JS7 JobScheduler

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 17 Next »

Introduction

The JS7 - LDAP Identity Service offers authentication from an LDAP Directory Service and is available from JS7 - REST Web Service API.

This article explains the steps for configuration of an LDAP Directory Service:

Relevant Tools

  • LDAP Browser:
    • The screenshots used in this article were made with the Softerra LDAP Browser that was configured to use the relevant LDAP Directory Service.
  • Command Line Client:
    • The examples used in this article are executed with ldapSearch.

Preceding

The following diagram provides an overview of the steps to set up LDAP connections:

Step 1: Basic LDAP Configuration

The LDAP configuration can be managed from the Administration->Manage Identity Services view like this:

Add Identity Service

In a first step click the Add Identity Service button that brings up the following popup window.

  • A Name has to be specified that identifies the LDAP Identity Service.
  • The Identity Service Type gives a choice
    • LDAP: to map user/role assignments from security group membership in the LDAP Server,
    • LDAP-JOC: to manage user/role assignments for the Identity Service with JOC Cockpit.
  • Do not make the Identify Service Required before you are certain that the service configuration works fine.
  • Select the single-factor Authentication Scheme.

Manage Identity Service Settings

In a next step set up the configuration of the service:

  • Select the Manage Settings action menu item like this:


This brings forward a popup window with the following tabs:

  • Simple Mode: The most frequently used settings are available.
  • Expert Mode:: The full set of settings is available.


Specify General Settings 

Find detailed explanations about general settings from JS7 - LDAP Identity Service, chapter: Identity Service Settings.

The following table lists the general items used to configure an LDAP connection.

NameValueDescription

LDAP Server URL

ldap://host:port

The host and the port of the LDAP Server. 

LDAP Start TLS

true|false

To enable Starttls set the value to true (Default is false)

See JS7 - LDAP over TLS (STARTTLS) and LDAP over SSL (LDAPS)

Host Name Verification

true|falseEnables host name verification for the server certificate. The default value is off.

LDAP Truststore Path


Should the LDAP Server be configured for TLS/SSL protocols then the indicated truststore has to include an X.509 certificate specified for the Extended Key Usage of Server Authentication.

LDAP Truststore Password


If an LDAP truststore is used and the LDAP truststore is protected by a password, then the password has to be specified.

LDAP Truststore Type


If an LDAP truststore is used then the type of the indicated truststore has to be specified being either PKCS12 or JKS (deprecated).

Step 2: LDAP Authentication

Specify Authentication Settings

The following table lists possible values for authentication with an LDAP Server:

The value {0} will be substituted with the account name.

NameValueDescription

LDAP User DN Template

{0}

Should work from scratch for Microsoft Active Directory®

For login use domain\account or account@domain where account is the value of the sAMAccountName attribute.


uid={0},ou=People,dc=sos

Use with Microsoft Active Directory® and other LDAP Servers.

Look up the sAMAccountName starting from the indicated hierarchy. This limits access to hierarchy levels.

For login use domain\account or account@domain where account is the value of the sAMAccountName attribute.


cn={0},ou=Users,dc=sos,dc=berlin,dc=com

Use with Microsoft Active Directory® and other LDAP Servers.

The Common Name cn attribute value of the account is used. This format requires the Common Name to be unique.

For login use domain\account or account@domain where account is the value of the sAMAccountName attribute.


uid={0},dc=example,dc=com

Use with Public LDAP Server.

For login use

Verify Authentication Settings


Verify by use of LDAP Browser

Possible values for the LDAP User DN Template can be derived from an account's properties. The below screenshot displays such properties from an LDAP Browser:

In a first step search with the value from the LDAP User DN Template in the Search DN input field. The query should return only one entry.


From the properties of the resulting entry the setting for the account is used and the uid value is replaced with: {0}.

Verify by use of ldapSearch

Users can check the value of the LDAP User DN Template setting by use of the ldapSearch utility:

Verify by use of ldapSearch 
ldapsearch -h localhost -p 389 -b "uid=ur,ou=People,dc=sos" -x

# This should return a result such as:

# ur, People, sos
dn: uid=ur,ou=People,dc=sos
mail: *********
uid: ur
givenName: Uwe
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: Risse
cn: Uwe Risse
preferredLanguage: de
# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


Example for use of a public LDAP Directory Service

The following example uses a publicly available LDAP Server. To our experience this server provides a good example to make an initial LDAP configuration work.

Verify by use of ldapSearch 
ldapsearch -h ldap.forumsys.com -p 389 -b "uid=gauss,dc=example,dc=com" -x

# This should return a result such as:

# extended LDIF
#
# LDAPv3
# base <uid=gauss,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
 
# gauss, example.com
dn: uid=gauss,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Carl Friedrich Gauss
sn: Gauss
uid: gauss
mail: gauss@ldap.forumsys.com
 
# search result
search: 2
result: 0 Success
 
# numResponses: 2
# numEntries: 1


Note: 

The option -x is used in the ldapSearch examples in this article. It is possible that an LDAP Directory Service does not allow this option and instead an account and a password have to be specified. In this case the command will look like this:

Verify by use of ldapSearch with public LDAP Server
ldapsearch -h ldap.forumsys.com -p 389 -b "uid=gauss,dc=example,dc=com" -W -D "uid=gauss,dc=example,dc=com"

Verify by use of JOC Cockpit

Try to login with an LDAP Account/Password combination. Use an Account  that you have verified to be correct by executing the ldapSearch command described above. If there are no Role(s) configured for the Account but the authentication works then you will see the following screen that complains about missing authorization after successful authentication:

Step 3: Authorization

Authorization includes the assignment of roles to user accounts. Roles, in turn, hold permissions. For details see JS7 - Manage Roles and Permissions.

There are two options for assignment of roles to user accounts depending on the Identity Service Type:

  • LDAP: add a Group/Roles mapping. Membership of a user account in security groups of the LDAP Server is mapped to roles in the Identity Service.
  • LDAP-JOC: add a user account and assign roles. Accounts are managed with the Identity Service in parallel to the LDAP Server. No user passwords are managed with JOC Cockpit as authentication is performed with the LDAP Directory Service.

Assign Roles with Identity Service

For details see JS7 - Manage Roles and Permissions.

Map Roles from LDAP Security Groups

If roles are assigned with JOC Cockpit by use of the Identity Service Type LDAP-JOC then you can skip this chapter.

The group/roles mapping defines a search for groups and a maps resulting groups to roles.

The search for groups can be executed with one of the following options:

  • The LDAP Server makes use a memberOf attribute. In this case users can retrieve the list of groups with the User Search and should proceed with chapter Using memberOf with User Search.
  • The LDAP Server does not make use of a memberOf attribute. In this case the group contains the Accounts that are members of the group. Users should proceed with chapter Using Group Search.

Substitution of the account value

In both searches with groupSearchFilter and with userSearchFilter users can specify placeholders:

  • In the groupSearchFilter and in the userSearchFilter users can specify the placeholder %s, for example: (uid=%s)
    • The placeholder %s will be substituted with the account from the login. Users can login with domain\account or account@domain.
  • Users can specify the placeholder ^s, for example: (uid=^s)
    • The placeholder ^s will be substituted with the original value from the login, for example: account@domain.

Approach 1: Using User Search to look up the memberOf Attribute

This approach looks up the account entry and reads the memberOf attribute. This attribute frequently is available from Microsoft Active Directory® LDAP Servers.

Define a userSearchFilter and a searchBase to look up the account.

Microsoft Active Directory® supporting the memberOf attribute

NameValueDescription

LDAP Search Base

Example: ou=People,dc=sos

The search base for the LDAP search
LDAP User Search FilterDefault: (sAMAccountName=%s)

General

NameValueDescription

LDAP Search Base

Example: ou=People,dc=sos

The search base for the LDAP search
LDAP User Search FilterExample: (uid=%s)


An LDAP Browser can be used to identify the suitable values for the searchBase and the userSearchFilter. Users can perform a directory search with the value and should find a single resulting entry. 


The searchBase is the value of the base DN (or ParentDN in the screenshot above).

Hint:

  • If the attribute name in a user's environment does not match the default name memberOf then users can specify the name of the attribute with the groupNameAttribute as explained below.

Approach 2: Using Group Search to look up groups that an account is a member of

If the LDAP Server makes use of the memberOf attribute then users can skip this section and proceed with chapter Using memberOf with User Search.

To specify a group search the following settings have to be specified

  • LDAP Group Search Base
  • LDAP Group Search Filter
  • LDAP Group Name Attribute

The groupSearchBase and groupSearchFilter for example can be configured like this:

  • groupSearchBase = ou=Groups,dc=sos
  • groupSearchFilter = (uniqueMember=uid=%s,ou=People,dc=sos)

Looking up the value for the groupSearchBase

Identify the location where groups are stored in the LDAP Server, this should identify the groupSearchBase:


Looking up the value for the groupSearchFilter

When clicking a group entry (in the screenshot, cn=apl the members included should become visible:


The groupSearchFilter is configured with attr=val where attr is the name of the attribute and val is the value. In this example, the attribute is uniqueMember and the value is valuid=%s,ou=People,dc=sos, where the userid is replaced with %s. This results in:

  • groupSearchFilter = (uniqueMember=uid=%s,ou=People,dc=sos)


Verifing the groupSearchFilter with the ldapSearch command

 ldapsearch -h localhost -p 389 -b "ou=Groups,dc=sos" -s sub "uniqueMember=uid=ur,ou=People,dc=sos" -x

This search should return the group entries the Account is a member of. Identify the attribute containing the group name that is to be used in the user roles mapping. This can be seen in the next listing


# extended LDIF
#
# LDAPv3
# base <ou=Groups,dc=sos> with scope subtree
# filter: uniqueMember=uid=ur,ou=People,dc=sos
# requesting: ALL
#
 
# sos, Groups, sos
dn: cn=sos,ou=Groups,dc=sos
description: Employees of SOS GmbH
objectClass: top
objectClass: groupofuniquenames
cn: sos
uniqueMember: uid=ur,ou=People,dc=sos
uniqueMember: uid=fTester,ou=People,dc=sos

# apl, Groups, sos
dn: cn=apl,ou=Groups,dc=sos
objectClass: top
objectClass: groupofuniquenames
cn: apl
uniqueMember: uid=ur,ou=People,dc=sos
uniqueMember: uid=fTester,ou=People,dc=sos
 
# search result
search: 2
result: 0 Success
 
# numResponses: 3
# numEntries: 2


Verifing the groupSearchBase and groupSearchFilter with an LDAP Browser


Users can verify the groupSearchBase and groupSearchFilter attribute values by performing a directory search. The result should display all groups the account is a member of.


The groupNameAttribute is the name of the attribute that holds the group name.

  • groupNameAttribute = cn

Hint: The value of this attribute has to be used with the groupRolesMap attribute. Typical values of the attribute could be cn=groupname,ou=Groups,dc=sos .

Substitution of the account name

If roles are assigned by JOC Cockpit using the Identity Service Type LDAP-JOC you can skip this chapter.

If the value of the member of the groups contains the Account name from the login then you can skip this chapter

Sometimes the values of the member do not contain the Account Name from the login but, for example, the cn of the Account. In this case users have to search for the account first and then to specify the name of the attribute that should be used instead of the account name from the login .

To achieve this, the searchBase, userSearchFilter and userNameAttribute attributes can be specified:

searchBase = ou=People,dc=sos
userSearchFilter = (uid=%s)


Verify by use of ldapSearch

This search should return the Account with the given Account name. Identify the attribute that should be used for substitution in the Group Search base if it is not the Account name from the login.

Username Substitution 
ldapsearch -h localhost -p 389 -b "ou=People,dc=sos" -s sub "uid=fTester" -x

# This should return the following result

# extended LDIF
#
# LDAPv3
# base <ou=People,dc=sos> with scope subtree
# filter: uid=fTester
# requesting: ALL
#

# fTester, People, sos
dn: uid=fTester,ou=People,dc=sos
mail: info@sos-berlin.com
uid: fTester
givenName: Fritz
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: Tester
cn: Fritz Tester

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


Verification by use of LDAP Browser

Users can perform a directory search with their LDAP Browser to check the User Search configuration. The result should present one account entry only.


Then identify the name of the attribute that contains the value for substitution. For example:

  • userNameAttribute = cn

Group Roles Mapping

The mapping is configured with the "Expert Mode" of the LDAP Identity Service Settings.

Note that the value of the group depends on the result of the group search. It is the value of the attribute that has been specified with the groupNameAttribute attribute. This attribute defaults to memberOf. In case that group memberships are looked up by use of the memberOf attribute of an account then the value of the memberOf attribute has to be specified, i.e. the Distinguished Names of group hits.

Example for Group Mapping with Microsoft Active Directory® and memberOf Attribute

A typical mapping when using Microsoft Active Directory® and the memberOf attribute includes to specify each group by its Distinguished Name like this:

  • CN=Group1,OU=SpecialGroups,OU=Groups,OU=Company,DC=sos-berlin,DC=com ==>  all
  • CN=AnotherGroup,OU=SpecialGroups,OU=Groups,OU=CompanyDC=sos-berlin,DC=com ==>  adminitrator
  • CN=Beginners,OU=SecurityGroups,OU=Groups,OU=Company,DC=sos-berlin,DC=com ==> business_user
Example for Group Mapping with cn Attribute

A mapping that is based on Group Search would apply resulting groups from the value of their Common Name like this:

  • sos ==> it_operator
  • apl ==> administrator,application_manage

The configuration will look like this:

Examples and special configurations



userDnTemplategroupSearchBasegroupNameAttributegroupSearchFiltersearchBaseuserNameAttributeuserSearchFilter

Group Search 

uid={0},ou=People,dc=sosou=Groups,dc=soscn(uniqueMember=uid=%s,ou=People,dc=sos)


Group Search where the member attribute does not contain the account name but the common name

uid={0},ou=People,dc=sosou=Groups,dc=soscn(uniqueMember=uid=%s,ou=People,dc=sos)ou=People,dc=soscn(uniqueMember=uid=%s,dc=example,dc=com)

memberOf in the account record

uid={0},ou=People,dc=sos


ou=People,dc=sos
(uid=%s)

public LDAP Server

uid={0},dc=example,dc=com
ou
dc=example,dc=comuid(uniqueMember=uid=%s,dc=example,dc=com)


A public LDAP Server for testing the connection

An online public LDAP server which can be accessed using a relatively simple configuration is available from Forum Systems. This server can be used to set up a test environment with LDAP authentication. In this article we will refer to the authentication of two user accounts on this server - gauss and newton - that are each members of a different LDAP group as shown in the following table:

Account NamePasswordLDAP GroupRole
gausspasswordmathematicians

all

newtonpasswordscientistsit_operator


 Logging

References

Use Cases

For debugging of LDAP Server connections





  • No labels