LDAP Authentication Configuration

Getting Started with GroundWork Monitor
GroundWork Monitor Enterprise Edition 6.2
© 2009 GroundWork Open Source, Inc.
PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source, Inc. © 2007 GroundWork Open Source, Inc.
Page 1
Course Objectives for this Module
Integration with Active Directory
• Requirements
• Getting it going
• Setting up Groups and Roles
• Disabling default authentication
Integration with OpenLDAP
• Requirements
• Getting it going
• Groups and Roles again
LDAPS
• Requirements
• Setup
• Certificates export and import
Module 8: LDAP for AD, OpenLDAP and LDAPS Setup
Active Directory
Resource: How-to at Home > USING APPLICATIONS > Operational How To's
Some important points:
• LDAP users cannot be assigned to roles using the portal administrator application
• LDAP users do NOT need to be defined in the portal (this is different from GroundWork Monitor 5.x)
• Configuration of LDAP parameters is done outside of the User Interface, and requires a restart of gwservices
• Role names have changed:
  • User is now GWUser
  • Operator is now GWOperator
  • Admin is now GWAdmin
Active Directory: Requirements
Required:
• Active Directory domain controller to which you have access
• Account with rights to browse the container in which you store the users. Example: ldapauth, context: cn=ldapauth,ou=GWUsers,dc=demo,dc=com
Optional:
• Roles in the portal for desired access levels
• A container and groups set up to match roles in the portal
Useful:
• Adsiedit.msc
Active Directory: Sample Set of Users and Groups
Organizational Unit (OU):
• GWUsers
Groups in the OU:
• GWUser
• GWAdmin
• GWOperator
Users and membership:
• ldapauth
• admin
  GWAdmin
• test1
  GWOperator
• test2
  GWUser
• test3
Active Directory: Getting it going
• Edit login-config.xml
  • Copy and paste the section from the how-to
  • Change the AD server name or IP address
  • Change the LDAP admin user and password
  • Change the contexts for the LDAP admin user, users and roles
• Restart the portal (gwservices)
• Test the login
Active Directory: Setting up groups and roles
• Add roles to the portal. Example:
  • Add an Executive role
  • Allow the Executive role to view the reports tab
• Add groups to AD. Example:
  • Add an Executive group
  • Add a user to the Executive group
• Test the login
Active Directory: Notes about Roles
• Roles are additive
• There is no (easy) way to change the automatic mapping of all AD users to the GWUser role in the portal. Restrict this role if you do not want all users to have the default apps.
Disabling Default Authentication
A good idea… because…
• LDAP users are stored in the portal with no password
• LDAP failure means all can log in without a password
• For instance, if a user is deleted from LDAP…
Easy to do (and undo):
• Edit login-config.xml:
  • Comment out the DBIdentityLoginModule section
  • Change “sufficient” to “required” in the SynchronizingLDAPExtLoginModule section
• Restart gwservices
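The two login-config.xml edits on this slide, together with the edits from the Active Directory "Getting it going" steps, can be checked mechanically before gwservices is restarted. The script below is an added example, not GroundWork's shipped configuration or code: it assembles a constructed login-config.xml in the JBoss layout (the fully qualified class names, the demo.com DNs and the option values are assumptions; the option names are the ones JBoss's LdapExtLoginModule understands), then reports whether the DBIdentityLoginModule section is still active, whether the SynchronizingLDAPExtLoginModule flag is still "sufficient", and whether any of the options the slides say to change is empty.

```python
"""Check the login-config.xml edits the module calls for: the LDAP module
present with flag="required" and the database module commented out.
Added example, not GroundWork's shipped file: the XML is a constructed
sample shaped like a JBoss login-config.xml, and the fully qualified class
names, option values and demo.com DNs are assumptions."""
import xml.etree.ElementTree as ET

# Database-backed module the slides say to comment out (assumed class name;
# the slides give only the short name DBIdentityLoginModule).
DB_MODULE = """      <login-module code="org.jboss.portal.identity.auth.DBIdentityLoginModule"
                    flag="required">
      </login-module>
"""

# LDAP module using the option names JBoss's LdapExtLoginModule understands.
# __FLAG__ is replaced with "sufficient" or "required" by login_config().
LDAP_MODULE = """      <login-module code="org.jboss.portal.identity.auth.SynchronizingLDAPExtLoginModule"
                    flag="__FLAG__">
        <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
        <module-option name="java.naming.provider.url">ldap://ad.demo.com:389</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="bindDN">cn=ldapauth,ou=GWUsers,dc=demo,dc=com</module-option>
        <module-option name="bindCredential">ldapauth-password-placeholder</module-option>
        <module-option name="baseCtxDN">ou=GWUsers,dc=demo,dc=com</module-option>
        <module-option name="baseFilter">(sAMAccountName={0})</module-option>
        <module-option name="rolesCtxDN">ou=GWUsers,dc=demo,dc=com</module-option>
        <module-option name="roleFilter">(member={1})</module-option>
        <module-option name="roleAttributeID">cn</module-option>
        <module-option name="searchScope">SUBTREE_SCOPE</module-option>
      </login-module>
"""

# Options the slides tell you to change; an empty one means the how-to text
# was pasted but not edited.
REQUIRED_OPTIONS = ("java.naming.provider.url", "bindDN", "bindCredential",
                    "baseCtxDN", "baseFilter", "rolesCtxDN", "roleFilter")


def login_config(ldap_flag, db_enabled):
    """Assemble the sample file.  With db_enabled=False the DB module is
    wrapped in an XML comment, which is how the slides disable it."""
    db = DB_MODULE if db_enabled else "<!--\n" + DB_MODULE + "-->\n"
    return ('<?xml version="1.0"?>\n<policy>\n  <application-policy name="portal">\n'
            '    <authentication>\n' + LDAP_MODULE.replace("__FLAG__", ldap_flag)
            + db + '    </authentication>\n  </application-policy>\n</policy>\n')


def parse_login_modules(xml_text):
    """Return [(code, flag, {option: value})] for every *active* login-module.
    ElementTree drops XML comments, so a commented-out module vanishes here
    exactly as it does for JBoss."""
    root = ET.fromstring(xml_text)
    return [(lm.get("code"), lm.get("flag"),
             {o.get("name"): (o.text or "").strip() for o in lm.findall("module-option")})
            for lm in root.iter("login-module")]


def ldap_only_findings(xml_text):
    """List what still has to change before the portal trusts LDAP alone."""
    findings, saw_ldap = [], False
    for code, flag, opts in parse_login_modules(xml_text):
        short = (code or "").rsplit(".", 1)[-1]
        if short == "DBIdentityLoginModule":
            findings.append("DBIdentityLoginModule is still active; comment it out")
        elif short == "SynchronizingLDAPExtLoginModule":
            saw_ldap = True
            if flag != "required":
                findings.append("SynchronizingLDAPExtLoginModule flag is '%s'; change it to 'required'" % flag)
            for name in REQUIRED_OPTIONS:
                if not opts.get(name):
                    findings.append("LDAP module is missing module-option '%s'" % name)
    if not saw_ldap:
        findings.append("no SynchronizingLDAPExtLoginModule section found")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", login_config("sufficient", True)),
                       ("after", login_config("required", False))):
        print(label, ldap_only_findings(cfg) or ["ok"])
```

Against the real file, call ldap_only_findings(open("login-config.xml").read()) after editing and before restarting gwservices. Because ElementTree ignores XML comments, a commented-out module is reported as gone, which is precisely the effect the comment has on JBoss; an empty findings list means the portal no longer has the password-less database fallback the slide warns about.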
OpenLDAP
Some important points:
• OpenLDAP is hard to configure.
• OpenLDAP allows anonymous browsing by default. This can be a bad thing. Always configure GWME to use a user to access containers.
• The user must have access to browse the tree in the User and Role context containers.
OpenLDAP: Requirements
Required:
• An OpenLDAP server
• Administrative access to OpenLDAP (for setting up Users and Roles)
• A user account with rights to scan the containers for Users and Roles
Useful:
• LDAP browser
OpenLDAP: Getting it Going
• Log in to the OpenLDAP server and set up the Users container (default is ou=People)
• Set up the Roles container
• Add users to the Users container
• Add users to roles
It is a good idea to test your LDAP user login for browsing. Note: the root user is cn=manager by default, and while the uid=root object is in the People container, the context is the default, for example: cn=manager,dc=groundworkers,dc=com
OpenLDAP: Getting it Going
• Edit login-config.xml
  • Paste in the same text from the how-to as you would for Active Directory
  • Change the LDAP server from the default to your OpenLDAP server
  • Change the bindDN to the LDAP auth user
  • Change the bindCredential to the LDAP auth user's password
  • Change the contexts for users and roles, and make sure to change the format of the role filter and attributes. These differ from AD.
• Restart gwservices
• Test login
OpenLDAP: Roles and Groups
Setting up role-based access in GWME and OpenLDAP is similar to the process with AD.
The main difference is that OpenLDAP uses a separate container for the Roles (technically, groups), while AD typically places the groups in the same container as the users.
To set up, match the roles in GWME to the roles in OpenLDAP as you would for AD, and add users to roles in OpenLDAP.
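Why the role filter and attributes must change between AD and OpenLDAP, and why the "roles are additive" note on the earlier Active Directory slide holds, is easiest to see by running the search logic over a small snapshot of each directory. The code below is an added example rather than anything from GroundWork or JBoss: it mimics the two-step user-then-roles search that a JBoss LdapExtLoginModule-style configuration performs, with constructed directory entries (the AD snapshot mirrors the sample users and groups slide), constructed option values, and a deliberately minimal filter evaluator that understands only the single equality filters used here. The automatic GWUser mapping is modelled as a constant added after the directory lookup.

```python
"""Resolve a login name to portal roles the way a JBoss LdapExtLoginModule
search does, over an in-memory directory snapshot, for the AD and OpenLDAP
layouts the module contrasts.  Added example: the entries, DNs and option
values are constructed (the AD snapshot follows the sample users and groups
in the slides), and the filter evaluator handles only the single equality
filters used here."""
import re

# Constructed AD-style snapshot: users and groups side by side in ou=GWUsers.
# Each entry is a dict of attribute -> list of values, plus its "dn".
AD_DIRECTORY = [
    {"dn": "cn=ldapauth,ou=GWUsers,dc=demo,dc=com", "sAMAccountName": ["ldapauth"]},
    {"dn": "cn=admin,ou=GWUsers,dc=demo,dc=com", "sAMAccountName": ["admin"]},
    {"dn": "cn=test1,ou=GWUsers,dc=demo,dc=com", "sAMAccountName": ["test1"]},
    {"dn": "cn=test3,ou=GWUsers,dc=demo,dc=com", "sAMAccountName": ["test3"]},
    {"dn": "cn=GWAdmin,ou=GWUsers,dc=demo,dc=com", "cn": ["GWAdmin"],
     "member": ["cn=admin,ou=GWUsers,dc=demo,dc=com"]},
    {"dn": "cn=GWOperator,ou=GWUsers,dc=demo,dc=com", "cn": ["GWOperator"],
     "member": ["cn=admin,ou=GWUsers,dc=demo,dc=com", "cn=test1,ou=GWUsers,dc=demo,dc=com"]},
    {"dn": "cn=Executive,ou=GWUsers,dc=demo,dc=com", "cn": ["Executive"],
     "member": ["cn=test1,ou=GWUsers,dc=demo,dc=com"]},
]
# AD: users are found by sAMAccountName; groups list members by DN ({1}).
AD_OPTIONS = {"baseCtxDN": "ou=GWUsers,dc=demo,dc=com", "baseFilter": "(sAMAccountName={0})",
              "rolesCtxDN": "ou=GWUsers,dc=demo,dc=com", "roleFilter": "(member={1})",
              "roleAttributeID": "cn"}

# Constructed OpenLDAP-style snapshot: people in ou=People, posixGroups in a
# separate ou=Roles that list members by uid ({0}), not by DN.
OPENLDAP_DIRECTORY = [
    {"dn": "uid=test2,ou=People,dc=groundworkers,dc=com", "uid": ["test2"]},
    {"dn": "cn=GWOperator,ou=Roles,dc=groundworkers,dc=com", "cn": ["GWOperator"],
     "memberUid": ["test2"]},
]
OPENLDAP_OPTIONS = {"baseCtxDN": "ou=People,dc=groundworkers,dc=com", "baseFilter": "(uid={0})",
                    "rolesCtxDN": "ou=Roles,dc=groundworkers,dc=com", "roleFilter": "(memberUid={0})",
                    "roleAttributeID": "cn"}

DEFAULT_ROLE = "GWUser"  # the slides: every authenticated LDAP user is mapped to this role

_EQ = re.compile(r"^\(([A-Za-z][\w-]*)=(.+)\)$")


def matches(entry, filt):
    """Evaluate one equality filter, e.g. (member=cn=admin,...), against an entry.
    Attribute names compare case-insensitively, as LDAP does."""
    m = _EQ.match(filt)
    if not m:
        raise ValueError("only (attribute=value) filters are supported: %r" % filt)
    attr, value = m.group(1).lower(), m.group(2).lower()
    for key, values in entry.items():
        if key != "dn" and key.lower() == attr:
            return any(v.lower() == value for v in values)
    return False


def search(directory, base_dn, filt):
    """Subtree search: entries below base_dn that match the filter."""
    suffix = "," + base_dn.lower()
    return [e for e in directory if e["dn"].lower().endswith(suffix) and matches(e, filt)]


def resolve_roles(directory, opts, username):
    """Two-step lookup as LdapExtLoginModule performs it: find the user under
    baseCtxDN with baseFilter ({0} = login name), then the role entries under
    rolesCtxDN with roleFilter ({0} = login name, {1} = the user's DN), and
    read roleAttributeID from each.  None means the user was not found."""
    users = search(directory, opts["baseCtxDN"], opts["baseFilter"].replace("{0}", username))
    if len(users) != 1:
        return None
    role_filter = opts["roleFilter"].replace("{0}", username).replace("{1}", users[0]["dn"])
    roles = set()
    for group in search(directory, opts["rolesCtxDN"], role_filter):
        roles.update(group.get(opts["roleAttributeID"], []))
    return roles


def portal_roles(directory, opts, username):
    """Roles the portal ends up with: directory roles are additive, and every
    LDAP user also receives DEFAULT_ROLE automatically."""
    roles = resolve_roles(directory, opts, username)
    return None if roles is None else roles | {DEFAULT_ROLE}


if __name__ == "__main__":
    for user in ("admin", "test1", "test3", "nobody"):
        print("AD", user, portal_roles(AD_DIRECTORY, AD_OPTIONS, user))
    print("OpenLDAP test2", portal_roles(OPENLDAP_DIRECTORY, OPENLDAP_OPTIONS, "test2"))
    # The AD-style role filter finds nothing in the OpenLDAP layout: this is the
    # slides' warning that the role filter and attributes differ between the two.
    print("OpenLDAP test2 with AD filter",
          resolve_roles(OPENLDAP_DIRECTORY, dict(OPENLDAP_OPTIONS, roleFilter="(member={1})"), "test2"))
```

Two things worth noticing in the output: test3, who is in no group, still ends up with GWUser, which is the mapping the AD notes slide says cannot easily be switched off, and pasting the AD role filter into an OpenLDAP configuration silently yields no roles at all rather than an error, so a user with a working bind can log in with only the default role.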
LDAPS
LDAPS is LDAP over SSL.
Some important points:
LDAPS requires a certificate. Administrators will likely already have this as a text file somewhere safe. This process goes through extracting the certificate, so care should be taken to use the correct parts of this procedure.
LDAPS: Requirements
• An OpenLDAP server with LDAPS turned on.
• The OpenLDAP setup completed as above, but stop before you restart the portal.
LDAPS: Setup
• Edit login-config.xml
  • Add the setting for SSL
  • Change the LDAP server protocol and port
• Extract the cert from OpenLDAP (unless the administrator already has it)
  • Run the openssl command
  • Grab the cert from the output and place it in a text file (example: ldaps.pem)
• Import the cert into JBoss
  • Run the keytool command
• Restart gwservices
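Added example (not a GroundWork script) covering the extract-and-import steps above in Python: it carves the PEM blocks out of a constructed `openssl s_client -showcerts` transcript, fingerprints the server certificate so it can be compared with what the directory administrator holds before it is trusted, rewrites the provider URL to ldaps:// on port 636, and builds the `keytool -import` command line. The certificate bodies in the transcript are not real certificates, and the keystore path in the usage line is a placeholder.

```python
"""Carve the server certificate out of `openssl s_client -showcerts` output,
fingerprint it, and build the keytool import and the ldaps:// provider URL
for the LDAPS slides.  Added example: the s_client transcript is
constructed (the certificate bodies are not real certificates), and the
keystore path used in the usage line is a placeholder."""
import base64
import hashlib
from urllib.parse import urlsplit

# Constructed sample of `openssl s_client -connect ldap.demo.com:636 -showcerts`.
# Block 0 is the server certificate; later blocks are the issuing chain.
SAMPLE_S_CLIENT_OUTPUT = """CONNECTED(00000003)
depth=1 CN = Demo Root CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:CN = ldap.demo.com
   i:CN = Demo Root CA
-----BEGIN CERTIFICATE-----
TUlJQjNqQ0NBVXVnQXdJQkFnSVVDT05TVFJVQ1RFRFNBTVBM
RQ==
-----END CERTIFICATE-----
 1 s:CN = Demo Root CA
   i:CN = Demo Root CA
-----BEGIN CERTIFICATE-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ldap.demo.com
issuer=CN = Demo Root CA
---
SSL handshake has read 1234 bytes and written 456 bytes
"""

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def extract_pem_certs(text):
    """Return each PEM block in order, BEGIN/END lines included, ready to be
    written to a file such as ldaps.pem."""
    certs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == BEGIN:
            current = [line]
        elif line == END and current is not None:
            current.append(line)
            certs.append("\n".join(current) + "\n")
            current = None
        elif current is not None:
            current.append(line)
    return certs


def pem_to_der(pem):
    """Decode the base64 body between the BEGIN and END lines."""
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    return base64.b64decode(body)


def fingerprint_sha256(pem):
    """SHA-256 of the DER bytes in the colon-separated form that
    `openssl x509 -fingerprint -sha256` prints.  Confirm it with the directory
    administrator before importing: a certificate taken off the wire is only
    trustworthy once its fingerprint has been verified out of band."""
    digest = hashlib.sha256(pem_to_der(pem)).digest()
    return ":".join("%02X" % b for b in digest)


def ldaps_provider_url(ldap_url):
    """Rewrite java.naming.provider.url from ldap://host:389 to ldaps://host:636
    (a non-default port is kept)."""
    parts = urlsplit(ldap_url)
    if parts.scheme != "ldap" or not parts.hostname:
        raise ValueError("expected an ldap://host[:port] URL, got %r" % ldap_url)
    port = 636 if parts.port in (None, 389) else parts.port
    return "ldaps://%s:%d" % (parts.hostname, port)


def keytool_import_command(pem_path, alias, keystore, storepass="changeit"):
    """argv for importing the PEM as a trusted certificate into the keystore the
    JBoss JVM reads ('changeit' is the default Java truststore password)."""
    return ["keytool", "-import", "-trustcacerts", "-noprompt", "-alias", alias,
            "-file", pem_path, "-keystore", keystore, "-storepass", storepass]


if __name__ == "__main__":
    server_pem = extract_pem_certs(SAMPLE_S_CLIENT_OUTPUT)[0]
    with open("ldaps.pem", "w") as fh:
        fh.write(server_pem)
    print("SHA256 fingerprint:", fingerprint_sha256(server_pem))
    print(ldaps_provider_url("ldap://ad.demo.com:389"))
    # /path/to/jboss/cacerts is a placeholder for the truststore the JBoss JVM uses.
    print(" ".join(keytool_import_command("ldaps.pem", "gwldaps", "/path/to/jboss/cacerts")))
```

The first PEM block in s_client output is the server's own certificate; the blocks after it are the chain, which is why the usage line imports only block 0. Taking the fingerprint before the keytool step is the check that makes "grab the cert from the output" safe: it ties the certificate you are about to trust to the one the LDAP administrator actually issued.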
Troubleshooting
If the LDAP logins do not work:
• Check the framework.log file for startup errors. A simple problem with an XML tag can keep a module from loading and working.
• Enable debug for the org.jboss.security class, and look in framework.log for JNDI error and debug messages. Errors will be in the form of Java exceptions.
• Double-check that you can log in with an LDAP client using the LDAP auth user and password as entered in login-config.xml. Also check a test user in the user context.
• Log files in AD and OpenLDAP may also give clues.
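As an added example (constructed log lines, not a GroundWork tool), the triage below applies the checks on this slide to a framework.log excerpt: it spots the XML parse failure that stops a module from loading, and maps the JNDI exceptions to the login-config.xml settings they usually implicate, using the standard LDAP result-code meanings (49 invalidCredentials, 32 noSuchObject) and the Java SSL handshake failure that appears when the LDAPS certificate was never imported.

```python
"""Triage the framework.log checks from the troubleshooting slide: pick out
JNDI/LDAP exceptions and XML parse failures and say which login-config.xml
setting each usually points at.  Added example: the log lines are
constructed, and the hints are general JNDI and LDAP result-code meanings
rather than GroundWork-specific diagnostics."""
import re

# Constructed framework.log excerpt (log4j-style lines).  The message texts
# mimic what the JDK's LDAP provider and JBoss's XML loader emit.
SAMPLE_LOG = """2009-06-01 10:15:02,118 INFO  [org.jboss.security.auth.login.XMLLoginConfigImpl] Loading login-config.xml
2009-06-01 10:15:02,340 ERROR [org.jboss.security.auth.login.XMLLoginConfigImpl] org.xml.sax.SAXParseException: The element type "module-option" must be terminated by the matching end-tag "</module-option>".
2009-06-01 10:21:44,902 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Logging into LDAP server, env={java.naming.provider.url=ldap://ad.demo.com:389}
2009-06-01 10:21:44,903 ERROR [org.jboss.security.auth.spi.LdapExtLoginModule] javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
2009-06-01 10:22:10,014 ERROR [org.jboss.security.auth.spi.LdapExtLoginModule] javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'ou=GWUser,dc=demo,dc=com'
2009-06-01 10:23:05,777 ERROR [org.jboss.security.auth.spi.LdapExtLoginModule] javax.naming.CommunicationException: ad.demo.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed]
"""

# (pattern, kind, hint); the first matching rule wins, so the SSL rule sits
# above the generic connection rule that would otherwise swallow it.
RULES = [
    (r"org\.xml\.sax\.SAXParseException", "xml",
     "login-config.xml did not parse, so the login module never loaded: fix the XML tag and restart gwservices"),
    (r"SSLHandshakeException|PKIX path building failed", "truststore",
     "LDAPS handshake failed: the server certificate is not in the keystore the JBoss JVM trusts (keytool import)"),
    (r"javax\.naming\.CommunicationException", "connect",
     "cannot reach the directory: check the host, port and protocol in java.naming.provider.url"),
    (r"javax\.naming\.AuthenticationException|LDAP: error code 49\b", "bind",
     "bind rejected (LDAP result 49, invalidCredentials): check bindDN/bindCredential, or the test user's password"),
    (r"javax\.naming\.NameNotFoundException|LDAP: error code 32\b", "context",
     "a DN does not exist (LDAP result 32, noSuchObject): check baseCtxDN and rolesCtxDN for typos"),
]
_EXC = re.compile(r"((?:javax\.naming|org\.xml\.sax|javax\.net\.ssl)\.\w+)")


def triage(log_text):
    """Return one finding per log line that matches a rule:
    {"line": n, "kind": ..., "exception": ..., "hint": ...}."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for pattern, kind, hint in RULES:
            if re.search(pattern, line):
                exc = _EXC.search(line)
                findings.append({"line": n, "kind": kind,
                                 "exception": exc.group(1) if exc else None, "hint": hint})
                break
    return findings


def kinds(log_text):
    """Just the ordered list of problem kinds, for a quick summary."""
    return [f["kind"] for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("line %d [%s] %s\n    -> %s" % (f["line"], f["kind"], f["exception"], f["hint"]))
```

Point it at the real file with triage(open("framework.log").read()) after enabling debug for org.jboss.security; the result-32 line in the sample also shows why the slide says to re-check the contexts, since the remaining-name DN there is a one-character typo of the ou=GWUsers container.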
Thank you
GroundWork Open Source, Inc.
139 Townsend Street, Suite 500
San Francisco, CA 94107
Phone: 415.992.4500
Website: www.gwos.com
Email: info@gwos.com
GroundWork Subscription Support: support.gwos.com