A security realm defines the mechanism for user authentication and authorization. FlexDeploy provides a default internal realm for users, which is based on FlexDeploy database tables for Users and Groups. FlexDeploy also supports Active Directory and other LDAP-based realms for authentication and authorization using an external directory server. You can define multiple security realms. To configure or view the realms, select Administration -> Security -> Realms from the menu.

...

External realm users will have their passwords managed in the external realm, not in FlexDeploy.


Figure 17.15

Create LDAP Realm

To create an LDAP Realm, click the Create button and select LDAP Realm.

Any changes to the LDAP Realm's Configuration tab will require the FlexDeploy application server to be restarted. You can test realm configuration details by clicking on the Test button.

Figure 17.16 – Example realm with group mapping using

WebLogic Embedded LDAP

...

Realm Example


Apache Directory Server Realm Example

Figure 17.16

Figure 17.17

Enter the details for the LDAP realm as described in the table of inputs below. Click the Save button to save the changes.

...

All LDAP Realm users must be under a specific branch on the LDAP server, which is searched using the User Search Base and User Search Filter in the configuration details.

Info

FlexDeploy uses the memberOf virtual attribute to derive a user's groups, so if your LDAP server does not support that attribute, group mapping will not work.

 

| Field | Required | Description |
|---|---|---|
| Realm Name | Yes | Name of the LDAP Realm. |
| Description | No | Description of the realm. |
| Active | Yes | Whether the realm is active or not. Default is Active. |
| User Search Base | Yes | Provide User base tree in LDAP server. For example, `ou=users,ou=system`. |
| User Search Filter | Yes | Provide User search filter to find user records in User Search Base. For example, `(&(objectClass=*)(uid={0}))` |
| URL | Yes | Provide URL to access LDAP server. For example, `ldap://localhost:10389` |
| System User Name | Yes | Provide read-only user name to access LDAP server. For example, `uid=admin,ou=system` |
| System Password | Yes | Provide password for specified system user name. |
| Group Mapping Enabled | No | Check if you want to map LDAP groups to FlexDeploy groups. LDAP server must support memberOf attribute for group mapping in FlexDeploy. |
| Group Search Base | No | Provide Group base tree in LDAP server. For example, `ou=groups,ou=system`. |
| Group Search Filter | No | Provide search filter to find groups in Group Search Base. For example, `(objectClass=groupOfUniqueNames)` |
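Because a Configuration tab change needs a server restart, it helps to check the field values before saving them. The following is an added example, not FlexDeploy code: the dictionary keys, function names and the single-`{0}` rule are assumptions made for illustration, and the escaping follows RFC 4515.

```python
import re
from urllib.parse import urlparse

# RFC 4515: characters that must be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Loose shape check for a DN such as ou=users,ou=system (not a full RFC 4514 parser).
_DN = re.compile(r"\s*[A-Za-z][\w-]*=[^,]+(\s*,\s*[A-Za-z][\w-]*=[^,]+)*\s*")

def expand_user_filter(template, login):
    """Replace {0} with the login name, escaped so it is matched literally."""
    escaped = "".join(_ESCAPES.get(ch, ch) for ch in login)
    return template.replace("{0}", escaped)

def balanced(text):
    """True when every '(' in the filter has a matching ')'."""
    depth = 0
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0

def check_realm(settings):
    """Return findings for a dict of realm fields (key names are hypothetical)."""
    findings = []
    url = urlparse(settings["url"])
    if url.scheme not in ("ldap", "ldaps") or not url.hostname:
        findings.append("URL is not an ldap:// or ldaps:// address")
    elif url.scheme == "ldap":
        findings.append("ldap:// is unencrypted unless StartTLS is used: "
                        "the System Password is exposed on the network")
    flt = settings["user_search_filter"]
    if flt.count("{0}") != 1:  # assumption: one placeholder, as in the page's examples
        findings.append("User Search Filter needs exactly one {0} placeholder")
    if not balanced(flt):
        findings.append("User Search Filter has unbalanced parentheses")
    for field in ("user_search_base", "system_user_name"):
        if not _DN.fullmatch(settings[field]):
            findings.append(field + " is not a distinguished name")
    return findings

# Constructed input: the example values from the LDAP realm table.
PAGE_EXAMPLE = {
    "url": "ldap://localhost:10389",
    "user_search_base": "ou=users,ou=system",
    "user_search_filter": "(&(objectClass=*)(uid={0}))",
    "system_user_name": "uid=admin,ou=system",
}
```

The expanded filter returned by `expand_user_filter` can be pasted into any LDAP client to confirm that it returns exactly one entry for a known user.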

...

Create Active Directory Realm

...

Any changes to the Active Directory Realm's Configuration tab will require the FlexDeploy application server to be restarted. You can test realm configuration details by clicking on the Test button.

Figure 17.19

Enter the details for the Active Directory realm using the details in the table below. Click the Save button to save the changes.

...

The Active Directory Realm can be used for authentication as well as authorization using the Group Mapping feature.

 

| Field | Required | Description |
|---|---|---|
| Realm Name | Yes | Name of the Active Directory realm. |
| Description | No | Description of the realm. |
| Active | No | Whether the realm is active or not. Default is Active. |
| User Search Base | Yes | Provide the user base dn in the Active Directory server. For example, `CN=Users,DC=flexagondev,DC=local`. |
| User Search Filter | Yes | Provide the user search filter. For example, `(&(objectClass=*)(sAMAccountName={0}))` |
| URL | Yes | Provide URL to access active directory server. For example, `ldap://localhost:10389` |
| System User Name | Yes | Provide read-only user name to access active directory server. For example, `CN=flexservice,CN=Users,DC=flexagondev,DC=local` |
| System Password | Yes | Provide password for specified system user name. |
| Group Mapping Enabled | No | Check if you want to map active directory groups to FlexDeploy groups. |
| Group Search Base | No | Provide Group base tree in active directory server. For example, `CN=Groups,DC=flexagondev,DC=local`. |
| Group Search Filter | No | Provide search filter to find groups in Group Search Base. For example, `(objectClass=group)` |

Figure 17.20

...

...

Group Mapping with External Directory Server

FlexDeploy provides features to map external directory server groups to FlexDeploy groups, which makes it very easy to manage FlexDeploy users in your environment. Fine-grained access to FlexDeploy features is still controlled by FlexDeploy groups, and by mapping external directory groups to FlexDeploy groups, you essentially control access to FlexDeploy features. You can configure FlexDeploy group permissions using the Groups screen and the Security tab on each Application/Folder/Project tab in the project tree structure.

Info

External Groups are stored as fully qualified names since the FlexDeploy 3.5 fixpack, so if you were using the Group Mapping feature prior to the 3.5 fixpack, you will have to reconfigure mappings.

In order to set up group mapping, check the Group Mapping Enabled checkbox, then select the Group Mapping tab. Select a specific group in External Groups and shuttle the desired FlexDeploy groups to Mapped FlexDeploy Groups. See the figure below, where we have mapped Active Directory Group FDDevelopers to FD Developers and Embedded WebLogic group Administrators to FD Administrators.

Realm configuration changes require a recycle of the FlexDeploy server process, but changes on the Group Mapping tab do not require a recycle.
Figure 17.21
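The mapping described in this section can be modelled as a lookup from a user's memberOf values to FlexDeploy groups. The following is an added example, not FlexDeploy code: the function names, the sample DNs and the case-insensitive DN comparison are assumptions. It also lists mapping entries that no longer match a directory group, such as short names saved before groups were stored as fully qualified names.

```python
import re

def normalize_dn(dn):
    """Lower-case a DN and drop spaces around its components (assumed comparison rule)."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):   # split on commas that are not escaped
        attr, _, value = part.partition("=")
        rdns.append(attr.strip().lower() + "=" + value.strip().lower())
    return ",".join(rdns)

def flexdeploy_groups(member_of, mapping):
    """Union of the FlexDeploy groups mapped to any DN in the user's memberOf values."""
    table = {normalize_dn(dn): groups for dn, groups in mapping.items()}
    granted = set()
    for dn in member_of:
        # A directory group with no mapping grants nothing.
        granted.update(table.get(normalize_dn(dn), ()))
    return sorted(granted)

def stale_entries(mapping, directory_groups):
    """Mapping keys that match no group DN returned by the Group Search Filter."""
    known = {normalize_dn(dn) for dn in directory_groups}
    return sorted(key for key in mapping if normalize_dn(key) not in known)

# Constructed sample data built from the names used on this page.
DIRECTORY_GROUPS = ["CN=FDDevelopers,CN=Groups,DC=flexagondev,DC=local"]
MAPPING = {
    "CN=FDDevelopers,CN=Groups,DC=flexagondev,DC=local": ["FD Developers"],
    "Administrators": ["FD Administrators"],   # short name, not fully qualified
}
MEMBER_OF = [
    "cn=FDDevelopers, cn=Groups, dc=flexagondev, dc=local",
    "CN=Domain Users,CN=Users,DC=flexagondev,DC=local",   # unmapped group
]
```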

...

The System Settings provide a mechanism for configuring settings required by FlexDeploy. Only users belonging to a group which has FlexDeploy Administrator permission will have access to view or modify system settings.