...

New User Process

A user account must exist in FlexDeploy even for users defined in an external realm. This is necessary so that users can control their own notification settings and so that administrators can apply additional security to the account where needed. Administrators can create external realm users from the Users page, or external realm users can log in and create their own account on first login.

When a user defined in an external realm logs in successfully for the first time, they are redirected to a new user page. There, the user is asked to verify information such as first name, last name, and email for their account. The password for such users is always managed by the external server and is never stored in FlexDeploy. Once the user provides the necessary details, their account is created, an automatic logout occurs, and the user has to log in one more time. At this point, the user is granted access based on the realm group mapping configured by an administrator, which is explained later in this document. If the new user is not mapped to any FlexDeploy group at this point, they are assigned the new user role configured on the System Settings page, if one is configured; otherwise they have no group membership.

Create / Edit Realm

To create a new realm, click the Create button. To edit an existing realm, click the realm name or select Edit from the options menu. Note that the internal fdRealm cannot be edited. Use the Active button to activate or deactivate a specific realm; a deactivated realm is kept in the configuration but cannot be used to log in. Use the Delete option in each row's menu to remove a realm from the FlexDeploy configuration completely.

...

Realm fields (required fields are marked as such):

Realm Name (required)

Description (optional)

URL (required)
URL used to reach the LDAP server.
For example, ldap://localhost:10389

System Username (required)
Read-only account that FlexDeploy uses to bind to the LDAP server for user and group lookups. This must be the fully qualified DN of the account. Because its password is stored in FlexDeploy, prefer a dedicated account with read-only directory permissions rather than a directory administrator.
For example, uid=admin,ou=system

System Password (required)
Password for the specified system username.

User Search Base (required)
DN of the subtree in which user entries are searched.
For example, ou=users,ou=system

User Search Filter (required)
LDAP search filter used to find the user's entry within the user search base. The placeholder {0} is replaced with the name the user typed at login.
For example, (&(objectClass=*)(uid={0})) or (&(objectClass=*)(sAMAccountName={0}))

Tip
To restrict login to FlexDeploy to members of a particular LDAP group, use a search filter similar to the following. This assumes that your LDAP server supports the memberOf (virtual) attribute. Note that the assertions must be wrapped in an AND operator (&); a bare sequence of assertions such as (objectClass=user)(sAMAccountName={0}) is not a valid filter.

(&(objectClass=user)(sAMAccountName={0})(memberOf=CN=FDDevelopers,CN=Users,DC=flexagondev,DC=local))

Allowing members of more than one group uses an OR operator (|) inside the AND:

(&(objectClass=user)(sAMAccountName={0})(|(memberOf=CN=FDDevelopers,CN=Users,DC=flexagondev,DC=local)(memberOf=CN=FDAdmins,CN=Users,DC=flexagondev,DC=local)))

Connect Timeout (optional, since 6.5.0.2)
Timeout, in seconds, for establishing the connection to the LDAP server. The default value is 30 seconds. If the field is left empty, no connect timeout is applied and a login attempt against an unreachable server can block indefinitely, so keep an explicit value.

Read Timeout (optional, since 6.5.0.2)
Timeout, in seconds, for waiting on responses to LDAP operations. The default value is 120 seconds. If the field is left empty, no read timeout is applied.

Follow Referrals (required, since 6.5.0.2)
How to handle LDAP referrals: follow or ignore. The default is ignore. Following a referral makes FlexDeploy connect to whichever server the referral names, so set follow only if your directory returns referrals that must be chased to find users or groups.

Group Mapping Enabled (required)
Enable to map LDAP groups to FlexDeploy groups. The LDAP server must support the memberOf attribute for group mapping in FlexDeploy.

Group Search Base (required if group mapping is enabled)
DN of the subtree in which group entries are searched. Like the user search base, this is a DN rather than a filter, so it is written without parentheses.
For example, ou=groups,ou=myrealm,dc=MyDomain

Group Search Filter (required if group mapping is enabled)
LDAP search filter used to find group entries within the group search base.
For example, (objectClass=groupOfUniqueNames)

...

Changes to the realm configuration, including the group mapping configuration, require a restart (recycle) of the FlexDeploy server process. Changes to the mapped LDAP groups themselves, such as adding or removing members, take effect without a restart.
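The two realm steps that the fields above configure, substituting the login name into the User Search Filter and turning the user's memberOf values into FlexDeploy groups (with the new user role fallback from the New User Process section), as an added example that is not FlexDeploy's own code. It shows why the {0} value must be escaped per RFC 4515 before substitution, and includes a balance check that rejects malformed filters such as an unwrapped list of assertions. The function names, the one-LDAP-group-to-one-FlexDeploy-group shape of the mapping, and the sample user and group data are assumptions; how FlexDeploy itself substitutes {0} is not documented on this page.

```python
"""Illustrative model of the external-realm login steps (an added example,
not FlexDeploy code): rendering the User Search Filter for a login name and
mapping the user's memberOf values to FlexDeploy groups. Function names, the
mapping shape and the sample data are assumptions."""

import re

# RFC 4515 section 3: characters that must be escaped inside an assertion
# value so that user input cannot change the structure of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_user_filter(template: str, login_name: str) -> str:
    """Substitute {0} in a User Search Filter with the escaped login name."""
    return template.replace("{0}", escape_filter_value(login_name))


def filter_is_balanced(ldap_filter: str) -> bool:
    """Sanity check before saving a realm: parentheses balance and the filter
    is a single top-level expression. A bare list such as (a=1)(b=2) is
    rejected, as is a filter missing its final closing parenthesis."""
    depth = 0
    for i, ch in enumerate(ldap_filter):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
            if depth == 0 and i != len(ldap_filter) - 1:
                return False  # top-level expression closed before the end
    return depth == 0 and ldap_filter.startswith("(")


def normalize_dn(dn: str) -> str:
    """Normalise a DN for comparison: DN matching is case-insensitive and
    whitespace around '=' and ',' is insignificant. A comma escaped as '\\,'
    inside a value is not treated as an RDN separator."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def resolve_flexdeploy_groups(member_of, group_mapping, new_user_role=None):
    """Map the user's memberOf DNs to FlexDeploy groups through the realm group
    mapping (assumed here to be LDAP group DN -> FlexDeploy group). A user who
    maps to no group receives the new user role, if one is configured."""
    mapping = {normalize_dn(ldap_dn): fd_group for ldap_dn, fd_group in group_mapping.items()}
    groups = sorted({mapping[normalize_dn(dn)] for dn in member_of if normalize_dn(dn) in mapping})
    if not groups and new_user_role:
        return [new_user_role]
    return groups


# Constructed sample configuration, modelled on the Active Directory filter above.
AD_USER_FILTER = (
    "(&(objectClass=user)(sAMAccountName={0})"
    "(|(memberOf=CN=FDDevelopers,CN=Users,DC=flexagondev,DC=local)"
    "(memberOf=CN=FDAdmins,CN=Users,DC=flexagondev,DC=local)))"
)
GROUP_MAPPING = {  # constructed: LDAP group DN -> FlexDeploy group
    "CN=FDDevelopers,CN=Users,DC=flexagondev,DC=local": "Developers",
    "CN=FDAdmins,CN=Users,DC=flexagondev,DC=local": "FD Administrators",
}


def demo():
    """Run the steps for constructed users and return the results."""
    results = {}
    results["filter"] = render_user_filter(AD_USER_FILTER, "jdoe")
    # A crafted login name: without escaping it would close the uid assertion
    # and turn the filter into one that matches every entry in the search base.
    results["injected"] = render_user_filter("(&(objectClass=*)(uid={0}))", "*)(uid=*")
    # The directory returns memberOf values in its own casing; matching still works.
    results["groups"] = resolve_flexdeploy_groups(
        ["cn=fddevelopers, cn=users, dc=flexagondev, dc=local",
         "CN=Domain Users,CN=Users,DC=flexagondev,DC=local"],
        GROUP_MAPPING,
    )
    # A user in no mapped group falls back to the configured new user role.
    results["fallback"] = resolve_flexdeploy_groups(
        ["CN=Domain Users,CN=Users,DC=flexagondev,DC=local"],
        GROUP_MAPPING,
        new_user_role="Read Only",
    )
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run the module directly to see the rendered filters and group results. The escaping step is the security-relevant part: a login name of `*)(uid=*` substituted verbatim would make the user filter match every entry under the search base, whereas the escaped form stays a literal string comparison. Whether FlexDeploy performs this escaping itself is not stated on this page, so do not rely on filter syntax alone to restrict who can log in; the memberOf restriction and group mapping are the controls that matter.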

...

Examples

...

...

Apache Directory Server Realm

...

Active Directory Realm

...

...

For Active Directory, FlexDeploy uses the User logon name (pre-Windows 2000), which is the sAMAccountName attribute, rather than the User logon name (userPrincipalName); this is why the Active Directory search filter matches on sAMAccountName. See this picture for an example.

...

Using ldaps

A FlexDeploy realm can be configured to use the ldaps protocol (an ldaps:// URL, conventionally on port 636) instead of plain ldap, so that the bind credentials and directory data are not sent in clear text. The application server must trust the LDAP server's certificate, which requires adding the server certificate, or the CA certificate that issued it, to the Java cacerts file or to the application server trust store. If the certificate is not trusted, the TLS handshake fails and every login against the realm fails.

...

Login Flow with an External Realm

[Diagram: RealmLoginFlow.drawio]