LDAP with PLANTA secure
General
Information
PLANTA project provides an enhanced security standard via the PLANTA secure component, e.g. by means of a two factor authentication (2FA). This function will be extended by authentication via LDAP. This approach works via communication between the following components: PLANTA Client
- PLANTA Server
- PLANTA Client Adapter (CA) (from C 39.5.31 integrated in PLANTA Client)
- PLANTA Server Adapter (SA) (integrated in PLANTA Server)
- Directory Server
Operation Principle
- For authentication, the client adapter retrieves the login data and transmits them to the ServerAdapter.
- The ServerAdapter establishes a connection to the directory service via LDAP and authenticates the user.
- Now, the user is logged off from the server with the selected attribute.
- The successful authentication with the selected attribute is reported to the client.
Configure PLANTA secure
From Release S 39.5.32
secure.conf
- On the server you have to adjust the following parameters in the secure.conf file:
reverse_proxy.auth = true
reverse_proxy.user_header = x-authenticated-user
reverse_proxy.user_format = plain
servlet.connection = your_host:your_port
Interface and port to which the client adapter is to connect.
ldap_configuration = config/ldap.conf
Path of the LDAP configuration file.
ldap.conf
- On the server you have to adjust the following parameters in the ldap.conf file:
bean:contextSource
url - ldaps://your.ldap.url:port
The URL of the directory service with prefixed protocol and port
base - ou=user,DC=ldap,DC=url
Home level for searching in the directory service
userDn - maxservice@yourldap.url
A service user who has access to the directory service
password - mysecretpassphrase
Password for the service user
baseEnvironmentProperties
A list of properties which are transmitted to LDAP.
The listed attributes under the java.naming.ldap.attributes.binary
key are then read out as binary values.
If several attributes are listed, they must be separated by a blank space.
E.g.:
<map>
<entry key="java.naming.ldap.attributes.binary" value="objectGUID"/>
</map>
bean:ldapConfig
ldapUserFilter
A filter with the help of which the search can be restricted
ldapSearchScope = "SUBTREE"
Search depth below start level. Possible values are: "SUBTREE","ONELEVEL_SCOPE" oder "OBJECT_SCOPE"
plantaUserData
A list of attributes which are read out from LDAP and transferred to the DB.
The attributes are transmitted as a key value.
The attribute which is marked with login
in its value is checked for the user recognition.
The attribute which is marked with uuid
in its value is converted to a UUID string and logged on as a user.
E.g.:
<map>
<entry key="userPrincipalName" value="login"/>
<entry key="mail" value=""/>
<entry key="sAMAccountName" value=""/>
<entry key="sn" value=""/>
<entry key="objectGUID" value="uuid"/>
</map>
The userPrincipalName
attribute is used to authenticate the user who is then logged-on with the objectGUID
attribute.
Furthermore, all specified attributes are written in the DB. If no attribute is marked with uuid, the attribute with login
is used for login.
Earlier Releases
Additional Settings
From Release C 39.5.31
- You have to store the correct LDAP plugin for the Client adapter in the planta.ini. Here, you furthermore have additional setting options which are documented here.
- The PLANTA Server must be configured for proxy authentication.
- Further information on general settings for PLANTA secure can be found here.
- The users must have been created with user ID in the PLANTA Server accordingly.
- Currently, the read-out of binary attributes is not supported.