LDAP authentication within SDC

This topic contains 2 replies, has 2 voices, and was last updated by  ignaciom 5 years, 1 month ago.

    #348738

    sdc-support
    Member

    Secure Delivery Center allows you to authenticate on your Delivery Hub using any authentication system you want. To allow flexibility, you enable this feature through an External Authentication Extension, so you can write one customized for your company’s requirements.

    One authentication system that is widely used is the Lightweight Directory Access Protocol (LDAP). Because many of our customers are using a standard LDAP server, we have written a generic LDAP External Authentication Extension that is flexible and easy to configure. It makes it easy to have your LDAP authentication working on your Delivery Hub in a couple of minutes.

    This tutorial will provide you with the required files and the steps to enable LDAP authentication on your Secure Delivery Center.

    The Admin Management
    Before diving into the details about the extension it’s important to understand how the System admins will be managed.

    Though SDC can manage system admins through a custom implementation of the External Authentication Extension, the generic implementation described here does not manage system admins. Instead, SDC keeps a local list of users with administrator rights.

    Basically what the Delivery Hub does is:

    1. The Delivery Hub will authenticate your user with your LDAP service.
    2. If your user authenticated correctly it will look through its local index of admins.
    3. If it can find a local system admin that matches the user id, then this LDAP user will be considered system admin.

    Because of this architecture, before doing anything you need to create at least one System Admin user within the Admin Console that matches one user id from your LDAP server (probably your user!).

    Once the external authentication extension is enabled, and you have logged in on the Admin Console with this special LDAP user, you can look up any LDAP user and mark it as system admin. You can create as many system admins as required, and it’s also possible to mark LDAP users as Group Admins the same way you would do with local users.

    The Authentication Extension
    We have attached a zip that contains all the files required. Within the zip you will find the jar ldap-auth.jar; this is the authentication extension ready to be used on your Delivery Hub. To enable the extension you will need to:

    1. Create the local system admin that will match the LDAP user that will be your admin.
    2. Download and extract the attached zip file.
    3. Stop your Delivery Hub.
    4. Copy the ldap-auth.jar file into the “[Data Files directory]/system-config/private/server-extensions/” directory.
    5. Configure your LDAP context queries (see the section below).
    6. Start your Delivery Hub.

    The configuration file
    Since this is a generic extension, you need a way to configure it with your LDAP service information. In the attached zip you will find the file ldap.properties. This properties file contains all the specific information needed to access and query your LDAP service. The properties listed are just an example and though your implementation may be very similar you can add or remove as many properties as you need. The LDAP authentication extension will read this file and will use all the properties you define.

    It’s important to mention that the property names you use should be valid LDAP properties, but in order for the LDAP authentication extension to read them they must have the prefix lookup.prop. Naturally this prefix will be stripped out when creating the LDAP context.
    To finish the extension configuration you will need to:

    1. From the extracted zip copy the ldap.properties file.
    2. Paste the ldap.properties file into the “[Data Files directory]/server/” directory.
    3. Edit the ldap.properties to have your LDAP service information and your query information. You can add as many properties as you need.

    If your login is successful after following these steps, your External Authentication Extension is installed and working. If you have any questions please don’t hesitate to ask, and if you need more information or would like to implement your own External Authentication Extension please visit http://gosecure.genuitec.com/help/sdc_admin.html#external_users.

    Best regards,
    The SDC Team

    • This topic was modified 5 years, 4 months ago by support-jed.

    #398313

    ignaciom
    Moderator

    We are now allowing the SDC LDAP extension to edit the returned attributes from an LDAP lookup so that the filters can add attributes other than “cn” and “uid”. By setting the property:

    ldap.returning.attributes=cn,uid,sAMAccountName

    Now you can perform lookup filters like the following:

    lookup.filter.lookup=(&(sAMAccountName={0}))
    lookup.filter.search=(|(cn={0})(sAMAccountName={1}))

    Best Regards
    The SDC Team

    #453274

    ignaciom
    Moderator

    With the latest release of SDC our LDAP extension can now be used to authenticate against Active Directory. Follow the basic configuration that is in our documentation and make the following changes to the ldap.properties file.

    1. Add the property:
    ldap.returning.attributes=cn,uid,sAMAccountName

    This property now allows you to get the returning search attributes from the LDAP server.

    2. Modify the properties:
    lookup.filter.lookup=(&(sAMAccountName={0}))
    lookup.filter.search=(|(cn={0})(sAMAccountName={0}))

    These properties will be used to find a match on the user name and/or the sAMAccountName attribute.

    3. Optionally, if you need to look up users using credentials, you’ll need to set properties like:
    lookup.prop.java.naming.security.authentication=simple
    lookup.prop.java.naming.security.principal=cn=user,OU=Users,DC=example,DC=com
    lookup.prop.java.naming.security.credentials=password

    Cheers
    Ignacio
    SDC Support
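The two configuration conventions described in this thread (the lookup.prop. prefix that is stripped when the LDAP context is created, and the {0}/{1} placeholders in lookup.filter.* that are filled with the user-supplied name) can be exercised offline. The following is an added example, not code from the SDC extension or the SDC Team: it parses a constructed ldap.properties, separates the JNDI environment from the extension's own settings, and fills a filter template while escaping the substituted value per RFC 4515 so that a login name containing filter metacharacters cannot change the shape of the query. The file contents, host name, service account and password below are constructed placeholders.

```python
"""Added example (not the SDC extension's code): parse an ldap.properties file the
way the thread describes and build an escaped lookup filter from its templates."""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the keys named in the thread; every value is a placeholder.
SAMPLE_PROPERTIES = """\
# constructed ldap.properties (example values only)
lookup.prop.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
lookup.prop.java.naming.provider.url=ldap://ldap.example.test:389
lookup.prop.java.naming.security.authentication=simple
lookup.prop.java.naming.security.principal=cn=svc-sdc,OU=Users,DC=example,DC=com
lookup.prop.java.naming.security.credentials=PLACEHOLDER_PASSWORD
ldap.returning.attributes=cn,uid,sAMAccountName
lookup.filter.lookup=(&(sAMAccountName={0}))
lookup.filter.search=(|(cn={0})(sAMAccountName={0}))
"""

PREFIX = "lookup.prop."  # prefix the thread says is removed before the LDAP context is built


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties-style reader: key=value lines, '#'/'!' comments.
    Splits on the first '=' only, so DN values such as cn=...,DC=... stay intact."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        props[key.strip()] = value.strip()
    return props


def split_config(props: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (jndi_env, extension_settings): keys under lookup.prop. go to the
    environment with the prefix stripped; everything else stays with the extension."""
    env = {k[len(PREFIX):]: v for k, v in props.items() if k.startswith(PREFIX)}
    own = {k: v for k, v in props.items() if not k.startswith(PREFIX)}
    return env, own


def returning_attributes(own: Dict[str, str]) -> List[str]:
    """ldap.returning.attributes as a list; the thread's pre-existing default was cn,uid."""
    raw = own.get("ldap.returning.attributes", "cn,uid")
    return [a.strip() for a in raw.split(",") if a.strip()]


# RFC 4515 escapes for the characters that would otherwise alter a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before it is substituted into an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, *args: str) -> str:
    """Fill {0}, {1}, ... in a lookup.filter.* template with escaped arguments.
    Raises ValueError if the template references a placeholder that was not supplied."""
    def repl(match: "re.Match[str]") -> str:
        idx = int(match.group(1))
        if idx >= len(args):
            raise ValueError(f"filter template needs argument {{{idx}}} but none was given")
        return escape_filter_value(args[idx])
    return re.sub(r"\{(\d+)\}", repl, template)


if __name__ == "__main__":
    env, own = split_config(parse_properties(SAMPLE_PROPERTIES))
    print("JNDI environment:", {k: v for k, v in env.items() if "credentials" not in k})
    print("returning attributes:", returning_attributes(own))
    print("lookup filter for jdoe:", build_filter(own["lookup.filter.lookup"], "jdoe"))
    print("hostile name escaped:", build_filter(own["lookup.filter.lookup"], "*)(uid=*"))
```

The escaping step is the part worth keeping in mind when writing your own filters: the extension substitutes whatever the user typed into {0}, so a filter that only works because the name is well-behaved is a filter that can be reshaped by a crafted name. Note also that the search filter from the second post uses {1} while the Active Directory variant uses {0} twice; `build_filter` raises if a template asks for an argument the caller did not pass, which makes that mismatch visible at configuration time rather than as an empty result.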
