Version 9.6
 —  Authentication Topics and LDAP  —

Configuring LDAP


Principles of Configuring against LDAP

CentraSite supports various LDAP configurations and provides standard settings that allow you to set up your authentication quickly against these standard systems.

There are many questions that are involved when you configure against an LDAP system:

In general, before you begin to specify the configuration, we recommend that you study the LDAP structure and contents using an LDAP browser. There are various free tools such as JXplorer (http://jxplorer.org/) that allow you to do this. Using the LDAP browser, you can bind to an LDAP server, then navigate through the hierarchy to see the structures that contain the users and groups. You can also open the nodes that contain the definitions of individual users or groups, and view the properties that are stored for each user or group. An example of a node for a user testuser01 might show the following properties:

Property name   Value
cn              testuser01
objectClass     OpenLDAPperson
Mail            JohnSmith@MyCompany.com
Phone           +1 234 555 678

The path to the node for this user might be com/People/Location3/testuser01, where com is the root node. The setup on this LDAP server might be that all users are stored under the People node (com/People/…) and all groups under the Groups node (com/Groups/…). Every CentraSite customer can define their LDAP user and group structures differently, so the details of the LDAP configuration that you perform in CentraSite vary accordingly: you must map explicitly to the customer's LDAP structures.


Performing the LDAP Configuration

The general values that you can specify for an LDAP configuration (see the section Creating Authentication Configurations above) are described in the following table.

Value Description
Domain ID

(As described in the section Specifying the Domain ID)

LDAP server (host:port)

This is the host name (server and domain) of the machine where the LDAP server is located.

You can specify a Host:Port combination in this field, where Port is the port number of the LDAP server on the host machine.

You can specify multiple hosts in this field, using the blank character as a separator, for example

Host:Port Host:Port ...

If you specify multiple hosts, they are tried in the given order until a connection can be established.

Each host can also be specified with a scheme such as "ldap" or "ldaps", using the syntax ldap://Host:Port or ldaps://Host:Port. Prefer ldaps://: an LDAP simple bind sends the password (of the technical principal and of every user who logs in) to the LDAP server in clear text, so over plain ldap:// these passwords are exposed to anyone who can observe the network path, and a spoofed LDAP server cannot be detected. With ldaps://, the certificate presented by the LDAP server must be trusted by the CentraSite installation, otherwise the connection attempt fails.

Server Type

This field allows you to specify the type of LDAP server that will be used.

You can specify Active Directory as the server type if the Active Directory server is accessed via LDAP (e.g. from a UNIX system).

Caching time for user credentials

The number of seconds that the user is cached in the server after successful authentication. Changes made to the user, e.g. deletion or password changes, do not take effect until this time has elapsed.

This setting is provided for performance reasons. The default value is 120 seconds. If the connection to the LDAP server is slow, you can increase this figure.

The user-specific settings that you can specify are the standard LDAP settings. Refer to the documentation of your LDAP system supplier for details. Here are some examples.

User-specific Value Description Example

DN

The base DN of the user entries, i.e. the directory subtree under which CentraSite searches for users (in standard LDAP terminology, the directory tree part of the distinguished name of the entries).

The path is written in the standard LDAP DN convention, from the most specific component to the root: first a unique property of the node itself together with its value (usually the "ou" (organizational unit) property), then the next higher node (typically a "dc" node, i.e. a node with a "dc" property), then the next higher node, and so on up to the root node.

Example: ou=people,dc=MyServer,dc=com

This example identifies the node whose "ou" property has the value "people" and is located under the node whose "dc" property is "MyServer", which in turn is located under the node whose "dc" property has the value "com".

Object

This identifies a property value that is used to categorize nodes as user nodes. For example, if you specify "OpenLDAPperson", this means that user nodes can be recognized by being of object class "OpenLDAPperson".

Example: inetOrgPerson

Group Attribute

If the user repository specifies a property linking users to the groups to which they belong, specify the name of the property here. If there is no such property, leave this field blank.

Example: memberOf

Field

This is the name of the property in the user node that uniquely identifies the user (the attribute name of the RDN of the user entries). The user ID that a user types at login is matched against this attribute.

Example: cn

The group-specific settings that you can specify are the standard LDAP settings. Refer to the documentation of your LDAP system supplier for details. Here are some examples.

Group-specific Value Description Example

DN

This is similar to the DN property for users, as described above, but identifies the base DN (subtree) of the group entries rather than of the user entries.

Example: ou=Groups,dc=abc,dc=de

Object

This identifies a property value that is used to categorize nodes as group nodes. For example, if you specify "groupOfNames", this means that group nodes can be recognized by being of object class "groupOfNames".

Example: groupOfUniqueNames

User Attribute

If the group entries carry a property linking a group to the users who are members of the group, specify the name of the property here. If there is no such property, leave this field blank.

Example: member

Resolution

This specifies whether group nodes contain links to the users who are members of the group, or whether user nodes contain links to the groups they belong to. The option "recurse down" means that group nodes contain links to users: the group subtree is searched for groups whose User Attribute names the user. The option "recurse up" means that user nodes contain links to groups: the Group Attribute of the user entry is read. The command line tool described below offers a third option, "computed property", which reads a computed property of the user entry that lists all groups of which the user is a member (see Step 8 of the example).

Example: Recurse Up

Note:
If you are using LDAP, note that only the "recurse up" option is supported for group resolution.
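The following Python script is an added example; it is not CentraSite code and does not reproduce how CentraSite itself queries the directory. It shows what the user-specific and group-specific settings above translate to: the subtree search that locates a user entry from a user ID (with RFC 4515 escaping of the ID, so that an ID such as *)(cn=* cannot rewrite the filter), the search used for "recurse down" resolution, and a comparison of "recurse up" and "recurse down" over a small in-memory directory. The base DNs, object classes, directory entries and the names USER_CFG, GROUP_CFG and the functions are all assumptions made for the illustration; the "computed property" method offered by the command line tool is not simulated.

```python
# Added example (not CentraSite code): the searches implied by the user- and
# group-specific settings, with RFC 4515 escaping of the user ID, plus a
# simulation of "recurse up" versus "recurse down" group resolution over a
# constructed in-memory directory. All DNs, entries and config values below
# are assumptions made for illustration.

# Configuration values, named after the fields in the tables above.
USER_CFG = {"dn": "ou=people,dc=MyServer,dc=com", "object": "inetOrgPerson",
            "field": "cn", "group_attribute": "memberOf"}
GROUP_CFG = {"dn": "ou=Groups,dc=MyServer,dc=com", "object": "groupOfUniqueNames",
             "user_attribute": "uniqueMember"}


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in a search filter. Without it,
    a user ID such as '*)(cn=*' changes the structure of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def user_search(userid):
    """Base DN and filter that locate the entry of one user ID."""
    flt = "(&(objectClass=%s)(%s=%s))" % (
        USER_CFG["object"], USER_CFG["field"], escape_filter_value(userid))
    return USER_CFG["dn"], flt


def groups_of_user_search(user_dn):
    """Base DN and filter for 'recurse down': groups whose user attribute
    (here uniqueMember) lists the user's DN."""
    flt = "(&(objectClass=%s)(%s=%s))" % (
        GROUP_CFG["object"], GROUP_CFG["user_attribute"], escape_filter_value(user_dn))
    return GROUP_CFG["dn"], flt


# Constructed directory: DN -> attributes (multi-valued attributes as lists).
# alice0's memberOf is deliberately incomplete (group1 but not group2), which
# is what a server that does not maintain memberOf itself looks like.
ALICE = "cn=alice0,ou=people,dc=MyServer,dc=com"
BOB = "cn=bob,ou=people,dc=MyServer,dc=com"
DIRECTORY = {
    ALICE: {"objectClass": ["inetOrgPerson"], "cn": ["alice0"],
            "memberOf": ["cn=group1,ou=Groups,dc=MyServer,dc=com"]},
    BOB: {"objectClass": ["inetOrgPerson"], "cn": ["bob"]},
    "cn=group1,ou=Groups,dc=MyServer,dc=com": {
        "objectClass": ["groupOfUniqueNames"], "cn": ["group1"], "uniqueMember": [ALICE]},
    "cn=group2,ou=Groups,dc=MyServer,dc=com": {
        "objectClass": ["groupOfUniqueNames"], "cn": ["group2"], "uniqueMember": [ALICE, BOB]},
}


def find_user_dn(userid):
    """Subtree search under the user base DN for an entry of the user object
    class whose 'field' attribute equals userid. Exactly one hit is required;
    a missing or ambiguous user cannot be authenticated."""
    base = USER_CFG["dn"]
    hits = [dn for dn, a in DIRECTORY.items()
            if dn.endswith("," + base) and USER_CFG["object"] in a.get("objectClass", [])
            and userid in a.get(USER_CFG["field"], [])]
    return hits[0] if len(hits) == 1 else None


def resolve_recurse_up(user_dn):
    """'Recurse up': trust the group attribute stored on the user entry."""
    return sorted(DIRECTORY[user_dn].get(USER_CFG["group_attribute"], []))


def resolve_recurse_down(user_dn):
    """'Recurse down': scan the group subtree for groups that name the user.
    (A real server compares DNs with DN matching rules; this simulation uses
    exact string comparison.)"""
    base = GROUP_CFG["dn"]
    return sorted(dn for dn, a in DIRECTORY.items()
                  if dn.endswith("," + base) and GROUP_CFG["object"] in a.get("objectClass", [])
                  and user_dn in a.get(GROUP_CFG["user_attribute"], []))


if __name__ == "__main__":
    dn = find_user_dn("alice0")
    print(user_search("alice0"))
    print(user_search("*)(cn=*"))          # escaped: no filter injection
    print(groups_of_user_search(dn))
    print("recurse up:  ", resolve_recurse_up(dn))
    print("recurse down:", resolve_recurse_down(dn))
```

Because alice0's memberOf attribute is incomplete, "recurse up" reports one group and "recurse down" reports two. That is the practical difference between the two settings: "recurse up" is only as accurate as the attribute the server maintains on the user entry, whereas "recurse down" costs a search of the group subtree for every resolution but reflects the group entries themselves. Whichever you configure, verify it against a user whose group memberships you know, as Step 8 of the dialog below does.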


Technical Principal for LDAP

Background

CentraSite can only find and authenticate a user name via the LDAP mechanism if either:

The technical principal is a user name or user account that preferably should not belong to a real user; in other words, the technical principal is normally the ID of a fictitious (service) user. It is intended for organizations that store their user entries in branched LDAP directory structures, for example uid=Username,loc=Germany,ou=People,dc=mydomain,dc=com, but do not allow anonymous bind. The technical principal must be defined in LDAP as having read access to all users and groups that are to be used by CentraSite; it needs no write access to the directory and, following the principle of least privilege, should not be given any.

When CentraSite is configured to use this feature, all LDAP accesses take place using the technical principal. For example, if a user with user name "user1" and password "pwd1" wants to log in to CentraSite Control, LDAP is accessed using the technical principal and the record for the user "user1" is checked.

Creating a Credentials File

CentraSite provides a simple command-line tool to generate the credentials file for a given technical principal. You will need this credentials file in the next step, when you set up CentraSite to use the technical principal for authenticating user name.

Note:
Before using this tool on UNIX systems, please ensure that the binary file createTechUserCreds has execute permission set; also, please set up the CentraSite environment by sourcing the file centrasite_setenv.sh (for example, under bsh or bash: . ./centrasite_setenv.sh).

The tool is invoked as follows (note that the UNIX version of the program is named createTechUserCreds):

   <Suite-Install-Dir>\common\security\<architecture>\bin\createTechUserCreds.exe [-f outputfile] [-k keyfile] [-p password] userId

where:

-f outputfile

specifies the name of the output file, i.e. the file into which the tool will write the generated credentials.

-k keyfile

specifies the name of the file that contains the key used for encryption and decryption of the password.

The file should consist of a single line of 64 hexadecimal characters, i.e. each character is in the range [0-9],[a-f] (if it is longer than 64 characters, the excess characters are ignored). As usual, each pair of hexadecimal characters denotes one byte. The first 16 bytes are used as the AES encryption key; the next 16 bytes are used as the AES initialization vector.

If this parameter is omitted, the system uses a default key. The default key is built into the product and is therefore the same on every installation: a credentials file produced with it is protected only against casual reading, since anyone who can read the file can recover the password with that same default key. For a production system, generate your own key file from a cryptographically secure random source, and restrict read access to the key file and to the credentials file to the account under which CentraSite runs.

-p password

specifies the password for the given technical principal.

Warning:
This parameter is provided for use in batch scripts. The password is specified "in clear text", i.e. unencrypted, and the batch script therefore presents a potential security risk. In addition, a password passed on the command line is visible to other users of the machine in the process list while the tool runs, and is recorded in the shell's command history when the command is typed interactively. Take care to control access to any batch script that uses this parameter. Wherever possible, omit this parameter and enter the password at the prompt instead; it is then not echoed.
userId

is the user name that will be associated with the generated credentials. Use the full path to the user, for example cn=techprincipal,ou=services,o=bigcompany.

Unless you specified the -p parameter, after entering the command you will be prompted to enter the password (it will not be echoed visibly). The user name and the encrypted password are then stored in the credentials file in the location that you specified.
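The following Python script is an added example, not part of CentraSite. It generates a key file for the -k parameter in the format described above (one line of 64 lowercase hexadecimal characters, the first 16 bytes being the AES key and the next 16 bytes the IV, anything beyond the 64th character ignored) from the operating system's random number generator, and parses such a file back into key and IV applying the same rules. It does not reproduce the credentials file that createTechUserCreds writes, whose format this page does not describe. The file name alt_keyfile.txt and all function names are assumptions.

```python
# Added example (not CentraSite code): create and validate a key file in the
# format the -k parameter of createTechUserCreds expects, as described above.
# Only the key file is handled here; the credentials file format is not
# documented on this page and is not reproduced.
import os
import re
import secrets
import tempfile

# Exactly 64 lowercase hex digits, as the description states ([0-9],[a-f]).
HEX_LINE = re.compile(r"[0-9a-f]{64}")


def parse_key_line(line):
    """Split the first line of a key file into (key, iv), 16 bytes each.
    Characters after the 64th are ignored, as the tool does; fewer than 64
    characters, or characters outside [0-9a-f], are rejected."""
    line = line.rstrip("\r\n")
    if len(line) < 64:
        raise ValueError("key file needs 64 hex characters, found %d" % len(line))
    head = line[:64]
    if not HEX_LINE.fullmatch(head):
        raise ValueError("first 64 characters of the key file must be [0-9a-f]")
    raw = bytes.fromhex(head)          # 32 bytes
    return raw[:16], raw[16:]          # AES-128 key, then the IV


def make_key_file(path):
    """Write 32 bytes from the OS CSPRNG as 64 lowercase hex characters.
    The file is created owner-readable only (mode 0600 on POSIX; on Windows
    the mode bits are largely ignored, so set an ACL on the file separately).
    Returns the hex line written."""
    hexline = secrets.token_hex(32)    # 32 random bytes -> 64 hex chars
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(hexline + "\n")
    return hexline


def load_key_file(path):
    """Read a key file and return (key, iv)."""
    with open(path, "r") as fh:
        return parse_key_line(fh.readline())


def roundtrip_in_tmpdir():
    """Create a key file in a temporary directory, read it back and confirm
    that key and IV are the bytes that were written. Returns True on success."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "alt_keyfile.txt")   # assumed file name
        hexline = make_key_file(path)
        key, iv = load_key_file(path)
        return key + iv == bytes.fromhex(hexline) and len(key) == len(iv) == 16


if __name__ == "__main__":
    print("round trip ok:", roundtrip_in_tmpdir())
```

Pass the generated file to the tool with -k and keep it readable only by the account that runs CentraSite: the credentials file is exactly as secret as the key file that decrypts it, which is also why the built-in default key adds no real protection.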


Example of Configuring LDAP Authentication

This section contains an example of setting up LDAP Authentication using the command line tool CentraSiteCommand, which is located in C:\SoftwareAG\CentraSite\utilities.

The command to start the command line tool is as follows. The example assumes that there is a user "AdminUser" who has the CentraSite Administrator role, and that this user has the password "AdminPass". Note that, as with the -p parameter of createTechUserCreds, a password given on the command line appears in the process list and in the shell's command history.

cd C:\SoftwareAG\CentraSite\utilities
CentraSiteCommand.cmd set Authentication -user AdminUser -password AdminPass

A sample interactive dialog follows. The values entered in response to the prompts appear directly after the prompt on the same line (in the original they are shown in bold); an empty response accepts the default given in square brackets.

Executing the command : set Authentication

===========================================================
Step 1: Basic LDAP Host Information
-----------------------------------------------------------


LDAP Server (ldap(s)://host:port):ldap://MyServer01:10388


1 = Active Directory

2 = OpenLDAP

3 = Sun ONE Directory

4 = IBM Tivoli

5 = Novell eDirectory

6 = Apache Directory

0 = other

server type:6

caching time for user credentials (Default 120 seconds):120

Do you want to use the LDAP Technical User (Y/N) [N]:Y

Provide the LDAP Technical User credentials file.
techLdapUserCredFile: c:\credentials\admin.txt

Provide the LDAP Technical User Key file
techLdapUserKeyFile: c:\SoftwareAG\common\security\ssx_32\etc\alt_keyfile.txt

Trying to connect to LDAP at: ldap://MyServer01:10388
===========================================================
Check 1: LDAP Host   >> PLEASE WAIT...
-----------------------------------------------------------

[OK] LDAP server found.

Repeat configuration step 1, Continue, or End? (R/C/E) [C]:

===========================================================
Step 2: Basic User Information
-----------------------------------------------------------

userid field [cn]:cn

object class [top,person,organizationalperson,inetorgperson]:inetOrgPerson

Specify the root node (DN) for all groups.

user base DN:ou=people,ou=abc,o=sag

Specify the domain ID

domain:MyDomain


To test the connection, please provide the credentials of a valid LDAP user.

userid:alice0

password:

===========================================================
Check 2: LDAP User   >> PLEASE WAIT...
-----------------------------------------------------------

[OK]  User authenticated successfully


Do you want to see the LDAP search trace? (Y/N) [N]:

Repeat configuration step 2, Continue, or End? (R/C/E) [C]:

===========================================================
Step 3: User Properties Mapping
-----------------------------------------------------------
Default Mapping:telephoneNumbers:telephoneNumber:number >> telephoneNumber
personName:firstName >> cn
description >> description
personName:lastName >> sn

Do you want to keep this default mapping? (Y/N) [N]:

Please provide your custom mapping (press Enter if unmapped)

organization:
description:
personName:firstName:givenName
personName:middleName:
personName:lastName:sn
personName:fullName:displayName
postalAddresses:postalAddress:city:
postalAddresses:postalAddress:stateOrProvince:
postalAddresses:postalAddress:country:
postalAddresses:postalAddress:postalScheme:
emailAddresses:emailAddress:address:mail
telephoneNumbers:telephoneNumber:countryCode:
postalAddresses:postalAddress:postalCode:postalCode
postalAddresses:postalAddress:streetNumber:postalAddress
telephoneNumbers:telephoneNumber:areaCode:
telephoneNumbers:telephoneNumber:number:telephoneNumber
telephoneNumbers:telephoneNumber:extension:
telephoneNumbers:telephoneNumber:url:
URL:

===========================================================
Check 3: LDAP User Properties   >> PLEASE WAIT...
-----------------------------------------------------------

The above user properties matched with ldap:

displayName = Alice 0
mail = mail123@test.de
givenName = Alice0
sn = surname



Do you want to see the LDAP search trace? (Y/N) [N]:

Repeat configuration step 4, Continue, or End? (R/C/E) [C]:

===========================================================
Step 4: User Search
-----------------------------------------------------------
The LDAP directory will now be searched based on a search filter that applies to
the user IDs.

search filter (e.g. user*):employee*

===========================================================
Check 4: LDAP User Search   >> PLEASE WAIT...
-----------------------------------------------------------

User elements found: 8. Do you want to see them?

Do you want to see all the users? (Y/N) [N]:y
User with filter: employee*
-> sag\employee1
-> sag\employee3
-> sag\employee4
-> sag\employee5
-> sag\employee6
-> sag\employee7
-> sag\employee8
-> sag\employee2


Do you want to see the LDAP search trace? (Y/N) [N]:

Repeat configuration step 5, Continue, or End? (R/C/E) [C]:

===========================================================
Step 5: Basic Group Information
-----------------------------------------------------------

groupid field [cn]: cn

object class [top,groupOfUniqueNames]: groupOfUniqueNames

Specify the root node (DN) for all groups.


group base DN:ou=groups,ou=abc,o=sag


To test the group retrieval, please provide the group ID of valid LDAP group.


groupid:group1

===========================================================
Check 5: LDAP Group   >> PLEASE WAIT...
-----------------------------------------------------------

[OK]  The following group was found:
cn = group1


Do you want to see the LDAP search trace? (Y/N) [N]:

Repeat configuration step 6, Continue, or End? (R/C/E) [C]:

===========================================================
Step 6: Basic Group Information Mapping
-----------------------------------------------------------
Please provide your group information mapping

description:description

===========================================================
Check 6: LDAP Group Mapping   >> PLEASE WAIT...
-----------------------------------------------------------

[OK]  The following group was found:
description = group1


Do you want to see the LDAP search trace? (Y/N) [N]:

Repeat configuration step 7, Continue, or End? (R/C/E) [C]:

===========================================================
Step 7: Group Search
-----------------------------------------------------------
The LDAP directory will now be searched based on a search filter that applies to
the group IDs

search filter (e.g. group*):*group*

===========================================================
Check 7: LDAP Group Search   >> PLEASE WAIT...
-----------------------------------------------------------

Group elements found:  6 . Do you want to see them?

Do you want to see all groups? (Y/N) [N] :Y
Groups with filter: *group*
-> sag\invalidgroup
-> sag\group1
-> sag\group2
-> sag\AdminGroup
-> sag\group3
-> sag\group4


Do you want to see the LDAP search trace? (Y/N) [N]:

Repeat configuration step 8, Continue, or End? (R/C/E) [C]:

===========================================================
Step 8: Group Resolution
-----------------------------------------------------------
There are 3 methods available to perform the group resolution
Select one of the following:
"Recurse Up": Read the (multi-valued) field from the user entry, which points to the groups.
"Recurse Down": Search all groups that specify the current/authenticated user as a member.
"Computed property": Use a "computed property" field from the user entry, that specifies all groups where the user is a member.

group resolution type (ru, rd or cp) [rd]: rd

group attribute that points to the users [uniqueMember]: uniqueMember

===========================================================
Check 8: LDAP Group Resolution Host   >> PLEASE WAIT...
-----------------------------------------------------------

Groups for user found: 1 Do you want to see them?
Do you want to see all groups? (Y/N) [N] :
Y
Find all groups of user alice0
-> sag\invalidgroup


Do you want to see the LDAP search trace? (Y/N) [N]:

Repeat configuration step 9, Continue, or End? (R/C/E) [C]:

===========================================================
Check 9: Displaying and saving configuration in CentraSite >> PLEASE WAIT...
-----------------------------------------------------------


Repeat configuration step 10, Continue, or End? (R/C/E) [C]:

===========================================================
Current Configuration
-----------------------------------------------------------

Domain ID: MyDomain
Host: ldap://MyServer01:10388
Server Type: ApacheDS
Expiration : 120

Users:
DN: ou=people,ou=abc,o=sag
Object: inetOrgPerson
Group Attribute: ou
Field: cn

Groups:
DN: ou=groups,ou=abc,o=sag
Object: groupOfUniqueNames
User Attribute: uniqueMember
Resolution: rd


Do you want to save the configuration to CentraSite? (Y/N) [N]:Y
Successfully executed the command : set Authentication
