Appboard/old/ldap configuration: Difference between revisions

imported>Cmace
(copied from internalwiki)
 
imported>Jason.nicholls
(Replaced content with '{{DISPLAYTITLE:AppBoard LDAP Configuration}} {{Note|The enPortal interface is required to configure LDAP. Refer to the [[enportal/old/ldap_configuration|enPortal LDAP Config…')
Line 1: Line 1:
This page provides information about configuring LDAP with AppBoard.
{{DISPLAYTITLE:AppBoard LDAP Configuration}}


 
{{Note|The enPortal interface is required to configure LDAP. Refer to the
== Introduction to LDAP ==
[[enportal/old/ldap_configuration|enPortal LDAP Configuration]] page for more information.}}
 
Many modern applications make use of the same concepts of Users, Roles, and Domains that are used in AppBoard/enPortal. It is not efficient to replicate the same lists of Users, Domains, and Roles in each application. Also, such lists would be difficult to maintain and keep in sync with one another.
 
 
LDAP is Lightweight Directory Access Protocol. It provides a service for storing and managing directories of items such as Users and Roles. It also provides simple interfaces for applications to access this information. This enables an organization to store all of this information in one centralized location.
 
 
The LDAP Configuration Wizard is a tool in AppBoard for setting up Domains or Roles to be managed externally by an LDAP server.
 
 
== Accessing the LDAP Configuration Wizard ==
 
Perform the following steps to access the LDAP Configuration Wizard:
 
 
# Log in to the AppBoard Builder as an administrator.
# In the <b>Builder Modes</b> panel, click <b>Settings</b>.  The <b>System Configuration</b> panel is displayed.
# In the <b>System Configuration</b> panel, do one of the following:
## Click the <b>User Management</b> button and select the option on the <b>User Management</b> screen to <b>Add LDAP Managed Domain</b>
## Click the <b>Stack Assignment</b> button and select the option on the <b>Stack Assignment</b> screen to <b>Add Roles from LDAP</b>
 
 
== Configuring LDAP Repositories ==
 
After selecting either <b>Add LDAP Managed Domain</b> or <b>Add Roles from LDAP</b>, perform the following steps to configure an LDAP Repository:
 
# On the <b>Repositories</b> screen, click the green "+" and enter the <b>LDAP Repository Name</b>
# Fill in the following values in the <b>Configuration</b> panel:
#* <b>Repository Name</b> - This displays the Repository Name for informational purposes, and cannot be edited. It is a unique name used to identify an LDAP Server that has been mapped into AppBoard.
#* <b>Repository URL</b> - The URL where the LADP Repository can be accessed by AppBoard. This URL will typically begin with "ldap://". Example: "ldap://192.168.155.165:389"
#* <b>User DN</b> - Enter the Distinguished Name of the user with permission to log in and query the LDAP server. If unspecified, the anonymous account will be used.  This account should have read-only access to the repository information needed for synchronization. Example: "uid=LimitedAdmin,ou=System,ou=Users,dc=private,dc=abc"
#* <b>Password</b> - Enter the Password of the user with permission to log in and query the LDAP server
#* <b>Factory</b> - The Java class used by JNDI to talk to the LDAP server. This is set by default to "com.sun.jndi.ldap.LdapCtxFactory" and should not be edited.
#* <b>Authentication Type</b> - Type of authentication that is used by the LDAP Server. This is set by default to "simple" and should not be edited.
#* <b>Admin Access</b> - If this box is unchecked, the Domains or Roles managed by the adapters in this Repository are set to ReadOnly via the admin user interface. Leaving this box unchecked prevents the following actions: Domain deletion, User creation, User deletion, Role creation, and Role deletion.
#* <b>Connection Timeout</b> - Defines a fixed period of time to attempt to connect with the LDAP Server. This is typically only used in a redundant LDAP Server configuration. Enter the number of milliseconds to wait before aborting the connection attempt. The default value is 10,000.
 
== Configuring LDAP Managed Roles ==
 
{{Note|The Roles tab in the wizard is only provided when the wizard is launched from the <b>Stack Assignment</b> screen.}}
 
 
Perform the following steps to configure an LDAP Role:
 
 
# From the <b>Stack Assignment</b> screen, select the LDAP Repository for the LDAP Managed Roles (see above to create an LDAP Repository) and click Next to go to the <b>Roles</b> panel.
# <b>+</b> - Click the green "+" and enter the <b>LDAP Root Role</b> Name
# Fill in the following values in the <b>Configuration</b> panel:
#* <b>Search Base</b> - Identifies a unique node in an LDAP Directory resource to perform the search for Roles. This does not include the host, port, and baseURL identified by LDAPDefinition element. Example: "ou=Solutions,ou=Applications,dc=private,dc=abc"
#* <b>Search Filter</b> - Defines a filter for retrieving users from the LDAP repository. Example: "ou=company.com"
#* <b>Search Scope</b> - Defines whether to search only within the location identified by the base or if the search should look deeply into the location identified by the base. Example: "subTree"
#* <b>Role ID Attribute Key</b> - The LDAP attribute that identifies the name of LDAP Roles. Example: "businessCategory"
#* <b>Role Class</b> - Allows a filter to be placed on the type of LDAP objects that are to be Roles. Example: "groupOfNames"
#* <b>Domain/User Assignment Attribute Key</b> - The LDAP attribute that assigns Roles to Users and/or Domains. Example: "member"
#* <b>Max Number of Roles to Import</b> - The largest number of Roles to import from the LDAP Repository into AppBoard. This can be used when testing against a Repository with a large number of Roles. This attribute has a default of 0, which indicates that all entries should be returned.  Note the LDAP Server also has configuration settings that may limit the number of entries returned, which, if exceeded, throws a Naming exception.
#* <b>Max Search Time</b> - How long to wait for the search to be performed (in milliseconds).  This attribute has a default of 0, which means to wait indefinitely. Note: the LDAP Server also has configuration settings that may limit how long it will try to run a request before throwing a Naming exception.
 
== Configuring LDAP Managed Domains ==
 
 
{{Note|The Domains tab in the wizard is only provided when the wizard is launched from the <b>User Management</b> screen.}}
 
 
Perform the following steps to configure an LDAP Domain:
 
 
# From the <b>User Management</b> screen, select the LDAP Repository for the LDAP Managed Domain (see above to create an LDAP Repository) and click Next to go to the <b>Domains</b> panel.
# <b>+</b> - Click the green "+" and enter the <b>LDAP Domain Name</b>
# Fill in the following values in the <b>Configuration</b> panel:
#* <b>Search Base</b> - Identifies a unique node in an LDAP Directory resource to perform the search for Users. This does not include the host, port, and baseURL identified by LDAPDefinition element. Example: "ou=Customer,ou=Users,dc=private,dc=abc"
#* <b>Pluggable Authenticator</b> -  The pluggable authentication that will be used by AppBoard to authenticate any user within this domain.  Note: This is the fully qualified Java class that must implement the com.edgetech.eportal.session.SessionAuthenticator interface. Use "com.edgetech.eportal.session.impl.LDAPSessionAuthenticatorExtendedWithLazyLoad" by default.
#* <b>Search Filter</b> - Defines a filter for retrieving users from the LDAP repository. Example: "mail=*company.com"
#* <b>Search Scope</b> - Defines whether to search only within the location identified by the base or if the search should look deeply into the location identified by the base. Example: Recursive
#* <b>User ID Attribute Key</b> - The LDAP attribute that identifies the names of LDAP Users. Example: "mail"
#* <b>User Class</b> - Allows a filter to be placed on the type of LDAP objects that are interpreted as Users. Example: "inetOrgPerson"
#* <b>Remove UID Prefix</b> - For cases where LDAP uids include prefix characters that should be removed before creating the enportal userIDs. This attribute should seldom need to be used.
#* <b>Remove UID Suffix</b> - For cases where LDAP uids include domain info such as an email address.  This enables the AppBoard userid to only be the username portion of the email address. Example: jadams@company.com and uidSuffix="company.com" then the AppBoard user name would be jadams.
#* <b>Default Role</b> - The AppBoard Role to assign to this Domain. All users in this Domain will inherit this Role assignment.
#* <b>Authentication Type</b> - Type of authentication that is used by the LDAP Server. Use "simple" by default.
#* <b>Session Lease</b> - The time in seconds until the current session will expire from lack of use.  This is in the context of AppBoard sessions for users in this Domain.
#* <b>Session Extension</b> - The number of seconds relative to the current time for which to extend the AppBoard session for users in this Domain as they use the AppBoard system.
#* <b>Max Number of Users to Import</b> - The largest number of Users to import from the LDAP Repository into AppBoard. This can be used when testing against a Repository with a large number of User accounts. This attribute has a default of 0, which indicates that all entries should be returned.  Note the LDAP Server also has configuration settings that may limit the number of entries returned, which, if exceeded, throws a Naming exception.
#* <b>Max Search Time</b> - How long to wait for the search to be performed (in milliseconds).  This attribute has a default of 0, which means to wait indefinitely. Note: the LDAP Server also has configuration settings that may limit how long it will try to run a request before throwing a Naming exception.

Revision as of 17:57, 17 July 2014


Template-note.png
The enPortal interface is required to configure LDAP. Refer to the enPortal LDAP Configuration page for more information.