
Configuring User Directories (LDAP)


Not usable on replica nodes

ActiveDirectory/LDAP configuration

The deployment supports authentication through ActiveDirectory (LDAP). To configure this, create or edit the XML file conf/photon-authentication/settings.xml and add/modify the following section:

conf/photon-authentication/settings.xml
<s:settings xmlns:s="http://www.systar.com/gluon/settings">
    <s:setting name="authenticationConfiguration" class="com.systar.photon.application.impl.conf.ShiroConf">
        <shiro-configuration>
            <component name="thirdPartyRealm" type="com.systar.photon.application.impl.authentication.CustomActiveDirectoryRealm">
                <property name="property_name">property_value</property>
                (...)
            </component>
        </shiro-configuration>
    </s:setting>
</s:settings>

You must first configure the LDAP connection using the component com.systar.photon.application.impl.authentication.CustomActiveDirectoryRealm.

The name of the component can be whatever you want, as long as it is unique (and different from authenticatorRealm).

Parameter properties (with whether each is mandatory) and their description:

url (Mandatory: Yes)

The URL of the LDAP server. It must contain the LDAP scheme and the port.
For example, ldap://127.0.0.1:389

searchBase (Mandatory: Yes)

The distinguished name of the search base object where the search begins.

uniqueMemberAttribute (Mandatory: Yes)

Identifies an attribute of the LDAP user entry whose value is unique for each entry, so that it identifies the user.
For example, uniqueMemberAttribute=email or uniqueMemberAttribute=uid

uniqueMemberAttributeValuePattern (Mandatory: No)

It requires the following fields:

  • groupRolesMap and/or attributeAsLogin
  • searchBase
  • uniqueMemberAttribute

Defines the pattern applied to the login (it may differ from ldapLoginPattern) to build the value searched for. In the pattern, '%s' is replaced by the user login.
For example, uniqueMemberAttributeValuePattern=%s@my_company.com

By default, the login is used as the user typed it (as if the pattern were '%s').

ldapLoginPattern (Mandatory: No)

Defines the pattern applied to the login typed by the user before trying to connect to an ActiveDirectory server. In the pattern, '%s' is replaced by the user login.
For example, if the users are in a domain 'DOMAIN', configure the pattern as 'DOMAIN\%s'

By default, the login is used as the user typed it (as if the pattern were '%s').

ldapLogin (Mandatory: No)

Login used to authenticate over LDAP with a generic user. ldapLoginPattern is not used in this case.

ldapPassword (Mandatory: No)

Password used to authenticate over LDAP with a generic user. ldapLoginPattern is not used in this case.

attributeAsLogin (Mandatory: No)

LDAP user attribute used as the login in Decision Insight.
By default, the login is used as typed by the user (ldapLoginPattern is NOT used here).

attributeAsFirstName (Mandatory: No)

LDAP user attribute imported into the Decision Insight user attribute first name.
If the LDAP user attribute is not set, the Decision Insight user attribute first name is not overridden.
If this parameter is not set, the value is not imported into Decision Insight.

attributeAsLastName (Mandatory: No)

LDAP user attribute imported into the Decision Insight user attribute last name.
If the LDAP user attribute is not set, the Decision Insight user attribute last name is not overridden.
If this parameter is not set, the value is not imported into Decision Insight.

attributeAsEmail (Mandatory: No)

LDAP user attribute imported into the Decision Insight user attribute email.
If the LDAP user attribute is not set, the Decision Insight user attribute email is not overridden.
If this parameter is not set, the value is not imported into Decision Insight.

attributeAsDescription (Mandatory: No)

LDAP user attribute imported into the Decision Insight user attribute description.
If the LDAP user attribute is not set, the Decision Insight user attribute description is not overridden.
If this parameter is not set, the value is not imported into Decision Insight.

groupRolesMap (Mandatory: No)

Map between LDAP group distinguished names and Decision Insight roles.

  • Multiple roles can be mapped to one group using a comma "," between role names.
  • Multiple group-role mappings can be set using a comma "," between mappings.

The syntax to use is:

mapping1, mapping2[, mappingN]

where each mapping is as follows:

"groupDN":"roleName1[,roleNameN]"

that is, "group1":"role1","group2":"role2,role3"

If not set, the user is able to connect whatever groups they belong to and is assigned the default built-in role Users.

resolveRolesByUserAttribute (Mandatory: No)

true/false: if true, the user's LDAP group membership is determined from its memberOf attributes.

Default value is true.

resolveRolesByGroupMembership (Mandatory: No)

true/false: if true, the user's LDAP group membership is determined from its parent group DN.

Default value is false.

groupAttributeAsUserGroupMember (Mandatory: No)

LDAP group attribute that lists its members.

If defined, Decision Insight searches for the user login in the member lists of all groups defined in groupRolesMap. All matches determine the user's group membership.
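The groupRolesMap syntax and the three resolution switches above (resolveRolesByUserAttribute, resolveRolesByGroupMembership and groupAttributeAsUserGroupMember) are easier to reason about when run against a sample directory. The Python below is an added illustration, not Decision Insight code: it parses a groupRolesMap value into a dictionary and then computes a user's roles from their memberOf values, from the parent DN of their own entry, and from a group's member attribute. The user and group entries are constructed for the example (the DNs reuse those of the configuration examples that follow), the function names are the example's own, and how the product matches a member value (DN or login) and what it assigns when no mapped group matches are assumptions noted in the code.

```python
"""Added example, not Decision Insight's own code: parse a groupRolesMap
value and resolve a user's roles the three ways the parameters above
describe (memberOf attribute, parent group DN, group member attribute).
Directory entries are constructed for the example; the realm's real
matching rules are assumed, not taken from the product."""
import re
from typing import Dict, List, Optional, Set

# One mapping is "groupDN":"role1[,roleN]"; mappings are comma-separated.
# Quotes are needed because DNs themselves contain commas.
_MAPPING_RE = re.compile(r'"([^"]+)"\s*:\s*"([^"]+)"')


def normalize_dn(dn: str) -> str:
    """DNs compare case-insensitively; drop whitespace around separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parent_dn(dn: str) -> str:
    """Drop the leading RDN: CN=x,OU=y,DC=z -> OU=y,DC=z."""
    return normalize_dn(dn).split(",", 1)[1]


def parse_group_roles_map(value: str) -> Dict[str, List[str]]:
    """Turn the groupRolesMap property text into {normalized groupDN: [roles]}."""
    mapping: Dict[str, List[str]] = {}
    for group_dn, roles in _MAPPING_RE.findall(value):
        mapping[normalize_dn(group_dn)] = [r.strip() for r in roles.split(",") if r.strip()]
    return mapping


def resolve_roles(user: dict, groups: Dict[str, Dict[str, List[str]]],
                  group_roles_map: str,
                  resolve_by_user_attribute: bool = True,
                  resolve_by_group_membership: bool = False,
                  group_member_attribute: Optional[str] = None) -> Set[str]:
    """Return the Decision Insight roles for `user`.

    user   : {"dn": ..., "login": ..., "memberOf": [...]}  (constructed entry)
    groups : {groupDN: {attribute: [values]}}             (constructed entries)
    The keyword arguments mirror resolveRolesByUserAttribute (default true),
    resolveRolesByGroupMembership (default false) and groupAttributeAsUserGroupMember.
    """
    mapping = parse_group_roles_map(group_roles_map)
    if not mapping:
        # groupRolesMap unset: any user may log in and gets the built-in role.
        return {"Users"}

    member_of: Set[str] = set()
    if resolve_by_user_attribute:
        member_of.update(normalize_dn(g) for g in user.get("memberOf", []))
    if resolve_by_group_membership:
        member_of.add(parent_dn(user["dn"]))
    if group_member_attribute:
        # Assumption: a member value may hold either the user's DN or login.
        identities = {normalize_dn(user["dn"]), user["login"].lower()}
        by_dn = {normalize_dn(dn): attrs for dn, attrs in groups.items()}
        for group_dn in mapping:
            members = by_dn.get(group_dn, {}).get(group_member_attribute, [])
            if any(normalize_dn(m) in identities for m in members):
                member_of.add(group_dn)

    roles: Set[str] = set()
    for group_dn in member_of:
        roles.update(mapping.get(group_dn, []))
    # Assumption: a user matching no mapped group gets no role at all.
    return roles


# Constructed sample data; the DNs mirror the configuration examples.
GROUP_ROLES_MAP = '''
    "CN=inno,OU=Global Groups,OU=DecisionInsight,OU=bbr,DC=axway,DC=fr":"User,inno",
    "OU=Global Groups,OU=DecisionInsight,OU=bbr,DC=axway,DC=fr":"User",
    "CN=Developpeurs,OU=Groups,OU=bbr,DC=axway,DC=fr":"Super administrator"
'''
USER = {
    "dn": "CN=jdoe,OU=Global Groups,OU=DecisionInsight,OU=bbr,DC=axway,DC=fr",
    "login": "jdoe",
    "memberOf": ["CN=inno,OU=Global Groups,OU=DecisionInsight,OU=bbr,DC=axway,DC=fr"],
}
GROUPS = {
    "CN=Developpeurs,OU=Groups,OU=bbr,DC=axway,DC=fr": {"member": [USER["dn"]]},
}

if __name__ == "__main__":
    print(sorted(resolve_roles(USER, GROUPS, GROUP_ROLES_MAP)))               # ['User', 'inno']
    print(sorted(resolve_roles(USER, GROUPS, GROUP_ROLES_MAP, False, True)))  # ['User']
    print(sorted(resolve_roles(USER, GROUPS, GROUP_ROLES_MAP,
                               group_member_attribute="member")))           # ['Super administrator', 'User', 'inno']
```

Note the second call: with the memberOf lookup switched off and parent-DN resolution on, jdoe's roles come only from the mapping for the OU that contains their entry, which is exactly the situation the last configuration example sets up.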

Configuration examples

Each example states the purpose of the configuration, followed by the configuration itself.

ActiveDirectory connection

  • Authentication by user login/password
  • User attributes are retrieved through the sAMAccountName user attribute that matches uniqueMemberAttributeValuePattern (for example somebody@axway.com)
  • Retrieve some user attributes
  • Retrieve groups from user memberOf attribute


conf/photon-authentication/settings.xml
<s:settings xmlns:s="http://www.systar.com/gluon/settings">
    <s:setting name="authenticationConfiguration" class="com.systar.photon.application.impl.conf.ShiroConf">
        <shiro-configuration>
            <component name="thirdPartyRealm" type="com.systar.photon.application.impl.authentication.CustomActiveDirectoryRealm">
                <property name="url">ldap://ad.axway.fr:389</property>
                <property name="ldapLoginPattern">bbr\%s</property>
                <property name="groupRolesMap">
                    "CN=inno,OU=Global Groups,OU=DecisionInsight,OU=bbr,DC=axway,DC=fr":"User,inno",
                    "CN=Developpeurs,OU=Groups,OU=bbr,DC=axway,DC=fr":"Super administrator"
                </property>
                <property name="searchBase">DC=axway,DC=fr</property>
                <property name="uniqueMemberAttribute">sAMAccountName</property>
                <property name="uniqueMemberAttributeValuePattern">%s@axway.com</property>
                <property name="attributeAsFirstName">givenName</property>
                <property name="attributeAsLastName">sn</property>
                <property name="attributeAsEmail">mail</property>
                <property name="attributeAsDescription">displayName</property>
            </component>
        </shiro-configuration>
    </s:setting>
</s:settings>
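The example above rewrites the typed login twice: ldapLoginPattern (bbr\%s) produces the name used to bind, and uniqueMemberAttributeValuePattern (%s@axway.com) produces the value searched for in sAMAccountName. The Python below is an added illustration, not Decision Insight code: it applies both patterns independently and then escapes the search value as RFC 4515 requires, so a login containing filter metacharacters such as * or ) stays a literal value inside the user lookup. The function names and the exact filter shape are assumptions about how such a realm works; the parameter names and values are the page's.

```python
"""Added example, not Decision Insight code: apply ldapLoginPattern and
uniqueMemberAttributeValuePattern to a typed login and build the user
search filter with RFC 4515 escaping. The function names and the exact
filter shape are assumptions; the parameter names are the page's."""


def apply_pattern(pattern: str, login: str) -> str:
    """Replace '%s' in the pattern with the login; '%s' alone is the default."""
    return pattern.replace("%s", login)


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside a filter assertion value."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_bind_and_filter(login: str, ldap_login_pattern: str = "%s",
                          unique_member_attribute: str = "sAMAccountName",
                          unique_member_attribute_value_pattern: str = "%s"):
    """Return (bind name, search filter) for one login attempt.

    The bind name is what the realm presents to the server (DOMAIN\\user for
    ActiveDirectory); it is not a filter, so it is left as produced.  The
    search value is interpolated into a filter, so it is escaped first.
    """
    bind_name = apply_pattern(ldap_login_pattern, login)
    search_value = apply_pattern(unique_member_attribute_value_pattern, login)
    search_filter = "(%s=%s)" % (unique_member_attribute,
                                 escape_filter_value(search_value))
    return bind_name, search_filter


if __name__ == "__main__":
    # Values from the configuration example above; 'jdoe' is a constructed login.
    print(build_bind_and_filter("jdoe", "bbr\\%s", "sAMAccountName", "%s@axway.com"))
    # A login carrying filter metacharacters stays a literal value after escaping.
    print(build_bind_and_filter("jdoe)(objectClass=*"))
```

With the defaults ('%s' for both patterns) the two values are identical to the typed login, which is the behaviour the parameter table describes when neither pattern is set.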

ActiveDirectory connection

  • Authentication via user login/password
  • Search user with attribute uid that matches user login
  • Retrieve some user attributes
  • Retrieve groups from user memberOf attribute
  • Retrieve groups from user group membership
  • Retrieve groups from group member attribute


conf/photon-authentication/settings.xml
<s:settings xmlns:s="http://www.systar.com/gluon/settings">
    <s:setting name="authenticationConfiguration" class="com.systar.photon.application.impl.conf.ShiroConf">
        <shiro-configuration>
            <component name="thirdPartyRealm" type="com.systar.photon.application.impl.authentication.CustomActiveDirectoryRealm">
                <property name="url">ldap://ad.axway.fr:389</property>
                <property name="ldapLoginPattern">bbr\%s</property>
                <property name="groupRolesMap">
                    "CN=inno,OU=Global Groups,OU=DecisionInsight,OU=bbr,DC=axway,DC=fr":"inno",
                    "OU=Global Groups,OU=DecisionInsight,OU=bbr,DC=axway,DC=fr":"User",
                    "CN=Developpeurs,OU=Groups,OU=bbr,DC=axway,DC=fr":"Super administrator"
                </property>
                <property name="searchBase">DC=axway,DC=fr</property>
                <property name="uniqueMemberAttribute">sAMAccountName</property>
                <property name="uniqueMemberAttributeValuePattern">%s</property>
                <property name="attributeAsFirstName">givenName</property>
                <property name="attributeAsLastName">sn</property>
                <property name="attributeAsEmail">mail</property>
                <property name="attributeAsDescription">displayName</property>
                <property name="resolveRolesByGroupMembership">true</property>
                <property name="groupAttributeAsUserGroupMember">member</property>
            </component>
        </shiro-configuration>
    </s:setting>
</s:settings>

LDAP connection

  • Authentication by unique LDAP user login/password
  • Search user with attribute uid that matches user login
  • Retrieve some user attributes
  • No role/group association: default role is User for every user logged

conf/photon-authentication/settings.xml
<s:settings xmlns:s="http://www.systar.com/gluon/settings">
    <s:setting name="authenticationConfiguration" class="com.systar.photon.application.impl.conf.ShiroConf">
        <shiro-configuration>
            <component name="thirdPartyRealm" type="com.systar.photon.application.impl.authentication.CustomActiveDirectoryRealm">
                <property name="url">ldap://ldap.axway.fr:389</property>
                <property name="ldapLogin">CN=ldapUser,OU=DecisionInsight,OU=bbr,DC=axway,DC=fr</property>
                <property name="ldapPassword">ldapUserPassword</property>
                <property name="searchBase">DC=axway,DC=fr</property>
                <property name="uniqueMemberAttribute">uid</property>
                <property name="attributeAsFirstName">givenName</property>
                <property name="attributeAsLastName">sn</property>
                <property name="attributeAsEmail">mail</property>
                <property name="attributeAsDescription">displayName</property>
            </component>
        </shiro-configuration>
    </s:setting>
</s:settings>

LDAP connection

  • Authentication by unique LDAP user login/password
  • Search user with attribute uid that matches user login
  • Retrieve some user attributes
  • Do not resolve groups from the user's group membership attribute (overrides the default value)
  • Retrieve groups from user group membership


conf/photon-authentication/settings.xml
<s:settings xmlns:s="http://www.systar.com/gluon/settings">
    <s:setting name="authenticationConfiguration" class="com.systar.photon.application.impl.conf.ShiroConf">
        <shiro-configuration>
            <component name="thirdPartyRealm" type="com.systar.photon.application.impl.authentication.CustomActiveDirectoryRealm">
                <property name="url">ldap://ldap.axway.fr:389</property>
                <property name="ldapLogin">CN=ldapUser,OU=DecisionInsight,OU=bbr,DC=axway,DC=fr</property>
                <property name="ldapPassword">ldapUserPassword</property>
                <property name="searchBase">DC=axway,DC=fr</property>
                <property name="groupRolesMap">
                    "OU=Global Groups,OU=DecisionInsight,OU=bbr,DC=axway,DC=fr":"Super administrator"
                </property>
                <property name="uniqueMemberAttribute">uid</property>
                <property name="attributeAsFirstName">givenName</property>
                <property name="attributeAsLastName">sn</property>
                <property name="attributeAsEmail">mail</property>
                <property name="attributeAsDescription">displayName</property>
                <property name="resolveRolesByUserAttribute">false</property>
                <property name="resolveRolesByGroupMembership">true</property>
            </component>
        </shiro-configuration>
    </s:setting>
</s:settings>

How does it work?

Disabling ActiveDirectory/LDAP role provisioning

If you want to disable ActiveDirectory/LDAP role provisioning, modify the file conf/platform.properties:

platform.properties
com.systar.photon.application.auth.ldapRoleProvisioning=false
Parameter value | Description
true | Default value. ActiveDirectory/LDAP provides the user roles. Modifying an ActiveDirectory/LDAP user's roles through the deployment is forbidden.
false | ActiveDirectory/LDAP does NOT provide any user role. ActiveDirectory/LDAP users' roles are managed through the deployment.

Enabling ActiveDirectory/LDAP role provisioning with SSO activated

SSO plugin and ActiveDirectory/LDAP role provisioning can be configured to work together. In this kind of configuration:

  • authentication is done by SSO plugin
  • authorization is done by ActiveDirectory/LDAP role provisioning. In this case, 
    • ActiveDirectory/LDAP is not used anymore to authenticate a user.
    • User's information can be retrieved (using attributeAsFirstName, attributeAsLastName, attributeAsEmail, attributeAsDescription) but they will override data collected by SSO plugin.

To configure it:

  1. Configure the SSO plugin: see Configure Single sign-on (SSO)
  2. Modify the file conf/platform.properties to enable ActiveDirectory/LDAP role provisioning and disable SSO role provisioning:

platform.properties
com.systar.photon.application.auth.ssoRoleProvisioning=false
com.systar.photon.application.auth.ldapRoleProvisioning=true

  3. Follow the ActiveDirectory/LDAP configuration section above. In this case, ldapLogin and ldapPassword are mandatory:

ldapLogin (Mandatory: Yes)

Login used to authenticate over LDAP with a generic user. ldapLoginPattern is not used in this case.

ldapPassword (Mandatory: Yes)

Password used to authenticate over LDAP with a generic user. ldapLoginPattern is not used in this case.

Security

LDAPS

LDAP and LDAPS configurations are very similar. To use LDAPS, use the ldaps protocol scheme in the url and adapt the port number (the standard LDAPS port is 636).

conf/photon-authentication/settings.xml
<s:settings xmlns:s="http://www.systar.com/gluon/settings">
    <s:setting name="authenticationConfiguration" class="com.systar.photon.application.impl.conf.ShiroConf">
        <shiro-configuration>
            <component name="thirdPartyRealm" type="com.systar.photon.application.impl.authentication.CustomActiveDirectoryRealm">
                <property name="url">ldaps://server_address:port</property>
                [...]
            </component>
        </shiro-configuration>
    </s:setting>
</s:settings>

You also need to add the server's SSL certificate to a keystore, either "cacerts" or another one (in that case you have to configure the JVM to use it).

Reminder

  1. Import a certificate (.der) into a keystore: keytool -importcert -alias certificate_alias -file path_to_certificate.der -keystore path_to_keystore -storepass keystore_password
  2. Change the default keystore. Append to platform.properties:

javax.net.ssl.trustStore=path_to_keystore
javax.net.ssl.trustStorePassword=keystore_password
# if needed, activate SSL debugging:
javax.net.debug=ssl:handshake

If the deployment is installed as a Windows service, do not forget to re-launch tnd-service-configure.bat and restart the service

For easier configuration debugging, set the log level of the photon-authentication and carbon-user domains to DEBUG.

Encrypt sensitive properties

Sensitive values (for example the ldapPassword property) can be encrypted using Node settings values encryption.

  • First, create a property in the file conf/platform.properties with an encrypted value, for example:
my.secret.ldap.password=${encrypted:+Mpt1CFBV9rgPKNXzLnzowxsoGudW9yieTfeHG4WnP4=}
  • Then reference that property from the XML file conf/photon-authentication/settings.xml:
conf/photon-authentication/settings.xml
<s:settings xmlns:s="http://www.systar.com/gluon/settings">
    <s:setting name="authenticationConfiguration" class="com.systar.photon.application.impl.conf.ShiroConf">
        <shiro-configuration>
            <component name="thirdPartyRealm" type="com.systar.photon.application.impl.authentication.CustomActiveDirectoryRealm">
                [...]
                <property name="ldapPassword">${my.secret.ldap.password}</property>
                [...]
            </component>
        </shiro-configuration>
    </s:setting>
</s:settings>

How to debug LDAP configuration

To debug the configuration, more information can be appended to Decision Insight's log file by customizing the log configuration file:

  1. Add the following logger entry at the end of the <installation directory>/conf/log4j.properties file:

    log4j.logger.photon-authentication=DEBUG

  2. Start the deployment.
