LDAP Authentication for Engineers in the Web Client
Configuring LDAP Authentication
There are two ways you can enable the ConSol CM system to use LDAP authentication for engineers in the Web Client:
- Select LDAP authentication during system setup and enter the requested parameters (system properties) after the setup.
- Set up the system with the regular authentication mechanism and switch to LDAP later on by entering all required system properties at that time.
Configuring LDAP During Initial Setup
During system setup you can select LDAP as the authentication mode on the Administrator screen (third step). This will set the system property cmas-core-security, authentication.method (see below) to LDAP. No further parameters are entered. You have to set the LDAP parameters manually. Please see the next section for an explanation.
Switching the Authentication Mode to LDAP in a Running System
To switch the authentication method to LDAP, you have to set the required values in the system properties (navigation group System, navigation item System Properties):
- authentication.method: LDAP
- ldap.authentication: simple
- ldap.basedn: The DN (distinguished name) of the LDAP (sub-)tree where the required attributes are located.
- ldap.initialcontextfactory: The Java class name for the initial context factory of the LDAP implementation when using LDAP authentication. Should usually be com.sun.jndi.ldap.LdapCtxFactory.
- ldap.password: Password for connecting to the LDAP server to look up users. Only needed if look-up cannot be done anonymously.
- ldap.userdn: LDAP user for connecting to the LDAP server to look up users. Only needed if look-up cannot be done anonymously. A server user name/password pair might be required to access the LDAP server. If you are not sure, you might want to use an LDAP browser to confirm.
- ldap.providerurl: The complete URL for the LDAP server: ldap://<HOSTNAME>:<LDAP PORT>
- ldap.searchattr: Search attribute for looking up the LDAP entry connected to the CM login, i.e., the attribute which is used as user name for the authentication.
Using LDAPS (LDAP over SSL)
Introduction
By default, when an LDAP client accesses an LDAP server, the information is transferred in clear text. If you want the user name and password to be transferred to the LDAP server in encrypted form, you have to set up the LDAP authentication using LDAPS.
Preparations
You have to configure the CM server machine (Java) so that it trusts the certificate presented by the LDAP server. One way to do this in a Linux environment is described in the following steps.
- Retrieve the certificate:
  openssl s_client -connect dc2.mydomain.com:ldaps
- The answer will contain a section which starts with "-----BEGIN CERTIFICATE-----" and ends with "-----END CERTIFICATE-----". Copy this section, including both marker lines, to a file, e.g., /tmp/certificate2_dc2_mydomain_com.txt
- Import the certificate into the truststore of your machine, e.g., /home/mydirectory/mytruststore:
  $JAVA_HOME/bin/keytool -import -alias <arbitrary> -trustcacerts -keystore /home/mydirectory/mytruststore -file /tmp/certificate2_dc2_mydomain_com.txt
  You have to enter (set) a password.
- Enter the truststore in the ConSol CM config file in JAVA_OPTS:
  -Djavax.net.ssl.trustStore=/home/mydirectory/mytruststore -Djavax.net.ssl.trustStorePassword=<see above>
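The preparation steps above as a script, added here as an example; it is not part of the ConSol CM documentation or product. Host name, port, truststore path and alias are assumptions passed as arguments. It adds one check the manual steps leave implicit: the SHA-256 fingerprint of the retrieved certificate is printed so it can be compared with the value the directory administrator provides before the certificate is imported, which keeps a certificate substituted on the network path from being trusted by mistake.

```shell
#!/bin/sh
# Added example (not ConSol CM code): fetch the LDAPS server certificate,
# extract the PEM block and import it into a Java truststore.

# extract_cert INFILE OUTFILE
# Copy the first PEM certificate block from captured `openssl s_client`
# output into OUTFILE. Returns 1 if no certificate was found (connection
# failed, or the port speaks plain LDAP instead of LDAPS).
extract_cert() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { p = 1 }
         p { print }
         /^-----END CERTIFICATE-----$/ { exit }' "$1" > "$2"
    grep -q '^-----END CERTIFICATE-----$' "$2"
}

# cert_fingerprint CERTFILE
# Print subject and SHA-256 fingerprint for out-of-band comparison.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -subject -fingerprint -sha256
}

# import_ldaps_cert HOST PORT TRUSTSTORE ALIAS
# Retrieve the certificate presented on HOST:PORT and import it into
# TRUSTSTORE (created if it does not exist). keytool asks for the
# truststore password; that password goes into JAVA_OPTS afterwards.
import_ldaps_cert() {
    host=$1; port=$2; truststore=$3; alias=$4
    raw=$(mktemp); pem=$(mktemp)
    # </dev/null ends the session as soon as the handshake is complete;
    # -servername sends SNI in case the server hosts several names.
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null > "$raw" 2>&1
    if ! extract_cert "$raw" "$pem"; then
        echo "no certificate received from $host:$port" >&2
        rm -f "$raw" "$pem"
        return 1
    fi
    cert_fingerprint "$pem"
    "${JAVA_HOME:?JAVA_HOME must be set}/bin/keytool" -import -alias "$alias" \
        -trustcacerts -keystore "$truststore" -file "$pem"
    rc=$?
    rm -f "$raw" "$pem"
    return $rc
}

# Usage with the assumed host and paths from this section:
#   import_ldaps_cert dc2.mydomain.com 636 /home/mydirectory/mytruststore dc2-ldaps
```

Run the import once per LDAP server the ConSol CM installation connects to; the alias only has to be unique within the truststore.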
LDAPS Configuration in the ConSol CM Admin Tool (System Properties)
Configure the ConSol CM server as shown in the following example:
- cmas-core-security, ldap.authentication = simple
- cmas-core-security, ldap.basedn = OU=myOU,DC=myDC
- cmas-core-security, ldap.initialcontextfactory = com.sun.jndi.ldap.LdapCtxFactory
- cmas-core-security, ldap.password = myLDAPpw
- cmas-core-security, ldap.searchattr = sAMAccountName
- cmas-core-security, ldap.userdn = myLDAP_UserDN
Depending on the LDAP server configuration, use one of the following values for the server URL:
- Standard LDAPS port:
  cmas-core-security, ldap.providerurl = ldaps://dc2.mydomain.com:636
- LDAPS port of the Global Catalogue:
  cmas-core-security, ldap.providerurl = ldaps://dc2.mydomain.com:3269
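A small pre-flight check for the property set above, added as an example and not part of ConSol CM. It reads the properties in the "cmas-core-security, key = value" form shown in this section from a file (the file layout is an assumption) and flags the combination that defeats the purpose of this section: ldap.authentication = simple together with a plain ldap:// provider URL, which sends the bind password in clear text.

```shell
#!/bin/sh
# Added example (not ConSol CM code): sanity checks on the
# cmas-core-security LDAP properties before they are entered in the Admin Tool.

# prop FILE KEY
# Print the value of KEY from FILE. Lines may carry the
# "cmas-core-security, " module prefix as in the listing above.
prop() {
    sed -n -e 's/^[[:space:]]*cmas-core-security,[[:space:]]*//' \
           -e "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# check_ldap_props FILE
# Returns 0 when the settings are consistent and keep the simple-bind
# password off the wire in clear text, 1 otherwise. Findings go to stderr.
check_ldap_props() {
    file=$1; rc=0
    auth=$(prop "$file" ldap.authentication)
    url=$(prop "$file" ldap.providerurl)
    basedn=$(prop "$file" ldap.basedn)
    attr=$(prop "$file" ldap.searchattr)

    # 1. A simple bind transmits the password as-is, so require ldaps://.
    case "$url" in
        ldaps://*) ;;
        ldap://*)
            if [ "$auth" = simple ]; then
                echo "FAIL: simple bind over $url sends credentials in clear text" >&2
                rc=1
            fi ;;
        *)
            echo "FAIL: ldap.providerurl must be ldap(s)://HOST:PORT, got '$url'" >&2
            rc=1 ;;
    esac

    # 2. LDAPS URLs normally use 636 (directory) or 3269 (Global Catalogue).
    case "$url" in
        ldaps://*:636|ldaps://*:3269) ;;
        ldaps://*) echo "WARN: non-standard LDAPS port in $url" >&2 ;;
    esac

    # 3. The user look-up needs a base DN and a search attribute.
    [ -n "$basedn" ] || { echo "FAIL: ldap.basedn is empty" >&2; rc=1; }
    [ -n "$attr" ]   || { echo "FAIL: ldap.searchattr is empty" >&2; rc=1; }
    return $rc
}

# Usage: check_ldap_props /path/to/cmas-core-security.properties
```

The check is deliberately conservative: a non-standard LDAPS port only produces a warning, since the port is whatever the directory administrator configured, while a clear-text simple bind or a missing base DN / search attribute fails the check.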