Altair® Panopticon

 

Active Directory

Panopticon Real Time can be configured to authenticate against an Active Directory server. Panopticon Real Time uses LDAP to communicate with the Active Directory server, so the configuration is very similar to the LDAP configuration in the previous section.

The following is an example of how the Realm can be configured when using Active Directory. Please note that the values should be replaced with details from your own LDAP source.

<Realm className="org.apache.catalina.realm.JNDIRealm"
   connectionURL="ldap://ad.dwch.com:3268"
   alternateURL="ldap://ad.dwch.com:389"
   authentication="simple"
   referrals="follow"
   connectionName="admin@DWCH.com"
   connectionPassword="admin"
   userBase="cn=Users,dc=DWCH,dc=com"
   userSearch="(sAMAccountName={0})"
   userSubtree="true"
   roleBase="cn=Users,dc=DWCH,dc=com"
   roleName="cn"
   roleSearch="(member={0})"
   roleSubtree="true"
   roleNested="true"
/>

NOTE

As with LDAP, you can opt not to use a dedicated user: remove connectionName and connectionPassword, and add userSearchAsUser and roleSearchAsUser to the Realm, both set to true, so that each user retrieves information about itself. As mentioned in the LDAP section, the recommended usage is to have a dedicated user, since there is no guarantee that each user is authorized to retrieve these details.
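
The example realm above uses authentication="simple" over ldap://, so the bind account's password and each user's password cross the network unencrypted. The following variant is an added example, not part of the Panopticon documentation: it points the same realm at the LDAPS ports of the same host and binds as a dedicated low-privilege account. The account name svc-panopticon and the password placeholder are assumptions, and the JVM running Tomcat must trust the certificate presented by the domain controller.

```xml
<!-- Added example: the Active Directory realm from above, moved to LDAPS.
     3269 = global catalog over TLS, 636 = LDAP over TLS (standard AD ports).
     svc-panopticon is a hypothetical dedicated account; it only needs read
     access to the user and group objects under userBase and roleBase,
     not administrative rights in the domain. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
   connectionURL="ldaps://ad.dwch.com:3269"
   alternateURL="ldaps://ad.dwch.com:636"
   authentication="simple"
   referrals="follow"
   connectionName="svc-panopticon@DWCH.com"
   connectionPassword="REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD"
   userBase="cn=Users,dc=DWCH,dc=com"
   userSearch="(sAMAccountName={0})"
   userSubtree="true"
   roleBase="cn=Users,dc=DWCH,dc=com"
   roleName="cn"
   roleSearch="(member={0})"
   roleSubtree="true"
   roleNested="true"
/>
```

Because connectionPassword is stored as plain text, restrict read access to the file that holds this Realm element to the account that runs the server.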

 

 

A useful tool when configuring your Active Directory realm is Active Directory Explorer from Microsoft Sysinternals: https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer.

USEFUL TIP

Depending on how your Active Directory is set up, you may need to specify different attribute values for your userBase and your roleBase. For further info, see Apache Tomcat 9 documentation about realms: https://tomcat.apache.org/tomcat-9.0-doc/realm-howto.html.

Abbreviations used: CN = Common Name, OU = Organizational Unit, DC = Domain Component