Integrating Ephesoft with LDAP

This wiki article explains in detail how to integrate Ephesoft with LDAP. It walks through each property that must be set in order to configure Ephesoft with LDAP successfully.

In Ephesoft, the integration is driven by the 3 configuration files listed below:

  • server.xml
  • user-connectivity.properties
  • application.properties

What is required to configure Ephesoft with LDAP?

In order to integrate Ephesoft with LDAP successfully, it is essential to understand the directory structure first. If you do not know how your LDAP directory is laid out, you will not be able to fill in the Ephesoft configuration files correctly.

We expect users to have at least the following knowledge of their LDAP directory:

  • A user that exists in the directory.
  • The password of that user.
  • The difference between domain components, Organizational Units, Groups and Users.
  • Where Users are located in LDAP.
  • Where Groups are located in LDAP.
  • Which Users are mapped to which Groups.

Sample Directory Structure Example to be used to Configure LDAP

In this section we go through an example directory structure that will help us configure Ephesoft to integrate with LDAP.

After looking at the LDAP structure below, we will have the information required to configure Ephesoft with LDAP.

  • We have a domain controller named com.ephesoft, where the root domain is “com” and it has a sub-domain called “ephesoft”. These domain components are denoted with the abbreviation “dc”.
  • There can be more than 1 sub-domain as well, for example com.ephesoft.support, depending on your organization's structure.
  • In the directory structure below we have two OUs, called groups and people.
  • The groups OU contains the Groups / Roles in LDAP. We have 5 groups, named admin, role1, role2, role3 and role4.
  • The people OU contains the Users in LDAP. We have 5 users, named aj, ephesoft, user1, user2 and user4.
  • We know that the user “ephesoft” is a member of the group admin.

We now have all the information required to configure Ephesoft with LDAP.


Understanding Roles in Ephesoft

In Ephesoft we distinguish the following roles:

  • Super Administrator: A Super Administrator has complete access to the Ephesoft User Interface.
  • Administrator: An Administrator does not have access to the System Configuration User Interface.
  • Operator: An Operator usually has access only to non-admin User Interfaces such as Batch List, Review and Validate.

Configuring Ephesoft Server.xml

  • In the server.xml file we define how to reach LDAP; the configuration in this file is used to authenticate users and to fetch users and groups from LDAP.
  • Below is a sample screenshot of the Realm setting in server.xml that is used to connect to LDAP and authenticate users.


  • className: This needs to be set to org.apache.catalina.realm.JNDIRealm, which is Tomcat's JNDIRealm class.
  • connectionURL: The URL of the LDAP server, in the form ldap://<IP,DNS,FQDN>:<PORT>. The port is 389 for plain LDAP or 636 for LDAPS (Secure LDAP); with LDAPS the scheme is ldaps://.
  • connectionName: The Distinguished Name of a user that exists in LDAP; this account is used to bind and perform the searches. In the screenshot above, cn=Manager,dc=ephesoft,dc=com means a user named “Manager” exists under the “ephesoft” sub-domain of the “com” root domain.
  • connectionPassword: The password of the user defined in connectionName.
  • userBase: The base entry under which user information is located; this attribute defines where to look for a user. In our example above we look for users directly under our sub-domain, so with userSubtree enabled the search covers the sub-domain itself as well as all of its Organizational Units.
  • userSearch: The LDAP search filter used to find the user entry after the username has been substituted for {0}. A typical value is “cn={0}”.
  • roleBase: The base entry under which role information is located; this attribute defines where to look for the roles of a user. In this example we search for all Roles / Groups under the sub-domain “ephesoft” as well as in all of its Organizational Units.
  • roleName: The attribute of a role entry that holds the name of that role. In the example above, the value of the cn attribute in LDAP is used.
  • roleSearch: The LDAP search filter for selecting role entries. It may include the pattern “{0}”, which is replaced by the distinguished name of the authenticated user. In the example above, the uniqueMember attribute of the group entries is matched against that DN.
  • userSubtree: The search scope for users. Set to true to search the entire subtree rooted at the userBase entry.
  • roleSubtree: The search scope for roles. Set to true to search the entire subtree rooted at the roleBase entry.
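A complete Realm element for the sample directory above, as an added example (it is not the screenshot from the original article); the host name ldap.example.com and the password placeholder are assumptions, and the bind account cn=Manager follows the text.

```xml
<!-- Tomcat JNDIRealm for the sample directory dc=ephesoft,dc=com.
     Added example, not the article's own screenshot. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       <!-- Weak setting: ldap://ldap.example.com:389 sends the bind password
            and user credentials in clear text. Prefer LDAPS on 636. -->
       connectionURL="ldaps://ldap.example.com:636"
       <!-- Read-only service account used to bind and search (assumed DN). -->
       connectionName="cn=Manager,dc=ephesoft,dc=com"
       connectionPassword="CHANGE_ME_PLACEHOLDER"
       <!-- Users live in ou=people; searching from the sub-domain root with
            userSubtree="true" also works but is broader than needed. -->
       userBase="ou=people,dc=ephesoft,dc=com"
       userSearch="(cn={0})"
       userSubtree="true"
       <!-- Groups live in ou=groups; {0} in roleSearch is the user's DN and
            cn of each matching group becomes a role name (admin, role1, ...). -->
       roleBase="ou=groups,dc=ephesoft,dc=com"
       roleName="cn"
       roleSearch="(uniqueMember={0})"
       roleSubtree="true" />
```

With this Realm, a login as “ephesoft” resolves to cn=ephesoft,ou=people,dc=ephesoft,dc=com and, because that DN is a uniqueMember of cn=admin,ou=groups,dc=ephesoft,dc=com, the user is granted the role admin.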

Configuring Ephesoft user-connectivity.properties

  • The user-connectivity.properties file takes care of the Authorization part and of group filtering. Here we can restrict which groups / roles are fetched from LDAP.
  • Below is an example of how to configure the user-connectivity.properties file.

  • user.connectivity_url: The URL of the LDAP server, in the form ldap://<IP,DNS,FQDN>:<PORT>, where the port is 389 for LDAP or 636 for LDAPS.
  • user.connectivity_domain_component_name: The sub-domain component. If there is more than one sub-domain, for example com.ephesoft.support, the value is written as user.connectivity_domain_component_name=support,dc=ephesoft
  • user.connectivity_domain_component_organization: The root-level domain name.
  • user.connection: This property needs to be set to 0 if Active Directory is used.
  • user.ldap_user_base: An LDAP-specific property; set it to a specific OU if users should only be picked from that context path. Example: user.ldap_user_base=ou=groups.
  • user.ldap_group_base: An LDAP-specific property; set it to a specific OU if groups should only be picked from that context path or organizational unit. Example: user.ldap_group_base=ou=people.

Configuring Ephesoft application.properties

  • This file is used to set the super admin group details.
  • Two properties require a change: user.super_admin, where the super admin groups are defined, and update_super_admin_group, whose flag needs to be set to true.

Access Management on Ephesoft User Interface

  • A Super User, i.e. a member of the Super User Group, has access to all pages of the Ephesoft User Interface, to all Batch Classes and to all Batch Instances. Only this user can grant access to other groups and assign roles to other groups at the batch class level.
  • The Access Manager UI is where access control can be assigned to other groups.


  • The Roles column in the Batch Class Management screen is where access control is granted at the Batch Class and Batch Instance level. As you can see in the screenshot below, only users in the role1 group will be able to view the BC3A batch class and its associated Batch Instances.


Abhishek Jain