...
- Early JS7 releases make use of the JS7 - Shiro Identity Service; for migration see JS7 - Shiro Identity Service Migration.
- The connection to an LDAP Server can be secured, see JS7 - LDAP over TLS (using STARTTLS ) and LDAP over SSL (using LDAPS).
This article explains the steps required for configuration of an LDAP Directory Service:
...
- Simple Mode: The most frequently used settings are available.
- Expert Mode: The full set of settings is available.
Specify General Settings
...
Name | Value | Description
---|---|---
LDAP Server URL | | The protocol, host and port of the LDAP Server.
LDAP Start TLS | true / false (checkbox checked or unchecked) | To enable StartTLS set the value to true. See JS7 - LDAP over TLS (using STARTTLS) and LDAP over SSL (using LDAPS).
Host Name Verification | true / false (on or off) | Enables host name verification for the server certificate. The default value is off.
LDAP Truststore Path | | If the LDAP Server is to be configured for TLS/SSL protocols then the indicated truststore has to include an X.509 certificate specified for the Extended Key Usage of Server Authentication.
LDAP Truststore Password | | If an LDAP truststore is used and the LDAP truststore is protected by a password, then the password has to be specified.
LDAP Truststore Type | | If an LDAP truststore is used then the type of the indicated truststore has to be specified being either
...
- As Approach 2 (Group Search) is used for account membership, the group's Common Name is specified.
...
group | sos-members
Examples and special configurations
...
Group Search
...
A public LDAP Server for Testing
An online LDAP Server is available for public access (managed by Forum Systems). This server can be used to test LDAP authentication and authorization.
- The LDAP Server offers two accounts:
  - gauss: the user account is assigned the all role, which allows access to any operation in JOC Cockpit.
  - newton: the user account is assigned the application_manager role, which includes managing scheduling objects but, for example, does not allow restarting a Controller.
- The roles and permissions are described in the JS7 - Default Roles and Permissions article.
- The accounts are members of different LDAP groups that are mapped to respective roles in JOC Cockpit.
The LDAP settings are available for download: PublicLDAP.ldap.json
- The popup window to manage LDAP Server settings offers an Upload button to import downloaded settings.
Both accounts gauss and newton make use of the same password:
User Account
...
Group Search where the member attribute does not contain the account name but the common name
...
memberOf in the account record
...
public LDAP Server
...
A public LDAP Server for testing the connection
An online public LDAP server which can be accessed using a relatively simple configuration is available from Forum Systems. This server can be used to set up a test environment with LDAP authentication. In this article we refer to the authentication of two user accounts on this server, gauss and newton, each of which is a member of a different LDAP group as shown in the following table:
...
User Account | Password | LDAP Group | Role
---|---|---|---
gauss | password | mathematicians | all
newton | password | scientists | application_manager
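The following added example (not JS7 code and not the downloadable PublicLDAP.ldap.json settings) emulates the Group Search approach described above over a constructed in-memory directory: the account entry is located by uid, every group whose member attribute lists it is collected, and the groups are mapped to JOC Cockpit roles as in the table for gauss and newton. Attribute names (uid, cn, ou, uniqueMember, member) and DNs are assumptions; the variant flag covers the case from the earlier section where the member attribute holds the account's common name instead of its DN.

```python
from typing import Dict, List, Set

# Constructed in-memory directory (DN -> attributes); attribute names and DNs
# are assumptions modelled on a typical inetOrgPerson/groupOfUniqueNames layout.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=gauss,dc=example,dc=com": {"uid": ["gauss"], "cn": ["Carl Friedrich Gauss"]},
    "uid=newton,dc=example,dc=com": {"uid": ["newton"], "cn": ["Isaac Newton"]},
    "ou=mathematicians,dc=example,dc=com": {
        "ou": ["mathematicians"], "uniqueMember": ["UID=gauss, DC=example, DC=com"]},
    "ou=scientists,dc=example,dc=com": {
        "ou": ["scientists"], "uniqueMember": ["uid=newton,dc=example,dc=com"]},
}

# Constructed variant: the member attribute holds the account's cn, not its DN.
DIRECTORY_CN: Dict[str, Dict[str, List[str]]] = {
    "uid=newton,dc=example,dc=com": {"uid": ["newton"], "cn": ["Isaac Newton"]},
    "ou=scientists,dc=example,dc=com": {"ou": ["scientists"], "member": ["Isaac Newton"]},
}

# LDAP group -> JOC Cockpit roles, as in the table above.
GROUP_ROLES_MAP: Dict[str, List[str]] = {
    "mathematicians": ["all"], "scientists": ["application_manager"]}


def normalize_dn(dn: str) -> str:
    """DNs compare case-insensitively and ignore spaces around RDN separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def resolve_roles(directory, account, member_attr="uniqueMember",
                  group_attr="ou", member_holds_cn=False) -> Set[str]:
    """Emulate Approach 2 (Group Search): locate the account entry, find every
    group whose member attribute lists it, and map those groups to roles."""
    hits = [(dn, a) for dn, a in directory.items() if account in a.get("uid", [])]
    if len(hits) != 1:           # unknown or ambiguous account: grant no roles
        return set()
    account_dn, attrs = hits[0]
    if member_holds_cn:          # directories that store the cn in the member attribute
        wanted = {cn.lower() for cn in attrs.get("cn", [])}
        matches = lambda v: v.lower() in wanted
    else:
        wanted_dn = normalize_dn(account_dn)
        matches = lambda v: normalize_dn(v) == wanted_dn
    roles: Set[str] = set()
    for entry in directory.values():
        if any(matches(v) for v in entry.get(member_attr, [])):
            for group in entry.get(group_attr, []):
                roles.update(GROUP_ROLES_MAP.get(group, []))  # unmapped groups grant nothing
    return roles
```

Groups that are not listed in the mapping contribute no roles, and an account that is missing or matched more than once resolves to an empty role set, so a misconfigured search cannot widen access.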
Logging
- JS7 - Logging
- For analysis of LDAP Server connections, authentication and authorization consider increasing the log level and checking the output of JOC Cockpit's authentication-debug.log file.
...