LDAP Authentication for Engineers in the Web Client

Introduction to ConSol CM LDAP Authentication

ConSol CM offers LDAP authentication for the Web Client as a standard feature, i.e., instead of managing the passwords for the ConSol CM engineers in the ConSol CM database, they can be retrieved from an LDAP server (like e.g., a Microsoft Active Directory server).

When engineers want to log in to the ConSol CM Web Client, they enter their user name and password and press Enter. Behind the scenes, the ConSol CM server sends a request with the engineer's user name and password and asks the LDAP server whether those credentials are correct.

If the credentials are correct, the approval is sent back to the ConSol CM server and the engineer is logged into the Web Client.

Please keep in mind that the LDAP connection is only used to authenticate the user (confirm the identity). The authorization (i.e., the assignment of access permissions in the system) is done via the engineer and role administration in the Admin Tool. For every user who should work with the system as an engineer, an engineer account has to be created in the engineer administration!

Please see also the following picture for an explanation of the CM authentication process using LDAP.

Figure 433: ConSol CM - LDAP authentication process

Configuring LDAP Authentication

There are two ways you can enable the ConSol CM system to use LDAP authentication for engineers in the Web Client:

• Select LDAP authentication during system setup and enter the requested parameters (system properties) after the setup.
• Set up the system with the regular authentication mechanism and switch to LDAP later on, i.e., enter all required system properties later on.

Configuring LDAP During Initial Setup

During system setup you can select LDAP as the authentication mode on the Administrator screen (third step). This will set the system property cmas-core-security, authentication.method (see below) to LDAP. No further parameters are entered. You have to set the LDAP parameters manually. Please see the next section for an explanation.

Switching the Authentication Mode to LDAP in a Running System

To switch the authentication method to LDAP, you have to set the required values in the system properties (navigation group System, navigation item System Properties, see System Properties):

• authentication.method
  LDAP
• ldap.authentication
  simple
• ldap.basedn
  The DN (distinguished name) of the LDAP (sub-)tree where the required attributes are located.
• ldap.initialcontextfactory
  The Java class name for the initial context factory of the LDAP implementation when using LDAP authentication. Should usually be com.sun.jndi.ldap.LdapCtxFactory.
• ldap.password
  Password for connecting to the LDAP server to look up users. Only needed if look-up cannot be done anonymously.

• ldap.userdn
  LDAP user for connecting to the LDAP server to look up users. Only needed if look-up cannot be done anonymously.

  A server user name/password pair might be required to access the LDAP server. If you are not sure, you might want to use an LDAP browser to confirm.

• ldap.providerurl
  The complete URL for the LDAP server:

  ldap://<HOSTNAME>:<LDAP PORT>

• ldap.searchattr
  Search attribute for looking up the LDAP entry connected to the CM login, i.e., the attribute which is used as user name for the authentication.

Using LDAPS (LDAP over SSL)

Introduction

Per default, when an LDAP client accesses an LDAP server, the information is transferred in clear text. In case you want the user name and password to be transferred to the LDAP server in encrypted form, you have to set up the LDAP authentication using LDAPS.

Preparations

You have to configure the CM server machine (Java) in a way that can use certificates. One way to do this for a Linux environment is described in the following section.

1. Retrieve the certificate:
   

   openssl s_client -connect dc2.mydomain.com:ldaps

2. The answer will contain a section which starts with "---BEGIN CERTIFICATE " and ends with "END CERTIFICATE ---". Copy this section to a file, e.g., /tmp/certificate2_dc2_mydomain_com.txt

3. Import the certificate to the truststore of your machine, e.g., /home/mydirectory/mytruststore
   

   $JAVA_HOME/bin/keytool -import -alias <arbitrary> -trustcacerts -keystore /home/mydirectory/mytruststore -file/tmp/certificate2_dc2_mydomain_com.txt
   

   You have to enter (set) a password.

4. Enter the truststore in the ConSol CM config file in JAVA_OPTS:
   

   -Djavax.net.ssl.trustStore=/home/mydirectory/mytruststore -Djavax.net.ssl.trustStorePassword=<see above>

LDAPS Configuration in the ConSol CM Admin Tool (System Properties)

Configure the ConSol CM server as shown in the following example:

• cmas-core-security, ldap.authentication = simple
• cmas-core-security, ldap.basedn = OU=myOU,DC=myDC
• cmas-core-security, ldap.initialcontextfactory = com.sun.jndi.ldap.LdapCtxFactory
• cmas-core-security, ldap.password = myLDAPpw
• cmas-core-security, ldap.searchattr = sAMAccountName
• cmas-core-security, ldap.userdn = myLDAP_UserDN

Depending on the LDAP server configuration, use one of the following values for the server URL:

• Standard LDAPs port
  cmas-core-security, ldap.providerurl = ldaps://dc2.mydomain.com:636
• LDAPs port Global Catalogue
  cmas-core-security, ldap.providerurl = ldaps://dc2.mydomain.com:3269

Configuring Engineer Accounts for LDAP Authentication

Use the engineer administration (navigation group Access and Roles, navigation item Engineers) in the Admin Tool to configure the engineer accounts.

When LDAP is used as authentication method, it is not possible to set the ConSol CM password within the engineer administration. The pop-up window for engineer management provides the following fields which are relevant for LDAP authentication.

• Login
  
  If no LDAP ID has been provided, this is used as the user name during the LDAP authentication process which is looked up in the LDAP directory in the ldap.searchattr node.
• LDAP ID
  If you would like to employ special user names in ConSol CM which are not identical to the values used in the LDAP directory, fill in this field. During the LDAP authentication process, this LDAP ID is used as the user name which gets looked up in the LDAP directory in the ldap.searchattr node.

Please refer to section Engineers for details concerning the other (non LDAP-related) data fields.