Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Current »

This page describes how to configure the O3 Server to use LDAP or Active Directory as the authentication mechanism.

Basic knowledge of LDAP is required to understand these instructions, as well as basic experience regarding the configuration of the LDAP and Active Directory servers of your choice.

This description includes some examples that serve only as a guide since the strcture of directories may differ depending on the selected LDAP server.

These instructions apply to versions 4.0.400 o higher

O3 Server security

O3 Server Security is based on a module usually known as RBAC (Role Based Access Control).

This module defines a set of repositories that store all elements involved in the security mechanisms of the server (users, roles, attributes, relationships between all of them, etc.).

It is possible to choose among different repository implementations thus allowing data to be stored and retrieved from different servers and using various technologies.

O3 includes an implementation that allows RBAC to connect to directory servers such as LDAP and Active Directory.

Configuring the O3 Server

The specific implementation of RBAC repositories is declared in a file called GServer.properties. This file is located in the folder <O3>/jboss/server/default/ideasoft-o3

This file defines a set of properties that describe the repository and how to access it.

#RBAC Repositories Configuration
#rbac.roleRepository         = com.ideasoft.rbac.repository.impl.jndi.JndiRoleRepository
#rbac.userRepository         = com.ideasoft.rbac.repository.impl.jndi.JndiUserRepository
#rbac.raAssignmentRepository = com.ideasoft.rbac.repository.impl.jndi.JndiRAAssignmentRepository
#rbac.loginService           = com.ideasoft.rbac.repository.impl.jndi.JndiLoginService

O3's distribution includes all of these properties commented out, as they can be seen in the previous section with all the lines starting with the hash mark (#). In order to activate the use of LDAP or Active Directory, these characters need to be deleted to look like this:

#RBAC Repositories Configuration
rbac.roleRepository         = com.ideasoft.rbac.repository.impl.jndi.JndiRoleRepository
rbac.userRepository         = com.ideasoft.rbac.repository.impl.jndi.JndiUserRepository
rbac.raAssignmentRepository = com.ideasoft.rbac.repository.impl.jndi.JndiRAAssignmentRepository
rbac.loginService           = com.ideasoft.rbac.repository.impl.jndi.JndiLoginService

(warning) Note
If only users are to be validated against LDAP or Active Directory, with roles defined in the default database, only the lines identified as rbac.loginService and rbac.userRepository need to be uncommented. If the rbac.userRepository is not specified, all users will have to be stored both in the default database and the LDAP server.

Apart from enabling the use if these alternative implementations for the RBAC repositories, it is necesary to configure a set of parameters required specifically for LDAP or Active Directory.

These specifics are indicated in a separate file located in the folder <O3>/jboss/server/default/ideasoft-o3/config/rbac

The name of this file is indicated in the GServer.properties file using the property:

jndi.cfg.filename = JndiConfiguration-SunONE.properties

O3's distribution includes two sample files called JndiConfiguration-MS.properties and JndiConfiguration-SunONE.properties for Microsoft Active Directory and SunONE Directory Server respectively. These examples are shown below as a reference.

These files are structured as follows:

Parameter

Description

java.naming.provider.url

Indicates the URL to the server where the repositories are stored.
This URL has the form ldap://<host>:<port>

java.naming.factory.initial

Indicates the name of the Java Class that implements the Initial Context. This system parameter should not be modified unless indicated otherwise.
The default value for this property is "com.sun.jndi.ldap.LdapCtxFactory"

java.naming.security.authentication

Indicates the authentication method used. This system parameter should not be modified unless indicated otherwise.
The default value for this property is "simple"

browseUserDN

User's Distinguished Name that is used by the server to retrieve the list of users, roles, etc.

browseUserPassword.plain

Password of the user indicated in the browseUserDN property. The value of this property should be typed as plain text. As soon as the server is restarted and the file read, it will automatically be replaced with the browseUserPassword property with the encrypted version of the password

roleDefAttributeID

Indicates the name of the attribute that entries must include to be considered roles

roleDefValueAttributeID

Indicates the value of the attribute that entries must have to be considered roles

roleNameAttributeID

Attribute used as the role's name

roleSearchBaseDN

DN that indicates the search sub tree for roles

userDefAttributeID

Indicates the name of the attribute that entries must include to be considered users

userDefValueAttributeID

Indicates the value of the attribute that entries must have to be considered users

userNameAttributeID

Attribute used as the user's name

userSearchBaseDN

DN that indicates the search sub tree for users

userRolesAttributeID

Name of the multi-valuued attribute that contains the list of roles assigned to a user

(warning) Note
If the list of roles indicated by the userRolesAttributeID attribute is a list of DNs (Distinguished Names) instead of the roles names directly, it is necesary to specify the dereferenceRoleAttribute attribute, which indicates the attribute that contains the name of the role.

In this case the value of the dereferenceRoleAttribute and roleNameAttributeID attributes must be the same for user-role assignment to work correctly.

(warning) Note
Entries representing Users need to specify the "dn" for authentication to be successful

Sample Configuration Files

Sample Configuration File for Microsoft Active Directory
#Microsoft - Active Directoy Configuation file

java.naming.provider.url  = ldap://dataserver:389
userRolesAttributeID      = memberOf
dereferenceRoleAttribute  = cn

#Browse user's  DN (used to bind to the Directory)

#Option 1: User Principal Name (username@domain)
#browseUserDN             = o3user@radiusserver.ideasoft.com
#browseUserPassword.plain = ????????

#Option 2: DN (Distinguished Name)
browseUserDN              = CN=O3User, OU=People, DC=radiusserver, DC=ideasoft, DC=com
browseUserPassword.plain  = ????????

#Roles's Entry definition
roleDefAttributeID        = objectclass
roleDefValueAttributeID   = group
roleNameAttributeID       = cn
roleSearchBaseDN          = ou=Roles, dc=radiusserver, dc=ideasoft, dc=com

#User's Entry definition
userDefAttributeID        = objectclass
userDefValueAttributeID   = user
userNameAttributeID       = sAMAccountName
userSearchBaseDN          = ou=People, dc=radiusserver, dc=ideasoft, dc=com
Sample Configuration File for SunONE Directory Server
#Sun ONE Directory Server Configuation file

java.naming.provider.url  = ldap://dataserver:51685
userRolesAttributeID      = nsrole
dereferenceRoleAttribute  = cn

#Browse user's  DN (used to bind to the Directory)
browseUserDN              = uid=admin, cn=directory administrators, dc=ideasoft
browseUserPassword.plain  = ????????

#Roles's Entry definition
roleDefAttributeID        = objectclass
roleDefValueAttributeID   = ldapsubentry
roleNameAttributeID       = cn
roleSearchBaseDN          = ou=People, dc=ideasoft

#User's Entry definition
userDefAttributeID        = objectclass
userDefValueAttributeID   = person
userNameAttributeID       = uid
userSearchBaseDN          = ou=People, dc=ideasoft
Sample Configuration File for Apache DS
java.naming.provider.url    = ldap://localhost:10389
userRolesAttributeID        = memberOf

#Browse user's  DN (used to bind to the Directory)
browseUserDN                = uid=admin,ou=users,o=ideasoft,dc=ideasoft,dc=com
browseUserPassword.plain    = ????????

#Role's Entry definition
roleDefAttributeID          = objectclass
roleDefValueAttributeID     = group
roleNameAttributeID         = cn
roleSearchBaseDN            = ou=Roles, o=ideasoft, dc=ideasoft, dc=com

#User's Entry definition
userDefAttributeID          = objectClass
userDefValueAttributeID     = person
uderNameAttributeIs         = uid
userSearchBaseDN            = ou=users,o=ideasoft,dc=ideasoft,dc=com
  • No labels