LDAP
Panopticon Streams can be configured to authenticate users against a Lightweight Directory Access Protocol (LDAP) directory. By configuring an Apache Tomcat Realm, the server can authenticate users and extract their roles by querying the LDAP source.
The realm's connection to the directory is defined by the connectionURL attribute. Each user that can be authenticated must be represented in the directory by an individual entry that corresponds to an element in the initial DirContext from the connectionURL. This user entry must have an attribute containing the username that is presented for authentication.
You can add a dedicated user with connectionName and connectionPassword in the Realm to define an account with read access to the user database and roles. If, for example, the admin cn is admin and the admin password is admin, add these properties as shown in the example below.
The userPattern attribute may be used to specify the DN, with “{0}” marking where the username should be substituted.
The role is usually an LDAP group entry with one attribute containing the name of the role and another one whose values are distinguished names or usernames of the users in that role. The following attributes configure a directory search to find the names of roles associated with the authenticated user:
- roleBase: The base entry for the role search. If not specified, the search base is the top-level directory context
- roleSearch: The LDAP search filter for selecting role entries
- roleName: The attribute in a role entry containing the name of that role
- roleNested: Includes nested roles if set to true. This means every newly found roleName and distinguished Name will be recursively tried for a new role search. The default behavior is false.
The following is an example of how the Realm can be configured when using LDAP. Note that the values should be replaced with details from your own LDAP source.
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://localhost:389"
       connectionName="cn=admin,dc=test,dc=com"
       connectionPassword="admin"
       userPattern="uid={0},ou=users,dc=test,dc=com"
       roleBase="ou=groups,dc=test,dc=com"
       roleName="cn"
       roleSearch="(uniqueMember={0})"
       roleNested="true"
/>
Using this configuration, the realm determines the user’s distinguished name by substituting the username into the userPattern, authenticates by binding to the directory with this DN and the password received from the user, and searches the directory to find the user’s roles.
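To make the role attributes above and the userPattern/roleSearch substitution concrete, here is an added example (not Panopticon or Tomcat code) that simulates what the realm does against a small constructed in-memory directory: it substitutes the username into userPattern with DN escaping, checks the bind password, substitutes the resulting DN into roleSearch with filter escaping, searches under roleBase, and, when roleNested is true, repeats the search for every group DN it finds. The directory contents, the credentials dictionary and the function names are all assumptions made for this example; a real realm performs the bind and search against the LDAP server.

```python
"""Simulation of JNDIRealm-style user DN construction and (nested) role lookup.

Added example; the in-memory directory and credentials below are constructed
stand-ins for an LDAP server, not data from Panopticon or Tomcat.
"""
import re

# Realm attributes, mirroring the configuration on the page.
USER_PATTERN = "uid={0},ou=users,dc=test,dc=com"
ROLE_BASE = "ou=groups,dc=test,dc=com"
ROLE_SEARCH = "(uniqueMember={0})"
ROLE_NAME = "cn"

# Constructed directory: DN -> attributes (attribute names lowercased).
# alice is a member of analysts; analysts is nested in viewers; viewers in app-users.
DIRECTORY = {
    "uid=alice,ou=users,dc=test,dc=com": {"uid": ["alice"]},
    "cn=analysts,ou=groups,dc=test,dc=com": {
        "cn": ["analysts"],
        "uniquemember": ["uid=alice,ou=users,dc=test,dc=com"],
    },
    "cn=viewers,ou=groups,dc=test,dc=com": {
        "cn": ["viewers"],
        "uniquemember": ["cn=analysts,ou=groups,dc=test,dc=com"],
    },
    "cn=app-users,ou=groups,dc=test,dc=com": {
        "cn": ["app-users"],
        "uniquemember": ["cn=viewers,ou=groups,dc=test,dc=com"],
    },
}

# Constructed bind passwords (stand-in for the directory's password check).
CREDENTIALS = {"uid=alice,ou=users,dc=test,dc=com": "s3cret"}


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 rules)."""
    out = []
    for i, c in enumerate(value):
        if c == "\x00":
            out.append("\\00")
        elif c in '\\,+"<>;=' or (i == 0 and c in "# ") or (i == len(value) - 1 and c == " "):
            out.append("\\" + c)
        else:
            out.append(c)
    return "".join(out)


def escape_filter_value(value):
    """Escape an assertion value for use inside a search filter (RFC 4515 rules)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(special.get(c, c) for c in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


FILTER_RE = re.compile(r"^\((?P<attr>[A-Za-z][A-Za-z0-9-]*)=(?P<value>[^()]*)\)$")


def search(base, filter_str):
    """Minimal subtree search supporting a single equality filter, e.g. (attr=value)."""
    m = FILTER_RE.match(filter_str)
    if not m:
        raise ValueError("unsupported filter: " + filter_str)
    attr = m.group("attr").lower()
    wanted = unescape_filter_value(m.group("value")).lower()
    return [
        (dn, attrs)
        for dn, attrs in DIRECTORY.items()
        if dn.lower().endswith(base.lower())
        and any(v.lower() == wanted for v in attrs.get(attr, []))
    ]


def user_dn(user_pattern, username):
    """Substitute the username into userPattern, escaping DN metacharacters."""
    return user_pattern.replace("{0}", escape_dn_value(username))


def resolve_roles(subject_dn, role_base, role_search, role_name, role_nested=False):
    """Find role names for subject_dn; with role_nested, recurse through group DNs."""
    roles, seen, pending = [], set(), [subject_dn]
    while pending:
        current = pending.pop()
        filter_str = role_search.replace("{0}", escape_filter_value(current))
        for dn, attrs in search(role_base, filter_str):
            if dn in seen:          # each group counted once; also breaks membership cycles
                continue
            seen.add(dn)
            roles.extend(attrs.get(role_name.lower(), []))
            if role_nested:
                pending.append(dn)  # treat the group itself as a member of further groups
    return sorted(roles)


def login(username, password, role_nested=False):
    """Return the user's roles on success, or None when the simulated bind fails."""
    dn = user_dn(USER_PATTERN, username)
    if CREDENTIALS.get(dn) != password:
        return None
    return resolve_roles(dn, ROLE_BASE, ROLE_SEARCH, ROLE_NAME, role_nested)


if __name__ == "__main__":
    print(login("alice", "s3cret"))                   # ['analysts']
    print(login("alice", "s3cret", role_nested=True))  # ['analysts', 'app-users', 'viewers']
```

With roleNested left at its default of false, alice receives only the group she is a direct member of; with roleNested true, the groups that contain her group are followed transitively, which is what the page's "recursively tried for a new role search" describes. The escaping helpers show why a username is substituted as a value, not spliced in as raw DN or filter syntax.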
NOTE: If you opt not to have a dedicated user, remove connectionName and connectionPassword, and instead have each user extract information about itself. You do this by adding userSearchAsUser and roleSearchAsUser to the Realm and setting both values to true. The recommended usage, however, is to have a dedicated user. This guarantees that the realm always has the rights to query the LDAP directory, whereas with userSearchAsUser and roleSearchAsUser there is no guarantee that each user is authorized to extract these details.
(c) 2013-2024 Altair Engineering Inc. All Rights Reserved.