HowTo O3 Security over LDAP and Active Directory
This page describes how to configure the O3 Server to use LDAP or Active Directory as the authentication mechanism.
Basic knowledge of LDAP is required to understand these instructions, as well as basic experience regarding the configuration of the LDAP and Active Directory servers of your choice.
This description includes some examples that serve only as a guide, since the structure of directories may differ depending on the selected LDAP server.
These instructions apply to versions 4.0.400 or higher.
O3 Server security
O3 Server Security is based on a module usually known as RBAC (Role Based Access Control).
This module defines a set of repositories that store all elements involved in the security mechanisms of the server (users, roles, attributes, relationships between all of them, etc.).
It is possible to choose among different repository implementations thus allowing data to be stored and retrieved from different servers and using various technologies.
O3 includes an implementation that allows RBAC to connect to directory servers such as LDAP and Active Directory.
Configuring the O3 Server
The specific implementation of RBAC repositories is declared in a file called GServer.properties. This file is located in the folder <O3>/jboss/server/default/ideasoft-o3
This file defines a set of properties that describe the repository and how to access it.
#RBAC Repositories Configuration
#rbac.roleRepository = com.ideasoft.rbac.repository.impl.jndi.JndiRoleRepository
#rbac.userRepository = com.ideasoft.rbac.repository.impl.jndi.JndiUserRepository
#rbac.raAssignmentRepository = com.ideasoft.rbac.repository.impl.jndi.JndiRAAssignmentRepository
#rbac.loginService = com.ideasoft.rbac.repository.impl.jndi.JndiLoginService
O3's distribution ships all of these properties commented out, as shown above with every line starting with the hash mark (#). To activate the use of LDAP or Active Directory, remove the hash marks so that the block looks like this:
#RBAC Repositories Configuration
rbac.roleRepository = com.ideasoft.rbac.repository.impl.jndi.JndiRoleRepository
rbac.userRepository = com.ideasoft.rbac.repository.impl.jndi.JndiUserRepository
rbac.raAssignmentRepository = com.ideasoft.rbac.repository.impl.jndi.JndiRAAssignmentRepository
rbac.loginService = com.ideasoft.rbac.repository.impl.jndi.JndiLoginService
Note
If only users are to be validated against LDAP or Active Directory, with roles defined in the default database, only the lines identified as rbac.loginService and rbac.userRepository need to be uncommented. If the rbac.userRepository is not specified, all users will have to be stored both in the default database and the LDAP server.
Apart from enabling the use of these alternative implementations for the RBAC repositories, it is necessary to configure a set of parameters required specifically for LDAP or Active Directory.
These specifics are indicated in a separate file located in the folder <O3>/jboss/server/default/ideasoft-o3/config/rbac
The name of this file is indicated in the GServer.properties file using the property:
jndi.cfg.filename = JndiConfiguration-SunONE.properties
O3's distribution includes two sample files called JndiConfiguration-MS.properties and JndiConfiguration-SunONE.properties for Microsoft Active Directory and SunONE Directory Server respectively. These examples are shown below as a reference.
These files are structured as follows:
| Parameter | Description |
|---|---|
| java.naming.provider.url | Indicates the URL of the server where the repositories are stored. |
| java.naming.factory.initial | Indicates the name of the Java class that implements the Initial Context. This system parameter should not be modified unless indicated otherwise. |
| java.naming.security.authentication | Indicates the authentication method used. This system parameter should not be modified unless indicated otherwise. |
| browseUserDN | Distinguished Name of the user that the server binds as to retrieve the list of users, roles, etc. |
| browseUserPassword.plain | Password of the user indicated in the browseUserDN property. The value of this property is typed as plain text. As soon as the server is restarted and the file read, it is automatically replaced by a browseUserPassword property holding the encrypted version of the password. |
| roleDefAttributeID | Indicates the name of the attribute that entries must include to be considered roles. |
| roleDefValueAttributeID | Indicates the value of that attribute that entries must have to be considered roles. |
| roleNameAttributeID | Attribute used as the role's name. |
| roleSearchBaseDN | DN that indicates the search subtree for roles. |
| userDefAttributeID | Indicates the name of the attribute that entries must include to be considered users. |
| userDefValueAttributeID | Indicates the value of that attribute that entries must have to be considered users. |
| userNameAttributeID | Attribute used as the user's name. |
| userSearchBaseDN | DN that indicates the search subtree for users. |
| userRolesAttributeID | Name of the multi-valued attribute that contains the list of roles assigned to a user. |
Note
If the list of roles indicated by the userRolesAttributeID attribute is a list of DNs (Distinguished Names) instead of the role names themselves, it is necessary to specify the dereferenceRoleAttribute property, which indicates the attribute that contains the name of the role. In this case the values of the dereferenceRoleAttribute and roleNameAttributeID properties must be the same for user-role assignment to work correctly.
Note
Entries representing Users need to specify the "dn" for authentication to be successful
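To make the rules above concrete, here is an added example (not part of the O3 distribution) that reads a JndiConfiguration-*.properties file, reports the problems this page warns about (missing parameters, a dereferenceRoleAttribute that does not match roleNameAttributeID, a browseUserPassword.plain still sitting in clear text, a plain ldap:// URL), and shows the LDAP search base and filter that the role and user parameters imply. The sample file is constructed from the Active Directory example on this page with placeholder values; the way O3 actually combines the parameters into searches is an assumption made for illustration, and the filter escaping is RFC 4515, which any search built from an externally supplied username should apply.

```python
"""Validate an O3 JndiConfiguration properties file and show the searches it implies.
Added example for this page; not O3's own code. Sample input is constructed."""

# Constructed sample, modelled on the page's Active Directory file.
SAMPLE_AD = """\
#Microsoft - Active Directory Configuration file
java.naming.provider.url = ldap://dataserver:389
userRolesAttributeID = memberOf
dereferenceRoleAttribute = cn
browseUserDN = CN=O3User, OU=People, DC=radiusserver, DC=ideasoft, DC=com
browseUserPassword.plain = ????????
roleDefAttributeID = objectclass
roleDefValueAttributeID = group
roleNameAttributeID = cn
roleSearchBaseDN = ou=Roles, dc=radiusserver, dc=ideasoft, dc=com
userDefAttributeID = objectclass
userDefValueAttributeID = user
userNameAttributeID = sAMAccountName
userSearchBaseDN = ou=People, dc=radiusserver, dc=ideasoft, dc=com
"""

# Parameters the page documents as describing the directory layout.
REQUIRED = (
    "java.naming.provider.url", "browseUserDN",
    "roleDefAttributeID", "roleDefValueAttributeID", "roleNameAttributeID",
    "roleSearchBaseDN", "userDefAttributeID", "userDefValueAttributeID",
    "userNameAttributeID", "userSearchBaseDN", "userRolesAttributeID",
)


def parse_properties(text):
    """Minimal Java .properties reader: '#' comment lines, 'key = value' pairs."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def check_config(props):
    """Return findings based on the rules stated on this page plus two hygiene checks."""
    findings = []
    for key in REQUIRED:
        if key not in props:
            findings.append(f"missing required property: {key}")
    if "browseUserPassword.plain" not in props and "browseUserPassword" not in props:
        findings.append("no browse user password configured")
    if "browseUserPassword.plain" in props:
        # The server rewrites this to browseUserPassword on its next start; until
        # then the bind password is readable by anyone who can read the file.
        findings.append("browseUserPassword.plain present: password is in clear text "
                        "until the server rewrites the file")
    deref = props.get("dereferenceRoleAttribute")
    if deref is not None and deref != props.get("roleNameAttributeID"):
        findings.append("dereferenceRoleAttribute must equal roleNameAttributeID "
                        "for user-role assignment to work")
    if props.get("java.naming.provider.url", "").startswith("ldap://"):
        findings.append("plain ldap:// URL: simple binds send the browse user's "
                        "password in clear text on the wire")
    return findings


def ldap_filter(attr, value):
    """Equality filter with RFC 4515 escaping of the value."""
    esc = (value.replace("\\", "\\5c").replace("*", "\\2a")
                .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))
    return f"({attr}={esc})"


def role_search(props):
    """(base DN, filter) that the role parameters imply for listing roles (assumed)."""
    return (props["roleSearchBaseDN"],
            ldap_filter(props["roleDefAttributeID"], props["roleDefValueAttributeID"]))


def user_search(props, username):
    """(base DN, filter) to locate one user's entry, whose dn is then bound (assumed)."""
    flt = "(&%s%s)" % (
        ldap_filter(props["userDefAttributeID"], props["userDefValueAttributeID"]),
        ldap_filter(props["userNameAttributeID"], username))
    return props["userSearchBaseDN"], flt


if __name__ == "__main__":
    cfg = parse_properties(SAMPLE_AD)
    for f in check_config(cfg):
        print("finding:", f)
    print("roles:", role_search(cfg))
    print("user alice:", user_search(cfg, "alice"))
```

Run it against a real file with `parse_properties(open(path).read())`; an empty findings list means every parameter the page lists is present and the dereference rule holds. The `user_search` filter escapes the username so that a value such as `a)(cn=*` stays a literal and cannot widen the search.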
Sample Configuration Files
Sample Configuration File for Microsoft Active Directory
#Microsoft - Active Directory Configuration file
java.naming.provider.url = ldap://dataserver:389
userRolesAttributeID = memberOf
dereferenceRoleAttribute = cn
#Browse user's DN (used to bind to the Directory)
#Option 1: User Principal Name (username@domain)
#browseUserDN = o3user@radiusserver.ideasoft.com
#browseUserPassword.plain = ????????
#Option 2: DN (Distinguished Name)
browseUserDN = CN=O3User, OU=People, DC=radiusserver, DC=ideasoft, DC=com
browseUserPassword.plain = ????????
#Role's Entry definition
roleDefAttributeID = objectclass
roleDefValueAttributeID = group
roleNameAttributeID = cn
roleSearchBaseDN = ou=Roles, dc=radiusserver, dc=ideasoft, dc=com
#User's Entry definition
userDefAttributeID = objectclass
userDefValueAttributeID = user
userNameAttributeID = sAMAccountName
userSearchBaseDN = ou=People, dc=radiusserver, dc=ideasoft, dc=com
Sample Configuration File for SunONE Directory Server
#Sun ONE Directory Server Configuration file
java.naming.provider.url = ldap://dataserver:51685
userRolesAttributeID = nsrole
dereferenceRoleAttribute = cn
#Browse user's DN (used to bind to the Directory)
browseUserDN = uid=admin, cn=directory administrators, dc=ideasoft
browseUserPassword.plain = ????????
#Role's Entry definition
roleDefAttributeID = objectclass
roleDefValueAttributeID = ldapsubentry
roleNameAttributeID = cn
roleSearchBaseDN = ou=People, dc=ideasoft
#User's Entry definition
userDefAttributeID = objectclass
userDefValueAttributeID = person
userNameAttributeID = uid
userSearchBaseDN = ou=People, dc=ideasoft
Sample Configuration File for Apache DS
#Apache DS Configuration file
java.naming.provider.url = ldap://localhost:10389
userRolesAttributeID = memberOf
#Browse user's DN (used to bind to the Directory)
browseUserDN = uid=admin,ou=users,o=ideasoft,dc=ideasoft,dc=com
browseUserPassword.plain = ????????
#Role's Entry definition
roleDefAttributeID = objectclass
roleDefValueAttributeID = group
roleNameAttributeID = cn
roleSearchBaseDN = ou=Roles, o=ideasoft, dc=ideasoft, dc=com
#User's Entry definition
userDefAttributeID = objectClass
userDefValueAttributeID = person
userNameAttributeID = uid
userSearchBaseDN = ou=users,o=ideasoft,dc=ideasoft,dc=com