Topic: Configuring your Ephesoft Installation to Authenticate with AD using the Global Catalog port.

By using the Global Catalog service you can use the root domain (domain components, DC, only) as both the user base and the role base for authentication against LDAP/MS Active Directory.

This means a single realm configuration handles all authentication and authorization requests.

All that is required is knowledge of the root domain.
MS Active Directory:

MS Active Directory listens on various ports for different purposes.

Port 3268 is the Global Catalog port of MS Active Directory.

MS Active Directory working as a plain LDAP service cannot handle root domain search requests: searching a root domain in Active Directory returns referrals to the root components, which only the Global Catalog service can resolve, not the normal LDAP service.


Applicable Ephesoft versions:

Ephesoft v3.1, and v4.0


Instructions:


1. Modify the user-connectivity.properties file located in:

Ephesoft Install Directory\Application\WEB-INF\classes\META-INF\dcma-user-connectivity


a.   Set the following settings with the correct domain and connection information:


# LDAP/MS Active Directory

user.connectivity_url=ldap://<Servername/IP>:3268
user.connectivity_config=com.sun.jndi.ldap.LdapCtxFactory
user.connectivity_domain_component_name=test,dc=ephesoft
user.connectivity_domain_component_organization=com
user.connectivity_username=cn=User,dc=test,dc=ephesoft,dc=com
user.connectivity_password=P@ssw0rd

Note: If your configuration involves a sub-domain, write the domain component name in the following format: user.connectivity_domain_component_name=sub,dc=domainname

b.   Enable the Active Directory authentication feature by changing the following settings:

# This Property defines which type of connectivity is used
# 0 = LDAP
# 1 = MS Active Directory
# 2 = Tomcat
user.connection=1


c.   Setting changes for LDAP: the normal LDAP service can search the root domain without any further configuration, so little needs to change to make LDAP work with the root domain chosen as base.

The changes are:

– Set “user.ldap_user_base” to empty.
– Set “user.ldap_group_base” to empty.

  Note: These properties were added in installer version 3.0.2.0. If you are running a version prior to 3.0.2.0, add them to your properties file as described above.


d.   Set “user.msactivedirectory_context_path” to empty.

e.   Set “user.msactivedirectory_group_search_filter” to a single filter value.

This setting must be kept in sync with the corresponding Realm setting in server.xml.


Example configuration for the user-connectivity.properties file:


# LDAP/MS Active Directory

user.connectivity_url=ldap://<Servername/IP>:3268
user.connectivity_config=com.sun.jndi.ldap.LdapCtxFactory
user.connectivity_domain_component_name=test,dc=ephesoft
user.connectivity_domain_component_organization=com
user.connectivity_username=cn=User,dc=test,dc=ephesoft,dc=com
user.connectivity_password=P@ssw0rd
# This Property defines which type of connectivity is used
# 0 = LDAP
# 1 = MS Active Directory
# 2 = Tomcat
user.connection=1
# Set this for LDAP Connectivity
user.ldap_user_base=
user.ldap_group_base=
# This attribute makes the search of groups in LDAP/AD configurable; by default cn (commonName) is used
user.connectivity_groupSearchAttributeFilter=cn
# This attribute makes the search of users (organisational unit) in LDAP/AD configurable; by default cn
user.connectivity_userSearchAttributeFilter=cn
# Set this for MS Active Directory
user.msactivedirectory_context_path=
# filter can use |(OR), &(AND) and !(NOT)
# | (|(cn=a*))
# & (&(cn=a*))
# ! (!(cn=a*))
# complex example: (&(!(cn=a*))(|(cn=ephesoft*)(&(cn=b*))))
user.msactivedirectory_group_search_filter=(cn=ephesoft*)
# Tomcat Connectivity
user.tomcatUserXmlPath=C:\\Ephesoft\\JavaAppServer/conf/tomcat-users.xml
# Switch to display the user's full name on the application UI.
# Default value is OFF.
# 1 = ON.
fullname.display=1


Configuration properties that need to be modified:

user.connectivity_url – the URL of the AD/LDAP server

user.msactivedirectory_context_path – path to the root OU where groups reside. Multiple locations can be specified with a “;;” delimiter (e.g. OU=Internal Groups;;OU=Contractors)

user.connectivity_domain_component_name – component value; for AD this is the DC below the root DC. There can be only one value here, such as ‘ephesoft’; ‘cn=na,cn=ephesoft’ or ‘cn=ephesoft’ is not allowed.

user.connectivity_domain_component_organization – root DC of the AD store (typically “com”)

user.connectivity_username – user name used to connect to the AD server.

user.connectivity_password – password of the user used to connect to the AD server.

user.msactivedirectory_group_search_filter – display only the groups that match the filter value

user.connection – a value between 0 and 2 selecting the AD, LDAP or Tomcat configuration used to authenticate users.


2.  Next, modify the Realm settings in the server.xml file located in:

Ephesoft Install Directory\JavaAppServer\conf

<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionURL="ldap://<Server-Name/IP>:3268"
connectionName="<Authenticated-User-Name>"
connectionPassword="<Authenticated-User-Password>"
userBase="<Any Chosen User Base>"
userSearch="<Unique parameter for user search; suggested: (sAMAccountName={0})>"
userSubtree="true"
referrals="follow"
roleBase="<Any Chosen Role Base>"
roleName="cn"
roleSubtree="true"
roleSearch="(member={0})"
/>

Example Realm configuration:

<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://192.1.0.2:3268"
       connectionName="cn=User1,dc=test,dc=ephesoft,dc=com"
       connectionPassword="P@ssw0rd"
       userBase="DC=test,DC=ephesoft,DC=com"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       referrals="follow"
       roleBase="DC=test,DC=ephesoft,DC=com"
       roleName="cn"
       roleSubtree="true"
       roleSearch="(member={0})"
/>

Note: The default Realm settings in the server.xml file are not the same as the Realm configuration mentioned above. Please make sure to copy the above example to your server.xml and modify accordingly.

Attributes in the Realm element that need to be modified:

connectionURL – the URL of the LDAP server

connectionName – user name used to connect to the AD server.

connectionPassword – password of the user used to connect to the AD server.

userPattern – path and pattern to the users

roleBase – path to the root where groups reside. Groups must share a common OU to be included in the role base, but they can be in sub-directories under this specified root

roleSubtree – enables searches in sub-groups

roleName – attribute of the AD groups that should be included

roleSearch – attribute in the groups specifying the user. The {0} is used as a wild card to indicate all users in those groups

Limitations of this Solution

Issue: The authentication described above can run into ambiguity when multiple users share the same “name” (the user-distinguishing parameter in the realm). In that case the client login request cannot be handled reliably, because which user entry is chosen depends on the LDAP/MS Active Directory implementation of the server concerned. See the following example:

Three users:

  • CN=admin, OU=sales, DC=ephesoft, DC=com
  • CN=admin, OU=java, OU=tech, DC=ephesoft, DC=com
  • CN=admin, OU=management, DC=ephesoft, DC=com

Realm settings:

  • Realm “user base” set to the domain components (DC=ephesoft, DC=com).
  • Realm “user search” set to “cn={0}” (checks for common name = <value used for login>).
  • Intended user to log in: CN=admin, OU=sales, DC=ephesoft, DC=com.

In this scenario the realm searches all child entries of DC=ephesoft, DC=com on the LDAP/MS AD server for a user entry whose common name equals the username (“admin”). It finds the first matching entry and authenticates against it, and that entry might not be the intended one. The point of concern is therefore to choose the “user search” parameter carefully.

Solution:

  • Choose the “user search” value in the realm so that it identifies your user uniquely; the attribute used for searching must uniquely identify each user entry in LDAP/MS AD.
  • Have the user enter their value of that unique attribute as the username when logging in to the application.
  • Using cn (common name), first name or last name as the “user search” parameter can cause this scenario.
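As an added example that is not part of the article, the following Python script mimics the realm's user search over a constructed snapshot of the three CN=admin users above and evaluates filters written in the syntax of the user.msactivedirectory_group_search_filter comments from step 1; the sAMAccountName values are assumed, and a pre-deployment uniqueness check for the chosen search attribute is included.

```python
import re

# Constructed snapshot of the article's three CN=admin users; the sAMAccountName values are assumed.
ENTRIES = {
    "CN=admin,OU=sales,DC=ephesoft,DC=com": {"cn": "admin", "sAMAccountName": "admin.sales"},
    "CN=admin,OU=java,OU=tech,DC=ephesoft,DC=com": {"cn": "admin", "sAMAccountName": "admin.java"},
    "CN=admin,OU=management,DC=ephesoft,DC=com": {"cn": "admin", "sAMAccountName": "admin.mgmt"},
}

def parse_filter(text):
    """Minimal LDAP filter parser: (&..), (|..), (!..) and (attr=value) with '*' wildcards."""
    def parse(pos):
        if text[pos] != "(":
            raise ValueError(f"expected '(' at {pos}")
        op = text[pos + 1]
        if op in "&|!":
            pos, subs = pos + 2, []
            while text[pos] == "(":
                node, pos = parse(pos)
                subs.append(node)
            if text[pos] != ")" or (op == "!" and len(subs) != 1):
                raise ValueError(f"malformed filter near {pos}")
            return (op, subs), pos + 1
        end = text.index(")", pos)
        attr, value = text[pos + 1:end].split("=", 1)
        return ("=", attr, value), end + 1
    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node
def matches(node, attrs):
    """Evaluate a parsed filter against one entry (attribute names and values case-insensitive)."""
    if node[0] == "&": return all(matches(s, attrs) for s in node[1])
    if node[0] == "|": return any(matches(s, attrs) for s in node[1])
    if node[0] == "!": return not matches(node[1][0], attrs)
    _, attr, value = node
    actual = next((v for k, v in attrs.items() if k.lower() == attr.lower()), "")
    pattern = re.escape(value).replace(r"\*", ".*")  # '*' is the only wildcard supported
    return re.fullmatch(pattern, actual, re.IGNORECASE) is not None
def user_search(entries, base, template, login):
    """Mimic JNDIRealm userSearch with userSubtree=true: substitute {0}, return the matching DNs.
    The login is inserted verbatim here; a real realm must escape RFC 4515 special characters."""
    node, base = parse_filter(template.replace("{0}", login)), base.lower()
    return [dn for dn, attrs in entries.items()
            if (dn.lower() == base or dn.lower().endswith("," + base)) and matches(node, attrs)]
def ambiguous_values(entries, attr):
    """Pre-deployment check: attribute values shared by more than one entry under the user base."""
    vals = [a.get(attr) for a in entries.values()]
    return {v for v in vals if vals.count(v) > 1}
```

Running user_search with "(cn={0})" and login "admin" against DC=ephesoft,DC=com returns all three entries, while "(sAMAccountName={0})" returns exactly one; ambiguous_values tells you before deployment whether the attribute you plan to use in userSearch is unique.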


3. You will also need to modify the application.properties file located in your \Ephesoft\Application\WEB-INF\classes\META-INF directory.


Update the following settings in this file:

update_super_admin_group=true

Note that the value here is the AD group name:

user.super_admin=Administrators

The group name you provide for user.super_admin= will have super admin privileges, i.e. access to all the functionality of Ephesoft. The users in the group are called super admin users; they can assign user roles from the Ephesoft UI -> System Configuration -> Access Manager screen to other users who belong to different groups and are not part of the super admin group.

Make sure your user (the super admin user) is present in the group you defined in user.super_admin in the application.properties file. If not, the user will get authorization errors such as the one in the screenshot below:

[Screenshot: authorization error shown to a user who is not in the super admin group]

More Info:

If the Active Directory user you are using in user-connectivity.properties and server.xml has a CN that differs from the sAMAccountName in its AD user configuration, set user.connectivity_userSearchAttributeFilter= to sAMAccountName, like so: user.connectivity_userSearchAttributeFilter=sAMAccountName


wikiadmin
