Combined Realm for AD/LDAP Limitations to Service

Applies to: All versions of Ephesoft Transact

Issue

In some cases, the LDAP user and group search cannot find users and groups unless specific context paths are entered in the configuration. This requires listing every organizational unit (OU) that contains the authorized users and groups.

Combined realms are used mainly when several OUs must be searched to authenticate your users. Because the Global Catalog port (port 3268) in Active Directory is used only for following referrals to the common name (CN) entry of a user account, using the standard LDAP port (port 389) can cause issues later on.

Root Cause

The service cannot follow referrals down to the lowest sub-organizational unit.

Solution

To resolve this issue, you will need to set up combined realms in Apache Tomcat.

  1. Open the server.xml file located at [Transact Install Directory]\JavaAppServer\conf\server.xml.
  2. Wrap the current LDAP realm configuration in the following element, so that the role base matches group membership in any of the listed realms:
<Realm className="org.apache.catalina.realm.CombinedRealm"></Realm>
  3. Then add another realm configuration after the existing realm setting. In the second realm setting, specify the secondary OU location in which Apache Tomcat should identify and authenticate both your users and groups.

Example:

<Realm className="org.apache.catalina.realm.CombinedRealm">
  <Realm className="org.apache.catalina.realm.JNDIRealm"
    connectionURL="ldap://<AD ServerName/IP>:389"
    connectionName="cn=User,OU=Service Accounts,DC=Test,DC=Ephesoft,DC=com"
    connectionPassword="P@ssw0rd"
    userPattern="cn={0},OU=DomainUsersLocation1,DC=Test,DC=Ephesoft,DC=com"
    roleBase="OU=SecurityGroupsLocation1,DC=Test,DC=Ephesoft,DC=com"
    roleSubtree="true"
    roleName="cn"
    roleSearch="uniqueMember={0}"
  />

  <Realm className="org.apache.catalina.realm.JNDIRealm"
    connectionURL="ldap://<AD ServerName/IP>:389"
    connectionName="cn=User,OU=Service Accounts,DC=Test,DC=Ephesoft,DC=com"
    connectionPassword="P@ssw0rd"
    userPattern="cn={0},OU=DomainUsersLocation2,DC=Test,DC=Ephesoft,DC=com"
    roleBase="OU=SecurityGroupsLocation2,DC=Test,DC=Ephesoft,DC=com"
    roleSubtree="true"
    roleName="cn"
    roleSearch="uniqueMember={0}"
  />
</Realm>
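A small pre-restart check for the CombinedRealm block above, added here as an example and not part of Ephesoft or Tomcat: it parses the realm fragment and reports a malformed attribute (a missing quote or a split className), a CombinedRealm that does not wrap at least two JNDIRealms, missing user or role attributes, roleSubtree left off, or two sub-realms pointing at the same OU. The embedded server.xml fragment is a constructed copy of the article's example with placeholder host and credentials.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the article's two-OU CombinedRealm with its quoting fixed
# and placeholder host/credentials; not a real server.xml.
SAMPLE_SERVER_XML = """<Engine name="Catalina" defaultHost="localhost">
<Realm className="org.apache.catalina.realm.CombinedRealm">
  <Realm className="org.apache.catalina.realm.JNDIRealm"
    connectionURL="ldap://ad.example.test:389"
    connectionName="cn=User,OU=Service Accounts,DC=Test,DC=Ephesoft,DC=com"
    connectionPassword="PLACEHOLDER"
    userPattern="cn={0},OU=DomainUsersLocation1,DC=Test,DC=Ephesoft,DC=com"
    roleBase="OU=SecurityGroupsLocation1,DC=Test,DC=Ephesoft,DC=com"
    roleSubtree="true" roleName="cn" roleSearch="uniqueMember={0}" />
  <Realm className="org.apache.catalina.realm.JNDIRealm"
    connectionURL="ldap://ad.example.test:389"
    connectionName="cn=User,OU=Service Accounts,DC=Test,DC=Ephesoft,DC=com"
    connectionPassword="PLACEHOLDER"
    userPattern="cn={0},OU=DomainUsersLocation2,DC=Test,DC=Ephesoft,DC=com"
    roleBase="OU=SecurityGroupsLocation2,DC=Test,DC=Ephesoft,DC=com"
    roleSubtree="true" roleName="cn" roleSearch="uniqueMember={0}" />
</Realm>
</Engine>"""

COMBINED = "org.apache.catalina.realm.CombinedRealm"
JNDI = "org.apache.catalina.realm.JNDIRealm"
REQUIRED = ("connectionURL", "connectionName", "userPattern", "roleBase", "roleSearch")

def check_combined_realm(xml_text):
    """Return a list of findings; an empty list means the realm block looks sane."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # an unclosed quote or 'class Name' ends up here
        return [f"server.xml fragment is not well-formed XML: {exc}"]
    combined = [r for r in root.iter("Realm") if r.get("className") == COMBINED]
    if len(combined) != 1:
        return [f"expected exactly one CombinedRealm, found {len(combined)}"]
    subrealms = [r for r in combined[0] if r.tag == "Realm"]
    findings = []
    if len(subrealms) < 2:
        findings.append("CombinedRealm should wrap at least two JNDIRealms (one per OU)")
    for i, realm in enumerate(subrealms, 1):
        if realm.get("className") != JNDI:
            findings.append(f"sub-realm {i}: className is not JNDIRealm")
        findings += [f"sub-realm {i}: missing {a}" for a in REQUIRED if not realm.get(a)]
        if realm.get("roleSubtree", "false").lower() != "true":  # Tomcat default is false
            findings.append(f"sub-realm {i}: roleSubtree is not true; nested OUs under roleBase are skipped")
    if len({r.get("userPattern") for r in subrealms}) != len(subrealms):
        findings.append("two sub-realms share the same userPattern, so one adds nothing")
    return findings

if __name__ == "__main__":
    print("\n".join(check_combined_realm(SAMPLE_SERVER_XML) or ["OK"]))
```

Point it at the real file with `check_combined_realm(open(path, encoding="utf-8").read())` once the realm edit is in place.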

This configuration is only needed if you cannot use the Global Catalog port in Active Directory. You will also need to follow the instructions for setting up AD at the OU level; refer to "How to Configure Active Directory using the Standard LDAP Port" for more information.