{"id":460,"date":"2014-08-18T18:30:27","date_gmt":"2014-08-18T18:30:27","guid":{"rendered":"https:\/\/ephesoft.com\/docs\/?p=460"},"modified":"2020-12-03T14:51:14","modified_gmt":"2020-12-03T21:51:14","slug":"how-to-administer-ephesoft-users-groups","status":"publish","type":"docs","link":"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/how-to-administer-ephesoft-users-groups\/","title":{"rendered":"How to Administer Ephesoft Users and Groups"},"content":{"rendered":"<div class=\"wpb-content-wrapper\"><p style=\"color: #000000\">Ephesoft supports Tomcat, OpenLDAP and Microsoft Active Directory protocols for maintain a roster of users and groups. OpenLDAP is the default management system that is enabled and configured following a clean installation of Ephesoft Transact. There are two main configuration files:<\/p>\n<ul>\n<li>{EPHESOFT_ROOT_DIR}\\Application\\WEB-INF\\classes\\META-INF\\dcma-user-connectivity\\user-connectivity.properties<\/li>\n<\/ul>\n<p style=\"color: #000000\">This file contains the settings necassary to populate groups names in Ephesoft Batch Class Management. The file contains settings for LDAP, Tomcat and MS Active Directory.<\/p>\n<ul>\n<li>{EPHESOFT_ROOT_DIR}\\JavaAppServer\\conf\\server.xml\n<ul>\n<li>\n<dl>\n<dd><b>NOTE: IN EPHESOFT v2.5 Realm settings are located in {EPHESOFT_ROOT_DIR}\\JavaAppServer\\conf\\Catalina\\localhost\\dcma.xml INSTEAD OF server.xml<\/b><\/dd>\n<\/dl>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p style=\"color: #000000\">This file tells Ephesoft how users should be authenticated when they are login into the Ephesoft. The file should have following Realm:<\/p>\n<h3 style=\"color: #000000\"><span id=\"Configuring_Apache-Tomcat\" class=\"mw-headline\">Configuring Apache-Tomcat<\/span><\/h3>\n<p style=\"color: #000000\">Apache-Tomcat configuration is enabled in three different files:<\/p>\n<ul>\n<li>{EPHESOFT_ROOT_DIR}\\Application\\WEB-INF\\classes\\META-INF\\dcma-user-connectivity\\user-connectivity.properties<\/li>\n<\/ul>\n<p style=\"color: #000000\">This file contains the settings necassary to populate groups names in Ephesoft Batch Class Management. The following settings should be set for Tomcat:<\/p>\n<pre style=\"color: #000000\">user.tomcatUserXmlPath={EPHESOFT_ROOT_DIR}\\\\JavaAppServer\\\\conf\\\\tomcat-users.xml\r\nuser.connection=2\r\n<\/pre>\n<ul>\n<li>{EPHESOFT_ROOT_DIR}\\JavaAppServer\\conf\\server.xml\n<ul>\n<li>\n<dl>\n<dd><b>NOTE: IN EPHESOFT v2.5 Realm settings are located in {EPHESOFT_ROOT_DIR}\\JavaAppServer\\conf\\Catalina\\localhost\\dcma.xml INSTEAD OF server.xml<\/b><\/dd>\n<\/dl>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p style=\"color: #000000\">This file tells Ephesoft that users should be authenticated using tomcat. The file should have following Realm:<\/p>\n<pre style=\"color: #000000\">&lt;Realm className=\"org.apache.catalina.realm.MemoryRealm\"\/&gt; \r\n<\/pre>\n<ul>\n<li>{EPHESOFT_ROOT_DIR}\\JavaAppServer\\conf\\tomcat-users.xml<\/li>\n<\/ul>\n<p style=\"color: #000000\">This file contains user groups and users. For example a group called admin and a user called ephesoft with password demo is defined as follows:<\/p>\n<pre style=\"color: #000000\">  &lt;role rolename=\"admin\"\/&gt;\r\n  &lt;user username=\"ephesoft\" password=\"demo\" roles=\"admin\"\/&gt;\r\n<\/pre>\n<h3 style=\"color: #000000\"><span id=\"Configuring_OpenLDAP\" class=\"mw-headline\">Configuring OpenLDAP<\/span><\/h3>\n<p style=\"color: #000000\">OpenLDAP Software is a free, open source implementation of the Lightweight Directory Access Protocol (LDAP) developed by the OpenLDAP Project. It is released under its own BSD-style license called the OpenLDAP Public License. LDAP is a platform-independent protocol. To connect to the Ephesoft LDAP database and modify groups, users, permissions, etc administrators can utilize the bundled JExplorer tool @ the following location:<\/p>\n<ul>\n<li>{EPHESOFT_ROOT_DIR}\\Dependencies\\OpenLDAP\\ldap-client\\jxplorer-3.2.1\\jxplorer.bat<\/li>\n<\/ul>\n<p style=\"color: #000000\">Connection to LDAP configuration is enabled in two different files:<\/p>\n<ul>\n<li>{EPHESOFT_ROOT_DIR}\\Application\\WEB-INF\\classes\\META-INF\\dcma-user-connectivity\\user-connectivity.properties<\/li>\n<\/ul>\n<p style=\"color: #000000\">This file contains the settings necassary to populate groups names in Ephesoft Batch Class Management. The following settings should be set for LDAP configuration:<\/p>\n<pre style=\"color: #000000\">user.ldap_url=ldap:\/\/localhost:389\r\nuser.ldap_config=com.sun.jndi.ldap.LdapCtxFactory\r\nuser.ldap_domain_component_name=ephesoft\r\nuser.ldap_domain_component_organization=com\r\nuser.ldap_username=cn=Manager,dc=ephesoft,dc=com\r\nuser.ldap_password=*******\r\nuser.connection=0\r\n<\/pre>\n<ul>\n<li>{EPHESOFT_ROOT_DIR}\\JavaAppServer\\conf\\server.xml\n<ul>\n<li>\n<dl>\n<dd><b>NOTE: IN EPHESOFT v2.5 Realm settings are located in {EPHESOFT_ROOT_DIR}\\JavaAppServer\\conf\\Catalina\\localhost\\dcma.xml INSTEAD OF server.xml<\/b><\/dd>\n<\/dl>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p style=\"color: #000000\">This file tells Ephesoft that users should be authenticated using tomcat. The file should have following Realm:<\/p>\n<pre style=\"color: #000000\">&lt;Realm   className=\"org.apache.catalina.realm.JNDIRealm\"\r\nconnectionURL=\"ldap:\/\/localhost:389\"\r\nconnectionName=\"cn=Manager,dc=ephesoft,dc=com\"\r\nconnectionPassword=\"secret\"\r\nuserPattern=\"cn={0},ou=people,dc=ephesoft,dc=com\"\r\nroleBase=\"ou=groups,dc=ephesoft,dc=com\"\r\nroleName=\"cn\"\r\nroleSearch=\"uniqueMember={0}\"\r\n\/&gt;<\/pre>\n<h3 style=\"color: #000000\"><span id=\"Configuring_Active_Directory\" class=\"mw-headline\">Configuring Active Directory<\/span><\/h3>\n<h4 style=\"color: #000000\"><span id=\"Update_-_Configuring_Active_Directory_Globally_.28Applies_to_v3.0_or_Higher.29\" class=\"mw-headline\">Update &#8211; Configuring Active Directory Globally (Applies to v3.0 or Higher)<\/span><\/h4>\n<p style=\"color: #000000\">Requirement:\u00a0<i>Latest dcma-user-connectivity-0.0.15.jar<\/i>\u00a0<a class=\"external autonumber\" style=\"color: #3366bb\" href=\"http:\/\/support.ephesoft.com\/portal\/ephesoft\/ViewAttachment.do?blockId=efda1d7e49e38b79d217ba4da1ef3e7a95faf19dd1e5128e&amp;fileName=dcma-user-connectivity-0.0.15.zip&amp;zgId=d98871d738e7a28fdc91a236738b3d70&amp;downloadType=uploadedFile&amp;isSupAttach=true\" rel=\"nofollow\">[5]<\/a><\/p>\n<p style=\"color: #000000\">Objective:<\/p>\n<dl style=\"color: #000000\">\n<dd>\n<ul>\n<li>Using root domain(Domain components DC only) as user base and role base for authentication using LDAP\/MS Active directory.<\/li>\n<li>Possibly having a single and convenient realm to handle all requests.<\/li>\n<\/ul>\n<\/dd>\n<\/dl>\n<p style=\"color: #000000\">Proposed Solution:<\/p>\n<dl style=\"color: #000000\">\n<dd>\n<ul>\n<li>Enhancing LDAP and MS Active directory to be able to provide authentication having the knowledge of root domain only.<\/li>\n<li>Setting up the realm for providing the same.<\/li>\n<li>Updating jars to handle this scenario.<\/li>\n<\/ul>\n<\/dd>\n<\/dl>\n<p style=\"color: #000000\">Solution:<\/p>\n<dl style=\"color: #000000\">\n<dd>\n<ul>\n<li>MS Active directory<\/li>\n<li>MS Active Directory works on various ports for different purposes.<\/li>\n<li>Port\u00a0<b>389<\/b>\u00a0is for normal LDAP working of MS Active Directory.<\/li>\n<li>Port\u00a0<b>3268<\/b>\u00a0is for Global catalog working of MS Active Directory.<\/li>\n<li>MS Active directory working as simple LDAP service cannot handle root domain search requests. This is Because Searching a root domain in Active directory returns referrals to the root components which can only be handled by Global catalog service and not by normal LDAP service.<\/li>\n<\/ul>\n<\/dd>\n<\/dl>\n<p style=\"color: #000000\">To do this you will modify the user-connectivity.properties file located in:<\/p>\n<p style=\"color: #000000\"><i>Epehesoft Install Directory\\Application\\WEB-INF\\classes\\META-INF\\dcma-user-connectivity<\/i><\/p>\n<dl style=\"color: #000000\">\n<dd>\n<ul>\n<li>Set the \u201cuser.msactivedirectory_url\u201d to \u201cldap:\/\/&lt;Server-Name\/IP&gt;:<b>3268<\/b>\u201d<\/li>\n<li>Set the \u201cuser.msactivedirectory_context_path\u201d to empty<\/li>\n<li>Set the \u201cuser.msactivedirectory_group_search_filter\u201d to a single filter value. (Not multiple filters to be specified)<\/li>\n<\/ul>\n<\/dd>\n<\/dl>\n<p style=\"color: #000000\">This setting will be in sync with the one done while setting the Realm.<\/p>\n<p style=\"color: #000000\"><b>Setting changes to LDAP<\/b><\/p>\n<p style=\"color: #000000\">Normal LDAP service allows us to search on root domain without any further configuration. So there is not much change to be made in order to make LDAP work with root domain chosen as base. Following are the changes:<\/p>\n<dl style=\"color: #000000\">\n<dd>\n<ul>\n<li>Set the \u201cuser.ldap_user_base\u201d to empty.<\/li>\n<li>Set the \u201cuser.ldap_group_base\u201d to empty.<\/li>\n<\/ul>\n<\/dd>\n<\/dl>\n<p style=\"color: #000000\"><b>**Note**: these properties are added in the Installer version 3.0.2.0 onwards. Please update your properties file with the Changes mentioned if running versions prior to 3.0.2.0.<\/b><\/p>\n<p style=\"color: #000000\"><b>Sample Configuration for User-connectivity.properties file:<\/b><\/p>\n<pre style=\"color: #000000\">    user.ldap_url=ldap:\/\/localhost:389\r\n    user.ldap_config=com.sun.jndi.ldap.LdapCtxFactory\r\n    user.ldap_domain_component_name=ephesoft\r\n    user.ldap_domain_component_organization=com\r\n    user.ldap_username=cn=Manager,dc=ephesoft,dc=com\r\n    user.ldap_password=secret\r\n    user.ldap_user_base=\r\n    user.ldap_group_base=\r\n            user.msactivedirectory_url=ldap:\/\/msad.ephesoft.com:3268\r\n            user.msactivedirectory_config=com.sun.jndi.ldap.LdapCtxFactory\r\n            user.msactivedirectory_context_path=\r\n            user.msactivedirectory_domain_component_name=ephesoft\r\n            user.msactivedirectory_domain_component_organization=com\r\n            user.msactivedirectory_user_name=CN=administrator,DC=ephesoft,DC=com\r\n            user.msactivedirectory_password=Passw0rd\r\n                  # filter can have |(OR), &amp;(AND) and\u00a0!(NOT)\r\n                  # | (|(cn=a*))\r\n                  # &amp; (&amp;(cn=a*))\r\n                  #\u00a0! (!(cn=a*))\r\n                  # complex example ((!(cn=a*))(|(cn=ephesoft*)(&amp;(cn=b*)))\r\n                  user.msactivedirectory_group_search_filter=(!(cn=*h*oft*))\r\n                  user.tomcatUserXmlPath=C:\\\\Ephesoft\\\\JavaAppServer\/conf\/tomcat-users.xml\r\n    # 0 for LDAP\r\n    # 1 for MS Active Directory\r\n    # 2 for Tomcat\r\n    user.connection=1\r\n<\/pre>\n<p style=\"color: #000000\">Next you will need to modify the Realm settings in the Server.XML file located in:<\/p>\n<p style=\"color: #000000\"><i>Epehesoft Install Directory\\JavaAppServer\\conf<\/i><\/p>\n<pre style=\"color: #000000\">    &lt;Realm   className=\"org.apache.catalina.realm.JNDIRealm\"\r\n               connectionURL=\"ldap:\/\/&lt;Server-Name\/IP&gt;:3268\"\r\n               connectionName=\"&lt;Authenticated-User-Name&gt;\"\r\n               connectionPassword=\"&lt;Authenticated-User-Password&gt;\"\r\n                     userBase=\"&lt;Any Chosen User Base&gt;\"\r\n                     userSearch=\"&lt;Unique Parameter for user search Suggested: (sAMAccountName={0})&gt;\"\r\n                     userSubtree=\"true\"\r\n                     referrals=\"follow\"\r\n                          roleBase=\"&lt;Any Chosen User Base&gt;\"\r\n                          roleName=\"cn\"\r\n                          roleSubtree=\"true\"\r\n                          roleSearch=\"(member={0})\"\r\n                                 \r\n    \/&gt;\r\n<\/pre>\n<p style=\"color: #000000\">Example Realm Configuration:<\/p>\n<pre style=\"color: #000000\">    &lt;Realm   className=\"org.apache.catalina.realm.JNDIRealm\"\r\n               connectionURL=\"ldap:\/\/msad.ephesoft.com:3268\"\r\n               connectionName=\"CN=administrator,DC=ephesoft,DC=com\"\r\n               connectionPassword=\"password\"\r\n                   userBase=\"DC=ephesoft,DC=com\"\r\n                   userSearch=\"(sAMAccountName={0})\"\r\n                   userSubtree=\"true\"\r\n                   referrals=\"follow\"\r\n                       roleBase=\"DC=ephesoft,DC=com\"\r\n                       roleName=\"cn\"\r\n                       roleSubtree=\"true\"\r\n                       roleSearch=\"(member={0})\"\r\n                                 \r\n    \/&gt;\r\n<\/pre>\n<h4 style=\"color: #000000\"><span id=\"Specifying_the_AD_Group_as_Super_Admin\" class=\"mw-headline\">Specifying the AD Group as Super_Admin<\/span><\/h4>\n<p style=\"color: #000000\">To edit this you will need to navigate to the Following location:<\/p>\n<p style=\"color: #000000\">Scroll to the setting below and remove the entry &#8220;admin&#8221; and replace with the Assigned AD Security Group.<\/p>\n<p style=\"color: #000000\">user.super_admin=&lt;GroupName&gt;<\/p>\n<p style=\"color: #000000\">Sample Application.properties:<\/p>\n<pre style=\"color: #000000\">  #Super admin group update disabled.\r\n    ephesoft.product.version=3.0.2.0\r\n    report.ant.buildfile.path=C:\\\\Ephesoft\\\\Report\/ephesoft-reporting\/build.xml\r\n    enable.reporting=true\r\n    enable.uploadBatch=true\r\n  #default doc type view can be \"dropdown_list\" or \"suggest_box\"\r\n    document.default_doc_type_view=suggest_box_view\r\n    function_key_script_name=ScriptFunctionKey\r\n  #This property value has become obsolete. No need to set its value from version 3.0.2.0 onwards.\r\n    tesseract_version_3=C:\\\\Ephesoft\\\\Application\/native\/Tesseract-OCR\r\n    field_value_change_script_name=ScriptFieldValueChange\r\n    row_count=50\r\n    zip_switch=true\r\n    update_interval=5\r\n    preloaded_image_count=3\r\n  #0 for html cleaner(default)\r\n  #any other value for Tidy parser (Support for EE 2.4 or earlier)\r\n    html_parser=0\r\n    custom_reports_url=<a class=\"external free\" style=\"color: #3366bb\" href=\"http:\/\/www.ephesoft.com\/\" rel=\"nofollow\">http:\/\/www.ephesoft.com<\/a>\r\n    custom_reports_title=Ephesoft\r\n    custom_reports_pop_up_xdimension=500\r\n    custom_reports_pop_up_ydimension=500\r\n    enable.restart_all_batch=false\r\n    batchlist.table_row_count=15\r\n    zoom_count=1\r\n    create_batch_instance_backup=off\r\n    plugin_upload_folder_path=C:\\\\Ephesoft\\\\SharedFolders\/plugin-upload-folder\r\n    user.super_admin=admin\r\n    help_url=<a class=\"external free\" style=\"color: #3366bb\" href=\"http:\/\/www.ephesoft.com\/wiki\/index.php?title=Special:Search\" rel=\"nofollow\">http:\/\/www.ephesoft.com\/wiki\/index.php?title=Special:Search<\/a>\r\n    batch_copy_timeout=3600\r\n  # 1-RoundRobin (Default)\r\n  # 0-BatchInstancePriority\r\n    workflow.batchPickingAlgo=1\r\n  # false for review panel as closed on Review-Validation screen for batches with READY_FOR_VALIDATION state\r\n  # true for review panel as open by default on Review-Validation screen for batches with READY_FOR_VALIDATION state\r\n    default_review_panel_open=false\r\n  # 0 for limited\/metered user\r\n  # 1 for shared user(not implemented)\r\n  # 2 for dedicated\r\n    user_type=2\r\n  # file size limit in KB.\r\n    upload_batch_limit=1024\r\n  # Set this property as true if super admin roles has been updated\r\n    update_super_admin_group=false\r\n<\/pre>\n<h4 style=\"color: #000000\"><span id=\"Update_-_Super_Admin_Group_Setting_in_v3.0.2.0_or_Higher\" class=\"mw-headline\">Update &#8211; Super Admin Group Setting in v3.0.2.0 or Higher<\/span><\/h4>\n<p style=\"color: #000000\">The following line has been added to the Application.properties file regarding applying changes to the user.super_admin Group.<\/p>\n<pre style=\"color: #000000\">  # Set this property as true if super admin roles has been updated\r\n    update_super_admin_group=false\r\n<\/pre>\n<p style=\"color: #000000\">When changes are made to the user.super_admin line on the same file, you will need to set the above line to\u00a0<b>true<\/b>. Then you will restart Ephesoft and it will set the new group as the Super Admin.<\/p>\n<h4 style=\"color: #000000\"><span id=\"Limitations_of_this_Solution\" class=\"mw-headline\">Limitations of this Solution<\/span><\/h4>\n<p style=\"color: #000000\">Issue: Choosing the below authentication may run into ambiguity. That is in case we have multiple users by same \u201cname\u201d(the user distinguishing parameter in realm). This will lead to a point where we cannot handle the client log in request as it will depend on LDAP\/MS Active Directory implementations. It depends on how the concerned server will choose the user. Please see example:<\/p>\n<p style=\"color: #000000\">Three users:<\/p>\n<dl style=\"color: #000000\">\n<dd>\n<ul>\n<li>CN=admin, OU=sales, DC=ephesoft, DC=com<\/li>\n<li>CN=admin, OU=java, OU=tech, DC=ephesoft, DC=com<\/li>\n<li>CN=admin, OU=management, DC=ephesoft, DC=com<\/li>\n<li>Realm \u201cuser base\u201d set to domain components (DC=ephesoft, DC=com).<\/li>\n<li>Realm \u201cuser search\u201d set to \u201ccn={0}\u201d. (Checks for common name = &lt;Value used for login&gt;)<\/li>\n<li>Intended user to log in CN=admin, OU=sales, DC=ephesoft, DC=com.<\/li>\n<\/ul>\n<\/dd>\n<\/dl>\n<p style=\"color: #000000\">In the above scenario, the realm searches all child entries of DC=ephesoft, DC=com in LDAP\/MS AD server with username(\u201cadmin\u201d) to be equal to common name value of any user entry lying under \u201cDC=ephesoft, DC=com\u201d. In this case it will find the first matching entry and will authenticate against it. This chosen entry might not be the desired one. The point of concern here is choosing \u201cuser search\u201d parameter carefully.<\/p>\n<p style=\"color: #000000\">Solution:<\/p>\n<dl style=\"color: #000000\">\n<dd>\n<ul>\n<li>Keep the \u201cuser search\u201d value in realm in way that it can identify your user uniquely. That is the parameter used for searching a user must uniquely identify each of the user entries in LDAP\/ MS AD.<\/li>\n<li>Make the user enter the its value for that unique parameter into username while logging in to the application.<\/li>\n<li>Keeping cn(common name), first name, last name as \u201cuser search\u201d parameter may cause such scenario.<\/li>\n<\/ul>\n<\/dd>\n<\/dl>\n<h4 style=\"color: #000000\"><span id=\"Configuring_Active_Directory_at_the_OU_Level\" class=\"mw-headline\">Configuring Active Directory at the OU Level<\/span><\/h4>\n<p style=\"color: #000000\"><i>Written by &#8211; Pat Myers @ Zia consulting.<\/i><\/p>\n<p style=\"color: #000000\">First you have to configure the Active Directory to pull the groups so you can set the role(s) for the batch classes. To do this you will modify the user-connectivity.properties file located in: Epehesoft Install Directory\\Application\\WEB-INF\\classes\\META-INF\\dcma-user-connectivity<\/p>\n<p style=\"color: #000000\">Set up the following properties for Active Directory:<\/p>\n<pre style=\"color: #000000\">user.msactivedirectory_url= ldap:\/\/YourDomain.com:389\r\nuser.msactivedirectory_config=com.sun.jndi.ldap.LdapCtxFactory\r\nuser.msactivedirectory_context_path=OU=Security Groups\r\nuser.msactivedirectory_domain_component_name=yourdomain\r\nuser.msactivedirectory_domain_component_organization=com\r\nuser.msactivedirectory_user_name=CN=Ephesoft Service,OU=Users,DC=YourDomain,DC=com\r\nuser.msactivedirectory_password=UserPassword\r\n# filter can have |(OR), &amp;(AND) and\u00a0!(NOT)\r\n# | (|(cn=a*))\r\n# &amp; (&amp;(cn=a*))\r\n#\u00a0! (!(cn=a*))\r\n# complex example ((!(cn=a*))(|(cn=ephesoft*)(&amp;(cn=b*)))\r\nuser.msactivedirectory_group_search_filter=\r\n# 0 for LDAP\r\n# 1 for MS Active Directory\r\n# 2 for Tomcat\r\nuser.connection=1\r\n<\/pre>\n<p style=\"color: #000000\"><b>user.msactivedirectory_url<\/b>\u00a0\u2013 This is the url to the LDAP server<\/p>\n<p style=\"color: #000000\"><b>user.msactivedirectory_context_path<\/b>\u00a0\u2013 path to root where groups reside. Multiple locations can be specified with a \u201c;;\u201d delimiter (eg. OU=Internal Groups;;OU=Contractors)<\/p>\n<p style=\"color: #000000\"><b>user.msactivedirectory_domain_component_name<\/b>\u00a0\u2013 component value for AD is DC below the root DC. There can only one value here such as &#8216;ephesoft&#8217;. &#8216;cn=na,cn=ephesoft&#8217; or &#8216;cn=ephsesft&#8217; is not allowed.<\/p>\n<p style=\"color: #000000\"><b>user.msactivedirectory_domain_component_organization<\/b>\u00a0\u2013 root DC of the AD store (typically \u201ccom\u201d)<\/p>\n<p style=\"color: #000000\"><b>user.msactivedirectory_user_name<\/b>\u00a0\u2013 User name to connect to the AD server.<\/p>\n<p style=\"color: #000000\"><b>user.msactivedirectory_password<\/b>\u00a0\u2013 User password to connect to the AD server.<\/p>\n<p style=\"color: #000000\"><b>user.msactivedirectory_group_search_filter<\/b>\u00a0&#8211; Display only the groups that meets the filter value<\/p>\n<p style=\"color: #000000\"><b>user.connection<\/b>\u00a0\u2013 value should be set to 1 to read the AD configuration (opposed to LDAP or Tomcat properties)<\/p>\n<p style=\"color: #000000\">If you have batch classes you should now restart the Ephesoft service set the roles for the batch classes.<\/p>\n<p style=\"color: #000000\">Next you have to modify the path for authentication of the users. The file you have to modify is called server.xml and it is located in: {EPHESOFT_ROOT_DIR}\\JavaAppServer\\conf\\\u00a0<b>NOTE: IN EPHESOFT v2.5 Realm settings are located in {EPHESOFT_ROOT_DIR}\\JavaAppServer\\conf\\Catalina\\localhost\\dcma.xml INSTEAD OF server.xml<\/b><\/p>\n<p style=\"color: #000000\">Modify the realm element to have the url, name, password, pattern and role base for the Active Directory instance.<\/p>\n<pre style=\"color: #000000\">&lt;Realm \r\n className=\"org.apache.catalina.realm.JNDIRealm\"\r\n connectionURL=\"ldap:\/\/YourDomain.com:389\"\r\n connectionName=\"CN=Ephesoft Service,OU=Users,DC=YourDomain,DC=com\"\r\n connectionPassword=\"UserPassword \"\r\n userPattern=\"cn={0},OU=Users,DC=YourDomain,DC=com\"\r\n roleBase=\"OU=Security Groups,DC=YourDomain,DC=com\"\r\n roleSubtree=\u201dtrue\u201d\r\n roleName=\"cn\"\r\n roleSearch=\"member={0}\"\r\n\/&gt;\r\n<\/pre>\n<p style=\"color: #000000\">Attributes in Realm element that need to be modified:<\/p>\n<p style=\"color: #000000\"><b>connectionURL<\/b>\u00a0\u2013 This is the url to the LDAP server<\/p>\n<p style=\"color: #000000\"><b>connectionName<\/b>\u00a0\u2013 User name to connect to the AD server.<\/p>\n<p style=\"color: #000000\"><b>connectionPassword<\/b>\u00a0\u2013 User password to connect to the AD server.<\/p>\n<p style=\"color: #000000\"><b>userPattern<\/b>\u00a0\u2013 path and pattern to the users<\/p>\n<p style=\"color: #000000\"><b>roleBase<\/b>\u00a0\u2013 path to root where groups reside. Groups must have a common OU to be included in the role base but can be is sub directories under this specified root<\/p>\n<p style=\"color: #000000\"><b>roleSubtree<\/b>\u00a0&#8211; attribute to enable searches in sub groups<\/p>\n<p style=\"color: #000000\"><b>roleName<\/b>\u00a0\u2013 attribute in AD of the Groups that should be included<\/p>\n<p style=\"color: #000000\"><b>roleSearch<\/b>\u00a0\u2013 attribute in the groups specifying the user. The {0} is used as a wild card to indicate all users in those groups<\/p>\n<p style=\"color: #000000\">Once the configuration is set restart the server and log in as the AD user with the value that is placed in as the cn value (the cn may be the full name) and the AD password.<\/p>\n<h4 style=\"color: #000000\"><span id=\"Complex_Example\" class=\"mw-headline\">Complex Example<\/span><\/h4>\n<p style=\"color: #000000\"><b>Requirements<\/b><\/p>\n<ul>\n<li>Customer wants to use login name, instead of name, last name combination. Implementation of sAMAccountName.<\/li>\n<li>Users are created in different OUs, i.e. location or department based AD structure. i.e. MyOrganization, YourOrganization, Accounting, HR. etc<\/li>\n<li>Customer has sub domain. Users and groups are defined under this sub domain such as user@MySubDomain.MyDomain.com. If this user is located in\u00a0<b>Users<\/b>\u00a0group inside\u00a0<b>Accounting<\/b>\u00a0organizational unit, it would be equal to<b>CN=user,OU=Users,OU=Accounting,MySubDomain,DC=MyDomain,DC=com<\/b><\/li>\n<\/ul>\n<p style=\"color: #000000\"><b>server.xml configuration:<\/b><\/p>\n<pre style=\"color: #000000\">        &lt;Realm   className=\"org.apache.catalina.realm.JNDIRealm\"\r\n                connectionURL=\"ldap:\/\/MyServer.MySubDomain.MyDomain.com:389\"\r\n                connectionName=\"CN=Ephesoft_serviceAccount,OU=Service Users,OU=Users,OU=MyDepartment,OU=MyOrganization,DC=MySubDomain,DC=MyDomain,DC=com\"\r\n                connectionPassword=\"**********\"\r\n                userBase=\"DC=MySubDomain,DC=MyDomain,DC=com\"\r\n                userSearch=\"(&amp;(objectClass=user)(sAMAccountName={0}))\"\r\n                userSubtree=\"true\"\r\n                roleBase=\"DC=MySubDomain,DC=MyDomain,DC=com\"\r\n                roleSubtree=\"true\"\r\n                roleName=\"cn\"\r\n                roleSearch=\"(&amp;(objectClass=Group)(member={0}))\"\r\n                referrals=\"follow\"\/&gt;\r\n<\/pre>\n<p style=\"color: #000000\"><b>user-connectivity.properties configuration:<\/b><\/p>\n<pre style=\"color: #000000\">user.msactivedirectory_url=ldap:\/\/MyServer.MySubDomain.MyDomain.com:389\r\nuser.msactivedirectory_config=com.sun.jndi.ldap.LdapCtxFactory\r\nuser.msactivedirectory_context_path=OU=Ephesoft,OU=Groups,OU=MyDepartment,OU=MyOrganization;;OU=YourDepartment,OU=MyOrganization\r\nuser.msactivedirectory_domain_component_name=MySubDomain,dc=MyDomain\r\nuser.msactivedirectory_domain_component_organization=com\r\nuser.msactivedirectory_user_name=CN=Ephesoft_serviceAccount,OU=Service Users,OU=Users,OU=MyDepartment,OU=MyOrganization,DC=MySubDomain,DC=MyDomain,DC=com\r\nuser.msactivedirectory_password=************\r\n<\/pre>\n<h3 style=\"color: #000000\"><span id=\"Authorization_of_Ephesoft_URLs\" class=\"mw-headline\">Authorization of Ephesoft URLs<\/span><\/h3>\n<p style=\"color: #000000\">Ephesoft has several URLS such as<\/p>\n<ul>\n<li>BatchList.html<\/li>\n<li>BatchClassManagement.html<\/li>\n<li>BatchInstanceManagement.html<\/li>\n<li>ReviewValidate.html<\/li>\n<li>WebScanner.html<\/li>\n<li>Reporting.html<\/li>\n<\/ul>\n<p style=\"color: #000000\">Administrators can authorize access to these URLs using group\/role names defined in Tomcat, LDAP and MS Active Directory. Web.xml can be found here:\u00a0<b>*{EPHESOFT_ROOT_DIR}\\WEB_INF\\web.xml<\/b>\u00a0By Default all URLs authorized by all groups by using\u00a0<b>&#8220;*&#8221;<\/b>\u00a0in the auth-constrain node:<\/p>\n<pre style=\"color: #000000\">\t\t&lt;auth-constraint&gt;\r\n\t\t\t&lt;role-name&gt;*&lt;\/role-name&gt;\r\n\t\t&lt;\/auth-constraint&gt;\r\n<\/pre>\n<p style=\"color: #000000\">To authorize a specific security role, LDAP container), administrators should modify the role-name node.<\/p>\n<p style=\"color: #000000\">Examples: 1) to allow a role to access BatchInstanceManagement.html(role taken here admin):<\/p>\n<pre style=\"color: #000000\">   &lt;security-constraint&gt;\r\n         &lt;web-resource-collection&gt;\r\n               &lt;web-resource-name&gt;batch instance management&lt;\/web-resource-name&gt;\r\n               &lt;url-pattern&gt;\/BatchInstanceManagement.html&lt;\/url-pattern&gt;\r\n               &lt;http-method&gt;GET&lt;\/http-method&gt;\r\n               &lt;http-method&gt;POST&lt;\/http-method&gt;\r\n         &lt;\/web-resource-collection&gt;\r\n         &lt;auth-constraint&gt;\r\n               &lt;role-name&gt;admin&lt;\/role-name&gt;\r\n         &lt;\/auth-constraint&gt;\r\n   &lt;\/security-constraint&gt;\r\n<\/pre>\n<p style=\"color: #000000\">Here we have allowed the role by mentioning it in the auth-constraint tag.<\/p>\n<p style=\"color: #000000\">2) To allow multiple roles to access BatchInstanceManagement.html do the following configuration(roles taken here are role2 and admin):<\/p>\n<pre style=\"color: #000000\">       \r\n&lt;security-constraint&gt;\r\n         &lt;web-resource-collection&gt;\r\n               &lt;web-resource-name&gt;batch instance management&lt;\/web-resource-name&gt;\r\n               &lt;url-pattern&gt;\/BatchInstanceManagement.html&lt;\/url-pattern&gt;\r\n               &lt;http-method&gt;GET&lt;\/http-method&gt;\r\n               &lt;http-method&gt;POST&lt;\/http-method&gt;\r\n         &lt;\/web-resource-collection&gt;\r\n         &lt;auth-constraint&gt;\r\n               &lt;role-name&gt;role2&lt;\/role-name&gt;\r\n               &lt;role-name&gt;admin&lt;\/role-name&gt;\r\n         &lt;\/auth-constraint&gt;\r\n   &lt;\/security-constraint&gt;\r\n<\/pre>\n<p style=\"color: #000000\">Here the &lt;Security-role&gt; tag need not to be modified. It can remain as it is with a single entry (*) allowing all groups. However it may give warnings if security-role tag is not mapped to groups individually. These warnings can be eliminated by providing mapping for roles in &lt;security-role&gt; tag.<\/p>\n<pre style=\"color: #000000\">      &lt;security-role&gt;\r\n            &lt;role-name&gt;*&lt;\/role-name&gt;\r\n      &lt;\/security-role&gt;\r\n\r\n<\/pre>\n<p><!--Added by: J.D. Abbey--><br \/>\n<!--Date: 8\/18\/2014--><br \/>\n<!--Change: Migrated from old Wiki--><br \/>\n<!--Reviewed by: -->[\/vc_column_text][\/vc_column][\/vc_row]<\/p>\n<\/div>","protected":false},"featured_media":0,"parent":21480,"menu_order":4,"comment_status":"closed","ping_status":"open","template":"","doc_tag":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v19.0 (Yoast SEO v22.1) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How to Administer Ephesoft Users and Groups | Ephesoft Docs<\/title>\n<meta name=\"robots\" content=\"noindex, follow\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to Administer Ephesoft Users and Groups\" \/>\n<meta property=\"og:description\" content=\"Ephesoft supports Tomcat, OpenLDAP and Microsoft Active Directory protocols for maintain a roster of users and groups. OpenLDAP is the [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/how-to-administer-ephesoft-users-groups\/\" \/>\n<meta property=\"og:site_name\" content=\"Ephesoft Docs\" \/>\n<meta property=\"article:modified_time\" content=\"2020-12-03T21:51:14+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"15 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/how-to-administer-ephesoft-users-groups\/\",\"url\":\"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/how-to-administer-ephesoft-users-groups\/\",\"name\":\"How to Administer Ephesoft Users and Groups | Ephesoft Docs\",\"isPartOf\":{\"@id\":\"https:\/\/ephesoft.com\/docs\/#website\"},\"datePublished\":\"2014-08-18T18:30:27+00:00\",\"dateModified\":\"2020-12-03T21:51:14+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/how-to-administer-ephesoft-users-groups\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/how-to-administer-ephesoft-users-groups\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/how-to-administer-ephesoft-users-groups\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/ephesoft.com\/docs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Transact\",\"item\":\"https:\/\/ephesoft.com\/docs\/products\/transact\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"System Configuration\",\"item\":\"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"User Connectivity\",\"item\":\"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/\"},{\"@type\":\"ListItem\",\"position\":5,\"name\":\"How to Administer Ephesoft Users and Groups\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/ephesoft.com\/docs\/#website\",\"url\":\"https:\/\/ephesoft.com\/docs\/\",\"name\":\"Ephesoft Docs\",\"description\":\"Intelligent Document Processing Made Easy\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/ephesoft.com\/docs\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"How to Administer Ephesoft Users and Groups | Ephesoft Docs","robots":{"index":"noindex","follow":"follow"},"og_locale":"en_US","og_type":"article","og_title":"How to Administer Ephesoft Users and Groups","og_description":"Ephesoft supports Tomcat, OpenLDAP and Microsoft Active Directory protocols for maintain a roster of users and groups. OpenLDAP is the [&hellip;]","og_url":"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/how-to-administer-ephesoft-users-groups\/","og_site_name":"Ephesoft Docs","article_modified_time":"2020-12-03T21:51:14+00:00","twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"15 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/how-to-administer-ephesoft-users-groups\/","url":"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/how-to-administer-ephesoft-users-groups\/","name":"How to Administer Ephesoft Users and Groups | Ephesoft Docs","isPartOf":{"@id":"https:\/\/ephesoft.com\/docs\/#website"},"datePublished":"2014-08-18T18:30:27+00:00","dateModified":"2020-12-03T21:51:14+00:00","breadcrumb":{"@id":"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/how-to-administer-ephesoft-users-groups\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/how-to-administer-ephesoft-users-groups\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/how-to-administer-ephesoft-users-groups\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/ephesoft.com\/docs\/"},{"@type":"ListItem","position":2,"name":"Transact","item":"https:\/\/ephesoft.com\/docs\/products\/transact\/"},{"@type":"ListItem","position":3,"name":"System Configuration","item":"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/"},{"@type":"ListItem","position":4,"name":"User Connectivity","item":"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/"},{"@type":"ListItem","position":5,"name":"How to Administer Ephesoft Users and Groups"}]},{"@type":"WebSite","@id":"https:\/\/ephesoft.com\/docs\/#website","url":"https:\/\/ephesoft.com\/docs\/","name":"Ephesoft Docs","description":"Intelligent Document Processing Made Easy","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/ephesoft.com\/docs\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"}]}},"comment_count":0,"_links":{"self":[{"href":"https:\/\/ephesoft.com\/docs\/wp-json\/wp\/v2\/docs\/460"}],"collection":[{"href":"https:\/\/ephesoft.com\/docs\/wp-json\/wp\/v2\/docs"}],"about":[{"href":"https:\/\/ephesoft.com\/docs\/wp-json\/wp\/v2\/types\/docs"}],"replies":[{"embeddable":true,"href":"https:\/\/ephesoft.com\/docs\/wp-json\/wp\/v2\/comments?post=460"}],"version-history":[{"count":0,"href":"https:\/\/ephesoft.com\/docs\/wp-json\/wp\/v2\/docs\/460\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/ephesoft.com\/docs\/wp-json\/wp\/v2\/docs\/21480"}],"next":[{"title":"How To Configure Apache Tomcat Users and Groups","link":"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/how-to-configure-apache-tomcat\/","href":"https:\/\/ephesoft.com\/docs\/wp-json\/wp\/v2\/docs\/2494"}],"prev":[{"title":"Default Authentication Method in Ephesoft Transact","link":"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/default-authentication-method-in-ephesoft-transact\/","href":"https:\/\/ephesoft.com\/docs\/wp-json\/wp\/v2\/docs\/16504"}],"wp:attachment":[{"href":"https:\/\/ephesoft.com\/docs\/wp-json\/wp\/v2\/media?parent=460"}],"wp:term":[{"taxonomy":"doc_tag","embeddable":true,"href":"https:\/\/ephesoft.com\/docs\/wp-json\/wp\/v2\/doc_tag?post=460"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}