Introduction

LDAP authentication for the JOC Cockpit is offered from the JS7 - LDAP Identity Service and relies on a connection between the JS7 - REST Web Service API and the LDAP Server.

• Early JS7 releases make use of JS7 - Shiro Identity Service, for migration see JS7 - Shiro Identity Service Migration.
• The connection to the LDAP Server be secured, see JS7 - LDAP over TLS (STARTTLS) and LDAP over SSL (LDAPS).

This article describes the steps for configuration with an LDAP Directory Service:

• Step 1: LDAP Configuration
• Step 2: Authentication
• Step 3: Authorization
  • Define roles
  • Define groupRolesMapping
  • Define the LDAP attribute search for groups

Relevant Tools

• An LDAP Browser:
  • The screenshots used in this article were made with the Softerra LDAP Browser that was configured to use the relevant LDAP Directory Service.
• A command line utility:
  
  • The examples used in this article are executed with ldapSearch.

Proceeding

The following diagram provides an overview of the setup proceeding:

Step 1: Basic LDAP Configuration

The LDAP configuration can be managed from the Administration->Manage Identity Services view like this:

Add Identity Service

In a first step click the Add Identity Service button that brings up the following popup window.

• A Name has to be specified that identifies the LDAP Identity Service.
• The Identity Service Type gives a choice
  • LDAP: to map user/role assignments from security group membership in the LDAP Server,
  • LDAP-JOC: to manage user/role assignments from the Identity Service.
• Do not make the Identify Service Required before you are certain that the service configuration works fine.
• Select the single-factor Authentication Scheme.
  
  

Manage Identity Service Settings

In a next step set up the configuration of the service:

• Select the Manage Settings action menu item like this:
  
  

This brings forward a popup window with the following tabs:

• Simple Mode: The most frequently used settings are available.
• Expert Mode:: The full set of settings is available.
  
  

Specify General Settings 

The following table lists the general items used to configure an LDAP connection.

Step 2: LDAP Authentication

Specify Authentication Settings

The following table lists possible values for authentication with an LDAP Server:

The value {0} will be substituted with the account name.

Verify Authentication Settings

Verify by use of LDAP Browser

Possible values for the LDAP User DN Template can be derived from an account's properties. The below screenshot displays such properties from an LDAP Browser:

In a first step search with the value from the LDAP User DN Template in the Search DN input field. The query should return only one entry.

From the properties of the resulting entry the setting for the account is used and the uid value is replaced with: {0}.

Verify by use of ldapSearch

Users can check the value of the LDAP User DN Template setting by use of the ldapSearch utility:

ldapsearch -h localhost -p 389 -b "uid=ur,ou=People,dc=sos" -x

# This should return a result such as:

# ur, People, sos
dn: uid=ur,ou=People,dc=sos
mail: *********
uid: ur
givenName: Uwe
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: Risse
cn: Uwe Risse
preferredLanguage: de
# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Example for use of a public LDAP Directory Service

The following example uses a publicly available LDAP Server. To our experience this server provides a good example to make an initial LDAP configuration work.

ldapsearch -h ldap.forumsys.com -p 389 -b "uid=gauss,dc=example,dc=com" -x

# This should return a result such as:

# extended LDIF
#
# LDAPv3
# base <uid=gauss,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
 
# gauss, example.com
dn: uid=gauss,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Carl Friedrich Gauss
sn: Gauss
uid: gauss
mail: gauss@ldap.forumsys.com
 
# search result
search: 2
result: 0 Success
 
# numResponses: 2
# numEntries: 1

Note: 

The option -x is used in the ldapSearch examples in this article. It is possible that an LDAP Directory Service does not allow this option and instead an account and a password have to be specified. In this case the command would look like this:

ldapsearch -h ldap.forumsys.com -p 389 -b "uid=gauss,dc=example,dc=com" -W -D "uid=gauss,dc=example,dc=com"

Verify by use of JOC Cockpit

Try to login with an LDAP Account/Password combination. Use an Account  that you have verified to be correct by executing the ldapSearch command described above. If there are no Role(s) configured for the Account but the authentication works then you will see the following screen that complains about missing authorization after successful authentication:

Step 3: Authorization

Authorization includes the assignment of roles to user accounts. Roles, in turn, hold permissions. For details see JS7 - Manage Roles and Permissions.

There are two options for assignment of roles to user accounts depending on the Identity Service Type:

• LDAP: add a Group/Roles mapping: membership of a user account in a security group of the LDAP Server is mapped to a role in the Identity Service.
• LDAP-JOC: add a user account and assign roles. Accounts are managed with the Identity Service in parallel to the LDAP Server. No user passwords are managed with JOC Cockpit as authentication is performed with the LDAP Directory Service.

Assign Roles with Identity Service

For details see JS7 - Manage Roles and Permissions.

Map Roles from LDAP Security Groups

If the Roles are assigned with the JOC Cockpit Identity Service Management by using the Identity Serviced LDAP-JOC, then you can skip this chapter.

The group roles mapping defines a search for groups and a map that assigns these groups to a role.

The search for groups can be executed with one of these options

• The Account has a memberOf attribute. Then you can retrieve the list of groups with the User Search. Then proceed with Using memberOf with User Search.
• The Account does not have a memberOf attribute. The group contains the Accounts that are members of the group, Then proceed with Using Group Search.

These options cannot be mixed!

With the founded groups a map is defined, that maps the groups to roles.

In both searches the account can be substituted

How substitutions will be done

In the groupSearchFilter and the userSearchFilter you can specify %s e.g. 

(uid=%s)

The %s will be substituted with the account from the login. If you login with domain\account oder account@domain the value for the user is account.

You can specify ^s e.g.

(uid=^s)

The placeholder ^s will be substituted with the original value from the login e.g. account@domain.

Usersearch

This approach looks for the Account entry and reads the memberOf attribute. This attribute is often used when, for example, configuring Microsoft Active Directory^® LDAP servers. 

Define a userSearchFilter and a searchBase that will find the account .

Microsoft Active Directory^® that supports memberOff attribute

General

Groupsearch

Microsoft Active Directory^® that supports memberOff attribute

General

Group Roles Mapping

The mapping is defined in the expert tab of the LDAP Identity Service Manage Settings view.

Note that the value of the group depends on the result of the group search. It is the value of the attribute that you have specified with the groupNameAttribute. Default for the groupNameAttribute is memberOf. This indicates that if you are retrieving group memberships by use of the memberOf attribute of an account then you have to specify the complete value of the memberOf attribute value, i.e. the distinguished names of group hits.

Example for Group Mapping with Microsoft Active Directory by memberOf Attribute

A typical mapping when using Microsoft Active Directory with the memberOf attribute for group memberships includes to specify group hts by their distinguished name like this:

• CN=Group1,OU=SpecialGroups,OU=Groups,OU=Company,DC=sos-berlin,DC=com ==>  all
• CN=AnotherGroup,OU=SpecialGroups,OU=Groups,OU=CompanyDC=sos-berlin,DC=com ==>  adminitrator
• CN=Beginners,OU=SecurityGroups,OU=Groups,OU=Company,DC=sos-berlin,DC=com ==> business_user

Example for Group Mapping by cn Attribute

A mapping that is based on group search would identify group hits by the value of their common name like this:

• sos ==> it_operator
• apl ==> administrator,application_manage

An LDAP Browser can be used to get the correct values for the searchBase and the userSearchFilter. Perform a directory search with the values. You should find only one entry. 

The searchBase is the value of the base DN (or ParentDN in the screenshot above).

Hint: if the attribute name in your environment is not the default memberOf then you can specify the name of the attribute with the groupNameAttribute key as described in the next section.

If the Account entries have the memberOf attribute then you can skip this section and proceed with Using memberOf with User Search. Settings: 

• ldapRealm.groupSearchBase 
• ldapRealm.groupNameAttribute
• ldapRealm.groupSearchFilter

When the memberOf attribute is not available for the Account then you can use the Group Search.

Define the groupSearchBase and the groupSearchFilter. For example:

• ldapRealm.groupSearchBase = ou=Groups,dc=sos
• ldapRealm.groupSearchFilter = (uniqueMember=uid=%s,ou=People,dc=sos)

Getting the value for the groupSearchBase

Identify the location where the groups are stored. This is your groupSearchBase.

Getting the value for the groupSearchFilter

Click one group Entry (in the screenshot, cn=apl) and see how the members are stored there.

The groupSearchFilter is configured with attr=val where attr is name of the attribute and val is the content. In this example, the attr is uniqueMember and the val uid=%s,ou=People,dc=sos, where the userid is replaced with %s. This results in:

• ldapRealm.groupSearchFilter = (uniqueMember=uid=%s,ou=People,dc=sos)

Verifing the groupSearchFilter with the ldapSearch command

 ldapsearch -h localhost -p 389 -b "ou=Groups,dc=sos" -s sub "uniqueMember=uid=ur,ou=People,dc=sos" -x

This search should return the group entries the Account is a member of. Identify the attribute containing the group name that is to be used in the user roles mapping. This can be seen in the next listing

# extended LDIF
#
# LDAPv3
# base <ou=Groups,dc=sos> with scope subtree
# filter: uniqueMember=uid=ur,ou=People,dc=sos
# requesting: ALL
#
 
# sos, Groups, sos
dn: cn=sos,ou=Groups,dc=sos
description: Employees of SOS GmbH
objectClass: top
objectClass: groupofuniquenames
cn: sos
uniqueMember: uid=ur,ou=People,dc=sos
uniqueMember: uid=fTester,ou=People,dc=sos

# apl, Groups, sos
dn: cn=apl,ou=Groups,dc=sos
objectClass: top
objectClass: groupofuniquenames
cn: apl
uniqueMember: uid=ur,ou=People,dc=sos
uniqueMember: uid=fTester,ou=People,dc=sos
 
# search result
search: 2
result: 0 Success
 
# numResponses: 3
# numEntries: 2

Verifing the groupSearchBase and groupSearchFilter with an LDAP Browser

Now set the groupNameAttribute to the name of the attribute that contains the group name.

• ldapRealm.groupNameAttribute = cn

Hint: The complete content of this attribute must be used in the groupRolesMap attribute. Typical content of the attribute could be ou=Groups,dc=sos,cn=groupname .

Substitution of the account name

If the roles are assigned with the JOC Account Manager using the Identity Service LDAP-JOC you can skip this chapter.

If the value of the member of the groups contains the Account name from the login then you can skip this chapter

Sometimes the values of the member do not contain the Account Name from the login but, for example, the cn of the Account. In this case you have to search for the Account first and then specify the name of the attribute that should be used instead of the Account name from the login .

To achieve this, specify a searchBase, a userSearchFilter and a userNameAttribute.

ldapRealm.searchBase = ou=People,dc=sos
ldapRealm.userSearchFilter = (uid=%s)

Verify by use of ldapSearch

ldapsearch -h localhost -p 389 -b "ou=People,dc=sos" -s sub "uid=fTester" -x

# This should return the following result

# extended LDIF
#
# LDAPv3
# base <ou=People,dc=sos> with scope subtree
# filter: uid=fTester
# requesting: ALL
#

# fTester, People, sos
dn: uid=fTester,ou=People,dc=sos
mail: info@sos-berlin.com
uid: fTester
givenName: Fritz
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: Tester
cn: Fritz Tester

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Verification by use of LDAP Browser

Perform a directory search with your LDAP client to check the User Search configuration. You should find only one Account entry with the given Account name.

Then identify the name of the attribute that contains the value for substitution. For example:

• ldapRealm.userNameAttribute = cn

The configuration will look like this:

Examples and special configurations

A public LDAP Server for testing the connection

An online public LDAP server which can be accessed using a relatively simple configuration is available from Forum Systems. This server can be used to set up a test environment with LDAP authentication. In this article we will refer to the authentication of two user accounts on this server - gauss and newton - that are each members of a different LDAP group as shown in the following table:

 Logging

References

• JS7 - Logging
  
  • JS7 - Log Files and Locations
  • JS7 - Log Levels and Debug Options

Use Cases

For debugging of LDAP Server connections