A security realm defines the mechanism for user authentication and authorization. FlexDeploy provides a default internal realm for users, which is based on the FlexDeploy database tables for Users and Groups. FlexDeploy also supports Active Directory and other LDAP-based realms for authentication and authorization using an external directory server. You can define multiple security realms. To configure or view the realms, select Administration -> Security -> Realms from the menu. FlexDeploy's out-of-the-box realm can be used alongside external directory servers.

Realms can be ordered to ensure that authentication checks are done in a particular order. If you define multiple realms, users are authenticated against each realm in the specified order until the first successful authentication occurs; authentication stops with the first successful authentication against any realm in the list.

If Group Mapping is enabled for the realm where authentication succeeds, groups are derived from the mapping configured for that realm. Groups assigned in the FlexDeploy internal realm are always used as well, so if you want to provide additional groups to users defined in an external realm, you can do that in FlexDeploy from the Administration -> Security -> Users screen. Group mapping in the realm is optional; if you choose not to enable it, you must assign groups to users in FlexDeploy from the Users screen.

Tip

FlexDeploy's internal realm (fdRealm) can also be reordered in the list of realms. FlexDeploy allows customers to adjust the internal realm's position (possibly first), which allows logging in with local users when external directory servers are having issues. For example, if directory servers are having performance issues, logging in with a local user may take a long time, but if you move the internal realm to the first position in the list, login for local users will be faster in that situation.

External realm users will have their passwords managed in the external realm, not in FlexDeploy.

Info

New User Process

A user account must exist in FlexDeploy even for External Realm users. This is necessary so that users can control notification settings, and it allows FlexDeploy administrators to provide additional security if necessary. Administrators can create External Realm users from the Administration -> Security -> Users screen, or External Realm users can log in and create their own account.

When users defined in an External Realm log in successfully for the first time, they are redirected to a new user page. There, the user is asked to provide information such as first name, last name, and email. The password for such users is always managed by the external server. Once the user provides the necessary details, their account is created, an automatic logout occurs, and the user has to log in one more time. At this point, the user is granted access based on the Realm Group Mapping configured by the administrator, which is explained later in this document.

...

Create LDAP Realm

To create an LDAP Realm, click the Create button and select LDAP Realm.

...

All LDAP Realm users must be under a specific branch on the LDAP server, which is searched using the User Search Base and User Search Filter from the configuration details.

Info

FlexDeploy uses the memberOf virtual attribute to derive a user's groups, so group mapping will not work if your LDAP server does not support that attribute.

Realm Name (Required: Yes)
    Name of the LDAP Realm.

Description (Required: No)
    Description of the realm.

Active (Required: Yes)
    Whether the realm is active or not. Default is Active.

User Search Base (Required: Yes)
    Provide the user base tree in the LDAP server. For example, ou=users,ou=system.

User Search Filter (Required: Yes)
    Provide the user search filter used to find user records in the User Search Base. For example, (&(objectClass=*)(uid={0}))

    Tip

    To restrict the users who can log in to FlexDeploy by membership in a particular LDAP group, use a search filter similar to the following. This assumes that your LDAP server supports the memberOf virtual attribute.

    (&(objectClass=user)(sAMAccountName={0})(memberOf=CN=FDDevelopers,CN=Users,DC=flexagondev,DC=local))

    The same restriction for more than one group looks like this.

    (&(objectClass=user)(sAMAccountName={0})(|(memberOf=CN=FDDevelopers,CN=Users,DC=flexagondev,DC=local)(memberOf=CN=FDAdmins,CN=Users,DC=flexagondev,DC=local)))

URL (Required: Yes)
    Provide the URL used to access the LDAP server. For example, ldap://localhost:10389

System User Name (Required: Yes)
    Provide the read-only user name used to access the LDAP server. For example, uid=admin,ou=system
    This should be the fully qualified user name (distinguished name) in LDAP. FlexDeploy uses the System User Name and System Password to bind to LDAP for various operations.

System Password (Required: Yes)
    Provide the password for the specified system user name.

Group Mapping Enabled (Required: No)
    Check this if you want to map LDAP groups to FlexDeploy groups. The LDAP server must support the memberOf attribute for group mapping in FlexDeploy.

Group Search Base (Required: No)
    Provide the group base tree in the LDAP server. For example, ou=groups,ou=system.

Group Search Filter (Required: No)
    Provide the search filter used to find groups in the Group Search Base. For example, (objectClass=groupOfUniqueNames)
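The User Search Filter is a template: FlexDeploy substitutes the login name for {0} and runs the result as an LDAP search, and the Tip's memberOf clauses then decide who is allowed in. The following added example (written for this page, not FlexDeploy's own code) shows what that substitution and evaluation amount to: it escapes the login name per RFC 4515 so a typed name cannot change the filter's structure, rejects a filter whose parentheses do not balance, and evaluates the page's default and group-restricted filters against two constructed directory entries. The entries, account names and the DIRECTORY list are invented sample data; the group DNs are the ones used in the Tip above.

```python
# Added example (not FlexDeploy code): substitute the {0} placeholder into a
# FlexDeploy-style LDAP user search filter with RFC 4515 escaping, check that
# the filter is well formed, and evaluate it against constructed entries.
import re

# RFC 4515 escapes for characters that are meaningful inside an assertion value
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before embedding it in a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, username: str) -> str:
    """Replace the {0} placeholder used by the realm's User Search Filter."""
    return template.replace("{0}", escape_filter_value(username))


def parse_filter(text: str):
    """Minimal RFC 4515 parser for equality/presence items and the &, |, ! operators.

    Returns ('&', [...]), ('|', [...]), ('!', node) or ('=', attr, value).
    Raises ValueError for unbalanced parentheses, malformed items or trailing text.
    """
    pos = 0

    def parse():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f'expected "(" at offset {pos}')
        pos += 1
        if pos >= len(text):
            raise ValueError("unexpected end of filter")
        ch = text[pos]
        if ch in "&|":
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(parse())
            node = (ch, children)
        elif ch == "!":
            pos += 1
            node = ("!", parse())
        else:
            end = text.find(")", pos)
            if end < 0:
                raise ValueError(f"unterminated item at offset {pos}")
            attr, sep, value = text[pos:end].partition("=")
            if not attr or not sep:
                raise ValueError(f"malformed item {text[pos:end]!r}")
            node = ("=", attr.strip().lower(), value)
            pos = end
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f'unbalanced filter: missing ")" at offset {pos}')
        pos += 1
        return node

    node = parse()
    if pos != len(text):
        raise ValueError(f"trailing text after filter at offset {pos}")
    return node


def is_well_formed(text: str) -> bool:
    """True when the filter parses; use this to catch a missing ')' in realm config."""
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against an entry of {attr: [values]} (attrs lowercase)."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    present = entry.get(attr, [])
    if value == "*":  # presence test, e.g. (objectClass=*)
        return bool(present)
    wanted = _unescape(value).lower()  # DNs and account names compare case-insensitively
    return any(v.lower() == wanted for v in present)


# Constructed sample entries standing in for an Active Directory user branch
DIRECTORY = [
    {"objectclass": ["user"], "samaccountname": ["alice"], "uid": ["alice"],
     "memberof": ["CN=FDDevelopers,CN=Users,DC=flexagondev,DC=local"]},
    {"objectclass": ["user"], "samaccountname": ["bob"], "uid": ["bob"],
     "memberof": ["CN=Sales,CN=Users,DC=flexagondev,DC=local"]},
]

# Filters from the page: the default example and the single-group restriction
DEFAULT_FILTER = "(&(objectClass=*)(uid={0}))"
ONE_GROUP_FILTER = ("(&(objectClass=user)(sAMAccountName={0})"
                    "(memberOf=CN=FDDevelopers,CN=Users,DC=flexagondev,DC=local))")


def find_users(template: str, username: str, directory=DIRECTORY) -> list:
    """Account names of the entries that the substituted filter selects."""
    tree = parse_filter(build_filter(template, username))
    return [e["samaccountname"][0] for e in directory if matches(tree, e)]


if __name__ == "__main__":
    print(find_users(DEFAULT_FILTER, "bob"))          # bob is found by uid
    print(find_users(ONE_GROUP_FILTER, "bob"))        # bob is not in FDDevelopers
    print(find_users(ONE_GROUP_FILTER, "alice"))      # alice is
    print(build_filter(ONE_GROUP_FILTER, "x)(uid=*"))  # escaped, so the filter keeps its shape
```

The parser deliberately accepts only what the page's filters use (equality, presence, and the three operators); running is_well_formed over a new User Search Filter before saving the realm catches the unbalanced-parenthesis mistake that otherwise only surfaces as a failed login.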

...

FlexDeploy provides features to map external directory server groups to FlexDeploy groups, which makes it easy to manage FlexDeploy users in your environment. Fine-grained access to FlexDeploy features is still controlled by FlexDeploy groups, so by mapping external directory groups to FlexDeploy groups you control access to FlexDeploy features. You can configure FlexDeploy group permissions using the Groups screen and the Security tab of each application, folder, or project in the project tree.

To set up group mapping, check the Group Mapping Enabled checkbox on the Configuration tab, then select the Group Mapping tab. Select a specific FlexDeploy group to work with first, then shuttle the desired external groups to map them to the selected FlexDeploy group. See the figure below, where we have mapped the Active Directory groups Administrators and Enterprise Admins to the FD Administrators group.

Realm configuration changes, including the group mapping configuration on the Configuration tab, require a recycle of the FlexDeploy server process, but changes on the Group Mapping tab do not require a recycle.
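The rules spread over the sections above (realms tried in order, stop at the first success, internal groups always applied, mapped groups applied only when the successful realm has mapping enabled, and an external user needing a FlexDeploy account) fit in one small model. The example below is an added illustration written for this page, not FlexDeploy's code: the Realm class, the user records, the corpAD realm and the passwords are constructed, while the group DNs and the FD Administrators mapping follow the figure described above. The two helper functions differ only in realm order, which is what the Tip about moving fdRealm first is about.

```python
# Added example (not FlexDeploy code): ordered realm authentication with the
# "stop at first success" rule and group derivation (internal groups always
# apply; mapped groups apply only when the successful realm has mapping enabled).
from dataclasses import dataclass, field


@dataclass
class Realm:
    name: str
    active: bool = True
    # username -> (password, [external group DNs]); constructed stand-in for a
    # directory server or for fdRealm's user table (None = no local password)
    users: dict = field(default_factory=dict)
    group_mapping_enabled: bool = False
    # external group DN -> FlexDeploy group name (the Group Mapping tab)
    group_mapping: dict = field(default_factory=dict)

    def authenticate(self, username: str, password: str) -> bool:
        record = self.users.get(username)
        return record is not None and record[0] is not None and record[0] == password

    def mapped_groups(self, username: str) -> set:
        """FlexDeploy groups derived from the user's external groups via the mapping."""
        if not self.group_mapping_enabled:
            return set()
        _, external_groups = self.users[username]
        return {self.group_mapping[g] for g in external_groups if g in self.group_mapping}


def login(realms: list, accounts: dict, username: str, password: str) -> dict:
    """Try active realms in order; stop at the first successful authentication.

    accounts maps username -> set of groups assigned in FlexDeploy itself (the
    Users screen); an external user with no FlexDeploy account must create one.
    """
    attempts = []
    for realm in realms:
        if not realm.active:
            continue
        attempts.append(realm.name)
        if realm.authenticate(username, password):
            if username not in accounts:
                return {"realm": realm.name, "attempts": attempts,
                        "action": "create FlexDeploy account"}
            groups = set(accounts[username]) | realm.mapped_groups(username)
            return {"realm": realm.name, "attempts": attempts, "groups": sorted(groups)}
    return {"realm": None, "attempts": attempts, "groups": []}


AD_DOMAIN = "CN=Users,DC=flexagondev,DC=local"  # constructed, mirrors the page's DNs

# fdRealm: a local user with a local password; alice's password lives only in AD
FD_REALM = Realm("fdRealm", users={"localadmin": ("local-pw", []), "alice": (None, [])})
AD_REALM = Realm(
    "corpAD",
    users={"alice": ("ad-pw", [f"CN=Enterprise Admins,{AD_DOMAIN}"]),
           "carol": ("ad-pw", [f"CN=Sales,{AD_DOMAIN}"])},
    group_mapping_enabled=True,
    group_mapping={f"CN=Administrators,{AD_DOMAIN}": "FD Administrators",
                   f"CN=Enterprise Admins,{AD_DOMAIN}": "FD Administrators"},
)
# Groups assigned on the FlexDeploy Users screen; these are always applied
ACCOUNTS = {"localadmin": {"FD Administrators"}, "alice": {"Developers"}}


def external_first(username: str, password: str) -> dict:
    """Realm order: corpAD, then fdRealm."""
    return login([AD_REALM, FD_REALM], ACCOUNTS, username, password)


def internal_first(username: str, password: str) -> dict:
    """Realm order: fdRealm, then corpAD (the Tip's recommendation for local users)."""
    return login([FD_REALM, AD_REALM], ACCOUNTS, username, password)


if __name__ == "__main__":
    print(external_first("alice", "ad-pw"))        # corpAD; Developers + FD Administrators
    print(external_first("localadmin", "local-pw"))  # corpAD fails, fdRealm succeeds
    print(internal_first("localadmin", "local-pw"))  # fdRealm only: one attempt
    print(external_first("carol", "ad-pw"))        # authenticated, but no FlexDeploy account yet
```

Note that localadmin's login with corpAD first records two attempts, so with a slow directory server the local login waits on corpAD before fdRealm gets a turn; with fdRealm first it records one.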

...

Using ldaps

A FlexDeploy realm can be configured to use the ldaps protocol, which requires adding the server certificate to the Java cacerts or application server trust store.

You may encounter java.security.cert.CertificateException: No subject alternative names present when using an SSL connection and the hostname in the connection URL does not match the server's SSL certificate. This error occurs in Java 1.8.0_181 or higher because that update includes security improvements for LDAP support: endpoint identification has been enabled on LDAPS connections. In this situation, you must regenerate the LDAP server certificate with a SAN or CN matching the hostname of the LDAP server configured in the connection URL. You can temporarily disable endpoint identification by adding -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true to the server startup arguments, but this is not recommended for production installations.
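To see in advance whether a realm URL will pass endpoint identification, it helps to check the URL host against the certificate the way the JVM does. The example below is an added diagnostic written for this page, not FlexDeploy's code, and it only approximates the JVM's rules: a host given as an IP address needs a SAN IP Address entry, a DNS host is matched against SAN DNS entries (with a single leftmost wildcard label), and the subject CN is consulted only when the certificate carries no SAN DNS entry. The certificate dicts follow the layout of Python's ssl.getpeercert() but hold constructed values; the hostnames are invented.

```python
# Added example (not FlexDeploy code): check the host in an ldaps:// URL against
# a server certificate, approximating the endpoint identification that Java
# 1.8.0_181+ applies to LDAPS connections. The certificate is passed in the dict
# shape ssl.getpeercert() returns; the values below are constructed.
import ipaddress
from urllib.parse import urlsplit


def ldaps_host(url: str) -> str:
    """Host part of an ldaps:// URL as a realm would store it."""
    parts = urlsplit(url)
    if parts.scheme != "ldaps" or not parts.hostname:
        raise ValueError(f"not an ldaps:// URL with a host: {url}")
    return parts.hostname


def dns_name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a single-label wildcard in the leftmost label only."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def check_endpoint(url: str, cert: dict) -> tuple:
    """Return (ok, reason) for the URL host against the certificate's names."""
    host = ldaps_host(url)
    sans = cert.get("subjectAltName", ())
    dns_names = [v for kind, v in sans if kind == "DNS"]
    ip_names = [v for kind, v in sans if kind == "IP Address"]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP in the URL is only ever matched against SAN IP Address entries
        if any(ipaddress.ip_address(v) == ip for v in ip_names):
            return True, "SAN IP Address matches"
        if not sans:
            return False, "no subject alternative names present"
        return False, f"no SAN IP Address entry for {host}"
    if dns_names:
        if any(dns_name_matches(p, host) for p in dns_names):
            return True, "SAN DNS entry matches"
        return False, f"no SAN DNS entry matches {host}"
    # No SAN DNS entries at all: fall back to the most specific subject CN
    cns = [v for rdn in cert.get("subject", ()) for kind, v in rdn if kind == "commonName"]
    if cns and dns_name_matches(cns[-1], host):
        return True, "subject CN matches (no SAN DNS entries)"
    return False, f"subject CN {cns} does not match {host}"


# Constructed certificates in the layout of ssl.getpeercert(binary_form=False)
CERT_WITH_SAN = {
    "subject": ((("commonName", "ldap.example.test"),),),
    "subjectAltName": (("DNS", "ldap.example.test"), ("DNS", "*.corp.example.test")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "ldap.example.test"),),)}


if __name__ == "__main__":
    for url, cert in [("ldaps://ldap.example.test:636", CERT_WITH_SAN),
                      ("ldaps://10.0.0.5:636", CERT_CN_ONLY),
                      ("ldaps://ldap.example.test:636", CERT_CN_ONLY)]:
        print(url, check_endpoint(url, cert))
```

The second case in the usage block is the common trigger for the exception on this page: a realm URL that names the server by IP address against a certificate issued only for a hostname. Regenerating the certificate with a SAN entry for the name actually used in the URL is the fix that keeps endpoint identification on.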

...

[Diagram: RealmLoginFlow.drawio]