General

Information

PLANTA project provides an enhanced security standard via the PLANTA secure component, for example two-factor authentication (2FA). This function is extended by authentication via LDAP. The approach works via communication between the following components:

  • PLANTA Client
  • PLANTA Server
  • PLANTA Client Adapter (CA) (integrated in the PLANTA Client from C 39.5.31 onward)
  • PLANTA Server Adapter (SA) (integrated in the PLANTA Server)
  • Directory Server

Operation Principle

  • For authentication, the Client Adapter retrieves the login data and transmits them to the Server Adapter.
  • The Server Adapter establishes a connection to the directory service via LDAP and authenticates the user.
  • The user is then logged on to the PLANTA Server with the selected attribute.
  • The successful authentication with the selected attribute is reported to the client.

Configure PLANTA secure

secure.conf

  • On the server you have to adjust the following parameters in the secure.conf file (two variants are shown; the reverse_proxy.* parameters are common to both):

reverse_proxy.auth = true
reverse_proxy.user_header = x-authenticated-user
reverse_proxy.user_format = plain
servlet.connection = your_host:your_port
    Interface and port to which the client adapter is to connect.
ldap_configuration = config/ldap.conf
    Path of the LDAP configuration file.

reverse_proxy.auth = true
reverse_proxy.user_header = x-authenticated-user
reverse_proxy.user_format = plain
auth_method.ldap = true
auth_method.ldap_useSSL = true
auth_method.ldap_configuration = config/ldap.conf


ldap.conf

  • On the server you have to adjust the following parameters in the ldap.conf file (two variants are shown: one based on bean:contextSource, one based on ldap:context-source and ldap:ldap-template):

bean:contextSource

url - ldaps://your.ldap.url:port
    The URL of the directory service, including the protocol prefix and the port
base - ou=user,DC=ldap,DC=url
    Start level (search base) for searching in the directory service
userDn - maxservice@yourldap.url
    A service user who has access to the directory service
password - mysecretpassphrase
    Password for the service user
baseEnvironmentProperties
    A list of properties which are passed on to LDAP.
    The attributes listed under the java.naming.ldap.attributes.binary key are read out as binary values.
    If several attributes are listed, they must be separated by a blank space.

    E.g.:

    <map>
    <entry key="java.naming.ldap.attributes.binary" value="objectGUID"/>
    </map>


bean:ldapConfig

ldapUserFilter
    A filter with which the search can be restricted
ldapSearchScope = "SUBTREE"
    Search depth below the start level. Possible values are: "SUBTREE", "ONELEVEL_SCOPE" or "OBJECT_SCOPE"
plantaUserData
    A list of attributes which are read out from LDAP and transferred to the DB.
    The attributes are transmitted as key/value pairs.
    The attribute whose value is marked login is checked against the entered user ID.
    The attribute whose value is marked uuid is converted to a UUID string, and the user is logged on with that string.

    E.g.:

    <map>
    <entry key="userPrincipalName" value="login"/>
    <entry key="mail" value=""/>
    <entry key="sAMAccountName" value=""/>
    <entry key="sn" value=""/>
    <entry key="objectGUID" value="uuid"/>
    </map>

    The userPrincipalName attribute is used to authenticate the user, who is then logged on with the objectGUID attribute.
    Furthermore, all specified attributes are written to the DB. If no attribute is marked with uuid, the attribute marked with login is used for the logon.
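As an added illustration (not PLANTA's own code), the following Python sketch shows the resolution the plantaUserData map describes: which attribute is checked as the login, how a binary objectGUID becomes the UUID string the user is logged on with, and the fallback to the login attribute when nothing is marked uuid. The LDAP entry and the objectGUID bytes are constructed sample data; the function names are this example's own.

```python
import uuid

# Constructed sample of what an LDAP search returns for one user. objectGUID is
# listed under java.naming.ldap.attributes.binary, so it arrives as raw bytes.
SAMPLE_ENTRY = {
    "userPrincipalName": "jane.doe@yourldap.url",
    "mail": "jane.doe@yourldap.url",
    "sAMAccountName": "jdoe",
    "sn": "Doe",
    "objectGUID": bytes.fromhex("aabbccdd11223344aabbccddeeff0011"),
}

# The plantaUserData <map> from the page as a dict: attribute -> marker, where
# the marker is "login", "uuid" or "" (attribute is written to the DB only).
PLANTA_USER_DATA = {
    "userPrincipalName": "login",
    "mail": "",
    "sAMAccountName": "",
    "sn": "",
    "objectGUID": "uuid",
}


def guid_to_uuid_string(raw: bytes) -> str:
    """Canonical string of a 16-byte Active Directory objectGUID. AD stores the
    first three GUID fields little-endian, which is what bytes_le expects; a
    plain hex dump of the bytes would misorder them."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def resolve_user(entry: dict, mapping: dict) -> tuple:
    """Return (login value, logon identifier, attributes written to the DB).
    The login-marked attribute is checked against the entered user name; the
    uuid-marked attribute, as a UUID string, is what the user is logged on
    with. Without a uuid marker the login value is used (page's fallback)."""
    login_attrs = [k for k, v in mapping.items() if v == "login"]
    uuid_attrs = [k for k, v in mapping.items() if v == "uuid"]
    if len(login_attrs) != 1 or len(uuid_attrs) > 1:
        raise ValueError("need exactly one 'login' and at most one 'uuid' marker")
    db_attributes = {}
    for attr in mapping:
        if attr not in entry:
            raise KeyError(f"attribute {attr!r} missing from LDAP entry")
        value = entry[attr]
        # Binary attributes are decoded before they are stored or compared.
        db_attributes[attr] = guid_to_uuid_string(value) if isinstance(value, bytes) else value
    login_value = db_attributes[login_attrs[0]]
    logon_id = db_attributes[uuid_attrs[0]] if uuid_attrs else login_value
    return login_value, logon_id, db_attributes
```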

ldap:context-source

url - ldaps://your.ldap.url:port
    The URL of the directory service, including the protocol prefix and the port
base - ou=user,DC=ldap,DC=url
    Start level (search base) for searching in the directory service
username - maxservice@yourldap.url
    A service user who has access to the directory service
password - mysecretpassphrase
    Password for the service user

ldap:ldap-template

search-scope = "SUBTREE"
    Search depth below the start level

bean:ldapConfig

ldapUserFilter -
    A filter with which the search can be restricted
ldapUserDN - dn
    Attribute which contains the DN entry
ldapUserId - mail
    Attribute which is checked against the entered user ID
plantaUserId - sAMAccountName
    Attribute which contains the user ID with which the user is logged on.

Additional Settings

  • The correct LDAP plugin for the client adapter must be stored in the planta.ini (client adapter integrated in the PLANTA Client) or in the PlantaClientAdapter.exe.config (separate client adapter). The planta.ini offers further setting options, which are documented separately; the further setting options of the PlantaClientAdapter.exe.config are documented in the file itself.
  • The PLANTA Server must be configured for proxy authentication.
  • Further information on general settings for PLANTA secure can be found in the general PLANTA secure documentation.
  • The users must have been created in the PLANTA Server with the corresponding user ID.
  • Currently, the read-out of binary attributes is not supported.