Customers who log in to the ConSol CM portal (CM.Track) use their login and password. Both are Data Object Group Fields in the contact data.
There are three possible authentication modes:
The authentication mode is specified by the system property contact.authentication.method in the module cmas-core-security. A change of this property does not require a server restart and is propagated to all cluster nodes.
The possible values (see also section System Properties) and their respective system behaviors are:
The values are case insensitive, and commas and whitespace are ignored.
Set the system property cmas-core-security, contact.authentication.method to DATABASE (this is the default value).
Two Data Object Group Fields for the contact data are required:
Please see section CM.Track V1: System Access for CM.Track Users (Customers) for a detailed explanation.
Set the system property cmas-core-security, contact.authentication.method to LDAP.
The LDAP servers can be defined using the following system properties from the module cmas-core-security.
{name} is a string of your choice that distinguishes the LDAP servers from each other. It must always be set, even if only one LDAP server is configured. Use a simple string for {name}, not containing any keywords (like internal or external) and no special characters.
If these system properties are not yet present in your CM system, add them manually. Changes to any of the above system properties do not require a server restart and are propagated to all cluster nodes. The placeholder {name} allows a configuration to define several different LDAP servers.
Authentication attempts are made against the LDAP servers in ascending alphabetical order of their {name} values, and stop at the first success.
When LDAP mode is used, aside from the annotation username = true, the Data Object Group Field which is used for the CM.Track user name (login) has to have an additional annotation.
Figure 586: ConSol CM Admin Tool - Data Object Group Field for LDAP authentication of CM.Track users
Figure 587: ConSol CM Web Client - Field (red) for LDAP ID in contact data
Set the system property cmas-core-security, contact.authentication.method depending on the desired order of authentication instances:
The CM system first contacts the instance which is mentioned first, then the second one. For example, when the contact authentication method is set to LDAP,DATABASE and the customer (contact) uses a password which is only valid in the database, the login still succeeds: the failed LDAP attempt falls through to the database.
In server.log the following message will be displayed:
LDAP login failed: [LDAP: error code 49 - Invalid Credentials]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
See the respective paragraph in section LDAP Authentication Mode: System Properties Defining the LDAP Server(s).
See the respective paragraph in section LDAP Authentication Mode: LDAP ID.
All LDAP errors encountered are logged without a stack trace using loggers with the following prefix:
The stack trace of LDAP errors is not logged because a failed login attempt on the first LDAP server would clutter the log when a subsequent login on the second LDAP server (or on the database) succeeds.
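The following is an added illustrative model, not ConSol CM's own code, of the behaviour described above: the contact.authentication.method value is parsed case-insensitively with commas and whitespace as separators, the configured instances are tried in the order given, the LDAP servers are tried in ascending alphabetical order of their {name}, the chain stops at the first success, and an LDAP failure is logged as a message without a stack trace. The logger name, the fake LDAP bind functions, the user tables and the log message wording are constructed assumptions.

```python
# Added illustrative example, not ConSol CM's own code: models the order in which
# the contact.authentication.method instances and the LDAP servers are tried.
import logging
import re

# Logger name is an assumption; the manual only says LDAP errors are logged
# under loggers with a common prefix.
log = logging.getLogger("cmas-core-security.ldap")

VALID_INSTANCES = ("DATABASE", "LDAP")


class LdapAuthError(Exception):
    """Raised by a (simulated) LDAP server when a bind fails."""


def parse_auth_method(value: str) -> list:
    """Turn a contact.authentication.method value into an ordered list of instances.

    Values are case insensitive; commas and whitespace only separate the entries.
    """
    tokens = [t.upper() for t in re.split(r"[,\s]+", value) if t]
    unknown = [t for t in tokens if t not in VALID_INSTANCES]
    if unknown:
        raise ValueError(f"unknown authentication instance(s): {unknown}")
    return tokens


def ldap_server_order(ldap_servers: dict) -> list:
    """Servers are tried in ascending alphabetical order of their {name}."""
    return sorted(ldap_servers)


def authenticate(login, password, method_value, ldap_servers, database_check):
    """Try each configured instance in order and stop at the first success.

    Returns (instance_used, ldap_error_messages); instance_used is None when
    every instance rejected the credentials.
    """
    ldap_errors = []
    for instance in parse_auth_method(method_value):
        if instance == "LDAP":
            for name in ldap_server_order(ldap_servers):
                try:
                    ldap_servers[name](login, password)
                    return f"LDAP:{name}", ldap_errors
                except LdapAuthError as exc:
                    # Message only, no exc_info: a failure on the first server
                    # must not clutter the log when a later server or the
                    # database accepts the login.
                    msg = f"LDAP login failed ({name}): {exc}"
                    log.warning(msg)
                    ldap_errors.append(msg)
        elif instance == "DATABASE":
            if database_check(login, password):
                return "DATABASE", ldap_errors
    return None, ldap_errors


# --- constructed sample backends (not real servers) -------------------------

def make_ldap_server(users: dict):
    """Build a fake LDAP bind function over a {login: password} table."""
    def bind(login, password):
        if users.get(login) != password:
            # Wording modelled on the server.log message quoted in the manual.
            raise LdapAuthError("[LDAP: error code 49 - Invalid Credentials]")
        return True
    return bind


# {name} values chosen so that a_corp sorts before b_partner.
LDAP_SERVERS = {
    "b_partner": make_ldap_server({"bob": "partner-pw"}),
    "a_corp": make_ldap_server({"alice": "corp-pw"}),
}

# Constructed contact passwords stored in the CM database.
DB_PASSWORDS = {"alice": "db-only-pw", "carol": "carol-db-pw"}


def database_check(login, password):
    return DB_PASSWORDS.get(login) == password


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for value in ("LDAP,DATABASE", "ldap", "DATABASE"):
        used, errors = authenticate("alice", "db-only-pw", value, LDAP_SERVERS, database_check)
        print(f"{value!r}: authenticated via {used}, {len(errors)} LDAP failure(s) logged")
```

Running the module shows the scenario from the text: with LDAP,DATABASE a password that is only valid in the database is accepted after two logged LDAP failures, with LDAP alone the same login is rejected, and with DATABASE alone no LDAP server is contacted at all.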
The LDAPS authentication for CM.Track follows the same principle as using LDAPS for the authentication in the ConSol CM Web Client. Please refer to section Using LDAPS (LDAP over SSL).