Topic/Category: Active Directory, LDAP

 

Issue:

In some cases, because of a limitation in the LDAP user and group search, Users and Groups cannot be found unless specific context paths are entered in the configuration.

This requires listing every OU that contains the authorized Users and Groups.

Combined realms are used in particular when multiple OUs must be searched in order to authenticate your users.

Since the Global Catalog port (port 3268) in AD is only used for following referrals to the CN description of a user account, the normal LDAP port (port 389) can have limitations that you encounter later on.

 

Applicable Ephesoft versions:

All Versions of Ephesoft

 

Root Cause:

A limitation of the service, which is not able to follow referrals down to the lowest sub-OU.

 

Solution:

 

Setting up Combined Realms in Tomcat:

 

  1. Add the following to the server.xml file around the current Realm configuration for LDAP, so that the roleBase of each realm can match any group membership:

<Realm className="org.apache.catalina.realm.CombinedRealm">
</Realm>

  2. Then add another Realm configuration after the already existing Realm setting. In the second Realm setting you add the secondary OU location that you want Tomcat to search when authenticating your users and looking up their groups.

Example:

<Realm className="org.apache.catalina.realm.CombinedRealm">
    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionURL="ldap://<AD ServerName/IP>:389"
           connectionName="cn=User,OU=Service Accounts,DC=Test,DC=Ephesoft,DC=com"
           connectionPassword="P@ssw0rd"
           userPattern="cn={0},OU=DomainUsersLocation1,DC=Test,DC=Ephesoft,DC=com"
           roleBase="OU=SecurityGroupsLocation1,DC=Test,DC=Ephesoft,DC=com"
           roleSubtree="true"
           roleName="cn"
           roleSearch="uniqueMember={0}"
    />
    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionURL="ldap://<AD ServerName/IP>:389"
           connectionName="cn=User,OU=Service Accounts,DC=Test,DC=Ephesoft,DC=com"
           connectionPassword="P@ssw0rd"
           userPattern="cn={0},OU=DomainUsersLocation2,DC=Test,DC=Ephesoft,DC=com"
           roleBase="OU=SecurityGroupsLocation2,DC=Test,DC=Ephesoft,DC=com"
           roleSubtree="true"
           roleName="cn"
           roleSearch="uniqueMember={0}"
    />
</Realm>
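The following script is an added example (not from the original article and not part of Ephesoft's product) that checks a CombinedRealm fragment like the one above offline, before it goes into server.xml. It flags the mistakes that most often break a combined-realm setup: an attribute left out of one of the JNDIRealm entries (an unclosed quote already fails XML parsing), a second realm copy-pasted with the same userPattern as the first (so no new OU is covered), a userPattern or roleSearch without its {0} placeholder, and a cleartext ldap:// bind, which sends the connectionPassword unencrypted. The host name ad.example.com and the two sample fragments are constructed for the example; the DNs follow the article's own Test.Ephesoft.com layout.

```python
"""Offline sanity check for a Tomcat CombinedRealm made of JNDIRealm entries.

Added example, not part of the original article or of Ephesoft's product.
Only the standard library is used; the script never contacts a directory.
"""
import xml.etree.ElementTree as ET

COMBINED = "org.apache.catalina.realm.CombinedRealm"
JNDI = "org.apache.catalina.realm.JNDIRealm"
# Attributes every per-OU realm in this pattern must carry.
REQUIRED = ("connectionURL", "connectionName", "userPattern", "roleBase", "roleSearch")


def check_combined_realm(xml_text):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Unbalanced quotes or a stray '<' inside an attribute value land here.
        return [("error", "XML does not parse: %s" % exc)]
    if root.tag != "Realm" or root.get("className") != COMBINED:
        return [("error", "outer element must be a Realm with className=%s" % COMBINED)]
    inner = [r for r in root.findall("Realm") if r.get("className") == JNDI]
    if len(inner) < 2:
        findings.append(("warn", "only %d JNDIRealm found; CombinedRealm adds nothing "
                                 "unless at least two OUs are listed" % len(inner)))
    seen_patterns = set()
    for idx, realm in enumerate(inner, 1):
        for attr in REQUIRED:
            if not realm.get(attr):
                findings.append(("error", "realm %d: missing %s" % (idx, attr)))
        if realm.get("connectionURL", "").startswith("ldap://"):
            findings.append(("warn", "realm %d: cleartext ldap:// bind sends the "
                                     "connectionPassword unencrypted" % idx))
        pattern = realm.get("userPattern", "")
        if pattern and "{0}" not in pattern:
            findings.append(("error", "realm %d: userPattern lacks the {0} placeholder" % idx))
        if pattern and pattern in seen_patterns:
            findings.append(("warn", "realm %d: duplicate userPattern; this realm covers no new OU" % idx))
        seen_patterns.add(pattern)
        search = realm.get("roleSearch", "")
        if search and "{0}" not in search and "{1}" not in search:
            findings.append(("error", "realm %d: roleSearch has no {0}/{1} placeholder" % idx))
    return findings


# Constructed sample: two OUs, mirroring the article's layout (host name is made up).
GOOD_CONFIG = """\
<Realm className="org.apache.catalina.realm.CombinedRealm">
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://ad.example.com:389"
         connectionName="cn=User,OU=Service Accounts,DC=Test,DC=Ephesoft,DC=com"
         connectionPassword="P@ssw0rd"
         userPattern="cn={0},OU=DomainUsersLocation1,DC=Test,DC=Ephesoft,DC=com"
         roleBase="OU=SecurityGroupsLocation1,DC=Test,DC=Ephesoft,DC=com"
         roleSubtree="true" roleName="cn" roleSearch="uniqueMember={0}" />
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://ad.example.com:389"
         connectionName="cn=User,OU=Service Accounts,DC=Test,DC=Ephesoft,DC=com"
         connectionPassword="P@ssw0rd"
         userPattern="cn={0},OU=DomainUsersLocation2,DC=Test,DC=Ephesoft,DC=com"
         roleBase="OU=SecurityGroupsLocation2,DC=Test,DC=Ephesoft,DC=com"
         roleSubtree="true" roleName="cn" roleSearch="uniqueMember={0}" />
</Realm>
"""

# Constructed broken copy: second realm pasted without changing the user OU and
# with its roleBase dropped, the two slips the check is meant to catch.
BAD_CONFIG = GOOD_CONFIG.replace("DomainUsersLocation2", "DomainUsersLocation1").replace(
    'roleBase="OU=SecurityGroupsLocation2,DC=Test,DC=Ephesoft,DC=com"', "")

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name)
        for sev, msg in check_combined_realm(cfg) or [("ok", "no findings")]:
            print("  [%s] %s" % (sev, msg))
```

Paste the Realm fragment you intend to deploy into the script (or read it from a file) and run it; the "good" sample reports only the two cleartext-bind warnings, while the "bad" sample reports the missing roleBase and the duplicated userPattern. Because the article's example uses port 389 over plain ldap://, the warning is expected there; it is a reminder that the service-account password crosses the network unencrypted unless the URL is changed to ldaps://.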

 

 

This configuration is only needed if you are not able to use the Global Catalog port in Active Directory. You will also need to follow the instructions for setting up AD at the OU level.
The following article will assist you with this:

How to Configure Active Directory using the Standard LDAP port?

 

More Info:

Other Active Directory Related Articles

Other LDAP Related Articles

 

 
