Scripted connection to remote LDAP service


dmc...@gmail.com

Aug 7, 2018, 10:46:36 AM
to ddf-users
Hi folks,

I'm fairly new to DDF and am trying to script the deployment on Linux (Ubuntu).

I have the basic install running and I'm now trying to adapt my scripts to configure DDF to automatically connect to a remote LDAP service. I can install the ldap login and sts claims handler features easily enough by script, and I can then configure them manually through the web admin console, but cannot figure out how to do this via a script.

The web console seems to save the configuration under the data/cache folder, but the actual values look like GUIDs (or are possibly encrypted?). I've tried putting a config file into the /etc folder, but that didn't seem to cause anything to happen, and I can't see any .cfg or .config files that reference the ldap parameters. Is it possible to do this from the ssh console, or is there another way?

I have the feeling I'm missing something obvious!

Regards
Derek



Brandan Jeter

Aug 7, 2018, 11:08:47 AM
to dmc...@gmail.com, ddf-users

Hello,

The data/cache folder is an internal folder that the karaf container uses to track configurations. For security reasons, we built in custom functionality that encrypts all values in config files in that folder, so that's what you were seeing with those files.

You are on the right track with dropping a config file in the /etc folder. You just need to make sure that the file is named according to the "Configuration ID" for that ldap config. You can find that at the top of the Edit window of the config in the Admin Console. They are generally separated with underscores. The name of the file should be "<configuration_id>-<unique/custom_name>.config". For example, the "Security STS LDAP Login" configuration would be something like "Ldap_Login_Config-myLdapConnection.config".

That file naming convention is the only thing I can think of that would be keeping the configuration from showing up in the system. If that doesn't work, it may be helpful if you provide the name of the file, its contents, and possibly any errors that may be popping up in the logs.

Thanks,

Brandan Jeter

Software Developer

Connexta, LLC

Office: (602) 714-1459 x273

E-mail: branda...@connexta.com

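A scripted way to produce the file Brandan describes, as an added example that is not DDF project code or part of the original post. It assumes the "<configuration_id>-<custom_name>.config" naming rule from the reply, the Felix FileInstall typed-value syntax that Karaf reads from .config files (key="string", key=I"int", key=B"bool", key=["a","b"]), and property keys supplied by the caller; the keys in the demo at the bottom (ldapUrl, bindUser) are placeholders, not DDF's real LDAP property names, which you would copy from the Admin Console's Edit window.

```python
"""Render and write a Karaf-style .config file named after a DDF Configuration ID.

Added example (not DDF code). Assumptions:
  - file name convention: <configuration_id>-<custom_name>.config in DDF's etc/ folder;
  - Felix FileInstall typed-value syntax for .config files;
  - property keys come from the caller (the demo keys below are placeholders).
"""
import re
from pathlib import Path

# <configuration_id>-<custom_name>.config; the ID is the PID shown at the top of
# the Edit window in the Admin Console, usually with underscores in it.
CONFIG_NAME_RE = re.compile(r"^(?P<pid>[A-Za-z0-9_.]+)-(?P<name>[A-Za-z0-9_.]+)\.config$")


def config_file_name(configuration_id: str, custom_name: str) -> str:
    """Build the file name and refuse inputs that would break the convention."""
    name = f"{configuration_id}-{custom_name}.config"
    if not CONFIG_NAME_RE.match(name):
        raise ValueError(f"invalid config file name: {name!r}")
    return name


def parse_config_file_name(file_name: str) -> tuple:
    """Split a file name back into (configuration_id, custom_name)."""
    m = CONFIG_NAME_RE.match(file_name)
    if not m:
        raise ValueError(f"not a <configuration_id>-<name>.config file: {file_name!r}")
    return m.group("pid"), m.group("name")


def _escape(value: str) -> str:
    # Backslash and double quote must be escaped inside a quoted .config value.
    return value.replace("\\", "\\\\").replace('"', '\\"')


def render_config(properties: dict) -> str:
    """Render properties as .config lines using FileInstall type prefixes."""
    lines = []
    for key in sorted(properties):
        value = properties[key]
        if isinstance(value, bool):          # check bool before int: bool is an int subclass
            lines.append(f'{key}=B"{str(value).lower()}"')
        elif isinstance(value, int):
            lines.append(f'{key}=I"{value}"')
        elif isinstance(value, (list, tuple)):
            items = ",".join(f'"{_escape(str(v))}"' for v in value)
            lines.append(f"{key}=[{items}]")
        else:
            lines.append(f'{key}="{_escape(str(value))}"')
    return "\n".join(lines) + "\n"


def write_config(etc_dir, configuration_id: str, custom_name: str, properties: dict) -> Path:
    """Write the rendered file into etc_dir (DDF's etc/ folder) and return its path."""
    path = Path(etc_dir) / config_file_name(configuration_id, custom_name)
    path.write_text(render_config(properties), encoding="utf-8")
    return path


if __name__ == "__main__":
    import tempfile
    # Placeholder keys and values (not DDF's real property names); the configuration
    # ID and custom name match the example given in the reply.
    demo = {"ldapUrl": "ldaps://ldap.example.test:636", "bindUser": "cn=svc,dc=example,dc=test"}
    with tempfile.TemporaryDirectory() as d:
        written = write_config(d, "Ldap_Login_Config", "myLdapConnection", demo)
        print(written.name)
        print(written.read_text(), end="")
```

Point `write_config` at the real etc/ directory of the DDF install instead of a temporary directory to have Karaf pick the file up; the name check fails early on spaces or other characters that would stop the file from matching the Configuration ID.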

dmc...@gmail.com

Aug 7, 2018, 11:35:10 AM
to ddf-users
Hi Brandan, thanks for the quick reply. I'll give that a go.


dmc...@gmail.com

Aug 23, 2018, 4:00:47 PM
to ddf-users
That worked great, thanks.

It does bring me onto another question though.

How does DDF use the LDAP group details specified in the configuration for the STS Ldap and Roles Claims Handler?

I've specified the LDAP group details, thinking I could set up groups in LDAP that equate to roles in DDF, e.g. I could make a user into an admin user by adding him/her to the admin group in LDAP; however, DDF seems to ignore the LDAP user groups.

I can store the role information in LDAP via an attribute added to the user's LDAP account, and associate it with the DDF role via the attributeMap.properties file, but it would fit with general LDAP use much more easily if it used group membership.

Regards
Derek

Scott Tustison

Aug 23, 2018, 5:01:58 PM
to ddf-users
DDF does use group membership within LDAP to fulfill the role requirements. If the groups aren't getting picked up, there is most likely a configuration error in "Security STS LDAP and Roles Claims Handler". The things to remember are: the "LDAP Base Group DN" should point to where the groups are located in LDAP; "LDAP User Login Attribute" and "LDAP Group User Membership Attribute" may not be the same attribute (for example, some servers will use uid as the attribute that specifies the username, but the groups might use cn to specify group membership; if this is your case, then fill those out appropriately); and if you're trying to pull back attributes from a user that logged in with a PKI token, then you need to make sure that the LDAP directory tree matches the DNs in the token or set "Override User Certificate DN" to true.

We also have an embedded test LDAP server (OpenDJ) that is bundled with DDF and you can fire up this server by simply installing the feature. The feature install will drop a configuration file that works with that LDAP server and you can check out the structure of that server and the config that it drops. Hope that helps. 

Scott
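
A small model of the lookup Scott describes, added here as an example; it is not DDF's code and not part of the original reply. It replaces a live directory with constructed entries and assumes a simplified handler behaviour: find the user under the user base by the configured login attribute, take the user's value of the configured membership attribute, and collect every group under the group base DN whose member attribute lists that value. The attribute names (uid, cn, member) and DNs are constructed sample data, and the `group_member_attribute` setting is an assumption of this model, not a DDF option named on the page. Running it shows the failure mode from the reply: with the membership attribute set to uid while the groups name members by cn, no roles come back, and a wrong group base DN silently drops groups too.

```python
"""Model of resolving DDF-style roles from LDAP group membership.

Added example, not DDF code. Directory entries and attribute names below are
constructed sample data; the handler logic is a simplified assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ClaimsHandlerConfig:
    user_base_dn: str
    group_base_dn: str            # "LDAP Base Group DN"
    login_attribute: str          # "LDAP User Login Attribute", e.g. uid
    membership_attribute: str     # "LDAP Group User Membership Attribute", e.g. cn
    group_member_attribute: str = "member"   # assumed: attribute on the group entry


# Constructed directory keyed by DN. The groups list members by the user's cn,
# not by uid, which is the uid-vs-cn situation described in the reply.
DIRECTORY = {
    "uid=derek,ou=users,dc=example,dc=test": {
        "uid": ["derek"], "cn": ["Derek Example"]},
    "cn=admin,ou=groups,dc=example,dc=test": {
        "cn": ["admin"], "member": ["Derek Example"]},
    "cn=user,ou=groups,dc=example,dc=test": {
        "cn": ["user"], "member": ["Derek Example"]},
    # Outside the group base DN: must not produce a role even though it matches.
    "cn=legacy-admin,ou=old,dc=example,dc=test": {
        "cn": ["legacy-admin"], "member": ["Derek Example"]},
}


def _is_under(dn: str, base_dn: str) -> bool:
    """True if dn sits below base_dn (case-insensitive suffix check on the DN string)."""
    return dn.lower().endswith("," + base_dn.lower())


def find_user(directory: dict, cfg: ClaimsHandlerConfig, username: str):
    """Equivalent of searching (login_attribute=username) under the user base DN."""
    for dn, attrs in directory.items():
        if _is_under(dn, cfg.user_base_dn) and username in attrs.get(cfg.login_attribute, []):
            return dn, attrs
    return None


def resolve_roles(directory: dict, cfg: ClaimsHandlerConfig, username: str) -> list:
    """Return sorted role names (group cn values) for username; [] when nothing matches."""
    found = find_user(directory, cfg, username)
    if found is None:
        return []
    _, user = found
    # The values groups are expected to list for this user, per the configured attribute.
    member_values = set(user.get(cfg.membership_attribute, []))
    roles = []
    for dn, attrs in directory.items():
        if not _is_under(dn, cfg.group_base_dn):
            continue
        if member_values & set(attrs.get(cfg.group_member_attribute, [])):
            roles.extend(attrs.get("cn", []))
    return sorted(roles)


USERS = "ou=users,dc=example,dc=test"
GROUPS = "ou=groups,dc=example,dc=test"
# Login attribute uid is right, but membership attribute uid does not match how the
# groups name their members, so no group is found.
MISMATCHED = ClaimsHandlerConfig(USERS, GROUPS, "uid", "uid")
# Same login attribute, membership attribute switched to cn: groups resolve.
CORRECTED = ClaimsHandlerConfig(USERS, GROUPS, "uid", "cn")
# Correct attributes but the group base DN points at the wrong subtree.
WRONG_BASE = ClaimsHandlerConfig(USERS, "ou=nowhere,dc=example,dc=test", "uid", "cn")

if __name__ == "__main__":
    print("mismatched attributes:", resolve_roles(DIRECTORY, MISMATCHED, "derek"))
    print("corrected:           ", resolve_roles(DIRECTORY, CORRECTED, "derek"))
    print("wrong group base DN: ", resolve_roles(DIRECTORY, WRONG_BASE, "derek"))
```

Comparing the three configurations against the same directory is the same check Derek ends up doing by hand later in the thread: the user is found in all three cases, so the absence of roles is a group-side setting, not a login problem.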

dmc...@gmail.com

Aug 23, 2018, 5:21:57 PM
to ddf-users
Ok, thanks Scott, good to know that it should work. I'll go and recheck my settings!

Regards
Derek

dmc...@gmail.com

Aug 25, 2018, 9:53:12 AM
to ddf-users
... and yes, I found an error, basically by running up another instance of vanilla DDF, installing the test OpenDJ as Scott suggested, and comparing the settings.

Derek