Configuring Adeptia Connect for LDAP Authentication

You must configure Adeptia Connect for LDAP Authentication to allow LDAP users to access Adeptia Connect. This page also lists the steps for configuring Adeptia Connect for Secured LDAP.

Prerequisites

  • Installed LDAP Server.
  • Administrative rights in Adeptia Suite to enable LDAP Authentication and Authorization.
  • Adeptia Suite is certified with Windows Active Directory and Open LDAP server.
  • TLSv1.2 should be enabled on LDAP Server (in case of Secured LDAP).
Steps to Configure LDAP Properties

  1. Sign in to Adeptia Suite.
  2. Go to Administer > Setup > Application Settings.
  3. Click Update System Properties.
  4. Expand Systems > LDAP Authentication.
  5. Configure the LDAP Authentication properties.

    Property Name

    Description

    abpm.ldap.enableLdap

    Enable or disable LDAP authentication.

    abpm.ldap.provider.url

    Provider URL to connect to LDAP Server.

    abpm.ldap.enableLdapOverSSL

    Enable or disable LDAP connection over SSL.

    abpm.ldap.searchScopeLevel

    Search scope level - One, Object, and Subtree.

    abpm.ldap.bindDN

    The DN used to bind against the LDAP server for the user and role queries. This is a DN with read/search permissions on the baseContextDN and rolesContextDN values; it specifies the DN of the admin user in the LDAP server.

    abpm.ldap.bindCredential

    Password for the bindDN.

    abpm.ldap.baseContextDN

    Fixed DN of the context to start the user search from.

    abpm.ldap.baseFilter

    Search filter to locate the context of the user to authenticate. The input username as obtained from the login module callback will be substituted into the filter where a "{0}" expression is seen.

    abpm.ldap.rolesContextDN

    Fixed DN of the context to search for user roles. For Active Directory, this is the DN where the user account is.

    abpm.ldap.roleFilter

    Search filter to locate the roles associated with an authenticated user. The input username from the login module callback will be substituted into the filter wherever a "{0}" expression is seen. The authenticated user DN will be substituted into the filter wherever a "{1}" expression is seen.

    abpm.ldap.roleAttributeID

    Name of the role attribute of the context that corresponds to the name of the role.

    If the value of the roleAttributeIsDN property is set to true, this property is the DN of the context to query for the roleNameAttributeID attribute.

    If the roleAttributeIsDN property is set to false, this property is the attribute name of the role name.

    abpm.ldap.roleAttributeIsDN

    Flag indicating whether the user's role attribute contains the fully distinguished name of a role object, or the user's role attribute contains the role name.
    If the value of this property is false, the role name is taken from the value of the user's role attribute.
    If the value of this property is true, the role attribute represents the distinguished name of a role object.
    The role name is taken from the value of the roleNameAttributeId attribute of the corresponding object. The default value of this property is false.

    abpm.ldap.roleNameAttributeID

    Name of the role attribute of the context that corresponds to the name of the role.
    If the value of the roleAttributeIsDN property is set to true, this property is used to find the role object's name attribute.
    If the value of the roleAttributeIsDN property is set to false, this property is ignored.

    abpm.ldap.roleDN.searchRoleNameAttributeID

    Enable or disable searching role name attribute in user's distinguished name.

    abpm.ldap.administratorUsers

    Name(s) of LDAP user(s) (separated by comma) that will be treated as System Admin users in Adeptia Suite and Adeptia Connect.

    abpm.ldap.administratorGroups

    Name(s) of LDAP group(s) (separated by comma) that will be treated as System Admin users in Adeptia Suite and Adeptia Connect.

    abpm.ldap.groupAdminUsers

    Name(s) of LDAP user(s) (separated by comma) that will be treated as Group Admin users in Adeptia Suite and IT Users in Adeptia Connect.

    abpm.ldap.groupAdminGroups

    Name(s) of LDAP group(s) (separated by comma) that will be treated as Group Admin users in Adeptia Suite and IT Users in Adeptia Connect.

    abpm.ldap.developerUsers

    Name(s) of LDAP user(s) (separated by comma) that will be treated as Developer Users in Adeptia Suite and Business Users in Adeptia Connect.

    abpm.ldap.developerGroups

    Name(s) of LDAP group(s) (separated by comma) that will be treated as Developer Users in Adeptia Suite and Business Users in Adeptia Connect.

    abpm.ldap.businessUsers

    Name(s) of LDAP users (separated by comma) that will be treated as Business Users in Adeptia Suite.

    abpm.ldap.businessGroup

    Name(s) of LDAP groups (separated by comma) that will be treated as Business Users in Adeptia Suite.

    abpm.ldap.group.itUsers

    Name of the LDAP group that will be treated as IT Users in Adeptia Connect.

    abpm.ldap.alwaysDefaultGroupLogin

    Enable or disable login only with default LDAP group in Adeptia.

    abpm.ldap.defaultLdapGroup

    Entity id of the group (created in Adeptia) that shall be treated as default LDAP group.

    abpm.ldap.enableDefaultGroupLogin

    Enable or disable login with default LDAP group in Adeptia.

    abpm.ldap.enableSSO

    Enable or disable Single Sign-On in Adeptia Suite.

    abpm.ldap.sso.filterClass

    Class name that needs to be initiated for SSO authentication process.

    abpm.ldap.enable.anonymous.login

    Enable or disable anonymous login through blank password in LDAP.

    abpm.ldap.referrals

    Set the environment property referrals in LDAP.

  6. Click Save to save the changes. If the LDAP server is secured, you must follow the steps given below before restarting Kernel and WebRunner. Otherwise, restart Kernel and WebRunner to bring the configuration changes into effect.
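The baseFilter and roleFilter properties above are templates: the login name replaces "{0}" and the authenticated user DN replaces "{1}" before the search is sent to the LDAP server. The following added example (not Adeptia's code; the DNs, filters and user names are constructed placeholders) shows that substitution together with the check a practitioner would want around it: the substituted value is escaped per RFC 4515 so that a login name containing "(", ")", "*" or "\" cannot change the shape of the filter, and a blank password is refused unless abpm.ldap.enable.anonymous.login is set, since a simple bind with a zero-length password is treated as an anonymous bind by LDAP servers (RFC 4513, section 5.1.2) and would otherwise "succeed" without authenticating anyone.

```python
"""Filter substitution and bind-password check for Adeptia-style LDAP properties.

Added example; property values below are constructed placeholders, not taken
from a real deployment.
"""

# Constructed sample values mirroring the abpm.ldap.* property names on the page.
LDAP_PROPS = {
    "abpm.ldap.baseContextDN": "ou=people,dc=example,dc=com",
    "abpm.ldap.baseFilter": "(sAMAccountName={0})",
    "abpm.ldap.rolesContextDN": "ou=groups,dc=example,dc=com",
    "abpm.ldap.roleFilter": "(&(objectClass=group)(member={1}))",
    "abpm.ldap.enable.anonymous.login": "no",
}

# RFC 4515, section 3: characters that must be escaped inside a filter
# assertion value, written as a backslash followed by two hex digits.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it can only ever be read as an assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(base_filter: str, username: str) -> str:
    """Substitute the (escaped) login name for every "{0}" in abpm.ldap.baseFilter."""
    return base_filter.replace("{0}", escape_filter_value(username))


def build_role_filter(role_filter: str, username: str, user_dn: str) -> str:
    """Substitute "{0}" (login name) and "{1}" (authenticated user DN) in abpm.ldap.roleFilter."""
    return (
        role_filter
        .replace("{0}", escape_filter_value(username))
        .replace("{1}", escape_filter_value(user_dn))
    )


def bind_password_is_acceptable(password: str, anonymous_login_setting: str) -> bool:
    """Refuse a blank password unless anonymous login was explicitly enabled.

    A simple bind with a zero-length password is an *unauthenticated* bind
    (RFC 4513, 5.1.2): many servers answer success while granting only an
    anonymous authorization state, so a blank password must never be passed
    through as if it were a credential.
    """
    if password:
        return True
    return anonymous_login_setting.strip().lower() in ("yes", "true")


def prepare_login_searches(props: dict, username: str, password: str) -> dict:
    """Return the two search requests the login module would issue, or raise.

    Returned dict holds the base DN and the fully substituted filter for the
    user lookup; the role filter is left with "{1}" unresolved because the
    user DN is only known after the first search succeeds.
    """
    if not bind_password_is_acceptable(password, props["abpm.ldap.enable.anonymous.login"]):
        raise PermissionError("blank password rejected: anonymous login is disabled")
    return {
        "user_search_base": props["abpm.ldap.baseContextDN"],
        "user_filter": build_user_filter(props["abpm.ldap.baseFilter"], username),
        "role_search_base": props["abpm.ldap.rolesContextDN"],
        "role_filter_template": props["abpm.ldap.roleFilter"],
    }


if __name__ == "__main__":
    # Constructed login name containing characters that are special in filters.
    req = prepare_login_searches(LDAP_PROPS, "j.doe (ext)", "s3cret-placeholder")
    print(req["user_filter"])          # (sAMAccountName=j.doe \28ext\29)
    print(build_role_filter(LDAP_PROPS["abpm.ldap.roleFilter"], "j.doe",
                            "CN=J Doe,OU=People,DC=example,DC=com"))
```

The same escaping applies to whichever attribute the baseFilter names (sAMAccountName for Active Directory, uid for OpenLDAP); the template and the escaping are independent of the directory product.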

Steps to Configure Adeptia Connect for Secured LDAP

Additional steps are needed if the configured LDAP server is secured. Follow these steps to configure Connect with secured LDAP, after all of the steps above have been completed.

  1. Import the LDAP Server certificate into the AIS cacerts truststore (/Serverkernel/etc/truststore/cacerts) using the command below.

    keytool -import -trustcacerts -alias <<ANY_ALIAS_NAME>> -file "<<CERTIFICATE_FILE_PATH>>" -keystore "<<AIS_CACERT_PATH>>"

    For example,
    keytool -import -trustcacerts -alias ldapssl -file "C:\Users\administrator.ADEPTIA\Desktop\adeptia.org.cer" -keystore "C:\Program Files\AdeptiaSuite_6.9.4\AdeptiaSuite-6.9\AdeptiaServer\ServerKernel\etc\truststore\cacerts"

    1. When the command runs, you will be prompted to enter the keystore password. The default password is changeit.
    2. Enter yes when prompted to trust the certificate.

  2. Follow the steps below to configure the LDAP properties.

    1. Expand the LDAP Authentication node.
    2. Modify the value of the abpm.ldap.provider.url property.

      1. Set the protocol to ldaps.
      2. Set the port number for SSL requests. By default, the port number is 636.

        For example,
        ldaps://adsrv014.adeptia.org:636

    3. Set the value of the abpm.ldap.enableLdapOverSSL property to yes.

  3. Click Save to save the changes.

  4. Restart Kernel and WebRunner to bring the configuration changes into effect.

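Before restarting Kernel and WebRunner it is worth confirming, from the Adeptia host itself, that the provider URL really is an ldaps URL on the expected port and that the server presents a certificate that chains to the one just imported, negotiated at TLSv1.2 or higher as the prerequisites require. The following added example (not Adeptia's tooling; host name, alias and file paths are placeholders) parses the abpm.ldap.provider.url value, builds the keytool import command from the page in argv form, and performs a verified TLS handshake against the server using the exported certificate as the trust anchor. Only the URL and command helpers run offline; the handshake needs network access to the LDAP server.

```python
"""Pre-restart checks for a secured-LDAP (ldaps) provider URL.

Added example with placeholder values; it is not part of Adeptia Connect.
"""
import socket
import ssl
from urllib.parse import urlsplit

DEFAULT_LDAPS_PORT = 636  # default SSL port named on the page


def parse_provider_url(url: str) -> tuple[str, int]:
    """Validate abpm.ldap.provider.url for secured LDAP.

    Returns (host, port). The scheme must be ldaps; when no port is given
    the default 636 is assumed. Raises ValueError for anything else, so a
    leftover ldap:// URL is caught before the services are restarted.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "ldaps":
        raise ValueError(f"expected an ldaps:// URL, got scheme {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("provider URL has no host name")
    return parts.hostname, parts.port or DEFAULT_LDAPS_PORT


def keytool_import_argv(alias: str, cert_file: str, truststore: str) -> list[str]:
    """Build the keytool import command from the page as an argv list.

    Returned as a list (not a shell string) so paths with spaces, such as the
    Windows example on the page, are passed to keytool as single arguments.
    """
    return [
        "keytool", "-import", "-trustcacerts",
        "-alias", alias,
        "-file", cert_file,
        "-keystore", truststore,
    ]


def tls_handshake_check(host: str, port: int, cafile: str, timeout: float = 5.0) -> dict:
    """Open a verified TLS connection to the LDAPS port and report what was negotiated.

    Verification is left on (hostname and chain) and the floor is pinned to
    TLSv1.2, so this fails the same way the application would if the server
    certificate does not chain to `cafile`, the name does not match, or the
    server only offers older protocol versions.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": dict(x[0] for x in cert.get("subject", ())),
                "not_after": cert.get("notAfter"),
            }


if __name__ == "__main__":
    # Placeholder values; replace with your own server, certificate and truststore.
    host, port = parse_provider_url("ldaps://ldap.example.invalid:636")
    print(" ".join(keytool_import_argv("ldapssl", "/path/to/ldap-server.cer",
                                       "/path/to/ServerKernel/etc/truststore/cacerts")))
    try:
        print(tls_handshake_check(host, port, cafile="/path/to/ldap-server.cer"))
    except (OSError, ssl.SSLError) as exc:
        print(f"TLS check failed: {exc}")
```

A handshake failure here is the same failure the Kernel would hit after the restart, so it is cheaper to find at this point; the most common causes are a certificate exported from the wrong server, a host name in the URL that does not match the certificate, or the server not having TLSv1.2 enabled.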
Next Step

Accessing Adeptia Connect

See Also

Managing User Privileges

Managing LDAP Users and Groups
