Hi,
Need advice on setting up secure LDAP authentication in Business Publisher:
Have set up the necessary parameters in:
...\ARIS7.1\BPServer\tomcat\webapps\businesspublisher\config\webappserver.cfg
Was able to get non-SSL LDAP authentication to work.
Now I need to set up SSL LDAP authentication.
There seem to be two related parameters in the config file:
1) <ldapproviderurl value="ldap://xxx.xxx.xxx"/>
2) <ldapsecurityauthentication value="simple"/>
The question is: to enable SSL LDAP authentication, do I need to set both (1) to use the protocol ldaps://xxx.xxx.xxx and (2) to value="ssl"? Or should it be only one of these two settings?
Thanks,
KL
Hi KL,
LDAP Security Authentication happens between the Business Publisher server and the LDAP server.
If the LDAP Security Authentication value is "simple", no encryption happens; if the value is "SSL", a secure socket layer is used.
So you should configure both the ldapsecurityauthentication value="SSL" and the LDAP URL value in your Webappserver.cfg file.
Regards,
Karthikeyan
Thanks for the reply.
I have tried configuring both the ldapsecurityauthentication value="SSL" and the LDAP URL value in the Webappserver.cfg file. But I get an exception:
Query: /businesspublisher/login.do
javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: simple bind failed: xxx.xxx.xxx:636 [Root exception is java.net.SocketException: Connection reset]]
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:224)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(LdapNamingEnumeration.java:171)
at com.idsscheer.aris.businesspublisher.application.business.components.login.LDAPLogin.ABPLdapHelper.getGroupsBackward(ABPLdapHelper.java:515
...
Any idea what is causing the above?
I am running the ARIS business server together with the publisher server on the same machine. I have no problem with the business server after turning on SSL LDAP. I have also tried importing the SSL cert from the LDAP server into the publisher server, but I still get the same error.
Thanks for any advice!
I managed to find out, in a way, why I am getting the javax.naming.PartialResultException above. It seems to be related to the <usersearchpath> setting under <ldap> in webappserver.cfg. When I narrow down the usersearchpath by specifying the OU, the connection to LDAP SSL works OK. So I suspect that when using SSL LDAP the usersearchpath somehow cannot have too many records, and thus needs to be narrowed down.
One way to resolve this is to narrow the usersearchpath by specifying the OU, but I am having a problem here. The users for the business publisher are from different departments, and thus they have different OUs. The <usersearchpath> setting seems to allow only one search path.
Does anyone have any idea how I can set multiple <usersearchpath> entries in webappserver.cfg for LDAP?
Thanks,
KL
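The exception quoted above is thrown by the JDK's own LDAP provider (com.sun.jndi.ldap), so the bind and the search can be reproduced outside Business Publisher with a few lines of JNDI. The probe below is an added example, not ARIS code, and nothing in the thread confirms it matches what Business Publisher does internally. It assumes a reachable LDAPS server and takes the URL, bind DN, password, search base and filter as command-line arguments (all placeholders). It binds with simple authentication inside TLS, which is what the two cfg settings together ask for, then runs the same subtree search twice: once refusing referrals and once following them. One common reason a search rooted at the top-level DC=... path ends in a PartialResultException wrapping a failed bind on port 636 is that the directory (Active Directory in particular) answers with referrals to other naming contexts, and the provider then opens a second TLS connection to the referred-to host; a search restricted to a single OU returns no such referral, which is consistent with the observation above. Whether that is the cause here is an assumption; the probe makes the difference visible either way. The property names used (SECURITY_PROTOCOL, REFERRAL and so on) are JNDI's, not the webappserver.cfg keys.

```java
import java.util.Hashtable;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.PartialResultException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// Added example: LDAPS probe using the same JNDI provider seen in the stack trace.
// Not ARIS code; server, DNs and filter are placeholders supplied on the command line.
public class LdapsProbe {

    // Runs one subtree search and returns the number of entries found.
    // Throws PartialResultException when the server returned a referral and
    // REFERRAL is "ignore"; throws CommunicationException when the TLS
    // connection or the simple bind itself failed.
    static int search(Hashtable<String, String> env, String base, String filter) throws NamingException {
        DirContext ctx = new InitialDirContext(env);   // the simple bind over TLS happens here
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] { "distinguishedName", "memberOf" });
            NamingEnumeration<SearchResult> results = ctx.search(base, filter, sc);
            int count = 0;
            try {
                // hasMore() is the call in the stack trace above: with REFERRAL=ignore it is the
                // point at which a referral surfaces as PartialResultException, after the real
                // entries have been consumed.
                while (results.hasMore()) {
                    SearchResult r = results.next();
                    System.out.println("found: " + r.getNameInNamespace());
                    count++;
                }
            } finally {
                results.close();
            }
            return count;
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) {
        if (args.length != 5) {
            System.err.println("usage: LdapsProbe <ldaps-url> <bind-dn> <password> <search-base> <filter>");
            System.exit(2);
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, args[0]);             // e.g. ldaps://dc01.corp.example:636 (placeholder)
        env.put(Context.SECURITY_PROTOCOL, "ssl");          // JNDI's name for "wrap the connection in TLS"
        env.put(Context.SECURITY_AUTHENTICATION, "simple"); // DN + password; acceptable only because TLS is on
        env.put(Context.SECURITY_PRINCIPAL, args[1]);
        env.put(Context.SECURITY_CREDENTIALS, args[2]);

        // First pass: refuse to chase referrals. A search rooted at the DC=... naming context of an
        // Active Directory domain normally returns referrals for other naming contexts; a search
        // rooted at one OU does not.
        env.put(Context.REFERRAL, "ignore");
        try {
            int n = search(env, args[3], args[4]);
            System.out.println(n + " entries, no referrals");
        } catch (PartialResultException e) {
            System.out.println("entries returned, then a referral was ignored: " + e.getMessage());
        } catch (CommunicationException e) {
            // TLS handshake or bind problem with the server you named: check that 636 really speaks
            // TLS and that the server's certificate chain is in the JVM truststore
            // (-Djavax.net.ssl.trustStore=...), not only in some other keystore on the machine.
            System.out.println("cannot bind over TLS: " + e.getMessage());
            return;
        } catch (NamingException e) {
            System.out.println("search failed: " + e);
            return;
        }

        // Second pass: follow referrals. If the referred-to host does not accept the TLS connection
        // or the bind, the provider reports a PartialResultException whose root cause is the
        // CommunicationException for that second connection.
        env.put(Context.REFERRAL, "follow");
        try {
            int n = search(env, args[3], args[4]);
            System.out.println(n + " entries with referrals followed");
        } catch (PartialResultException e) {
            System.out.println("referral could not be followed: " + e.getMessage());
            Throwable root = e.getRootCause();
            if (root != null) System.out.println("  root cause: " + root);
        } catch (NamingException e) {
            System.out.println("search failed: " + e);
        }
    }
}
```

Run it once with the OU-restricted base and once with the top-level DC=... base: if the OU base completes both passes while the DC base ends in a PartialResultException whose root cause is a CommunicationException on port 636, the failure is on the referral connection rather than on the server you configured, and the truststore and the cert import are not the problem.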
Dear KL,
Do not restrict your Usersearchpath\Groupsearchpath by specifying the OU. Give the Usersearchpath\Groupsearchpath by specifying the DC [top-level search path].
And disable "ldapAssignments.jsp" and enable "ldapAssignments2.jsp" as below in the Webappserver.cfg file.
<!--ldapAssignmentsForm value="ldapAssignments.jsp"/-->
<ldapAssignmentsForm value="ldapAssignments2.jsp"/>
Then enter the user/group name to search for in "Filter" and click Update, as shown in the screenshot below.
Thanks a lot for the useful advice and screenshots!
Anyway, my Webappserver.cfg does not have the <ldapAssignmentsForm> option by default. Even after I added this option, it does not work, as the system still uses ldapAssignments.jsp. But I managed to trace that ldapAssignments.jsp was called (hardcoded) from ...\ARIS7.1\BPServer\tomcat\webapps\businesspublisher\layouts\admin\usergroup.jsp. So I modified usergroup.jsp to call ldapAssignments2.jsp, and it works now.
Thanks for pointing me in the right direction!