...
Realms can be ordered to ensure that authentication checks are done in particular order. If you define multiple realms, users are authenticated against each realm in the specified order until the first successful authentication occurs. If Group Mapping is enabled for that realm, Groups are derived from that Realm. Groups assigned in the FlexDeploy internal realm are always used, so if you wanted to provide additional groups to users defined in external realm, you can do that in FlexDeploy - Users screen. Group mapping in the Realm is optional, in which case you must assign Groups to Users using FlexDeploy – Users screen. FlexDeploy internal realm is last in sequence of realms.
...
Info | ||
---|---|---|
| ||
User A user record must exist in FlexDeploy even for External Realm Users. This is necessary so that user can control Notification settings and allows the FD Administrator to provide additional Security if necessary. When users defined in an External Realm logs log in successfully for the first time, a new User record in is created in FlexDeploy. At this point, the user is asked to provide various information like First Name, Last Name, Email etc. Password The password for such users is always managed in by the External Server. Once the user provides the necessary details, an automatic logout will occur and the user will have to perform login one more time. At this point, user will be granted access based on Realm Group Mapping configured by the Administrator, which is explained later in this document. |
Create LDAP Realm
...
WebLogic Embedded LDAP Realm Example
Apache Directory Server Realm Example
...
Info |
---|
FlexDeploy uses memberOf virtual attribute to derive User's groups, so if your LDAP does not support that attribute, group mapping will not work. |
...
Any changes to Active Directory Realm's Configuration tab will require the FlexDeploy application server to be restarted. You can test your realm configuration details by clicking on the Test button.
...
All Active Directory Realm users must be under a specific branch on Active Directory server, which is searched by User Search Base and User Search Filter in configuration details.
An Active Directory Realm can be used for authentication as well as authorization using the Group mapping feature.
Field | Required | Description |
---|---|---|
Realm Name | Yes | Name of the Active Directory realm. |
Description | No | Description of the realm. |
Active | No | Whether the realm is active or not. Default is Active. |
User Search Base | Yes | Provide the user base dn in the Active Directory server. For example, CN=Users,DC=flexagondev,DC=local. |
User Search Filter | Yes | Provide the user search filter. For example, (&(objectClass=*)(sAMAccountName={0})) |
URL | Yes | Provide URL to access active directory server. For example, ldap://localhost:10389 |
System User Name | Yes | Provide read-only user name to access active directory server. For example, CN=flexservice,CN=Users,DC=flexagondev,DC=local |
System Password | Yes | Provide password for specified system user name. |
Group Mapping Enabled | No | Check if you want to map active directory groups to FlexDeploy groups. |
Group Search Base | No | Provide Group base tree in active directory server. For example, CN=Groups,DC=flexagondev,DC=local . |
Group Search Filter | No | Provide search filter to find groups in Group Search Base. For example, (objectClass=group) |
Group Mapping with External Directory Server Anchor GroupMapping GroupMapping
GroupMapping | |
GroupMapping |
FlexDeploy provides features to map external directory server groups to FlexDeploy groups, which makes it very easy to manage FlexDeploy users in your environment. Fine-grained access to FlexDeploy features is still controlled by FlexDeploy groups, and by mapping external directory groups to FlexDeploy groups, you essentially control access to FlexDeploy features. You can configure FlexDeploy group permissions using the Groups screen and Security tab on each Application/Folder/Project tab on the project tree structure.
Info |
---|
External Groups are stored as fully qualified name since FlexDeploy 3.5, so Group Mappings configured prior to 3.5 will need to be reconfigured. |
In order to setup Group mapping, check the Group Mapping Enabled checkbox , then select on the Configuration tab. Then select the Group Mapping tab. Select a specific group in External Groups and FlexDeploy group to work with first. Then shuttle desired FlexDeploy External groups to Mapped Map the, to FlexDeploy Groups. See the figure below, where we have mapped the Active Directory Group FDDevelopers to FD Developers and Embedded WebLogic group Administrators to FD AdministratorsGroups Administrators and Enterprise Administrators to the FD Administrators group.
Realm configuration changes requires require a recycle of the FlexDeploy server process, including the mapping configuration, but any changes on the Group Mapping tab does do not require a recycle.