Chapter 3. Ambience - LDAP Integration

Table of Contents

Setting up Ambience Integration With LDAP
Setting up the Apache Directory Server
Integrating Ambience With LDAP

Setting up Ambience Integration With LDAP

The following **example** procedure demonstrates how to integrate Ambience with LDAP. Once integrated, you can authenticate LDAP users to Ambience.

The following procedure has been tested using Apache Directory Server. **Adapt the steps to your infrastructure**.

Setting up the Apache Directory Server

  1. Set up Apache Directory Server and start it.
  2. From Apache Directory Studio, set the following properties:
    • New Connection Port: 10389
    • Bind DN or User: uid=admin,ou=system
    • Bind Password: secret
  3. To add a new partition, click the connection and select Open Connection.
  4. Click Advanced partitions configuration.
  5. Add partition: ID=elixirbase Suffix=dc=elixirbase,dc=com.
  6. Save the changes.
  7. Restart Apache Directory Server.
  8. Refresh the LDAP tree. Delete the node dc=elixirbase,dc=com, as the LDIF file includes it.
  9. Click File > Import > LDIF and import elixirbase.ldif which is in the misc directory of the Elixir Ambience build.

elixirbase.ldif is now loaded into Apache Directory Server for LDAP queries.

Integrating Ambience With LDAP

  1. You need to change the Ambience run script. Copy run-server.sh to run-ldap.sh.
  2. Add the following to the Java startup:

    -Delixir.usergroup.factory=com.elixirtech.arch.usergroup.ldap.LDAPUserGroupDomainFactory

    Alternatively, you can add the following line to /etc/application.conf, if you prefer:

    elixir.usergroup.factory=com.elixirtech.arch.usergroup.ldap.LDAPUserGroupDomainFactory

  3. Make sure your Apache Directory Server is running and launch Ambience using run-ldap.sh.
  4. Login to the Ambience Domain Manager.

    If your LDAP server is running on a different host or port, there will be an error in the log. Navigate to Configuration > module > usergroupdb > ldap and alter the host and port values accordingly.

  5. Navigate to Configuration > module > usergroupdb > function > SignIn. Edit the users array at the end of the configuration to include aimi (an administrator): "users":["aimi"].
  6. Login to Ambience as user: aimi with password: aimi.
  7. Navigate to Admin > Access Matrix. Here you can turn on SignIn permissions for other users (subject to licence limits). Turn on access for user: david, then log off and verify you can login as user: david (with password: david). David is not an admin user (those in group Atlas are admin users), so you will need to login as user: aimi to make further admin changes.
  8. Finally as user: aimi, move the contents of /User/admin/cron into /User/aimi/cron, as otherwise the scheduler will attempt to run the jobs as admin when that user exists in LDAP. You can then delete the default admin and test user folders.
  9. Once you have gone through these steps to verify that your LDAP system is working properly, use the Domain Manager to look into the LDAP configuration. Navigate to Configuration > module > usergroupdb > ldap. The configuration reads as follows:
    {"version":1,
    "connectionFactory":"com.elixirtech.arch.usergroup.ldap.DefaultLDAPConnectionFactory",
    "cxtFactory":"com.sun.jndi.ldap.LdapCtxFactory",
    "host":"localhost",
    "port":10389,
    "protocol":"default",
    "method":"simple",
    "user":"uid=admin,ou=system",
    "passwordEncrypted":"8Oz2e9XJ+Grd396E4QK91Q=="}

    Edit the host and the port as needed to connect to a different server.

    The user and password here are the LDAP credentials Ambience binds with to read all users and groups. Where your directory allows it, use an account with read-only access to the user and group subtrees rather than the directory administrator.

  10. There are several sub-configurations for DefaultLDAPConnectionFactory (other custom connector factories may vary). Look at the contents of the sample LDIF to help understand these.

    users contains:

    {"name":"ou=users,dc=elixirbase,dc=com",
    "mode":"one-level","returnAttr":"uid",
    "focus":{"left":"uid"}}

    This indicates where the user information is stored in LDAP: one level below ou=users,dc=elixirbase,dc=com. The user ID is stored as uid, and you focus on this attribute to get your set of user names.

    groups contains:

    {"name":"ou=groups,dc=elixirbase,dc=com",
    "mode":"one-level","returnAttr":"roleOccupant",
    "focus":{"left":"cn","right":"uid"}}

    This is similar to users, but now we want not only the groups, but also the users assigned to those groups. In a Map structure this is [Group -> List[User]].

    The groups are found one level below ou=groups,dc=elixirbase,dc=com and the users are found in the roleOccupant attributes. Focus on cn (which is the group name) and uid (which is the user name). This gives us [cn -> List[uid]] (note the left and right positions).

    Finally adminGroups contains:

    {"name":"ou=groups,dc=elixirbase,dc=com","mode":"subtree",
    "filter":"cn=Atlas","returnAttr":"cn","focus":{"left":"cn"}}

    This filters all the groups, selecting the one whose name is Atlas and returning the cn of that group. This makes Atlas the admin group and anyone who is a member of Atlas is considered an administrator.
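
To make the three query structures concrete, here is an added example (it is not Ambience's or Elixir's own code, and the LDIF it reads is a constructed sample with the same shape as elixirbase.ldif, not that file). It parses a small LDIF, applies the users, groups and adminGroups configurations shown above with the one-level/subtree scope, the cn=Atlas filter and the left/right focus, and derives the user list, the [cn -> List[uid]] map and the administrator decision. The function names and the simplified LDIF reader are assumptions for illustration, not Ambience's API.

```python
# Added example (not Elixir's code): interpret the three Ambience LDAP query
# configurations over a small LDIF and derive users, groups and admins.

# Constructed sample LDIF in the layout the page describes (not elixirbase.ldif).
SAMPLE_LDIF = """\
dn: uid=aimi,ou=users,dc=elixirbase,dc=com
objectClass: inetOrgPerson
uid: aimi

dn: uid=david,ou=users,dc=elixirbase,dc=com
objectClass: inetOrgPerson
uid: david

dn: ou=groups,dc=elixirbase,dc=com
ou: groups

dn: cn=Atlas,ou=groups,dc=elixirbase,dc=com
cn: Atlas
roleOccupant: uid=aimi,ou=users,dc=elixirbase,dc=com

dn: cn=Staff,ou=groups,dc=elixirbase,dc=com
cn: Staff
roleOccupant: uid=aimi,ou=users,dc=elixirbase,dc=com
roleOccupant: uid=david,ou=users,dc=elixirbase,dc=com
"""

# The three query structures exactly as shown on the page.
USERS_QUERY = {"name": "ou=users,dc=elixirbase,dc=com", "mode": "one-level",
               "returnAttr": "uid", "focus": {"left": "uid"}}
GROUPS_QUERY = {"name": "ou=groups,dc=elixirbase,dc=com", "mode": "one-level",
                "returnAttr": "roleOccupant", "focus": {"left": "cn", "right": "uid"}}
ADMIN_GROUPS_QUERY = {"name": "ou=groups,dc=elixirbase,dc=com", "mode": "subtree",
                      "filter": "cn=Atlas", "returnAttr": "cn", "focus": {"left": "cn"}}


def parse_ldif(text):
    """Minimal LDIF reader ('attr: value' lines, entries separated by a blank
    line; no base64 or folded lines). Returns {dn: {attr: [values]}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def dn_parts(dn):
    return [p.strip() for p in dn.split(",")]

def in_scope(dn, base, mode):
    """one-level: direct children of base only; subtree: base and all descendants."""
    d, b = dn_parts(dn), dn_parts(base)
    if len(d) < len(b) or d[-len(b):] != b:
        return False
    depth = len(d) - len(b)
    return depth == 1 if mode == "one-level" else depth >= 0

def rdn_value(dn, attr):
    """The 'right' focus: pull one RDN value (e.g. uid) out of a full DN."""
    for part in dn_parts(dn):
        k, _, v = part.partition("=")
        if k.strip().lower() == attr.lower():
            return v.strip()
    return None

def run_query(entries, q):
    """Return {left-focus value: [right-focus values]}; without a right focus
    the raw returnAttr values are kept and the keys alone are the answer."""
    result = {}
    for dn, entry in entries.items():
        if not in_scope(dn, q["name"], q["mode"]):
            continue
        flt = q.get("filter")          # only the simple attr=value filter the page uses
        if flt:
            fa, _, fv = flt.partition("=")
            if fv not in entry.get(fa, []):
                continue
        values = entry.get(q["returnAttr"], [])
        right = q["focus"].get("right")
        if right:
            values = [v for v in (rdn_value(x, right) for x in values) if v]
        for key in entry.get(q["focus"]["left"], []):
            result.setdefault(key, []).extend(values)
    return result

def load_domain(ldif_text):
    """Users list, [cn -> List[uid]] map and the admin group names."""
    entries = parse_ldif(ldif_text)
    users = sorted(run_query(entries, USERS_QUERY))
    groups = run_query(entries, GROUPS_QUERY)
    admin_groups = sorted(run_query(entries, ADMIN_GROUPS_QUERY))
    return users, groups, admin_groups

def is_admin(user, groups, admin_groups):
    """A user is an administrator if any admin group lists them as a member."""
    return any(user in groups.get(g, []) for g in admin_groups)
```

Running load_domain(SAMPLE_LDIF) yields the users aimi and david, the map {Atlas: [aimi], Staff: [aimi, david]} and the single admin group Atlas, so is_admin reports aimi as an administrator and david as an ordinary user, matching the sign-in behaviour described in the steps above. Note that the subtree query visits ou=groups itself, but the cn=Atlas filter excludes it; with a real directory the same three questions are answered by LDAP searches with the corresponding scope and filter.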

This sample represents a typical layout of users and groups in LDAP. However, some systems follow different structures.

If the particular LDAP cannot be modelled using these three query structures, then a custom LDAP mechanism can be included by altering:

"connectionFactory":"com.elixirtech.arch.usergroup.ldap.DefaultLDAPConnectionFactory"

to point to a custom implementation.

Contact Elixir Professional Services to get your custom implementation developed.