You can configure access control (ACL) so that users are authenticated against an LDAP server instead of the DevTest database. Authorization (the roles and permissions a user holds) continues to come from the DevTest database. The ACL administrator should work with the LDAP administrator to choose values for the properties described below.
Note: When you configure ACL to use the LDAP server, users can log in only with accounts that exist in the LDAP directory. The standard (built-in) DevTest user accounts can no longer be used to log in to a DevTest UI or CLI.
If LDAP authenticates the user successfully and the user does not yet exist in the DevTest database, the user is added to the database automatically and receives the default role described below.
During the configuration process, you add the following properties:
lisa.acl.ldap.ldapUrl: The URL of the LDAP server.
lisa.acl.ldap.securityPrincipal: The distinguished name of the security principal, that is, the account the registry uses to bind to the LDAP server.
lisa.acl.ldap.securityCredential: The password of the security principal. When the registry starts, it appends the string _enc to the property name and encrypts the value, so the clear-text password remains in the file only until the registry is first started.
lisa.acl.ldap.securityAuthentication: The security level to use. The valid values are none and simple. If you set the value to none, the LDAP authentication call ignores the password that the user provides and validates only the user name; anyone who knows a valid user name can then log in, so use none only where that is acceptable. With none you also do not need the lisa.acl.ldap.securityPrincipal and lisa.acl.ldap.securityCredential properties. If you set the value to simple, both the user name and the password are validated. Simple authentication passes the password in clear text, so protect the connection between the registry and the LDAP server.
lisa.acl.ldap.baseContext: The distinguished name of the node where the user search begins.
lisa.acl.ldap.userSearchFilter: The search filter that specifies the object class for user entries, for example (objectClass=user).
lisa.acl.ldap.usernameAttribute: The attribute that holds the user name, for example sAMAccountName.
lisa.acl.ldap.userSearchAllDepths: Whether to search all the subnodes below the base context. The valid values are true and false.
lisa.acl.ldap.lisaDefaultRole: The role assigned to a user who is added to the DevTest database after successful authentication. If you omit this property, the default role is Guest. Every LDAP user who can authenticate receives this role, so choose it deliberately; the example below grants DevTest Administrator to all such users.
If the LDAP server uses referrals, a further property (not shown in the example below) specifies how referrals are handled. The valid values are follow, ignore, and throw. If you omit this property, the default value is follow.
Note: If the properties file also contains lisa.acl.auth.enabled=true, LDAP authentication does not work properly. Remove or comment out the lisa.acl.auth.enabled property.
LDAP authentication uses the same login dialogs that are provided for the default ACL module.
Add the properties to the properties file. The following example uses simple authentication and grants the DevTest Administrator role to every user that LDAP authenticates:
lisa.acl.auth.module.impl=com.itko.lisa.acl.custom.BaseLDAPAuthenticationModule
lisa.acl.ldap.ldapUrl=ldap://172.24.255.255:389
lisa.acl.ldap.securityPrincipal=CN=admin,OU=users,DC=example,DC=com
lisa.acl.ldap.securityCredential=adminpwd
lisa.acl.ldap.securityAuthentication=simple
lisa.acl.ldap.baseContext=OU=users,DC=example,DC=com
lisa.acl.ldap.userSearchFilter=(objectClass=user)
lisa.acl.ldap.usernameAttribute=sAMAccountName
lisa.acl.ldap.userSearchAllDepths=true
lisa.acl.ldap.lisaDefaultRole=DevTest Administrator
For more information about adding LDAP users to the DevTest database, see "Authorize Users Authenticated by LDAP".
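The following Python script is added here as an illustration; it is not part of DevTest or of this page. It parses a properties file and flags the settings the text above warns about: lisa.acl.auth.enabled=true alongside the LDAP module, securityAuthentication=none (passwords never checked), a clear-text securityCredential that the registry has not yet replaced with securityCredential_enc, an administrative lisaDefaultRole, and simple authentication over ldap://. The sample file is constructed (the page's example with securityAuthentication=none and lisa.acl.auth.enabled=true added), the severity labels are the script's own, and the ldap:// and "administrator" checks are heuristics rather than DevTest rules.

```python
import re

LDAP_MODULE = "com.itko.lisa.acl.custom.BaseLDAPAuthenticationModule"

# Constructed sample, not a real deployment: the page's example with the
# weak settings this audit is meant to catch (assumed values).
SAMPLE_PROPERTIES = """\
# ACL / LDAP settings (constructed sample)
lisa.acl.auth.enabled=true
lisa.acl.auth.module.impl=com.itko.lisa.acl.custom.BaseLDAPAuthenticationModule
lisa.acl.ldap.ldapUrl=ldap://172.24.255.255:389
lisa.acl.ldap.securityPrincipal=CN=admin,OU=users,DC=example,DC=com
lisa.acl.ldap.securityCredential=adminpwd
lisa.acl.ldap.securityAuthentication=none
lisa.acl.ldap.baseContext=OU=users,DC=example,DC=com
lisa.acl.ldap.userSearchFilter=(objectClass=user)
lisa.acl.ldap.usernameAttribute=sAMAccountName
lisa.acl.ldap.userSearchAllDepths=true
lisa.acl.ldap.lisaDefaultRole=DevTest Administrator
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value (or key:value) per line,
    '#' and '!' comment lines and blank lines skipped, later keys win."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit_ldap_acl(props):
    """Return (severity, message) findings for the settings the page warns about.
    Severity labels are this checker's own, not DevTest terminology."""
    findings = []
    if props.get("lisa.acl.auth.module.impl") != LDAP_MODULE:
        return [("info", "BaseLDAPAuthenticationModule is not configured; nothing to audit")]

    # Page note: lisa.acl.auth.enabled=true breaks LDAP authentication.
    if props.get("lisa.acl.auth.enabled", "").lower() == "true":
        findings.append(("high", "lisa.acl.auth.enabled=true conflicts with LDAP authentication; remove or comment it out"))

    auth = props.get("lisa.acl.ldap.securityAuthentication", "").lower()
    if auth == "none":
        findings.append(("high", "securityAuthentication=none: the user's password is never checked, any known user name logs in"))
    elif auth == "simple":
        for key in ("lisa.acl.ldap.securityPrincipal", "lisa.acl.ldap.securityCredential"):
            if key not in props and key + "_enc" not in props:
                findings.append(("high", f"{key} is required when securityAuthentication=simple"))
        # Heuristic: plain ldap:// URL with simple auth means clear-text passwords on the wire.
        if props.get("lisa.acl.ldap.ldapUrl", "").lower().startswith("ldap://"):
            findings.append(("medium", "simple authentication over ldap:// sends passwords in clear text; protect the link to the LDAP server"))
    else:
        findings.append(("high", f"securityAuthentication={auth or '<unset>'} is not valid; use none or simple"))

    # The registry encrypts the bind password into <name>_enc on startup; a plain
    # value still present means the file currently holds a clear-text secret.
    if "lisa.acl.ldap.securityCredential" in props:
        findings.append(("info", "lisa.acl.ldap.securityCredential is stored in clear text until the registry starts and writes securityCredential_enc"))

    # Every LDAP user who authenticates is auto-created with lisaDefaultRole.
    role = props.get("lisa.acl.ldap.lisaDefaultRole", "Guest")
    if "administrator" in role.lower():  # heuristic on the role name
        findings.append(("high", f"lisaDefaultRole={role!r}: every LDAP user who can authenticate becomes an administrator"))

    depth = props.get("lisa.acl.ldap.userSearchAllDepths", "")
    if depth and depth.lower() not in ("true", "false"):
        findings.append(("medium", f"userSearchAllDepths={depth!r} is not valid; use true or false"))
    return findings


def harden(props):
    """Apply only the fixes the page itself supports: drop the conflicting flag,
    require password validation, and fall back to the Guest default role."""
    fixed = dict(props)
    fixed.pop("lisa.acl.auth.enabled", None)
    fixed["lisa.acl.ldap.securityAuthentication"] = "simple"
    fixed["lisa.acl.ldap.lisaDefaultRole"] = "Guest"
    return fixed


if __name__ == "__main__":
    weak = parse_properties(SAMPLE_PROPERTIES)
    for sev, msg in audit_ldap_acl(weak):
        print(f"[{sev}] {msg}")
    print("--- after harden() ---")
    for sev, msg in audit_ldap_acl(harden(weak)):
        print(f"[{sev}] {msg}")
```

Run it against the properties file before starting the registry. harden() changes only what the page documents (removing lisa.acl.auth.enabled, selecting simple authentication, and reverting to the Guest default role); whether the connection to the LDAP server can be protected depends on your LDAP deployment and is left to the administrator.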
Copyright © 2014 CA Technologies.
All rights reserved.