Altair® Panopticon


LDAP


Panopticon Real Time can be configured to authenticate against a Lightweight Directory Access Protocol (LDAP) source. By configuring the Apache Tomcat Realm, the server can authenticate users and extract their roles by querying the LDAP source.

The realm’s connection to the directory is defined by the connectionURL attribute. Each user that can be authenticated must be represented in the directory with an individual entry that corresponds to an element in the initial DirContext from the connectionURL. This user entry must have an attribute containing the username that is presented for authentication.

You can add a dedicated user by setting connectionName and connectionPassword in the Realm; this defines an account with read access to the user database and roles. If, for example, the admin cn is admin and the admin password is admin, you add these properties as shown in the example below.

The userPattern attribute may be used to specify the DN, with “{0}” marking where the username should be substituted.

The role is usually an LDAP group entry with one attribute containing the name of the role and another one whose values are distinguished names or usernames of the users in that role. The following attributes configure a directory search to find the names of roles associated with the authenticated user:

•  roleBase: The base entry for the role search. If not specified, the search base is the top-level directory context.

•  roleSearch: The LDAP search filter for selecting role entries.

•  roleName: The attribute in a role entry containing the name of that role.

•  roleNested: Includes nested roles if set to true. This means every newly found roleName and distinguished name is recursively tried for a new role search. The default is false.

The following is an example of how the Realm can be configured when using LDAP, in conf/server.xml. Please note that the values should be replaced with details from your own LDAP source.

<Realm className="org.apache.catalina.realm.JNDIRealm"
    connectionURL="ldap://localhost:389"
    connectionName="cn=admin,dc=test,dc=com"
    connectionPassword="admin"
    userPattern="uid={0},ou=users,dc=test,dc=com"
    roleBase="ou=groups,dc=test,dc=com"
    roleName="cn"
    roleSearch="(uniqueMember={0})"
    roleNested="true"
/>

Using this configuration, the realm determines the user’s distinguished name by substituting the username into the userPattern, authenticates by binding to the directory with this DN and the password received from the user, and searches the directory to find the user’s roles.


   NOTE

If you opt not to have a dedicated user, remove connectionName and connectionPassword and let each user extract information about itself. You do this by adding userSearchAsUser and roleSearchAsUser to the Realm and setting both to true. The recommended usage, however, is a dedicated user: it always has the rights to query the LDAP directory, whereas with userSearchAsUser and roleSearchAsUser there is no guarantee that each user is authorized to read these details.


You can specify more than one LDAP domain by defining a Combined Realm. This is done by putting more than one Realm configuration within a parent CombinedRealm:

<Realm className="org.apache.catalina.realm.CombinedRealm">
  <Realm className="org.apache.catalina.realm.JNDIRealm"
    (realm details...) />
  <Realm className="org.apache.catalina.realm.JNDIRealm"
    (realm details...) />
</Realm>
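The following is an added example, not part of the Panopticon documentation or of Tomcat itself: a small in-memory model of the login flow the JNDIRealm configuration above describes (userPattern substitution, bind with the user's own password, role search with {0} replaced by the user's DN, recursive nested-role search when roleNested is true) and of the CombinedRealm ordering (realms tried in turn, first success wins). The directory entries, passwords and the second realm's userPattern are constructed sample data, and the filter model handles only single equality filters.

```python
import re

# Constructed sample directory: DN -> attributes (LDAP values are always lists).
DIRECTORY = {
    "uid=alice,ou=users,dc=test,dc=com": {
        "uid": ["alice"], "userPassword": ["alice-secret"]},
    "uid=bob,ou=users,dc=test,dc=com": {
        "uid": ["bob"], "userPassword": ["bob-secret"]},
    "cn=viewers,ou=groups,dc=test,dc=com": {
        "cn": ["viewers"],
        "uniqueMember": ["uid=alice,ou=users,dc=test,dc=com",
                         "uid=bob,ou=users,dc=test,dc=com"]},
    "cn=designers,ou=groups,dc=test,dc=com": {
        "cn": ["designers"],
        "uniqueMember": ["uid=alice,ou=users,dc=test,dc=com"]},
    # A group whose member is another group: reachable only with roleNested true.
    "cn=admins,ou=groups,dc=test,dc=com": {
        "cn": ["admins"],
        "uniqueMember": ["cn=designers,ou=groups,dc=test,dc=com"]},
}

# Realm attributes mirroring the conf/server.xml example above.
REALM = {
    "userPattern": "uid={0},ou=users,dc=test,dc=com",
    "roleBase": "ou=groups,dc=test,dc=com",
    "roleName": "cn",
    "roleSearch": "(uniqueMember={0})",
    "roleNested": True,
}


def filter_escape(value):
    """Escape RFC 4515 filter metacharacters before substituting a value into a filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def filter_unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def bind(dn, password):
    """Simple bind: succeeds only if the entry exists and the password matches.
    An empty password must never count as a bind (LDAP treats it as anonymous)."""
    entry = DIRECTORY.get(dn)
    return bool(password) and entry is not None and password in entry.get("userPassword", [])


def search(base, ldap_filter):
    """Subtree search under `base` for a single equality filter '(attr=value)'."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("only simple equality filters are modelled: " + ldap_filter)
    attr, wanted = m.group(1), filter_unescape(m.group(2))
    return [dn for dn, entry in DIRECTORY.items()
            if dn.endswith("," + base) and wanted in entry.get(attr, [])]


def find_roles(realm, user_dn, username):
    """Role search as JNDIRealm performs it: {0} is the DN, {1} the name.
    With roleNested, each newly found role DN/name is searched again in turn."""
    roles, seen, pending = [], set(), [(user_dn, username)]
    while pending:
        dn, name = pending.pop(0)
        flt = (realm["roleSearch"].replace("{0}", filter_escape(dn))
                                  .replace("{1}", filter_escape(name)))
        for role_dn in search(realm["roleBase"], flt):
            if role_dn in seen:          # `seen` also stops cycles between groups
                continue
            seen.add(role_dn)
            for role in DIRECTORY[role_dn].get(realm["roleName"], []):
                roles.append(role)
                if realm.get("roleNested"):
                    pending.append((role_dn, role))
    return sorted(roles)


def authenticate(realm, username, password):
    """Return the user's roles on success, or None when the bind fails."""
    user_dn = realm["userPattern"].replace("{0}", username)
    if not bind(user_dn, password):
        return None
    return find_roles(realm, user_dn, username)


def combined_authenticate(realms, username, password):
    """CombinedRealm behaviour: realms are tried in order; the first success wins."""
    for realm in realms:
        roles = authenticate(realm, username, password)
        if roles is not None:
            return roles
    return None


if __name__ == "__main__":
    print(authenticate(REALM, "alice", "alice-secret"))   # nested: admins via designers
    print(authenticate(dict(REALM, roleNested=False), "alice", "alice-secret"))
```

Running the block shows alice receiving the admins role only through the nested designers group, which is exactly what roleNested="true" adds over a flat search; with the attribute absent or false, a group that lists other groups as members contributes nothing.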


   NOTE

LockOutRealm (mentioned at the start of this chapter) is an implementation of the Tomcat Realm interface that extends the CombinedRealm. For further information, please see the Apache Tomcat 9 documentation at https://tomcat.apache.org/tomcat-9.0-doc/realm-howto.html.