Transact

⌘K
  2. Home
  4. Transact
  6. System Configuration
  8. User Connectivity
  10. Active Directory Resource...
  12. How to Configure Active Directory Using the Standard LDAP Service Port

How to Configure Active Directory Using the Standard LDAP Service Port

By default, MS Active Directory supports all LDAP connections using the Standard 389 port.

You can configure Ephesoft to do the same by following the instructions below.

Applicable Ephesoft versions:

Ephesoft v4.x and up

1. First you have to configure the Active Directory to pull the groups so you can set the role(s) for the batch classes. To do this you will modify the user-connectivity.properties file located in:

Epehesoft Install Directory\Application\WEB-INF\classes\META-INF\dcma-user-connectivity

Set up the following properties for Active Directory:

user.connectivity_url=ldap://<Servername/IP>:389
user.connectivity_config=com.sun.jndi.ldap.LdapCtxFactory
user.connectivity_domain_component_name=test,dc=ephesoft
user.connectivity_domain_component_organization=com
user.connectivity_username=cn=User,dc=test,dc=ephesoft,dc=com
user.connectivity_password=P@ssw0rd
# This Property defines which type of connectivity is used
# 0 = LDAP
# 1 = MS Active Directory
# 2 = Tomcat
user.connection=1
#This Attribute is added so as to make search of groups in LDAP/AD configurable,by default its cn(commonName) is returned
user.connectivity_groupSearchAttributeFilter=cn
#This Attribute is added to make search of Users (Organisational Unit) in LDAP/AD configurable,by default its cn
user.connectivity_userSearchAttributeFilter=cn
#Set this for MS Active Directory
user.msactivedirectory_context_path=cn=Users;;ou=securitygroup1;;ou=domainusers;;ou=securitygroup2
# filter can have |(OR), &(AND) and !(NOT)
# | (|(cn=a*))
# & (&(cn=a*))
# ! (!(cn=a*))
# complex example ((!(cn=a*))(|(cn=ephesoft*)(&(cn=b*)))
user.msactivedirectory_group_search_filter=

Configuration that need to be modified:

user.connectivity_url – This is the url to the AD/LDAP server

user.msactivedirectory_context_path – path to root OU where groups reside. Multiple locations can be specified with a “;;” delimiter (eg. OU=Internal Groups;;OU=Contractors)

user.connectivity_domain_component_name – component value for AD is DC below the root DC. There can only one value here such as ‘ephesoft’. ‘cn=na,cn=ephesoft’ or ‘cn=ephsesft’ is not allowed.

user.connectivity_domain_component_organization – root DC of the AD store (typically “com”)

user.connectivity_username – User name to connect to the AD server.

user.connectivity_password – User password to connect to the AD server.

user.msactivedirectory_group_search_filter – Display only the groups that meets the filter value

user.connection – value should be set between 0-2 in order to enable the AD, LDAP or Tomcat configuration in order to authenticate users.

2. Next you have to modify the path for authentication of the users. The file you have to modify is called server.xml and it is located in:

Epehesoft Install Directory\JavaAppServer/conf

Modify the realm element to have the url, name, password, pattern and role base for the Active Directory instance.

<Realm 

className=”org.apache.catalina.realm.JNDIRealm”
connectionURL=”ldap://YourDomain.com:389″
connectionName=”CN=Ephesoft Service,OU=Users,DC=YourDomain,DC=com”
connectionPassword=”UserPassword “
userPattern=”cn={0},OU=Users,DC=YourDomain,DC=com”
roleBase=”OU=Security Groups,DC=YourDomain,DC=com”
roleSubtree=”true”
roleName=”cn”
roleSearch=”member={0}”
/>

Attributes in Realm element that need to be modified:

connectionURL – This is the url to the LDAP server

connectionName – User name to connect to the AD server.

connectionPassword – User password to connect to the AD server.

userPattern – path and pattern to the users

roleBase – path to root where groups reside. Groups must have a common OU to be included in the role base but can be is sub directories under this specified root

roleSubtree – attribute to enable searches in sub groups

roleName – attribute in AD of the Groups that should be included

roleSearch – attribute in the groups specifying the user. The {0} is used as a wild card to indicate all users in those groups

 

3. You will also want to modify the application.properties file located in your \Ephesoft\Application\WEB-INF\classes\META-INF directory

Update the following settings in this file:

update_super_admin_group=true

Then, we need to clarify that the value here is the AD group name. 
 
user.super_admin=Administrators
 
The group name you provide for user.super_admin= will have super admin privileges i.e. access to all the functionality of Ephesoft. The users in the group will be called super admin users and they can assign the user roles from the Ephesoft UI -> System Configuration -> Access Manager screen to the other users who belong to different groups and are not part of the super admin group.
Make sure your user (super admin user) is present in the correct group that you have defined in the application.properties file in user.super_admin group. If this is not the case then the user will give you authorization issues such as the screenshot below:
image.png

4. Once the configuration is set restart the server and log in as the AD user with the value that is placed in as the cn value (the cn may be the full name) and the AD password.