
A security realm defines the mechanism for user authentication and authorization. FlexDeploy provides a default internal realm, backed by the FlexDeploy database tables for Users and Groups. FlexDeploy also supports Active Directory and other LDAP-based realms that authenticate and authorize against an external directory server. You can define multiple security realms. To configure or view realms, select Administration -> Security -> Realms from the menu. The out-of-the-box internal realm can be used alongside external directory servers.

Realms can be ordered so that authentication checks are performed in a particular order. If you define multiple realms, users are authenticated against each realm in the specified order until the first successful authentication; authentication stops at the first realm that succeeds. (A bug was identified here where authentication continued through all realms; it was fixed in 5.2.0.1.)

If Group Mapping is enabled for the realm where authentication succeeded, the user's groups are derived from the mapping configured for that realm. Groups assigned in the FlexDeploy internal realm are always applied as well, so if you want to give additional groups to users defined in an external realm, you can do that in the FlexDeploy - Users screen. Group mapping in the realm is optional; if it is not configured, you must assign groups to users using the FlexDeploy - Users screen.

Tip

The FlexDeploy internal realm (fdRealm) can also be positioned in the list of realms. This feature was enabled as part of 5.2.0.1; previously the internal realm was always added at the end of the realm list. FlexDeploy 5.4.0.1 allows customers to adjust the internal realm's order (possibly placing it first), which allows login with a local user when the external directory servers are having issues. For example, if the directory servers have performance problems, login with a local user may take a long time, but if the internal realm is first in the list, local users will log in faster in that situation.

External realm users will have their passwords managed in the external realm, not in FlexDeploy.

Info - New User Process

A user record must exist in FlexDeploy even for external realm users. This is necessary so that the user can control notification settings, and it allows the FlexDeploy administrator to grant additional security if necessary.

When a user defined in an external realm logs in successfully for the first time, a new User record is created in FlexDeploy. At this point, the user is asked to provide information such as First Name, Last Name and Email. The password for such users is always managed by the external server. Once the user provides the necessary details, an automatic logout occurs and the user has to log in one more time. At that point, the user is granted access based on the Realm Group Mapping configured by the administrator, which is explained later in this document.


Create LDAP Realm

To create an LDAP realm, click the Create button and select LDAP Realm.

WebLogic Embedded LDAP Realm Example


Apache Directory Server Realm Example

Enter the details for the LDAP realm as described in the table of inputs below. Click the Save button to save the changes.

| Field | Required | Description |
| --- | --- | --- |
| Realm Name | Yes | Name of the LDAP realm. |
| Description | No | Description of the realm. |
| Active | Yes | Whether the realm is active or not. Default is Active. |
| User Search Base | Yes | User base tree in the LDAP server. For example, ou=users,ou=system. |
| User Search Filter | Yes | User search filter used to find user records in the User Search Base. For example, (&(objectClass=*)(uid={0})) |
| URL | Yes | URL used to access the LDAP server. For example, ldap://localhost:10389 |
| System User Name | Yes | Read-only user name used to access the LDAP server. For example, uid=admin,ou=system |
| System Password | Yes | Password for the specified system user name. |
| Group Mapping Enabled | No | Check if you want to map LDAP groups to FlexDeploy groups. The LDAP server must support the memberOf attribute for group mapping in FlexDeploy. |
| Group Search Base | No | Group base tree in the LDAP server. For example, ou=groups,ou=system. |
| Group Search Filter | No | Search filter used to find groups in the Group Search Base. For example, (objectClass=groupOfUniqueNames) |
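As an added illustration (not FlexDeploy's own code) of two settings in the table: the {0} placeholder of the User Search Filter being filled with a login name whose LDAP filter metacharacters are escaped per RFC 4515, and memberOf values being reduced to groups under the Group Search Base and then combined with internal-realm groups, which are always applied. The ldap_to_fd mapping dict and all sample entries are constructed, and how FlexDeploy itself performs the substitution is an assumption; the same builder works for the Active Directory sAMAccountName filter.

```python
import re

# Characters RFC 4515 requires to be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_RDN_SEP = re.compile(r"(?<!\\),")  # comma that is not backslash-escaped

def escape_filter_value(value: str) -> str:
    """Escape a login name so filter metacharacters in it are matched literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(template: str, login: str) -> str:
    """Fill the {0} placeholder of a realm's User Search Filter with the escaped login."""
    return template.replace("{0}", escape_filter_value(login))

def _normalize_dn(dn: str) -> str:
    # Lower-case and strip whitespace around RDN separators so DNs compare as LDAP does.
    return ",".join(part.strip().lower() for part in _RDN_SEP.split(dn))

def groups_from_member_of(member_of, group_search_base: str):
    """Return the CN of each memberOf DN located under the realm's Group Search Base."""
    base = _normalize_dn(group_search_base)
    names = []
    for dn in member_of:
        if not _normalize_dn(dn).endswith("," + base):
            continue  # group lives outside the configured Group Search Base
        attr, _, value = _RDN_SEP.split(dn)[0].strip().partition("=")
        if attr.strip().lower() == "cn":
            names.append(value.strip())
    return names

def effective_groups(member_of, group_search_base, ldap_to_fd, internal_groups):
    """Directory groups pass through the realm mapping (hypothetical ldap_to_fd dict,
    matched case-insensitively); FlexDeploy internal-realm groups are always added."""
    lookup = {k.lower(): v for k, v in ldap_to_fd.items()}
    mapped = {lookup[g.lower()] for g in groups_from_member_of(member_of, group_search_base)
              if g.lower() in lookup}
    return sorted(mapped | set(internal_groups))

if __name__ == "__main__":
    # Constructed sample data; the filter and bases are the table's own example values.
    print(build_user_filter("(&(objectClass=*)(uid={0}))", "j(doe)*"))
    member_of = ["cn=deployers,ou=groups,ou=system", "cn=staff,ou=people,ou=system"]
    print(effective_groups(member_of, "ou=groups,ou=system",
                           {"Deployers": "FD Deployers"}, ["FD Viewers"]))
```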


Create Active Directory Realm

Any changes to the Active Directory realm's Configuration tab require the FlexDeploy application server to be restarted. You can test your realm configuration details by clicking the Test button.

Enter the details for the Active Directory realm using the table below. Click the Save button to save the changes.

| Field | Required | Description |
| --- | --- | --- |
| Realm Name | Yes | Name of the Active Directory realm. |
| Description | No | Description of the realm. |
| Active | No | Whether the realm is active or not. Default is Active. |
| User Search Base | Yes | User base DN in the Active Directory server. For example, CN=Users,DC=flexagondev,DC=local. |
| User Search Filter | Yes | User search filter. For example, (&(objectClass=*)(sAMAccountName={0})) |
| URL | Yes | URL used to access the Active Directory server. For example, ldap://localhost:10389 |
| System User Name | Yes | Read-only user name used to access the Active Directory server. For example, CN=flexservice,CN=Users,DC=flexagondev,DC=local |
| System Password | Yes | Password for the specified system user name. |
| Group Mapping Enabled | No | Check if you want to map Active Directory groups to FlexDeploy groups. |
| Group Search Base | No | Group base tree in the Active Directory server. For example, CN=Groups,DC=flexagondev,DC=local. |
| Group Search Filter | No | Search filter used to find groups in the Group Search Base. For example, (objectClass=group) |

Group Mapping with External Directory Server

Realm configuration changes, including those that affect the mapping configuration, require a recycle of the FlexDeploy server process, but changes made on the Group Mapping tab itself do not require a recycle.

Using ldaps

A FlexDeploy realm can be configured to use the ldaps protocol; you just need to add the server certificate to the Java cacerts or the application server trust store.

You may encounter java.security.cert.CertificateException: No subject alternative names present when using an SSL connection and the hostname in the connection URL does not match the SSL certificate of the server. This error occurs in Java 1.8.0_181 or higher because that update includes security improvements for LDAP support: endpoint identification has been enabled on LDAPS connections.

In such a situation, you must regenerate the LDAP server certificate with the certificate's SAN or CN matching the hostname of the LDAP server configured in the connection URL.

This is not recommended for production installations, but you can temporarily disable this check by adding -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true to the server startup arguments.
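An added check (not part of FlexDeploy) that applies the endpoint identification rule offline to a certificate in the shape Python's ssl module reports it, and optionally performs a verified handshake against the realm URL so a mismatch is found before the JVM reports it; all host names and certificate contents below are constructed.

```python
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

def hostname_from_url(url: str) -> str:
    """Lower-cased host part of a realm's ldaps:// URL."""
    parts = urlsplit(url)
    if parts.scheme != "ldaps" or not parts.hostname:
        raise ValueError("expected an ldaps://host[:port] URL")
    return parts.hostname.lower()

def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _dns_match(pattern: str, host: str) -> bool:
    # A wildcard may only stand for the whole leftmost label (*.example.com).
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host

def cert_matches_host(cert: dict, host: str) -> bool:
    """Endpoint identification: an IP literal needs an iPAddress SAN (no CN fallback), a
    hostname is matched against dNSName SANs, and the CN counts only without any dNSName SAN."""
    host = host.lower()
    sans = cert.get("subjectAltName", ())
    if _is_ip(host):
        return any(t == "IP Address" and v == host for t, v in sans)
    dns_names = [v.lower() for t, v in sans if t == "DNS"]
    if dns_names:
        return any(_dns_match(n, host) for n in dns_names)
    cn = [v for rdn in cert.get("subject", ()) for a, v in rdn if a == "commonName"]
    return bool(cn) and _dns_match(cn[0].lower(), host)

def check_ldaps_endpoint(url: str, cafile=None, timeout: float = 5.0) -> bool:
    """Handshake with trust and hostname verification on, as a Java 1.8.0_181+ JVM does;
    False means the realm URL fails verification against the presented certificate."""
    host, port = hostname_from_url(url), urlsplit(url).port or 636
    ctx = ssl.create_default_context(cafile=cafile)  # check_hostname defaults to True
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False
```

Pass the trust store's CA certificate as cafile to reproduce the server's trust configuration; a certificate whose only name is a CN still passes for a hostname URL but never for an IP URL.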