Configuring the LDAP Domain


Domains control the user login, authentication method and access privileges to AAI's functions. If your company uses LDAP for user login and authentication, any user who is defined in the LDAP directory with an ID and a password can log in to AAI (unless you restrict logins with an advanced filter, see below). As an AAI administrator, you add and configure the LDAP domain in AAI. Later, when you add schedulers to AAI, you assign them a domain. If you select LDAP, the LDAP settings are honored for those schedulers.

The LDAP domain supports two user roles only:

  • Admin

    These users have unrestricted access to the entire user interface. They can add, edit, and delete objects.

  • (Application) User

    They can only monitor jobstreams and all their execution details and history. In addition, they can modify the column configurations of the lists that they view, manage their own user preferences, create saved views, and create data insights and manage their own dashboard.

    The areas that pertain to administrative tasks are hidden from them.

General Considerations for LDAP Users of AAI

When LDAP is integrated with AAI, there is no need to create users explicitly in AAI. The first time that an LDAP user logs in to AAI, a user with the User role (read-only privileges) is created for them automatically.

To grant an LDAP user admin rights, an existing admin user must change that user's definition from User to Admin. Because every LDAP user who passes the domain's filter gets an AAI account on first login, review the user list periodically and keep the Admin role to the few users who need it.

Preparing for Single Sign-On with LDAP

You can optionally secure the connection between AAI and the LDAP server with SSL (LDAP over SSL, not single sign-on). If you want to use SSL with LDAP, AAI must trust the certificate of the LDAP server, which means importing the server's certificate (or the CA certificate that issued it) into a trust store that AAI reads. You need to do this before you define an LDAP domain in AAI.

To add an SSL certificate to the AAI server, use the following steps:

  1. Export the certificate to a certificate file, for example domain1.cer. The certificate admin should know how to do this.

    For a Windows 2003 server with Certification services installed, do the following:

    1. From Administrative Tools select Certification Authority.

      In the Certification Authority (CA) interface, expand the Certificate menu on left side.

      Go to Issued Certificates. Right click the LDAP server certificate and go to All Tasks > Export Binary Data...

    2. Select Save Binary Data to file and give it a file name like domain1.cer.

  2. Copy this binary data file to the AAI server.

  3. From the command line on the AAI server, run the following command:

    keytool -import -v -alias <ALIAS> -file domain1.cer -keystore <PATH TO STORE>/jawsKeys -storepass <PASSWORD> -noprompt

    If the file jawsKeys does not exist yet under the specified path, keytool creates it. Each certificate in a keystore needs its own alias, so give every imported certificate a distinct <ALIAS> (for example the LDAP server's hostname); without -alias keytool uses the alias mykey, and a second import into the same store fails because that alias already exists. Because -noprompt suppresses the confirmation that shows the certificate fingerprint, confirm the fingerprint of domain1.cer with the certificate admin before you import it.

  4. Repeat these steps, with a different alias each time, for all the SSL LDAP servers that AAI should use.
  5. Modify the .vmoptions file and add the following two lines. The trust store password is stored in clear text in this file, so restrict read access to the account that runs AAI:

    -Djavax.net.ssl.trustStore=<PATH TO STORE>/jawsKeys
    -Djavax.net.ssl.trustStorePassword=<PASSWORD>
  6. Restart JBoss.

Adding an LDAP Domain

To add an LDAP domain to AAI, use the following steps:

  1. From the left navigation panel, click Settings > User Management. The Admin - Users list opens.

  2. Open the Domains tab and select Add Domain.

  3. On the Add Domain dialog, enter the following:

    Name

    This is the name that the users will see in the login dialog when they log in to AAI. It must be unique.

    Type

    Type of domain, in this case LDAP.

  4. In the Directory Connection section enter the data to identify the servers to which you want to connect with this domain.

    • LDAP Servers

      You can enter a list of hostname/port pairs here. AAI tries to reach them in the order that you define in this list and falls back to the next entry when one is unreachable.

      1. In LDAP Servers enter the hostname and port of an LDAP server (not of the AAI server). Use the port on which the directory listens for the protocol you select in the Options section: plain LDAP usually listens on 389, LDAP over SSL usually on 636.

      2. Click Save to include the server in the list. Use the pencil and trash button to edit or delete this entry.

      3. To add more server pairs to the list, click Add Server.

    • User Authorized to Search the Directory

      Specify the user that AAI uses to bind to LDAP and look up the users who log in. Enter the complete distinguished name of the user node and its password. Use a dedicated service account with read-only access to the user sub-tree; it does not need, and should not have, any write privileges in the directory.

  5. In the Directory Details section enter the following:

    • User Attribute

      The name of the attribute that is used to identify users when logging in. When a user enters a user name and password when logging in, AAI searches for a node with an attribute with this type and the user name as its value.

    • Domains Distinguished Name

      LDAP DN (distinguished name) that specifies where to find user nodes within the LDAP directory. All users should be found in the sub-tree identified by this name.

    • Advanced Filter (LDAP Compliant)

      Use this filter to restrict the users who can log in to AAI to specific LDAP groups.

      Example:

      The following user and user groups are defined in LDAP:

      • jawsuser01 (user), who is authorized to query the directory. This is the ID that AAI uses to bind to the LDAP server and to look up the end user. In this example the same name is also used as the login name.

      • JAWSUSERS (user group)

      • SCHEDULERS (user group)

      Members of the JAWSUSERS group carry this attribute in the LDAP environment:

      memberOf=CN=JAWSUSERS,CN=SCHEDULERS,DC=TERMALABS,DC=NET

      You create the following advanced filter to allow members of that group to log on to AAI:

      (memberOf=CN=JAWSUSERS,CN=SCHEDULERS,DC=TERMALABS,DC=NET)

      AAI combines this filter with the login attribute filter, with "&" at the beginning. Users do not see or enter the filter; they enter only their user name and password.

      When a user logs in with the user name jawsuser01, the resulting filter string looks like this:

      (&(samaccountname=jawsuser01)(memberOf=CN=JAWSUSERS,CN=SCHEDULERS,DC=TERMALABS,DC=NET))

      This filter only allows members of the JAWSUSERS group to log in to AAI. A single memberOf clause matches one group DN, so it does not admit members of a second group. To allow members of either JAWSUSERS or SCHEDULERS, combine one memberOf clause per group with "|", for example (assuming the SCHEDULERS group has the DN CN=SCHEDULERS,DC=TERMALABS,DC=NET):

      (|(memberOf=CN=JAWSUSERS,CN=SCHEDULERS,DC=TERMALABS,DC=NET)(memberOf=CN=SCHEDULERS,DC=TERMALABS,DC=NET))

      Note:
      • For LDAP, you must use opening and closing parentheses in the advanced filter string as you see in the previous examples. AAI inserts the string into the combined filter as-is, so it must be a complete, parenthesized LDAP filter.

      • Make sure that your users have the attribute you are filtering on. For example, memberOf is maintained by Active Directory; other directory servers may expose group membership through a different attribute.

  6. In the Options section do the following:

    1. If you want to allow users to log in to AAI without entering a password, select Allow null password. Leave this cleared unless you have a specific reason to enable it: many LDAP servers treat a bind with an empty password as an anonymous (unauthenticated) bind that succeeds without verifying the user, so with this option selected anyone who knows a valid user name may be able to log in.

    2. If you want to use SSL for LDAP authentication, select SSL. To enable SSL with LDAP, you must have an appropriate certificate already added to the AAI server. For information, see Preparing for Single Sign-On with LDAP.

  7. Save your configuration.

  8. Click the Test Configuration button at the top of the dialog.

    AAI tries to connect to the LDAP server with the information that you have provided. If there is any configuration error, AAI indicates it.

    Tip:

    Be sure to test the configuration every time you make any changes to an LDAP domain because, for security reasons, subsequent login errors contain little or no information.
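The filter assembly described in step 5, as an added example (this is not AAI code and does not show how AAI builds the filter internally): it escapes the user-supplied login name per RFC 4515 before placing it in the filter, rejects an advanced filter that is not parenthesized as the Note requires, and builds the OR filter needed to admit members of more than one group. Whether AAI escapes the login name itself is not stated on this page; the example shows what correct assembly must do, because an unescaped name such as jawsuser01)(objectClass=* would otherwise rewrite the filter. The function names and the SCHEDULERS group DN are assumptions; the attribute and group names follow the page's example.

```python
"""Assemble an LDAP login filter the way this page describes AAI doing it.

Added example, not AAI code. Function names and the SCHEDULERS group DN are
assumptions; the attribute and group names follow the page's example.
The login name is user-controlled input, so it is escaped per RFC 4515
before it is placed in the filter; otherwise a name such as
jawsuser01)(objectClass=* would rewrite the filter (LDAP filter injection).
"""

# RFC 4515, section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def is_parenthesized_filter(expr: str) -> bool:
    """True if expr is wrapped in parentheses and every '(' has a matching ')'.

    This is the check behind the page's note that the advanced filter must use
    opening and closing parentheses: a bare  memberOf=CN=...  is rejected.
    """
    if not (expr.startswith("(") and expr.endswith(")")):
        return False
    depth = 0
    for ch in expr:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def build_login_filter(user_attr: str, login_name: str, advanced_filter: str = "") -> str:
    """Return the combined filter: (&(<user_attr>=<escaped login>)<advanced_filter>).

    The login name is escaped; the advanced filter is administrator-supplied
    and is validated rather than escaped. Without an advanced filter only the
    login attribute clause is returned.
    """
    login_clause = f"({user_attr}={escape_filter_value(login_name)})"
    if not advanced_filter:
        return login_clause
    if not is_parenthesized_filter(advanced_filter):
        raise ValueError(f"advanced filter must be a parenthesized LDAP filter: {advanced_filter!r}")
    return f"(&{login_clause}{advanced_filter})"


def any_group_filter(group_dns) -> str:
    """Filter matching members of any of the given groups.

    One memberOf clause matches exactly one group DN, so admitting members of
    either of two groups needs an OR ('|') of one clause per group.
    """
    clauses = "".join(f"(memberOf={escape_filter_value(dn)})" for dn in group_dns)
    return f"(|{clauses})"


if __name__ == "__main__":
    # Group DNs: JAWSUSERS as on the page; the SCHEDULERS DN is an assumption.
    jawsusers = "CN=JAWSUSERS,CN=SCHEDULERS,DC=TERMALABS,DC=NET"
    schedulers = "CN=SCHEDULERS,DC=TERMALABS,DC=NET"

    # The page's example: a regular login name combined with a single-group filter.
    print(build_login_filter("samaccountname", "jawsuser01", f"(memberOf={jawsusers})"))

    # A hostile login name: the escaped parentheses and '*' cannot alter the filter.
    print(build_login_filter("samaccountname", "jawsuser01)(objectClass=*", f"(memberOf={jawsusers})"))

    # Admitting members of either group.
    print(build_login_filter("samaccountname", "jawsuser01", any_group_filter([jawsusers, schedulers])))

    # The bare, unparenthesized filter is rejected instead of being guessed at.
    try:
        build_login_filter("samaccountname", "jawsuser01", f"memberOf={jawsusers}")
    except ValueError as exc:
        print("rejected:", exc)
```

Run the file directly to see the three filter strings and the rejection message. The escaping follows RFC 4515 exactly: backslash, asterisk, parentheses and NUL are replaced by their backslash-hex forms, so a login name can never close the login clause or add its own clause.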
