Here's how to configure LDAP/AD authentication in MidVision's framework for Application Release Automation, RapidDeploy:
To use an external LDAP/AD user repository, set up each authentication configuration in %MV_HOME%/bin/rapiddeploy.properties.
Please check here for different LDAP/AD configuration scenarios.
Note that super user (mvadmin) login remains enabled in every configuration. You can use the super user to assign users imported from directory services to any security group and role.
Use class ActiveDirectoryAuthenticationProviderImpl for Active Directory authentication
Please use the following property to set this up:
authentication.provider.class=com.midvision.rapiddeploy.service.security.authentication.ActiveDirectoryAuthenticationProviderImpl
The authentication mode at login time can be configured to enable or disable the automatic addition of a new user in RapidDeploy when authentication against the Active Directory directory service succeeds. If new user addition is set to false, the security administrator needs to add the user beforehand.
Please use the following property to enable/disable this:
rapiddeploy.security.authentication.add.new.user=true
Where:
ldap.initial.context.factory=com.sun.jndi.ldap.LdapCtxFactory
ldap.provider.url=ldap://serverA:389/
ldap.security.authentication=simple
Where:
ldap.security.principle.pattern=%s@company-domain
Where:
Use class LdapAuthenticationProviderImpl for Basic LDAP authentication (One step LDAP entry lookup)
Please use the following property to set this up:
authentication.provider.class=com.midvision.rapiddeploy.service.security.authentication.LdapAuthenticationProviderImpl
Use class TwoStepsLdapAuthenticationProviderImpl for Two Steps LDAP authentication (Two steps, LDAP search and entry lookup)
Please use the following property to set this up:
authentication.provider.class=com.midvision.rapiddeploy.service.security.authentication.TwoStepsLdapAuthenticationProviderImpl
The authentication mode at login can be configured to enable or disable the automatic addition of a new user in the RD database when authentication against the LDAP directory service succeeds. If new user addition is set to false, the security administrator needs to add the user beforehand.
Additionally, once the user is authenticated and their LDAP attributes have been looked up, an extra user group membership validation can be required for the authentication to succeed. This validation is based on the properties configured in the LDAP Search and LDAP Groups Membership sections explained below.
Please use the following property to enable/disable them:
rapiddeploy.security.authentication.add.new.user=true
rapiddeploy.security.authentication.allow.only.members=false
Where:
During the first login of any LDAP user, group membership synchronisation can be enabled or disabled. This operation is complementary and optional to the automatic addition of a new user from the LDAP directory service. The group information is looked up and synchronised from LDAP to RapidDeploy based on the properties configured in the LDAP Search, LDAP Groups Membership and LDAP Synchronisation sections explained below.
rapiddeploy.security.authentication.add.user.groups=false
rapiddeploy.security.authentication.update.user.groups=false
Where:
ldap.initial.context.factory=com.sun.jndi.ldap.LdapCtxFactory
ldap.provider.url=ldap://serverA:389/
ldap.security.authentication=simple
Where:
ldap.security.principle.pattern=uid=%s,ou=Users,dc=company,dc=com
Where:
ldap.security.search.principal=cn=Manager
ldap.security.search.credentials={_MV@ENC#_}MrYCMEv6Wtg=
Where:
ldap.security.search.user.dn=dc=company,dc=com
ldap.security.search.user.filter.pattern=(&(objectClass=organizationalPerson)(uid=%s))
Where:
ldap.security.search.member.dn=dc=company,dc=com
ldap.security.search.member.filter.pattern=(&(objectClass=groupOfNames)(member=%s))
ldap.security.search.member.nested.groups.enabled=false
Where:
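As an added illustration (not RapidDeploy's own code), the following Python models the two-step login flow that the properties above describe, run against a small in-memory directory so it executes offline: bind as the search principal and look up the user's entry with ldap.security.search.user.filter.pattern, bind as the located DN with the user's password, and, when rapiddeploy.security.authentication.allow.only.members=true, require at least one hit from ldap.security.search.member.filter.pattern. The directory contents, the plain-text search credentials, the property file text and the helper functions are all constructed for this example; the one point it adds is that the value substituted into the filter's %s is escaped per RFC 4515 and the lookup is rejected unless it matches exactly one entry.

```python
import hmac
import re
from dataclasses import dataclass, field


def parse_properties(text: str) -> dict:
    """Minimal java.util.Properties reader: key=value per line, '#' starts a comment."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for anything substituted into a filter's %s, so a
    username such as '*' or 'a)(uid=b' is matched literally, never as syntax."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


# Constructed copy of the search-related keys from this page. The real file
# holds the credentials in the {_MV@ENC#_} encrypted form, not plain text.
PROPERTIES_TEXT = """
ldap.security.search.principal=cn=Manager
ldap.security.search.credentials=s3cret
ldap.security.search.user.dn=dc=company,dc=com
ldap.security.search.user.filter.pattern=(&(objectClass=organizationalPerson)(uid=%s))
ldap.security.search.member.dn=dc=company,dc=com
ldap.security.search.member.filter.pattern=(&(objectClass=groupOfNames)(member=%s))
rapiddeploy.security.authentication.allow.only.members=true
"""
PROPS = parse_properties(PROPERTIES_TEXT)

# Constructed in-memory directory standing in for the LDAP server.
DIRECTORY = [
    {"dn": "cn=Manager", "objectClass": ["simpleSecurityObject"], "userPassword": ["s3cret"]},
    {"dn": "uid=jdoe,ou=Users,dc=company,dc=com", "objectClass": ["organizationalPerson"],
     "uid": ["jdoe"], "userPassword": ["jdoe-pw"]},
    {"dn": "uid=asmith,ou=Users,dc=company,dc=com", "objectClass": ["organizationalPerson"],
     "uid": ["asmith"], "userPassword": ["asmith-pw"]},
    {"dn": "cn=Deployers,ou=Groups,dc=company,dc=com", "objectClass": ["groupOfNames"],
     "cn": ["Deployers"], "member": ["uid=jdoe,ou=Users,dc=company,dc=com"]},
]

_ASSERTION = re.compile(r"\((\w+)=([^()]*)\)")


def _value_matches(asserted: str, actual: str) -> bool:
    """Equality/substring semantics: an unescaped '*' is a wildcard, '\\xx' a literal."""
    regex, i = "", 0
    while i < len(asserted):
        if asserted[i] == "\\" and i + 2 < len(asserted):
            regex += re.escape(chr(int(asserted[i + 1:i + 3], 16)))
            i += 3
        else:
            regex += ".*" if asserted[i] == "*" else re.escape(asserted[i])
            i += 1
    return re.fullmatch(regex, actual, re.IGNORECASE) is not None


def search(base_dn: str, ldap_filter: str) -> list:
    """AND of equality assertions under base_dn, the only filter shape used on this page."""
    assertions = _ASSERTION.findall(ldap_filter)
    return [e for e in DIRECTORY
            if e["dn"].lower().endswith(base_dn.lower())
            and all(any(_value_matches(v, a) for a in e.get(attr, [])) for attr, v in assertions)]


def bind(dn: str, password: str) -> bool:
    """Simple bind: constant-time compare against the entry's stored password."""
    for e in DIRECTORY:
        if e["dn"].lower() == dn.lower():
            return hmac.compare_digest(e.get("userPassword", [""])[0].encode(), password.encode())
    return False


@dataclass
class AuthResult:
    ok: bool
    reason: str
    user_dn: str = ""
    groups: list = field(default_factory=list)


def two_step_authenticate(username: str, password: str, props: dict = PROPS) -> AuthResult:
    # Step 1: bind as the search principal and locate exactly one user entry.
    if not bind(props["ldap.security.search.principal"], props["ldap.security.search.credentials"]):
        return AuthResult(False, "search principal bind failed")
    user_filter = props["ldap.security.search.user.filter.pattern"] % escape_filter_value(username)
    hits = search(props["ldap.security.search.user.dn"], user_filter)
    if len(hits) != 1:  # zero or ambiguous matches are both rejected
        return AuthResult(False, f"expected one entry, found {len(hits)}")
    user_dn = hits[0]["dn"]
    # Step 2: bind as the located entry with the password the user supplied.
    if not bind(user_dn, password):
        return AuthResult(False, "user bind failed", user_dn)
    # Step 3 (allow.only.members): the user's DN must appear in at least one group.
    member_filter = props["ldap.security.search.member.filter.pattern"] % escape_filter_value(user_dn)
    groups = [g["cn"][0] for g in search(props["ldap.security.search.member.dn"], member_filter)]
    if props.get("rapiddeploy.security.authentication.allow.only.members") == "true" and not groups:
        return AuthResult(False, "not a member of any group", user_dn)
    return AuthResult(True, "authenticated", user_dn, groups)


if __name__ == "__main__":
    for user, pw in [("jdoe", "jdoe-pw"), ("asmith", "asmith-pw"), ("jdoe", "nope"), ("*", "x")]:
        print(user, two_step_authenticate(user, pw))
```

The asmith case shows the effect of allow.only.members: the bind succeeds but the login is refused because no group entry lists that DN. The escaping matters because the filter pattern is a template with user input in it; a real directory treats an unescaped `*` as a wildcard, which the uniqueness check and the escaping together prevent from ever selecting an entry.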
Configuring the User and Groups Synchroniser between the LDAP directory and the framework. This uses the LDAP search connection set in the LDAP Search section explained above.
This is a background process which enables the framework to synchronise users, groups and user-group membership one way, from LDAP to the RD database. User and group synchronisation can be enabled or disabled separately. The synchroniser execution period is defined in milliseconds. By default this background process is disabled.
There are three member synchronisation modes: user-group, group-user or none. The mode determines how the member attribute is read. The mode "none" disables membership synchronisation, which means that users must be assigned to groups via the framework. The mode user-group reads the member attribute of user entries (each value naming a group the user belongs to); conversely, group-user reads the member attribute of group entries (each value naming a user in that group). Each member attribute value must point to a user or group entry.
The synchroniser also enables or disables imported users and groups depending on whether their entry is still available in the LDAP directory.
The framework can manage existing groups from the LDAP directory (LDAP type) as well as its own groups (RD type), which are persisted only in the database. This implies that LDAP type groups are imported and synchronised against the LDAP directory data, whereas RD type groups can be defined independently of LDAP changes.
Tip: if the framework security administrator wants to add users to an existing LDAP type group (without changing the LDAP directory), they need to copy the existing group to a new one (RD type) and then add users to that group. Note that any change made in the LDAP directory data is synchronised only to the original LDAP type group, not to the new one, which must be updated manually.
ldap.sync.period=86400000
# User Sync
ldap.sync.users.enabled=false
ldap.sync.users.search.dn=ou=Users,dc=company,dc=com
ldap.sync.users.search.filter=(objectClass=inetOrgPerson)
ldap.sync.users.username.attribute=uid
ldap.sync.users.firstname.attribute=givenName
ldap.sync.users.lastname.attribute=sn
ldap.sync.users.desc.attribute=description
ldap.sync.users.email.attribute=mail
# Groups Sync
ldap.sync.groups.enabled=false
ldap.sync.groups.nested.enabled=false
ldap.sync.groups.search.dn=ou=Groups,dc=company,dc=com
ldap.sync.groups.search.filter=(objectClass=groupOfNames)
ldap.sync.groups.name.attribute=cn
ldap.sync.groups.desc.attribute=description
# Members Sync
ldap.sync.members.mode=none
ldap.sync.members.attribute=member
Where:
Common settings:
* ldap.sync.period is the time elapsed between synchronisation executions, in milliseconds (e.g. 86400000 ms = 24 h).
Users settings:
Group settings:
Member settings:
Users are added on successful login with basic security privileges only. Use the LDAP user ID as the user name.
If a user should have other security privileges, ask the Security Administrator to change the user's security settings, such as roles and groups.
Follow these steps to configure LDAP authentication over an SSL connection:
ldap.provider.url=ldaps://localhost:10636/
Command example:
JAVA_HOME/bin/keytool -import -trustcacerts -alias localhost -file certificate.crt -keystore JRE_HOME/lib/security/jssecacerts -storepass changeit
Set values in %MV_HOME%/bin/rapiddeploy.properties
# Sync every hour
ldap.sync.period=3600000
# User Sync
ldap.sync.users.enabled=true
ldap.sync.users.search.dn=ou=people, dc=nodomain
ldap.sync.users.search.filter=(objectClass=person)
ldap.sync.users.username.attribute=uid
ldap.sync.users.firstname.attribute=givenName
ldap.sync.users.lastname.attribute=sn
ldap.sync.users.desc.attribute=description
ldap.sync.users.email.attribute=mail
# Groups Sync
ldap.sync.groups.enabled=true
ldap.sync.groups.nested.enabled=false
ldap.sync.groups.search.dn=ou=groups, dc=nodomain
ldap.sync.groups.search.filter=(objectClass=groupOfNames)
ldap.sync.groups.name.attribute=cn
ldap.sync.groups.desc.attribute=description
# Members Sync
ldap.sync.members.attribute=member
ldap.sync.members.mode=none
user-group mode: The user John Doe is a member of Users, Administrators and Deployers.
ldap.sync.members.mode=user-group
DN: uid=jdoe, ou=people, dc=nodomain
uid: jdoe
givenName: John
sn: Doe
description: John Doe
mail: jdoe@midvision.com
member: cn=Users, ou=groups, dc=nodomain
member: cn=Administrators, ou=groups, dc=nodomain
member: cn=Deployers, ou=groups, dc=nodomain
---
DN: cn=Users, ou=groups, dc=nodomain
cn: Users
description: Group for Users
---
DN: cn=Administrators, ou=groups, dc=nodomain
cn: Administrators
description: Group for Administrators
---
DN: cn=Deployers, ou=groups, dc=nodomain
cn: Deployers
description: Group for Deployers
group-user mode: The groups Users, Administrators and Deployers have the user John Doe as a member.
ldap.sync.members.mode=group-user
DN: uid=jdoe, ou=people, dc=nodomain
uid: jdoe
givenName: John
sn: Doe
description: John Doe
mail: jdoe@midvision.com
---
DN: cn=Users, ou=groups, dc=nodomain
cn: Users
description: Group for Users
member: uid=jdoe, ou=people, dc=nodomain
---
DN: cn=Administrators, ou=groups, dc=nodomain
cn: Administrators
description: Group for Administrators
member: uid=jdoe, ou=people, dc=nodomain
---
DN: cn=Deployers, ou=groups, dc=nodomain
cn: Deployers
description: Group for Deployers
member: uid=jdoe, ou=people, dc=nodomain
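To make the difference between the member synchronisation modes concrete (the modes described in the synchroniser section and the two LDIF samples above), here is an added Python example, not RapidDeploy's synchroniser, that parses LDIF in the layout shown above and resolves each user's groups according to ldap.sync.members.mode, ldap.sync.members.attribute and ldap.sync.groups.nested.enabled. It goes one step beyond the samples by handling nested groups: a constructed extra group, Operators, whose only member is the Deployers group. The LDIF text, the property values and all function names are constructed here; users and groups are told apart by the search DN bases from the properties, since the samples carry no objectClass.

```python
from collections import defaultdict

# Constructed subset of the sync properties from this page (values as above).
SYNC_PROPS = {
    "ldap.sync.users.search.dn": "ou=people, dc=nodomain",
    "ldap.sync.groups.search.dn": "ou=groups, dc=nodomain",
    "ldap.sync.groups.nested.enabled": "false",
    "ldap.sync.members.attribute": "member",
    "ldap.sync.members.mode": "none",
}

# The user-group sample: the user entry lists the groups it belongs to.
USER_GROUP_LDIF = """\
DN: uid=jdoe, ou=people, dc=nodomain
uid: jdoe
givenName: John
sn: Doe
member: cn=Users, ou=groups, dc=nodomain
member: cn=Administrators, ou=groups, dc=nodomain
member: cn=Deployers, ou=groups, dc=nodomain
--- ---
DN: cn=Users, ou=groups, dc=nodomain
cn: Users
--- ---
DN: cn=Administrators, ou=groups, dc=nodomain
cn: Administrators
--- ---
DN: cn=Deployers, ou=groups, dc=nodomain
cn: Deployers
"""

# The group-user sample plus one constructed nested group (Operators).
GROUP_USER_LDIF = """\
DN: uid=jdoe, ou=people, dc=nodomain
uid: jdoe
givenName: John
sn: Doe
--- ---
DN: cn=Users, ou=groups, dc=nodomain
cn: Users
member: uid=jdoe, ou=people, dc=nodomain
--- ---
DN: cn=Administrators, ou=groups, dc=nodomain
cn: Administrators
member: uid=jdoe, ou=people, dc=nodomain
--- ---
DN: cn=Deployers, ou=groups, dc=nodomain
cn: Deployers
member: uid=jdoe, ou=people, dc=nodomain
--- ---
# constructed for this example: a group whose only member is another group
DN: cn=Operators, ou=groups, dc=nodomain
cn: Operators
member: cn=Deployers, ou=groups, dc=nodomain
"""


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: lowercase, no whitespace around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text: str) -> list:
    """Reads '---'-separated entries of 'attr: value' lines into {attr: [values]} dicts."""
    entries, current = [], defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("---"):
            if current:
                entries.append(dict(current))
            current = defaultdict(list)
        elif line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            current[attr.strip().lower()].append(value.strip())
    if current:
        entries.append(dict(current))
    return entries


def membership_edges(entries: list, props: dict) -> dict:
    """Maps member DN -> set of containing group DNs, as implied by the sync mode."""
    mode = props["ldap.sync.members.mode"]
    if mode not in ("none", "user-group", "group-user"):
        raise ValueError(f"unknown ldap.sync.members.mode: {mode}")
    attr = props["ldap.sync.members.attribute"].lower()
    group_base = normalize_dn(props["ldap.sync.groups.search.dn"])
    edges = defaultdict(set)
    for entry in entries:
        dn = normalize_dn(entry["dn"][0])
        for ref in entry.get(attr, []):
            ref = normalize_dn(ref)
            if mode == "user-group":              # the entry names the groups it is in
                edges[dn].add(ref)
            elif mode == "group-user" and dn.endswith(group_base):
                edges[ref].add(dn)                # the group entry names its members
    return edges


def groups_of(user_dn: str, edges: dict, nested: bool) -> list:
    """Direct groups only, or the transitive closure when nested groups are enabled."""
    seen, frontier = set(), [normalize_dn(user_dn)]
    while frontier:
        for grp in edges.get(frontier.pop(), ()):
            if grp not in seen:
                seen.add(grp)
                if nested:
                    frontier.append(grp)
    return sorted(seen)


def sync_memberships(ldif_text: str, props: dict) -> dict:
    """Resolves every user under ldap.sync.users.search.dn to its group names (cn)."""
    entries = parse_ldif(ldif_text)
    edges = membership_edges(entries, props)
    nested = props.get("ldap.sync.groups.nested.enabled") == "true"
    user_base = normalize_dn(props["ldap.sync.users.search.dn"])
    names = {normalize_dn(e["dn"][0]): e.get("cn", [e["dn"][0]])[0] for e in entries}
    return {e["uid"][0]: [names.get(g, g) for g in groups_of(e["dn"][0], edges, nested)]
            for e in entries if normalize_dn(e["dn"][0]).endswith(user_base)}


if __name__ == "__main__":
    for mode in ("none", "user-group", "group-user"):
        print(mode, sync_memberships(GROUP_USER_LDIF, {**SYNC_PROPS, "ldap.sync.members.mode": mode}))
```

Running the group-user sample under mode user-group (or the user-group sample under group-user) yields no memberships at all rather than an error, because the member attribute is simply read on the wrong kind of entry; that silent outcome is worth checking after enabling the synchroniser, and it is why the samples above pair each ldap.sync.members.mode value with its matching data layout.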