Configuring Authentication based on LDAP or Active Directory service
Here's how to configure LDAP/AD authentication in MidVision's framework for Application Release Automation, RapidDeploy:
To use an external LDAP/AD user repository, set up each authentication configuration in %MV_HOME%/bin/rapiddeploy.properties.
The different LDAP/AD configuration scenarios are described in the sections below.
Note that the super user (mvadmin) login remains enabled in every configuration. You can use the super user to assign users imported from the directory service to any security group and role.
Active Directory Service Configuration
- Active Directory Authentication provider
Use class ActiveDirectoryAuthenticationProviderImpl for Active Directory authentication
Please use the following property to set this up:
authentication.provider.class=com.midvision.rapiddeploy.service.security.authentication.ActiveDirectoryAuthenticationProviderImpl
- External Authentication configuration
At login time, the authentication mode can be configured to enable or disable the automatic addition of a new user to RapidDeploy when authentication against the Active Directory service succeeds. If new user addition is set to false, the security administrator needs to add the user beforehand.
Please use the following property to enable/disable this:
rapiddeploy.security.authentication.add.new.user=true
Where:
- rapiddeploy.security.authentication.add.new.user enables or disables the addition of a new user from Active Directory. By default the value is true.
- LDAP Connection configuration
ldap.initial.context.factory=com.sun.jndi.ldap.LdapCtxFactory
ldap.provider.url=ldap://serverA:389/
ldap.security.authentication=simple
Where:
- ldap.provider.url is one URL of an LDAP/AD directory service, or several URLs of different LDAP/AD directory services separated by spaces.
- ldap.security.authentication is the authentication mode for the LDAP "bind" operation, e.g. "none" or "simple".
- Basic LDAP Authentication (Two steps, LDAP search and entry lookup)
ldap.security.principal.pattern=%s@company-domain
Where:
- ldap.security.principal.pattern is the Active Directory pattern used to identify users. The "%s" is replaced by the login user ID. For example, with the pattern above, logging in with the RD user ID "mvuser" will attempt to authenticate against AD as "mvuser@company-domain".
LDAP Directory Service Configuration
- LDAP Authentication provider
Use class LdapAuthenticationProviderImpl for Basic LDAP authentication (One step LDAP entry lookup)
Please use the following property to set this up:
authentication.provider.class=com.midvision.rapiddeploy.service.security.authentication.LdapAuthenticationProviderImpl
Use class TwoStepsLdapAuthenticationProviderImpl for Two Steps LDAP authentication (Two steps, LDAP search and entry lookup)
Please use the following property to set this up:
authentication.provider.class=com.midvision.rapiddeploy.service.security.authentication.TwoStepsLdapAuthenticationProviderImpl
- External Authentication configuration
At login time, the authentication mode can be configured to enable or disable the automatic addition of a new user to the RD database when authentication against the LDAP directory service succeeds. If new user addition is set to false, the security administrator needs to add the user beforehand.
Additionally, once the user is authenticated and their LDAP attributes have been looked up, an extra group membership validation can be required for the authentication to succeed. This validation is based on the properties configured in the LDAP Search and LDAP Groups Membership sections explained below.
Please use the following property to enable/disable them:
rapiddeploy.security.authentication.add.new.user=true
rapiddeploy.security.authentication.allow.only.members=false
Where:
- rapiddeploy.security.authentication.add.new.user enables or disables the addition of a new user from the LDAP directory. By default the value is true.
- rapiddeploy.security.authentication.allow.only.members enables or disables the group membership validation against the LDAP directory at login time. This validation checks that the user has at least one group membership; otherwise authentication fails. By default the value is false.
- LDAP Synchronization on Authentication
During the first login of any LDAP user, synchronisation of the user's group memberships can be enabled or disabled. This operation is complementary and optional to the automatic addition of a new user from the LDAP directory service. The group information is looked up and synchronised from LDAP to RapidDeploy based on the properties configured in the LDAP Search, LDAP Groups Membership and LDAP Synchronisation sections explained below.
rapiddeploy.security.authentication.add.user.groups=false
rapiddeploy.security.authentication.update.user.groups=false
Where:
- rapiddeploy.security.authentication.add.user.groups enables or disables group membership synchronisation at login time for a new user imported from the LDAP directory. By default the value is false.
- rapiddeploy.security.authentication.update.user.groups enables or disables group membership synchronisation at login time when an existing user authenticates successfully against the LDAP directory. By default the value is false.
- LDAP Connection configuration
ldap.initial.context.factory=com.sun.jndi.ldap.LdapCtxFactory
ldap.provider.url=ldap://serverA:389/
ldap.security.authentication=simple
Where:
- ldap.provider.url is one URL of an LDAP/AD directory service, or several URLs of different LDAP/AD directory services separated by spaces.
- ldap.security.authentication is the authentication mode for the LDAP "bind" operation, e.g. "none" or "simple".
- Basic LDAP Authentication (One step LDAP entry lookup)
ldap.security.principal.pattern=uid=%s,ou=Users,dc=company,dc=com
Where:
- ldap.security.principal.pattern is the path in the LDAP tree used to identify users. The "%s" is replaced by the login user ID. For example, with the pattern above, logging in as "mvuser" performs a "bind" operation against the DN "uid=mvuser,ou=Users,dc=company,dc=com".
- LDAP Search
ldap.security.search.principal=cn=Manager
ldap.security.search.credentials={_MV@ENC#_}MrYCMEv6Wtg=
Where:
- ldap.security.search.principal is the principal DN of the user used for search operations in the LDAP directory. The LDAP directory administrator must grant this user permission to search.
- ldap.security.search.credentials is the credential (password) of the search user. It can be set in plain text or encrypted with the Property Encryption tool: enter the principal DN as the property key and the credential as the property value, then copy and paste the tool's output into this property.
- Two Steps LDAP Authentication (Two steps, LDAP search and entry lookup)
ldap.security.search.user.dn=dc=company,dc=com
ldap.security.search.user.filter.pattern=(&(objectClass=organizationalPerson)(uid=%s))
Where:
- ldap.security.search.user.dn is the base DN where the user search is executed. The value can contain more than one DN to search, separated by the "|" character.
- ldap.security.search.user.filter.pattern is the filter used to look up the user, written in LDAP search filter syntax. The "%s" in the pattern is replaced by the login user ID (the pattern above matches it against the uid attribute).
- LDAP Groups Membership
ldap.security.search.member.dn=dc=company,dc=com
ldap.security.search.member.filter.pattern=(&(objectClass=groupOfNames)(member=%s))
ldap.security.search.member.nested.groups.enabled=false
Where:
- ldap.security.search.member.dn is the base DN where the group membership search is executed. The value can contain more than one DN to search, separated by the "|" character.
- ldap.security.search.member.filter.pattern is the filter used to look up group memberships, written in LDAP search filter syntax. The "%s" in the pattern is replaced by the DN of the logged-in user's entry.
- ldap.security.search.member.nested.groups.enabled enables or disables the verification and import of nested groups, and optionally their synchronisation at login. By default the value is false.
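Added example (not part of the page or of RapidDeploy) showing how the "%s" placeholders in the principal pattern, the user search filter and the member filter above expand for a given login, with RFC 4515 filter escaping and RFC 4514 DN escaping applied to the substituted value, a split of the space-separated ldap.provider.url list and of the "|" separated base DNs, and a check that flags plain ldap:// servers. The property values and the escaping behaviour are assumptions; the page does not state how RapidDeploy itself escapes the substituted value.

```python
# Added example (not RapidDeploy code): expand the "%s" placeholders from the
# properties above with RFC 4515 / RFC 4514 escaping, so a login ID cannot alter
# the shape of the filter or DN it is substituted into. The escaping and the
# ldaps:// check are assumptions about what a hardened provider should do.
import re

PROPS = {  # constructed sample of the properties discussed above
    "ldap.provider.url": "ldap://serverA:389/ ldaps://serverB:636/",
    "ldap.security.principal.pattern": "uid=%s,ou=Users,dc=company,dc=com",
    "ldap.security.search.user.dn": "dc=company,dc=com|ou=Ext,dc=company,dc=com",
    "ldap.security.search.user.filter.pattern":
        "(&(objectClass=organizationalPerson)(uid=%s))",
    "ldap.security.search.member.filter.pattern":
        "(&(objectClass=groupOfNames)(member=%s))",
}
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """RFC 4515: escape the characters that are special inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def escape_dn_value(value):
    """RFC 4514: escape the characters that are special inside a DN component."""
    return re.sub(r'([,+"\\<>;=#])', r"\\\1", value)

def provider_urls(props):
    """Split the space-separated ldap.provider.url list; reject odd schemes."""
    urls = props["ldap.provider.url"].split()
    bad = [u for u in urls if not re.fullmatch(r"ldaps?://[^/\s]+/?", u)]
    if bad:
        raise ValueError(f"unexpected provider URL(s): {bad}")
    return urls

def insecure_urls(props):
    """Plain ldap:// servers receive the simple-bind password in clear text."""
    return [u for u in provider_urls(props) if u.startswith("ldap://")]

def search_bases(props, key):
    """The '|' separated list of base DNs used by the search properties."""
    return [dn.strip() for dn in props[key].split("|") if dn.strip()]

def bind_dn(props, login_id):
    """One-step auth: %s in the principal pattern is the login ID."""
    return props["ldap.security.principal.pattern"].replace("%s", escape_dn_value(login_id))

def user_filter(props, login_id):
    """Two-step auth: filter used to locate the user's entry before binding."""
    pattern = props["ldap.security.search.user.filter.pattern"]
    return pattern.replace("%s", escape_filter_value(login_id))

def member_filter(props, user_dn):
    """Group membership lookup: the resolved user DN goes into member=%s."""
    pattern = props["ldap.security.search.member.filter.pattern"]
    return pattern.replace("%s", escape_filter_value(user_dn))
```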
- LDAP Synchronisation
This section configures the User and Groups Synchroniser between the LDAP directory and the framework. It uses the LDAP search connection set in the LDAP Search section explained above.
This is a background process that lets the framework synchronise users, groups and user-group memberships one way, from LDAP to the RD database. User and group synchronisation can be enabled or disabled separately. The synchroniser execution period is defined in milliseconds. By default this background process is disabled.
There are three member synchronisation modes: user-group, group-user or none. The mode determines where the member attribute is read. The mode "none" disables membership synchronisation, which means users must be assigned to groups via the framework. The mode user-group reads group member attributes in user entries; group-user, conversely, reads user member attributes in group entries to assign users to groups. Each member attribute value must point to a user or group entry.
The synchroniser also enables or disables imported users and groups depending on whether their entry is still available in the LDAP directory.
The framework can manage both existing groups in the LDAP directory (LDAP type) and its own groups (RD type), which are persisted only in the database. LDAP type groups are imported and synchronised against the LDAP directory data, while RD type groups can be defined independently of LDAP changes.
Tip: if the framework security administrator wants to add users to an existing LDAP type group without changing the LDAP directory, they need to copy the existing group to a new one (RD type) and then add users to that group. Take into account that any change made in the LDAP directory data is synchronised only to the original LDAP type group, not to the new one, which must be updated manually.
ldap.sync.period=86400000
# User Sync
ldap.sync.users.enabled=false
ldap.sync.users.search.dn=ou=Users,dc=company,dc=com
ldap.sync.users.search.filter=(objectClass=inetOrgPerson)
ldap.sync.users.username.attribute=uid
ldap.sync.users.firstname.attribute=givenName
ldap.sync.users.lastname.attribute=sn
ldap.sync.users.desc.attribute=description
ldap.sync.users.email.attribute=mail
# Groups Sync
ldap.sync.groups.enabled=false
ldap.sync.groups.nested.enabled=false
ldap.sync.groups.search.dn=ou=Groups,dc=company,dc=com
ldap.sync.groups.search.filter=(objectClass=groupOfNames)
ldap.sync.groups.name.attribute=cn
ldap.sync.groups.desc.attribute=description
# Members Sync
ldap.sync.members.mode=none
ldap.sync.members.attribute=member
Where:
Common settings:
- ldap.sync.period is the time elapsed between synchronisation executions, in milliseconds (e.g. 86400000 ms = 24 hours).
Users settings:
- ldap.sync.users.enabled is for enabling or disabling the users synchronisation.
- ldap.sync.users.search.dn is the LDAP base DN where the synchroniser looks up users in the LDAP directory. The value can contain more than one DN to search, separated by the "|" character.
- ldap.sync.users.search.filter is the query used to filter users, in standard LDAP filter syntax.
- ldap.sync.users.username.attribute is the attribute read for the user ID value. If the attribute is absent, the default value defined in the security.default.users.username property is used instead.
- ldap.sync.users.firstname.attribute is the attribute read for the user's first name. If the attribute is absent, the default value defined in the security.default.users.firstname property is used instead.
- ldap.sync.users.lastname.attribute is the attribute read for the user's last name. If the attribute is absent, the default value defined in the security.default.users.lastname property is used instead.
- ldap.sync.users.desc.attribute is the attribute read for the user description. If the attribute is absent, the default value defined in the security.default.users.desc property is used instead.
- ldap.sync.users.email.attribute is the attribute read for the user's email address. If the attribute is absent, the default value defined in the security.default.users.email property is used instead.
Group settings:
- ldap.sync.groups.enabled is for enabling or disabling the groups synchronisation.
- ldap.sync.groups.nested.enabled is for enabling or disabling nested groups synchronisation.
- ldap.sync.groups.search.dn is the LDAP base DN where the synchroniser looks up groups in the LDAP directory. The value can contain more than one DN to search, separated by the "|" character.
- ldap.sync.groups.search.filter is the query used to filter groups, in standard LDAP filter syntax.
- ldap.sync.groups.name.attribute is the attribute read for the group name. If the attribute is absent, the default value defined in the security.default.groups.name property is used instead.
- ldap.sync.groups.desc.attribute is the attribute read for the group description. If the attribute is absent, the default value defined in the security.default.groups.desc property is used instead.
Member settings:
- ldap.sync.members.mode defines the member synchronisation mode (valid values: none | user-group | group-user). Use "none" for no membership synchronisation, "user-group" when group memberships are referenced in the user entry, or "group-user" when user members are referenced in the group entry.
- ldap.sync.members.attribute is the attribute read for the user or group member DN value.
RapidDeploy Initial Security Setup Example
Follow these steps to set up the initial RD security using default values.
- Change the RD properties to use an LDAP/AD authentication provider (Active Directory, Basic LDAP Authentication or Two Steps LDAP Authentication) as explained above.
- Start the RD application.
- Log in to RD as an LDAP user, using the user ID as the user name.
- Log out.
- Log in as the super user (mvadmin).
- Assign the Security Administrator privilege to the LDAP user added in the previous login.
- Log out.
- Log in with the LDAP user ID.
Adding new users from LDAP to RD
Users are added with the basic security privilege when their login succeeds. Use the LDAP user ID as the user name.
If the user should have other security privileges, ask the Security Administrator to change the user's security settings, such as roles and groups.
LDAP over SSL
Follow these steps to configure LDAP authentication over an SSL connection:
- In the RD configuration, change the ldap.provider.url property in the rapiddeploy.properties file to the form ldaps://hostname:SSL port/, for example:
ldap.provider.url=ldaps://localhost:10636/
- Add the LDAP server's CA certificate to the default KeyStore of the JDK that RD runs on, located at JRE_HOME/lib/security/jssecacerts; the default KeyStore password is "changeit". The alias of the certificate must be the same as the server hostname defined in the LDAP provider URL.
Command example:
JAVA_HOME/bin/keytool -import -trustcacerts -alias localhost -file certificate.crt -keystore JRE_HOME/lib/security/jssecacerts -storepass changeit
Example configuration for the User and Groups Synchroniser between the LDAP directory and the RD framework.
Set values in %MV_HOME%/bin/rapiddeploy.properties
#Sync every hour
ldap.sync.period=3600000
# User Sync
ldap.sync.users.enabled=true
ldap.sync.users.search.dn=ou=people, dc=nodomain
ldap.sync.users.search.filter=(objectClass=person)
ldap.sync.users.username.attribute=uid
ldap.sync.users.firstname.attribute=givenName
ldap.sync.users.lastname.attribute=sn
ldap.sync.users.desc.attribute=description
ldap.sync.users.email.attribute=mail
# Groups Sync
ldap.sync.groups.enabled=true
ldap.sync.groups.nested.enabled=false
ldap.sync.groups.search.dn=ou=groups, dc=nodomain
ldap.sync.groups.search.filter=(objectClass=groupOfNames)
ldap.sync.groups.name.attribute=cn
ldap.sync.groups.desc.attribute=description
# Members Sync
ldap.sync.members.attribute=member
ldap.sync.members.mode=none
user-group mode: the user John Doe is a member of Users, Administrators and Deployers.
ldap.sync.members.mode=user-group
DN: uid=jdoe, ou=people, dc=nodomain
uid: jdoe
givenName: John
sn: Doe
description: John Doe
mail: jdoe@midvision.com
member: cn=Users, ou=groups, dc=nodomain
member: cn=Administrators, ou=groups, dc=nodomain
member: cn=Deployers, ou=groups, dc=nodomain
---
DN: cn=Users, ou=groups, dc=nodomain
cn: Users
description: Group for Users
---
DN: cn=Administrators, ou=groups, dc=nodomain
cn: Administrators
description: Group for Administrators
---
DN: cn=Deployers, ou=groups, dc=nodomain
cn: Deployers
description: Group for Deployers
group-user mode: the groups Users, Administrators and Deployers have the user John Doe as a member.
ldap.sync.members.mode=group-user
DN: uid=jdoe, ou=people, dc=nodomain
uid: jdoe
givenName: John
sn: Doe
description: John Doe
mail: jdoe@midvision.com
---
DN: cn=Users, ou=groups, dc=nodomain
cn: Users
description: Group for Users
member: uid=jdoe, ou=people, dc=nodomain
---
DN: cn=Administrators, ou=groups, dc=nodomain
cn: Administrators
description: Group for Administrators
member: uid=jdoe, ou=people, dc=nodomain
---
DN: cn=Deployers, ou=groups, dc=nodomain
cn: Deployers
description: Group for Deployers
member: uid=jdoe, ou=people, dc=nodomain
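Added example (not RapidDeploy code) that reads the two directory layouts above as LDIF-style records and resolves John Doe's memberships under ldap.sync.members.mode=user-group and group-user, keeping a list of member references that point at no synchronised entry. The records, the dangling "uid=ghost" reference and the resolution logic are constructed assumptions, not the synchroniser's own implementation.

```python
# Added example (not RapidDeploy code): resolve membership from directory entries
# under each ldap.sync.members.mode; the LDIF records are constructed sample data.

USER_GROUP_LDIF = """\
dn: uid=jdoe,ou=people,dc=nodomain
uid: jdoe
member: cn=Users,ou=groups,dc=nodomain
member: cn=Administrators,ou=groups,dc=nodomain

dn: cn=Users,ou=groups,dc=nodomain
cn: Users
"""

GROUP_USER_LDIF = """\
dn: uid=jdoe,ou=people,dc=nodomain
uid: jdoe

dn: cn=Deployers,ou=groups,dc=nodomain
cn: Deployers
member: uid=jdoe,ou=people,dc=nodomain
member: uid=ghost,ou=people,dc=nodomain
"""

def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr: [values]}} (no folding, no base64)."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None                      # a blank line ends the record
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def sync_members(entries, mode, member_attr="member",
                 users_base="ou=people,dc=nodomain", groups_base="ou=groups,dc=nodomain"):
    """Return ({user_dn: sorted group DNs}, member refs that resolve to no entry)."""
    users = {dn for dn in entries if dn.endswith("," + users_base)}
    groups = {dn for dn in entries if dn.endswith("," + groups_base)}
    if mode == "user-group":        # group DNs are listed in the user entry
        pairs = [(u, r) for u in users for r in entries[u].get(member_attr, [])]
    elif mode == "group-user":      # user DNs are listed in the group entry
        pairs = [(r, g) for g in groups for r in entries[g].get(member_attr, [])]
    elif mode == "none":            # membership is assigned inside RD only
        pairs = []
    else:
        raise ValueError(f"invalid ldap.sync.members.mode: {mode}")
    membership, unresolved = {u: set() for u in users}, []
    for user, group in pairs:
        if user in users and group in groups:
            membership[user].add(group)
        else:
            unresolved.append((user, group))  # points outside the synced trees
    return {u: sorted(g) for u, g in membership.items()}, unresolved
```

Running the wrong mode against a layout (e.g. user-group against the group-user records) resolves no membership at all, which is the first thing to check when synchronised users arrive with empty groups.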