Integrating Ephesoft Transact with LDAP

This article provides the configuration steps to integrate Transact with LDAP.

In Ephesoft Transact, there are three configuration files that you will need to edit:

  1. server.xml
  2. user-connectivity.properties
  3. application.properties

What is required to configure Ephesoft Transact with LDAP?

To integrate Ephesoft Transact with LDAP successfully, you first need to understand the directory structure. Without knowing how your LDAP directory is laid out you will not be able to fill in the Transact configuration files.

We expect that you know at least the following about your LDAP directory:

  • A user that exists in the directory.
  • The password of that user.
  • The difference between domain components, Organizational Units, Groups and Users.
  • Where users are located in the directory.
  • Where groups are located in the directory.
  • How users are mapped to their respective groups.

Sample Directory Structure Example to be used to Configure LDAP

In this section we walk through an example directory structure and use it to configure Transact for LDAP.

The directory structure described below gives us every piece of information required to configure Transact with LDAP.

  • The directory root is the domain com.ephesoft, written in LDAP as dc=ephesoft,dc=com: the root domain is “com” and “ephesoft” is a sub-domain. Each level is a domain component, abbreviated “dc”.
  • There can be more than one sub-domain, for example com.ephesoft.support, depending on your organization’s structure.
  • The directory has two Organizational Units (OU), named groups and people.
  • The groups OU contains the Groups / Roles. There are 5 groups, named admin, role1, role2, role3 and role4.
  • The people OU contains the Users. There are 5 users, named aj, ephesoft, user1, user2 and user4.
  • The user “ephesoft” is a member of the group admin.

We now have all the required information in order to configure Transact with LDAP.
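Before editing any Transact file it is worth confirming each of the assumptions above against the directory itself. The script below is an added example and is not part of the Ephesoft documentation or product: using OpenLDAP’s ldapsearch and ldapwhoami it binds with the service account, resolves a login name to a DN under ou=people, lists the ou=groups entries whose uniqueMember holds that DN, and checks the user’s own password, which are the same lookups the Tomcat realm performs later. The LDAP URL, bind DN and passwords are placeholders to override in the environment; the filter-escaping helper is included because the login name is substituted into a search filter and must not be able to alter it.

```shell
#!/usr/bin/env sh
# Added pre-flight check for this page's example directory (dc=ephesoft,dc=com with
# ou=people and ou=groups). Not part of Ephesoft Transact. Needs the OpenLDAP client tools.
# LDAP_URL, BIND_DN and BIND_PW are assumed placeholders; set them in the environment.
set -u

LDAP_URL="${LDAP_URL:-ldaps://ldap-server.example.com:636}"
BASE_DN="${BASE_DN:-dc=ephesoft,dc=com}"
BIND_DN="${BIND_DN:-cn=Manager,dc=ephesoft,dc=com}"
BIND_PW="${BIND_PW:-change-me}"   # prefer -W (prompt) or -y <file> over -w to keep it out of argv

# RFC 4515 escaping for a value placed inside a search filter. The realm substitutes the
# login name into userSearch="cn={0}"; a name such as "*" or "x)(cn=admin" would otherwise
# change the meaning of the filter, so never interpolate a raw value.
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Filter the realm derives from userSearch="cn={0}" for a login name
user_filter() { printf '(cn=%s)' "$(ldap_filter_escape "$1")"; }

# Filter the realm derives from roleSearch="uniqueMember={0}" for a user DN
group_filter() { printf '(uniqueMember=%s)' "$(ldap_filter_escape "$1")"; }

# 1. Bind as the service account: validates connectionURL, connectionName and connectionPassword
check_service_bind() {
  ldapwhoami -H "$LDAP_URL" -x -D "$BIND_DN" -w "$BIND_PW"
}

# 2. Resolve a login name to its DN the way userBase + userSearch + userSubtree="true" would
find_user_dn() {
  ldapsearch -LLL -H "$LDAP_URL" -x -D "$BIND_DN" -w "$BIND_PW" \
    -b "ou=people,$BASE_DN" -s sub "$(user_filter "$1")" dn | sed -n 's/^dn: //p'
}

# 3. List the groups (roleName=cn) whose uniqueMember holds that DN, as roleBase + roleSearch would
find_groups() {
  ldapsearch -LLL -H "$LDAP_URL" -x -D "$BIND_DN" -w "$BIND_PW" \
    -b "ou=groups,$BASE_DN" -s sub "$(group_filter "$1")" cn | sed -n 's/^cn: //p'
}

# 4. Prove the user's own password works: what the realm does once it has the DN
check_user_bind() {
  ldapwhoami -H "$LDAP_URL" -x -D "$1" -w "$2"
}

# Run all four steps for one login name and password, e.g.: ./ldap-preflight.sh ephesoft 'secret'
preflight() {
  check_service_bind >/dev/null || { echo "service bind FAILED: check URL, connectionName, connectionPassword" >&2; return 1; }
  dn=$(find_user_dn "$1")
  [ -n "$dn" ] || { echo "user '$1' not found under ou=people,$BASE_DN" >&2; return 1; }
  echo "user DN: $dn"
  echo "groups:"; find_groups "$dn" | sed 's/^/  /'
  check_user_bind "$dn" "$2" >/dev/null && echo "user bind OK" || { echo "user bind FAILED" >&2; return 1; }
}

if [ $# -ge 2 ]; then preflight "$1" "$2"; fi
```

For the sample directory, `preflight ephesoft '<password>'` should print the DN cn=ephesoft,ou=people,dc=ephesoft,dc=com, the single group admin, and "user bind OK"; any other result points at the attribute (connectionURL, connectionName, userBase, roleSearch) that would fail in server.xml.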

Understanding Roles in Transact

In Transact, roles are distinguished as follows:

  • Super Administrator: has complete access to the Transact User Interface.
  • Administrator: does not have access to the System Configuration User Interface.
  • Operator: has access to the non-admin User Interfaces such as Batch List, Review/Validate, and so on.

Configuring the Transact Server.xml File

In server.xml we define how Transact connects to LDAP. This configuration authenticates users and fetches users and groups from LDAP. A Realm element in server.xml, whose attributes are described below, connects to the LDAP server and attempts to authenticate users.

  • className: set to org.apache.catalina.realm.JNDIRealm, the JNDIRealm class that ships with Tomcat.
  • connectionURL: the URL of the LDAP server, of the form ldap://<IP, DNS name or FQDN>:<port>. The default port is 389 for plain LDAP and 636 for LDAPS (LDAP over TLS); for LDAPS use the ldaps:// scheme. Plain LDAP sends the bind password and every user’s login password in clear text, so use LDAPS wherever the server supports it.
  • connectionName: the Distinguished Name of the account Transact binds with to search the directory. In our example cn=Manager,dc=ephesoft,dc=com is the entry named “Manager” directly under the “ephesoft” sub-domain of the “com” root domain. Any existing account will do, but it only needs read access to the user and group entries, so prefer a dedicated read-only service account over an administrative one.
  • connectionPassword: the password of the account given in connectionName. It is stored in clear text in server.xml, so restrict read access to that file.
  • userBase: the base entry (DN) under which users are searched for. In our example this is the sub-domain itself, dc=ephesoft,dc=com; combined with userSubtree="true" the search covers that entry and every Organizational Unit beneath it.
  • userSearch: the LDAP search filter used to find the user’s entry, with {0} replaced by the login name. A typical value is “cn={0}”.
  • roleBase: the base entry (DN) under which roles (groups) are searched for. In this example we search for Groups / Roles under the sub-domain “ephesoft” and all Organizational Units beneath it.
  • roleName: the attribute of a role entry that holds the name of that role. In the example the cn attribute of each group entry is used.
  • roleSearch: the LDAP search filter that selects role entries; {0} is replaced with the user’s Distinguished Name (and {1} with the login name). The example value uniqueMember={0} selects every group whose uniqueMember attribute contains the user’s DN.
  • userSubtree: the search scope for users. Set to true to search the entire subtree rooted at userBase; the default, false, searches only the entries directly beneath it.
  • roleSubtree: the search scope for roles. Set to true to search the entire subtree rooted at roleBase; false searches only the entries directly beneath it.
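Assembled for the sample directory, the attributes above give the following Realm element. This is an added illustration, not a copy of Ephesoft’s own server.xml; the host name and password are placeholders, and the element belongs wherever Tomcat accepts a Realm (inside the Engine, Host or Context element).

```xml
<!-- Added example Realm for Tomcat's server.xml, built from this page's sample directory.
     ldap-server.example.com and CHANGE_ME are placeholders; not copied from Ephesoft's files. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://ldap-server.example.com:636"
       connectionName="cn=Manager,dc=ephesoft,dc=com"
       connectionPassword="CHANGE_ME"
       userBase="dc=ephesoft,dc=com"
       userSearch="cn={0}"
       userSubtree="true"
       roleBase="dc=ephesoft,dc=com"
       roleName="cn"
       roleSearch="uniqueMember={0}"
       roleSubtree="true" />
```

For the login name ephesoft the realm searches the subtree under dc=ephesoft,dc=com for (cn=ephesoft), binds as the DN it finds (cn=ephesoft,ou=people,dc=ephesoft,dc=com) with the supplied password, then searches the same subtree for (uniqueMember=cn=ephesoft,ou=people,dc=ephesoft,dc=com) and reads the cn of each match, which yields the role admin. Since this structure keeps users in ou=people and groups in ou=groups, userBase="ou=people,dc=ephesoft,dc=com" and roleBase="ou=groups,dc=ephesoft,dc=com" would narrow each search to the OU that actually holds those entries.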

Configuring Ephesoft user-connectivity.properties

  • The user-connectivity.properties file handles authorization and group filtering: it limits which groups / roles are fetched from LDAP.
  • The properties in user-connectivity.properties are the following.

  • user.connectivity_url: the URL of the LDAP server, of the form ldap://<IP, DNS name or FQDN>:<port>, where the port is 389 for LDAP or 636 for LDAPS.
  • user.connectivity_domain_component_name: the sub-domain information (ephesoft in our example). With more than one sub-domain, such as com.ephesoft.support, the convention is user.connectivity_domain_component_name=support,dc=ephesoft.
  • user.connectivity_domain_component_organization: the root-level domain name (com in our example).
  • user.connection: this property needs to be set to 0 to use AD.
  • user.ldap_user_base: an LDAP-specific property that restricts the user search to a specific OU. For our structure: user.ldap_user_base=ou=people.
  • user.ldap_group_base: an LDAP-specific property that restricts the group search to a specific OU. For our structure: user.ldap_group_base=ou=groups.

Configuring the Transact application.properties File

  • This file sets the super admin group details.
  • Two properties need to change: user.super_admin, where the super admin group(s) are defined, and update_super_admin_group, whose flag must be set to true.
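Filled in for the sample directory, the two properties files look as follows. This is an added example, not Ephesoft’s shipped files: the LDAP host is a placeholder, and user.super_admin=admin assumes the admin group from the sample structure is the one that should become Super Administrator.

```properties
# user-connectivity.properties (added example for the sample directory; host is a placeholder)
user.connectivity_url=ldaps://ldap-server.example.com:636
# dc=ephesoft,dc=com split into its sub-domain and root domain components
user.connectivity_domain_component_name=ephesoft
user.connectivity_domain_component_organization=com
# user.connection: this page only documents the value 0 (Active Directory); set it per your deployment
# fetch users only from ou=people and groups only from ou=groups
user.ldap_user_base=ou=people
user.ldap_group_base=ou=groups

# application.properties (added example): the sample directory's admin group becomes Super Administrator
user.super_admin=admin
update_super_admin_group=true
```

With these values only the user ephesoft, the sole member of admin in the sample directory, reaches the System Configuration UI; every other group still has to be granted access screen by screen in the Access Manager described next.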

Access Management on Ephesoft User Interface

The Access Manager UI is where access to the various Transact User Interfaces is granted to groups. From this UI the Super Admin sets which roles can reach which screens. Only the Super Admin can grant access to other groups and assign roles; access is granted by ticking one or more check boxes.

The Super Admin can also grant access to batch classes and their batch instances from the Roles column of the Batch Class Management screen. For example, giving role1 access to the batch class BC3A also gives it access to every batch instance associated with BC3A.