Comment: draw.io diagram "RealmLoginFlow.drawio" edited

A security realm defines the mechanism for user authentication and authorization. FlexDeploy provides a default internal realm, which is based on FlexDeploy database tables for users and groups. FlexDeploy also supports Active Directory and other LDAP-based realms for authentication and authorization using an external directory server. You can define multiple security realms. To configure and view the realms, navigate to Realms from the menu or global search. FlexDeploy's out-of-the-box realm can be used alongside external directory servers. Realms can be ordered

...

Drag-and-drop ordering of realms is supported so that authentication checks are done in a particular order. If you define multiple realms, users are authenticated against each realm in the specified order until the first successful authentication occurs; authentication stops at the first realm in the list that accepts the credentials.

Tip

FlexDeploy's internal realm (fdRealm) can be moved within the list of realms. Placing the internal realm earlier in the list (possibly first) allows logging in with local users when external directory servers are having issues. For example, if the directory servers are having performance problems, logging in with a local user may take a long time while the external realms are tried. If the internal realm is first in the list, local users log in faster.

If group mapping is enabled for a realm, an external user’s groups are derived from mapping configured for that realm. Groups assigned in the FlexDeploy internal realm are always used as well, so you can provide additional groups to users defined in an external realm from the groups screen or from individual user profiles. If you choose not to enable group mapping, you must assign groups to users manually in FlexDeploy.

External realm users will have their passwords managed in the external realm, not in FlexDeploy.

Info

New User Process

A user account must exist in FlexDeploy even for external realm users. This is necessary so that users can control their notification settings, and it allows administrators to provide additional security if necessary. Administrators can create external realm users from the Users page, or external realm users can log in and create their own account.

When users defined in an external realm log in successfully for the first time, they are redirected to a new user page. There, the user is asked to verify information such as first name, last name, and email for their account. The password for such users is always managed by the external server. Once the user provides the necessary details, their account is created, an automatic logout occurs, and the user must log in one more time. At this point, the user is granted access based on the realm group mapping configured by an administrator, which is explained later in this document.

...

If the new user isn’t mapped to any FlexDeploy groups at this point, they will be assigned the new user role configured on the System Settings page, if one exists.

Create / Edit Realm

To create a new realm, click the Create button. To edit an existing realm, click the realm name or select Edit from the options menu. Note that the internal fdRealm cannot be edited. Use the Active button to activate or inactivate a specific realm. You can use the Delete option in each row's menu to completely remove a specific realm from the FlexDeploy configuration.

Any changes to a realm's configuration require the FlexDeploy application server to be restarted for the changes to take effect. This does not include updating group mappings. You can test the realm configuration details by clicking the Test Connection button.

WebLogic Embedded LDAP Realm Example

...

Apache Directory Server Realm Example

...

Enter the details for the realm as described in the table of inputs below. Click the Save button to save your changes.

All LDAP realm users must be under a specific branch on the LDAP server, which is searched based on the User Search Base and User Search Filter in the configuration details on the general tab.

Info

FlexDeploy uses the memberOf virtual attribute to derive a user's groups, so group mapping will not work if your LDAP server does not support that attribute.

Field | Required | Description

Realm Name | Yes | Name of the realm.

Description | No | Description of the realm.

Active | Yes | Whether the realm is active or not. Default is Active.

URL | Yes | URL to access the LDAP or Active Directory server. For example, ldap://localhost:10389

System Username | Yes | Read-only username used to access the directory server. This should be the fully qualified username in LDAP. FlexDeploy will use the system username and system password to bind to LDAP for various operations. For example, uid=admin,ou=system (LDAP) or CN=flexservice,CN=Users,DC=flexagondev,DC=local (Active Directory).

System Password | Yes | Password for the specified system username.

User Search Base | Yes | User base tree in the directory server. For example, ou=users,ou=system (LDAP) or CN=Users,DC=flexagondev,DC=local (Active Directory).

User Search Filter | Yes | User search filter used to find user records in the User Search Base. For example, (&(objectClass=*)(uid={0})) (LDAP) or (&(objectClass=*)(sAMAccountName={0})) (Active Directory). See the tip below for restricting login by group membership.

Connect Timeout | No | @since 6.5.0.2. A timeout, in seconds, for connecting to the external server. The default timeout is 30 seconds. If no value is provided, there is no timeout.

Read Timeout | No | @since 6.5.0.2. A timeout, in seconds, for LDAP read operations. The default timeout is 120 seconds. If no value is provided, there is no timeout.

Follow Referrals | Yes | @since 6.5.0.2. How to handle referrals (follow/ignore). The default is ignore.

Group Mapping Enabled | Yes | Enable if you want to map LDAP or Active Directory groups to FlexDeploy groups. The LDAP server must support the memberOf attribute for group mapping in FlexDeploy.

Group Search Base | No* | Group base tree in the directory server. Required if group mapping is enabled. For example, (ou=groups,ou=myrealm,dc=MyDomain) (LDAP) or CN=Groups,DC=flexagondev,DC=local (Active Directory).

Group Search Filter | No* | Search filter to find groups in the Group Search Base. Required if group mapping is enabled. For example, (objectClass=groupOfUniqueNames) (LDAP) or (objectClass=group) (Active Directory).

* Required if group mapping is enabled.

Tip

To restrict the users that are able to log in to FlexDeploy by membership within a particular LDAP group, you can use a search filter similar to the following. This assumes that your LDAP server supports the memberOf virtual attribute.

(&(objectClass=user)(sAMAccountName={0})(memberOf=CN=FDDevelopers,CN=Users,DC=flexagondev,DC=local))

Similarly, allowing more than one group would look like this.

(&(objectClass=user)(sAMAccountName={0})(|(memberOf=CN=FDDevelopers,CN=Users,DC=flexagondev,DC=local)(memberOf=CN=FDAdmins,CN=Users,DC=flexagondev,DC=local)))

An Active Directory realm can be used for authentication as well as authorization using the group mapping feature.
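The group-restricted search filter from the tip above, built programmatically as an added example (not FlexDeploy's own code). It assumes, as the page's (sAMAccountName={0}) examples imply, that {0} is replaced with the login name the user typed; the escaping follows RFC 4515 so a login name containing parentheses or wildcards is matched literally, and the final check rejects text that is several filters placed side by side rather than one expression.

```python
# Added example (not FlexDeploy's code): composing a User Search Filter that only
# matches members of chosen directory groups, as in the tip above.
# Assumption: FlexDeploy substitutes {0} with the login name entered by the user.
from typing import Iterable

# RFC 4515 requires these characters to be escaped inside an assertion value so a
# login name containing them is matched literally and cannot change the filter's shape.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def group_restricted_filter(login_attr: str, group_dns: Iterable[str]) -> str:
    """Build the {0}-template filter that also requires membership in the given groups.

    One group:  (&(objectClass=user)(<attr>={0})(memberOf=<dn>))
    Several:    (&(objectClass=user)(<attr>={0})(|(memberOf=<dn1>)(memberOf=<dn2>)))
    The server must expose the memberOf virtual attribute for this to match anything.
    """
    dns = list(group_dns)
    if not dns:
        raise ValueError("at least one group DN is required")
    member_terms = "".join(f"(memberOf={escape_filter_value(dn)})" for dn in dns)
    if len(dns) > 1:
        member_terms = f"(|{member_terms})"  # membership in any of the listed groups
    return f"(&(objectClass=user)({login_attr}={{0}}){member_terms})"


def render_filter(template: str, login_name: str) -> str:
    """The filter the directory receives once {0} has been substituted and escaped."""
    return template.replace("{0}", escape_filter_value(login_name))


def is_single_filter(filter_text: str) -> bool:
    """True only if the text is one balanced filter expression, not several side by side."""
    depth = 0
    for i, ch in enumerate(filter_text):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0 or (depth == 0 and i != len(filter_text) - 1):
                return False
    return depth == 0 and filter_text.startswith("(")


if __name__ == "__main__":
    template = group_restricted_filter("sAMAccountName", [
        "CN=FDDevelopers,CN=Users,DC=flexagondev,DC=local",
        "CN=FDAdmins,CN=Users,DC=flexagondev,DC=local"])
    print(template)
    print(render_filter(template, "j.doe"))
```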

Group Mapping with External Directory Server

FlexDeploy provides features to map external directory server groups to FlexDeploy groups, which makes it easy to manage FlexDeploy users in your environment. Fine-grained access to FlexDeploy features is still controlled by FlexDeploy groups, so by mapping external directory groups to FlexDeploy groups you control access to FlexDeploy features. You can configure FlexDeploy group permissions from the Permissions page and from the Security section of individual objects that support object-level permissions (folders/projects, target groups, releases, etc.).

To set up group mapping, first make sure to enable group mapping from the realm's group mapping tab and provide the group search base and filter. If you haven't already loaded external groups for this realm, or they need to be refreshed, click the Fetch External Groups button or the Refresh External Groups button.

Select a specific FlexDeploy group to work with first. Then search for and select the external groups to map to the selected FlexDeploy group. See the figure below, where we have mapped the LDAP group Enterprise Admins to the FlexDeploy FD Administrators group.

Realm configuration changes, including the group mapping configuration (search base and filter), require a recycle of the FlexDeploy server process, but changes on the Group Mapping tab to the groups being mapped do not require a recycle.
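The realm-ordering rule (first successful realm wins), the group derivation rule (mapped external groups plus groups assigned in the internal realm) and the new user role fallback described in this section and in the ordering and new user passages above, modelled together as an added example that is not FlexDeploy's code. The Realm class, the login function and the sample credentials and mappings are constructed for the illustration; real FlexDeploy performs the external check by binding to the directory.

```python
# Added example (not FlexDeploy's code): a model of the login and group derivation
# rules this page describes. Names and sample data are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, Optional, Sequence, Set, Tuple


@dataclass
class Realm:
    name: str
    credentials: Dict[str, str]            # login -> password (constructed sample data)
    active: bool = True
    group_mapping_enabled: bool = False
    external_groups: Dict[str, Set[str]] = field(default_factory=dict)  # login -> directory groups
    group_map: Dict[str, str] = field(default_factory=dict)             # directory group -> FlexDeploy group

    def authenticate(self, login: str, password: str) -> bool:
        return self.credentials.get(login) == password


def login(realms: Sequence[Realm], internal_groups: Dict[str, Set[str]],
          existing_accounts: Set[str], new_user_role: Optional[str],
          login_name: str, password: str) -> Optional[Tuple[str, Set[str]]]:
    """Authenticate against active realms in list order and stop at the first success.

    Returns (realm name, FlexDeploy groups), or None when every realm rejects the credentials.
    """
    for realm in realms:
        if not realm.active or not realm.authenticate(login_name, password):
            continue                                     # try the next realm in the list
        # Groups assigned in the internal realm always apply, even to external users.
        groups = set(internal_groups.get(login_name, set()))
        if realm.group_mapping_enabled:
            for directory_group in realm.external_groups.get(login_name, set()):
                mapped = realm.group_map.get(directory_group)
                if mapped:
                    groups.add(mapped)
        # A first-time user with no mapped groups gets the new user role from System Settings.
        if not groups and login_name not in existing_accounts and new_user_role:
            groups.add(new_user_role)
        return realm.name, groups
    return None


def sample_realms() -> Sequence[Realm]:
    """Constructed configuration: internal fdRealm first, then an LDAP realm with group mapping."""
    fd = Realm("fdRealm", {"alice": "local-pw", "bob": "local-pw"})
    ldap = Realm("corpLdap", {"bob": "ldap-pw", "carol": "ldap-pw", "dave": "ldap-pw"},
                 group_mapping_enabled=True,
                 external_groups={"carol": {"Enterprise Admins"}, "dave": set()},
                 group_map={"Enterprise Admins": "FD Administrators"})
    return [fd, ldap]
```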

...

...

Examples

Apache Directory Server Realm

...

Active Directory Realm

...

For Active Directory, FlexDeploy uses the User logon name (pre-Windows 2000) rather than the normal user logon name. See this picture for an example.

...

Using ldaps

A FlexDeploy realm can be configured to use ldaps protocol, which requires adding a server certificate to Java cacerts or the application server trust store.

You may encounter java.security.cert.CertificateException: No subject alternative names present when using an SSL connection and the hostname in the connection URL does not match the SSL certificate of the server. This error occurs in Java 1.8.0_181 or higher because that update includes security improvements for LDAP support: endpoint identification is now enabled on LDAPS connections. In this situation, you must regenerate the LDAP server certificate with the certificate's SAN or CN matching the hostname of the LDAP server configured in the connection URL. You can temporarily disable endpoint identification by adding -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true to the server startup arguments, but this is not recommended for production installations.

Login Flow with an External Realm

...

[Diagram: RealmLoginFlow.drawio]