LDAP Configuration - ABO

Install the Back Office and the Update Manager

Product: ABO
AFS_Version: 7.7
Category: Technical Notes
Language: English
Audience: public

For a simple LDAP configuration, create the following file as the root user:

/usr/local/afs7/bo-server/conf/conf.wsc

with the following content:

<?xml version="1.0" encoding="UTF-8"?>
<Conf xmlns="http://www.antidot.net/core/configuration" xmlns:w="http://www.antidot.net/ws/core/configuration"
      xmlns:s="http://www.antidot.net/ws/sso/configuration" xmlns:a="http://www.antidot.net/bows/configuration"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <w:WSModule>
    <w:Authentication>
      <w:LdapPlugin onAuthFail="ERROR"
                    name="Ldap authentication plugin">
        <w:Timeout session="60000" inactivity="30000" />
      </w:LdapPlugin>
    </w:Authentication>
    <w:Ldap>
      <w:Url>ldap://10.10.5.1:389</w:Url>
      <w:Security>
        <w:AuthenticationType>simple</w:AuthenticationType>
      </w:Security>
      <w:LoginAttribute>mail</w:LoginAttribute>
      <w:ReaderDN>cn=reader,dc=antidot,dc=net</w:ReaderDN>
      <w:ReaderPassword>my_password</w:ReaderPassword>
      <w:SearchDN>dc=antidot,dc=net</w:SearchDN>
      <w:Param name="DirectLoginAttribute">mail</w:Param>
      <w:UseProxyUser>true</w:UseProxyUser>
    </w:Ldap>
  </w:WSModule>
</Conf>

If the LDAP server is reachable over SSL (LDAPS), replace the <w:Ldap> section with the following configuration:

<!-- START OF LDAP SECTION -->
<w:Ldap>
  <w:Url>ldaps://10.10.5.1:636</w:Url>
  <w:Security>
    <w:AuthenticationType>simple</w:AuthenticationType>
    <w:Protocol>ssl</w:Protocol>
    <w:TrustStore>
      <w:Location>/users/hm/workspace/anka/root/keystore/store.jks</w:Location>
      <w:Password>my_password</w:Password>
    </w:TrustStore>
  </w:Security>
  <w:LoginAttribute>mail</w:LoginAttribute>
  <w:ReaderDN>cn=reader,dc=antidot,dc=net</w:ReaderDN>
  <w:ReaderPassword>my_password</w:ReaderPassword>
  <w:SearchDN>dc=antidot,dc=net</w:SearchDN>
  <w:Param name="DirectLoginAttribute">mail</w:Param>
  <w:UseProxyUser>true</w:UseProxyUser>
</w:Ldap>
<!-- END OF LDAP SECTION -->

Set the access rights of /usr/local/afs7/bo-server/conf/conf.wsc so that the file is readable by any user, with the following command (note that the file holds the reader DN password and the truststore password in clear text):

chmod 755 /usr/local/afs7/bo-server/conf/conf.wsc

A TrustStore is required for an SSL LDAP configuration.

To create it:

  • Retrieve the certificate used by the LDAP server for SSL (it can be located in /etc/ldap/ssl/ca.cert).
  • Run the following command:

    keytool -import -trustcacerts -file /path/to/ca.cert -keystore store.jks

    (keytool ships with the JDK, for instance by installing the sun-java6-jdk package.)

  • Enter and confirm the desired password when prompted.
  • Trust the certificate when prompted.
  • A store.jks file is generated. The BO uses it to verify the LDAP server's identity on every connection.
  • The path to this file and its password must be added to the bo-server configuration with the following lines in the LDAP configuration file:

    <w:Param name="TrustStore">/usr/local/afs7/bo-server/cert/store.jks</w:Param>
    <w:Param name="TrustStorePassword">my_password</w:Param>
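The following script is an added example, not part of ABO or of this note: it parses a conf.wsc document with the element names shown above and reports the configuration mistakes this page's two variants can produce (simple bind over plain ldap://, an ldaps:// URL without <w:Protocol>ssl</w:Protocol> or a truststore location, and a reader password left at the documentation placeholder). The sample documents are constructed inline; the wrap() helper and the finding texts are assumptions of this example.

```python
"""Added checker for the <w:Ldap> section of an ABO conf.wsc (example code, not part of ABO)."""
import xml.etree.ElementTree as ET

W = "{http://www.antidot.net/ws/core/configuration}"  # the w: namespace used in conf.wsc

def check_ldap_conf(xml_text):
    """Return a list of findings for the <w:Ldap> section; an empty list means nothing was flagged."""
    ldap = ET.fromstring(xml_text).find(f".//{W}Ldap")
    if ldap is None:
        return ["no <w:Ldap> section found"]

    def text(el, name):
        # Text of the child <w:name> of el, or "" when el or the child is missing.
        return ((el.findtext(W + name) if el is not None else None) or "").strip()

    url = text(ldap, "Url")
    sec = ldap.find(W + "Security")
    trust = sec.find(W + "TrustStore") if sec is not None else None
    findings = []
    # A simple bind over plain ldap:// sends the reader DN's and every user's password in clear.
    if url.startswith("ldap://") and text(sec, "AuthenticationType") == "simple":
        findings.append("simple bind over cleartext ldap://")
    if url.startswith("ldaps://"):
        # The SSL variant needs <w:Protocol>ssl</w:Protocol> and a truststore location.
        if text(sec, "Protocol").lower() != "ssl":
            findings.append("ldaps:// URL without <w:Protocol>ssl</w:Protocol>")
        if not text(trust, "Location"):
            findings.append("ldaps:// URL without a <w:TrustStore>/<w:Location>")
    if text(ldap, "ReaderPassword") in ("", "my_password"):
        findings.append("reader password is empty or still the documentation placeholder")
    return findings

def wrap(ldap_section):
    """Constructed minimal conf.wsc around one LDAP section (sample input, not a real file)."""
    return ('<Conf xmlns="http://www.antidot.net/core/configuration" '
            'xmlns:w="http://www.antidot.net/ws/core/configuration">'
            f'<w:WSModule>{ldap_section}</w:WSModule></Conf>')

# Constructed samples: the plain variant from this note, and a correctly filled SSL variant.
PLAIN = wrap('<w:Ldap><w:Url>ldap://10.10.5.1:389</w:Url><w:Security>'
             '<w:AuthenticationType>simple</w:AuthenticationType></w:Security>'
             '<w:ReaderPassword>my_password</w:ReaderPassword></w:Ldap>')
SSL = wrap('<w:Ldap><w:Url>ldaps://10.10.5.1:636</w:Url><w:Security>'
           '<w:AuthenticationType>simple</w:AuthenticationType><w:Protocol>ssl</w:Protocol>'
           '<w:TrustStore><w:Location>/usr/local/afs7/bo-server/cert/store.jks</w:Location>'
           '<w:Password>s3cret</w:Password></w:TrustStore></w:Security>'
           '<w:ReaderPassword>s3cret</w:ReaderPassword></w:Ldap>')
```

Run check_ldap_conf() on the contents of /usr/local/afs7/bo-server/conf/conf.wsc before restarting the bo-server; the plain sample above yields two findings and the SSL sample none.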