You are here:

CM.Track V1: Authentication Modes for the Portal

Introduction to Authentication Modes in CM.Track

Customers who log in to the ConSol CM portal (CM.Track) use their login and password. Both are Data Object Group Fields in the contact data.

There are three possible authentication modes:

Against the ConSol CM database
This is called DATABASE mode.
Against an LDAP server
This is called LDAP mode.
Against an LDAP server and the ConSol CM database
The order can be configured. This is called Mixed mode.

Definition of the CM.Track Authentication Mode

The authentication mode is specified by the system property cmas-core-security, contact.authentication.method. A change of this property does not require a server restart, and is propagated to all cluster nodes.

The possible values (see also section System Properties) and their respective system behaviors are:

DATABASE
Attempt a database login if the unit has a database password. I.e., the login and password are stored in the ConSol CM database and are thus managed by the ConSol CM engineers, or indirectly by the customers themselves when they reset their password. The customer can reset his own password, see section Password Reset Template for Customers Using CM.Track V1.
LDAP
Try authentication using the available LDAP server(s), if an LDAP ID is provided. I.e., the password is stored in the LDAP directory and cannot be changed via ConSol CM, neither by the customer nor by an engineer.
LDAP,DATABASE
First attempt authentication using the available LDAP server(s), if an LDAP ID is provided. On failure, try a database login if the unit (customer) has a database password.
DATABASE,LDAP
First attempt a database login if the unit (customer) has a database password. On failure try authentication using the available LDAP server(s) if an LDAP ID is provided.

The values are case insensitive, and commas and whitespace are ignored.

DATABASE Authentication Mode

System Property for DATABASE Authentication Mode

Set the system property cmas-core-security, contact.authentication.method to DATABASE (this is the default value).

Data Object Group Fields for Contact Login

Two Data Object Group Fields for the contact data are required:

Login
Password

Please see section CM.Track V1: System Access for CM.Track Users (Customers) for a detailed explanation.

LDAP Authentication Mode

System Property for LDAP Authentication Mode

Set the system property cmas-core-security, contact.authentication.method to LDAP.

System Properties Defining the LDAP Server(s)

The LDAP servers can be defined using the following system properties from the module cmas-core-security.

{name} is a string that you can choose to distinguish LDAP servers. It must always be set, even if only one LDAP server is configured. You should use a simple string for the {name}, not containing any keywords, like internal or external, and which does not contain special characters.

ldap.initialcontextfactory
This is a predefined global property. If it is not set, com.sun.jndi.ldap.LdapCtxFactory is used as its value.
ldap.contact.{name}.providerurl
The property value is the address of the LDAP server in the form ldap[s]://host:port.
ldap.contact.{name}.userdn
The value is the user DN used to look up the contact DN by the LDAP ID. An anonymous account is used if the value is not set.
ldap.contact.{name}.password
The property contains the password to look up the contact DN by the LDAP ID. An anonymous account is used if the value is not set.
ldap.contact.{name}.basedn
This represents the base path to search for the contact DN by the LDAP ID, e.g., ou=accounts,dc=consol,dc=de.
ldap.contact.{name}.searchattr
The property value stands for the attribute to search for the contact DN by the LDAP ID, e.g., uid.

Changes to any of the above system properties do not require a server restart, and are propagated to all cluster nodes. The use of the placeholder {name} allows configurations to define several different LDAP servers.

Authentication attempts against LDAP servers are made until first success, where the server order is determined by their {name} values (ascending alphabetical order of the values).

Data Object Group Field for Contact Login

When LDAP mode is used, aside from the annotation username = true, the Data Object Group Field which is used for the CM.Track user name (login) has to have an additional annotation.

ldapid

Figure 513: ConSol CM Admin Tool - Data Object Group Field for LDAP authentication of CM.Track users

Figure 514: ConSol CM Web Client - Field (red) for LDAP ID in contact data

Mixed Authentication Mode

System Property for Mixed Authentication Mode

Set the system property cmas-core-security, contact.authentication.method depending on the desired order of authentication instances:

LDAP,DATABASE
DATABASE,LDAP

The CM system will first contact the instance which is mentioned first, than the second one. For example, when the contact authentication method is set to LDAP,DATABASE and the customer (contact) uses the password which is only valid in the database, the login will succeed.

In server.log the following message will be displayed:

LDAP login failed: [LDAP: error code 49 - Invalid Credentials]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]

System Properties Defining the LDAP Server(s)

See the respective paragraph in section LDAP Authentication Mode: System Properties Defining the LDAP Server(s).

Data Object Group Field for Contact Login

See the respective paragraph in section LDAP Authentication Mode: LDAP ID

Logging of LDAP Login Attempts in CM.Track

All LDAP errors encountered are logged without a stack trace using loggers with the following prefix:

com.consol.cmas.core.security.contact

The stack trace of LDAP errors is not logged because failed login attempts on the first LDAP server would clutter logs if a following login on the second LDAP server succeeded.

Using LDAPS for Authentication

The LDAPS authentication for CM.Track follows the same principle as using LDAPS for the authentication in the ConSol CM Web Client. Please refer to section Using LDAPS (LDAP over SSL).