verify by use of ldapSearch

Users can check the value of the LDAP User DN Template setting by use of the ldapSearch utility:

ldapsearch -h localhost -p 389 -b "uid=ur,ou=People,dc=sos" -x

# This should return a result such as:

# ur, People, sos
dn: uid=ur,ou=People,dc=sos
mail: *********
uid: ur
givenName: Uwe
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: Risse
cn: Uwe Risse
preferredLanguage: de
# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


Example for use of a public LDAP Directory Service

The following example uses a publicly available LDAP Server. In our experience this server is a good starting point for getting an initial LDAP configuration to work.

ldapsearch -h ldap.forumsys.com -p 389 -b "uid=gauss,dc=example,dc=com" -x

# This should return a result such as:

# extended LDIF
#
# LDAPv3
# base <uid=gauss,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
 
# gauss, example.com
dn: uid=gauss,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Carl Friedrich Gauss
sn: Gauss
uid: gauss
mail: gauss@ldap.forumsys.com
 
# search result
search: 2
result: 0 Success
 
# numResponses: 2
# numEntries: 1


Note:

The ldapSearch examples in this article use the -x option (simple authentication) without a bind DN, i.e. an anonymous bind. An LDAP Directory Service may not allow anonymous access; in this case an account (bind DN, -D) and a password (-W) have to be specified in addition, keeping -x so that a simple bind is performed instead of a SASL bind. The command then looks like this:

# -x: simple bind, -D: bind DN of the account, -W: prompt for the password
ldapsearch -x -h ldap.forumsys.com -p 389 -b "uid=gauss,dc=example,dc=com" -D "uid=gauss,dc=example,dc=com" -W

Verify by use of JOC Cockpit

Try to log in with an LDAP account/password combination. Use an account that you have verified to be correct with the ldapSearch command described above. If no role is configured for the account but authentication succeeds, the following screen is displayed, which complains about missing authorization after successful authentication:

[Screenshot]

Step 3: Authorization

...

An LDAP Browser can be used to identify suitable values for the searchBase and the userSearchFilter. Users can perform a directory search with these values and should find a single resulting entry.

[Screenshot]


The searchBase is the value of the base DN (or ParentDN in the screenshot above).

...

  • groupSearchBase = ou=Groups,dc=sos
  • groupSearchFilter = (uniqueMember=uid=%s,ou=People,dc=sos)


...

Looking up the value for the groupSearchBase

Identify the location where the groups are stored in the LDAP Server; this location is the groupSearchBase:

[Screenshot]


[Screenshot]

...

Looking up the value for the groupSearchFilter

When clicking a group entry (in the screenshot, cn=apl) the members included in the group should become visible:

[Screenshot]


The groupSearchFilter is configured as attr=val, where attr is the name of the attribute and val is its value. In this example, the attribute is uniqueMember and the value is uid=%s,ou=People,dc=sos, where the user id is replaced with %s. This results in:

...

Verify Authorization Settings

Verifying the groupSearchFilter with the ldapSearch command

ldapsearch -h localhost -p 389 -b "ou=Groups,dc=sos" -s sub "uniqueMember=uid=ur,ou=People,dc=sos" -x

This search should return the group entries the account is a member of. Identify the attribute containing the group name that is to be used in the group roles mapping. This can be seen in the next listing:


# extended LDIF
#
# LDAPv3
# base <ou=Groups,dc=sos> with scope subtree
# filter: uniqueMember=uid=ur,ou=People,dc=sos
# requesting: ALL
#
 
# sos, Groups, sos
dn: cn=sos,ou=Groups,dc=sos
description: Employees of SOS GmbH
objectClass: top
objectClass: groupofuniquenames
cn: sos
uniqueMember: uid=ur,ou=People,dc=sos
uniqueMember: uid=fTester,ou=People,dc=sos

# apl, Groups, sos
dn: cn=apl,ou=Groups,dc=sos
objectClass: top
objectClass: groupofuniquenames
cn: apl
uniqueMember: uid=ur,ou=People,dc=sos
uniqueMember: uid=fTester,ou=People,dc=sos
 
# search result
search: 2
result: 0 Success
 
# numResponses: 3
# numEntries: 2


Verifying the groupSearchBase and groupSearchFilter with an LDAP Browser


Users can verify the groupSearchBase and groupSearchFilter attribute values by using them to perform a directory search. The result should display all groups the account is a member of.

[Screenshot]


The groupNameAttribute is the name of the attribute that holds the group name.

  • groupNameAttribute = cn

Hint: The complete value of this attribute has to be used with the groupRolesMap attribute. Typical values of the attribute could be cn=groupname,ou=Groups,dc=sos or cn=groupname.

Substitution of the account name

If the roles are assigned by JOC Cockpit using the Identity Service Type LDAP-JOC, you can skip this chapter.

If the member values of the groups contain the account name from the login, you can skip this chapter as well.

Sometimes the member values do not contain the account name from the login but, for example, the cn of the account. In this case users have to search for the account first and then specify the name of the attribute that should be used instead of the account name from the login.

To achieve this, the searchBase, userSearchFilter and userNameAttribute attributes can be specified:

searchBase = ou=People,dc=sos
userSearchFilter = (uid=%s)

...

Verify by use of ldapSearch

This search should return the account with the given account name. Identify the attribute whose value should be substituted in the group search if it is not the account name from the login.

ldapsearch -h localhost -p 389 -b "ou=People,dc=sos" -s sub "uid=fTester" -x

# This should return the following result

# extended LDIF
#
# LDAPv3
# base <ou=People,dc=sos> with scope subtree
# filter: uid=fTester
# requesting: ALL
#

# fTester, People, sos
dn: uid=fTester,ou=People,dc=sos
mail: info@sos-berlin.com
uid: fTester
givenName: Fritz
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: Tester
cn: Fritz Tester

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


Verification by use of LDAP Browser

Users can perform a directory search with their LDAP Browser to check the User Search configuration. The result should present one account entry only.

[Screenshot]


Then identify the name of the attribute that contains the value for substitution. For example:

...

Group Roles Mapping

The mapping is configured with the "Expert Mode" of the LDAP Identity Service Manage Settings view.

Note that the value of the group depends on the result of the group search. It is the value of the attribute that has been specified with the groupNameAttribute attribute. This attribute defaults to memberOf. If group memberships are looked up by use of the memberOf attribute of an account, then the complete value of the memberOf attribute has to be specified, i.e. the Distinguished Names of the group hits.

Example for Group Mapping with Microsoft Active Directory® and memberOf Attribute

A typical mapping when using Microsoft Active Directory® and the memberOf attribute for group memberships identifies each group hit by its Distinguished Name like this:

  • CN=Group1,OU=SpecialGroups,OU=Groups,OU=Company,DC=sos-berlin,DC=com ==> all
  • CN=AnotherGroup,OU=SpecialGroups,OU=Groups,OU=Company,DC=sos-berlin,DC=com ==> administrator
  • CN=Beginners,OU=SecurityGroups,OU=Groups,OU=Company,DC=sos-berlin,DC=com ==> business_user
Example for Group Mapping with cn Attribute

A mapping that is based on Group Search identifies group hits by the value of their Common Name like this:

  • sos ==> it_operator
  • apl ==> administrator,application_manage
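As an added example (not JOC Cockpit code), the following Python script shows how the output of the group search above is turned into roles: it substitutes the account name for %s in the groupSearchFilter, parses the LDIF, picks the groupNameAttribute values and looks them up in a roles map, once keyed by cn and once, as required with memberOf, by the complete Distinguished Name. The LDIF sample and the two maps are constructed from this article's values.

```python
# Added example, not JOC Cockpit code: resolve roles from a group search result
# the way the groupNameAttribute / groupRolesMap settings describe.
# Constructed sample: LDIF a group search for account "ur" returns (abridged
# from the ldapsearch listing in this article).
GROUP_SEARCH_LDIF = """\
# filter: uniqueMember=uid=ur,ou=People,dc=sos
dn: cn=sos,ou=Groups,dc=sos
description: Employees of SOS GmbH
objectClass: groupofuniquenames
cn: sos
uniqueMember: uid=ur,ou=People,dc=sos

dn: cn=apl,ou=Groups,dc=sos
objectClass: groupofuniquenames
cn: apl
uniqueMember: uid=ur,ou=People,dc=sos
"""
# groupRolesMap keyed by cn (groupNameAttribute = cn), as in the example above.
ROLES_BY_CN = {"sos": ["it_operator"], "apl": ["administrator"]}
# groupRolesMap keyed by the complete DN, as required when memberOf is used.
ROLES_BY_DN = {"cn=sos,ou=Groups,dc=sos": ["it_operator"]}

def build_filter(group_search_filter, account):
    """Replace %s in the groupSearchFilter with the (possibly substituted) account name."""
    return group_search_filter.replace("%s", account)

def parse_ldif(text):
    """Split ldapsearch output into entries ({attribute: [values]}); comment and blank
    lines end an entry; base64 values (::) are not decoded in this example."""
    entries, current = [], {}
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def roles_for(ldif, group_name_attribute, roles_map):
    """Collect the roles mapped to each group hit's groupNameAttribute value; a map key
    that is not the complete attribute value (e.g. cn instead of DN) matches nothing."""
    roles = []
    for entry in parse_ldif(ldif):
        for group in entry.get(group_name_attribute, []):
            for role in roles_map.get(group, []):
                if role not in roles:
                    roles.append(role)
    return roles
```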

...

Account Name | Password | LDAP Group     | Shiro Role
gauss        | password | mathematicians | all
newton       | password | scientists     | it_operator

...