Configure to use LDAP



iPortal, iServer, and iEdge all support authenticating users held in LDAP (Lightweight Directory Access Protocol) directory stores.

To use this, configure LDAP login first; users from the LDAP server can then log in to iPortal, iServer and iEdge. This article uses iServer as an example of how to configure and use an LDAP directory.

LDAP login configuration

Click Security -> LDAP Configuration on the homepage of the service manager to go to the LDAP login configuration page.

Configure basic information

LDAP login is not enabled by default. After selecting the Whether log in With LDAP option, set the LDAP server address, LDAP administrator name, LDAP administrator password, root entry location and related items. Among them:

  1. LDAP Server Address: the URL of an available LDAP server, such as "LDAP://192.168.17.13:389" for a plain connection on port 389, or "ldaps://192.168.17.13:636" when the LDAP connection protocol is SSL (LDAPS, port 636). Here 192.168.17.13 is the IP address of the machine where the LDAP server runs. If the server's certificate is issued to a host name rather than an IP address, prefer that host name in the URL; the section on connecting over SSL below explains why.
  2. LDAP Linking Protocol: TLS or SSL. Either one protects the exchange between the LDAP server and the iServer server (the bind credentials and the user lookups) from being read or altered in transit; without one, simple-bind passwords travel in clear text. Select the protocol that the LDAP server supports.
  3. LDAP Admin Name: the DN of the account iServer binds with, for example cn=Manager,dc=maxcrc,dc=com. A dedicated service account that can only search users and groups is preferable to the directory's own administrator account, since that is all the bind needs.
  4. LDAP Admin Password: the password of the account named in LDAP Admin Name, for example secret.
  5. Root Directory Position: the base DN under which users and groups are searched, for example dc=maxcrc,dc=com.

 Note:

1. If the selected LDAP server uses the SSL connection protocol, you also need to configure iServer to connect to the LDAP server over SSL (see Connect to the LDAP server using SSL below);

2. If the LDAP server is an Active Directory domain controller, you also need to add the following line to the %iServer_HOME%/webapps/iserver/WEB-INF/shiro.ini file:

ldapRealm.userNamingAttribute = userPrincipalName

userPrincipalName is the Windows 2000 and later logon name (for example user@maxcrc.com). If users sign in with the pre-Windows 2000 logon name instead (the sAMAccountName attribute, for example jdoe, the only form older clients such as Windows 95 or Windows 98 understand), set the value to sAMAccountName.

Configure role mappings

On the LDAP login configuration page you can map LDAP groups to iServer roles, so that every user in an LDAP group receives the access permissions of the corresponding role.

Click the Add Role Mapping button. In the "Add Role Mapping" dialog box that opens (as shown in the figure below), select the LDAP group name (a group under the root entry position in the LDAP server), then select the iServer role that the group should receive, and click Add to complete the mapping. All users belonging to that LDAP group can then log in to iServer with the permissions of the mapped role. The LDAP login configuration page lists the added group-to-role mappings, and each mapping can be edited or deleted there. Map groups to the least privileged role that fits: because the mapping is by group, anyone the directory administrator later adds to a mapped group gains that role in iServer without any change on the iServer side.

Connect to the LDAP server using SSL

 If the LDAP server uses the SSL encrypted connection protocol, the following additional settings are required before iServer can use it:

  1. Download OpenSSL from the OpenSSL official website and install it, for example to D:\OpenSSL-Win64.
  2. Add the D:\OpenSSL-Win64\bin directory to the system PATH environment variable.
  3. Open a command prompt anywhere and run the following command:

openssl.exe s_client -connect 192.168.17.13:636 -servername 192.168.17.13 -showcerts < NUL | openssl x509 -outform pem > e:/ldap.cer

192.168.17.13 is the IP address of the machine where the LDAP server is located (if you address the server by host name, use that name after both -connect and -servername); e:/ldap.cer is the path of the exported certificate file, and the file name is arbitrary (the .cer extension is a convention, not a requirement). The < NUL redirection closes the standard input of s_client so that the command returns instead of waiting for keyboard input. Only the first certificate in the chain, the server's own certificate, is written to the file. The connection that fetched it was not authenticated, so before importing it compare its fingerprint (openssl x509 -in e:/ldap.cer -noout -fingerprint -sha256) with the value the directory administrator gives you.

  4. Import the exported certificate into the JRE under %SuperMap iServer_HOME%/support/JRE. Open a command prompt in that directory and run the following command (use bin\keytool if keytool is not on the PATH):

keytool -import -v -trustcacerts -alias ldap -file e:/ldap.cer -storepass changeit -keystore ./lib/security/cacerts

./lib/security/cacerts is the JRE trust store; ldap is an alias of your choosing; e:/ldap.cer is the certificate file exported in step 3; changeit is the default password of the JRE trust store. You can confirm the import with keytool -list -alias ldap -storepass changeit -keystore ./lib/security/cacerts.

  5. Edit the file %SuperMap iServer_HOME%/bin/catalina.bat and add a new line after set JAVA_OPTS=%JAVA_OPTS% -Xms256m -Xmx1536m -Xss512k, as follows:

set JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

This property switches off the JVM's endpoint identification for LDAPS, that is, the check that the host in the LDAP Server Address matches a name in the server certificate. It is needed when the address is an IP and the certificate was issued to a host name only. The certificate chain is still validated against cacerts, but note that the JRE trust store also contains the public root CAs, so with the check disabled a certificate from any trusted CA for any name would be accepted for this connection. If you can put a host name that appears in the certificate's Subject Alternative Name into the LDAP Server Address instead, leave this line out and keep the check enabled.

  6. Restart the service, then select the SSL protocol in the LDAP login configuration to connect to the LDAP server.
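The following script is an added example and is not part of SuperMap iServer or its documentation. It automates the judgement calls in the procedure above and in the LDAP Server Address item of the basic configuration: it fetches the server certificate the way step 3 does, prints a SHA-256 fingerprint to confirm with the directory administrator before the keytool import, and tests whether the host written in LDAP Server Address would pass the JVM's endpoint identification, so you know whether the disableEndpointIdentification line in step 5 is really needed or whether a host name from the certificate should be used instead. It needs the openssl command from step 1 on the PATH to read the certificate's Subject Alternative Name; the address 192.168.17.13 and the name ldap.maxcrc.com are illustrative values taken from this page.

```python
"""Pre-flight check of an LDAPS server before trusting its certificate.
Added example; not SuperMap code. Needs `openssl` on PATH for SAN parsing."""
import hashlib
import ipaddress
import re
import ssl
import subprocess
import sys
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
# Matches the items openssl prints: "DNS:ldap.maxcrc.com, IP Address:192.168.17.13"
SAN_ITEM = re.compile(r"(DNS|IP Address):([^,\s]+)")


def parse_ldap_url(url):
    """'LDAP://192.168.17.13:389' -> ('ldap', '192.168.17.13', 389).
    Port defaults to 389 for ldap:// and 636 for ldaps://."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("not an LDAP URL: %r" % url)
    if not parts.hostname:
        raise ValueError("missing host in %r" % url)
    return scheme, parts.hostname, parts.port or DEFAULT_PORTS[scheme]


def fetch_server_cert_pem(host, port):
    """Fetch the leaf certificate the server presents, like step 3 does.
    Nothing is verified here (trust on first use), hence the fingerprint."""
    return ssl.get_server_certificate((host, port))


def sha256_fingerprint(pem):
    """SHA-256 over the DER bytes, colon-separated as openssl/keytool print it."""
    hexdigest = hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def parse_openssl_san_text(text):
    """Parse `openssl x509 -ext subjectAltName` output into [(kind, value)],
    kind being 'DNS' or 'IP'."""
    return [("IP" if kind == "IP Address" else kind, value)
            for kind, value in SAN_ITEM.findall(text)]


def san_entries_from_openssl(pem):
    """Extract the SAN list with the openssl CLI (-ext needs OpenSSL 1.1.1+)."""
    out = subprocess.run(["openssl", "x509", "-noout", "-ext", "subjectAltName"],
                         input=pem, capture_output=True, text=True, check=True)
    return parse_openssl_san_text(out.stdout)


def host_matches_san(host, san_entries):
    """Endpoint identification as the JVM applies it to LDAPS (RFC 6125 rules,
    simplified): an IP literal must appear as an IP entry; a DNS name must equal
    a DNS entry or match a single left-most wildcard label. A DNS entry never
    covers an IP, which is why an IP in LDAP Server Address fails against a
    certificate issued to a host name."""
    host = host.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if ip is not None:
            try:
                if kind == "IP" and ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                pass
            continue
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*.") and "*" not in pattern[2:]:
            suffix = pattern[1:]                       # '.maxcrc.com'
            label = host[:-len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:             # exactly one label
                return True
    return False


def assess(url, san_entries):
    """Return (verdict, dns_names_in_cert): 'ok' = address passes the hostname
    check, so the disableEndpointIdentification line is unnecessary;
    'mismatch' = put one of the returned names in the address instead of
    disabling the check; 'not-ldaps' = the URL is not ldaps://."""
    scheme, host, _port = parse_ldap_url(url)
    names = [v for k, v in san_entries if k == "DNS"]
    if scheme != "ldaps":
        return "not-ldaps", names
    return ("ok" if host_matches_san(host, san_entries) else "mismatch"), names


if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else "ldaps://192.168.17.13:636"
    scheme, host, port = parse_ldap_url(url)
    pem = fetch_server_cert_pem(host, port)
    print("SHA-256 (confirm with the directory admin):", sha256_fingerprint(pem))
    verdict, names = assess(url, san_entries_from_openssl(pem))
    print("hostname check for %s: %s (names in certificate: %s)"
          % (host, verdict, ", ".join(names) or "none"))
```

Run it with the same URL you entered as LDAP Server Address, for example python ldaps_check.py ldaps://192.168.17.13:636. A verdict of mismatch together with a listed name means the cleaner fix is to enter that name (resolvable from the iServer machine) as the LDAP Server Address and skip step 5; only use the disableEndpointIdentification setting when no usable name exists in the certificate.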