
Appendix B: Setting Up Authentication and Authorization

Configure the LDAP provider

Enterprise Portal LDAP support includes authentication, attribution, and authorization services. The LDAP provider authenticates users when they log in using credentials that can be validated on the LDAP server.

  1. To use both the LDAP provider and the PortalDB provider, go to step 2.

    To use only the LDAP provider:

    1. Change to the location of the global.properties.xml file, either:

      • Tomcat – %SYBASE%\infoedition\tomcat\webapps\onepage\config, where SYBASE is the installation directory of your Sybase software, or

      • EAServer – %JAGUAR%\Repository\WebApplication\onepage\config, where JAGUAR is the EAServer installation directory.

    2. Using a text editor, open global.properties.xml, and change the value of the AuthenticationUsing property to “CSI”.

  2. Change to the location of the csi.xml file, either:

  3. Using a text editor, open csi.xml, and edit the values appropriate for your system.

    The sample csi.xml file that is installed with Enterprise Portal contains the following LDAP provider definitions, which are commented out. Remove the comment delimiters:

    <!--
    <config:authenticationProvider name="com.sybase.security.ldap.LDAPLoginModule"
       controlFlag="optional">
       <config:options name="ServerType" value="sunone5" />
       <config:options name="ProviderURL" value="ldap://localhost:389" />
       <config:options name="DefaultSearchBase" value="dc=sybase,dc=com" />
    </config:authenticationProvider>
    -->

    <!-- LDAP attributer - commented out
       <config:provider name="com.sybase.security.ldap.LDAPAttributer" type="attributer" />
    -->
    
  4. Comment out the following PortalDBAttributer definition. To comment out the definition, insert “<!--” at the beginning of the definition, and “-->” at the end of the definition.

    <config:provider name="com.sybase.security.portaldb.PortalDBAttributer" type="attributer" />

Table B-1 defines the complete list of options that you can use to configure the authentication provider. You can enable any of the options by adding the option name and value to csi.xml, using the same syntax as illustrated in step 3. You must add new option definitions within the authenticationProvider definition; that is, between the following two lines:

<config:authenticationProvider name="com.sybase.security.ldap.LDAPLoginModule">
...
</config:authenticationProvider>
Table B-1: LDAP configuration options

Each entry below gives the configuration option, its default value (where one exists), and its definition.

AuthenticationFilter

  Default value:
    Most LDAP servers: (&(uid={uid})(objectclass=person))
    Microsoft ActiveDirectory: (&(userPrincipalName={uid})(objectclass=user))

  Definition: The filter to use when authenticating users. When performing a user name/password-based authentication, this filter is used to determine the LDAP entry that matches the supplied user name. The string “{uid}” in the filter is replaced with the user name.

AuthenticationMethod

  Default value: simple

  Definition: The authentication method to use for all LDAP authentication requests. The supported methods are:

  • “simple” – clear text authentication.

  • “DIGEST-MD5” – more secure, hashed password authentication. Passwords must be stored in plain text on your LDAP server, and you must use JRE 1.4 or higher.

AuthenticationScope

  Default value: onelevel

  Definition: Can be set to either “onelevel” or “subtree.” If set to “onelevel,” only the AuthenticationSearchBase is used to search for user records; if set to “subtree,” the AuthenticationSearchBase and its subtree are searched.

AuthenticationSearchBase

  Default value: none

  Definition: The location of user records. If not specified, the DefaultSearchBase is used.

BindDN

  Default value: none

  Definition: The DN to bind to when creating the initial LDAP connection. This DN must identify a user who has read capability on all records that are accessed when users authenticate using the login module. This property also defines the credentials that are used to perform anonymous attribution operations when LDAP authentication has not occurred.

  If this property is not specified, anonymous binding is used, which works on most servers.

BindPassword

  Default value: none

  Definition: The password to bind with when creating the initial LDAP connection. You must specify this only when the BindDN property is specified.

DefaultSearchBase

  Default value: none

  Definition: The search base that is used if no other LDAP search base is specified for authentication, roles, or attribution. Use either of the following two syntax options, and verify that the syntax you choose matches what is configured on the LDAP server:

  dc=<domain_name>,dc=<top_level_domain>
  o=<company_name>,c=<country_code>

  For a machine in the Sybase organization, the previous two syntax options map to:

  dc=sybase,dc=com
  o=Sybase,c=us

InitialContextFactory

  Default value: com.sun.jndi.ldap.LdapCtxFactory

  Definition: Specifies the JNDI provider to use. If you are using a Sun Java VM version 1.3 or higher, the default value should work. If you are using an IBM or other third-party VM, adjust this value accordingly.

ProviderURL

  Default value: ldap://localhost:389

  Definition: The URL to connect to the LDAP server. The default value should work if the LDAP server is located on the same machine as the portal and listens on port 389.

RoleFilter

  Default value:
    SunONE: (&(objectclass=ldapsubentry)(objectclass=nsroledefinition))
    Netscape Directory Server: (|(objectclass=groupofnames)(objectclass=groupofuniquenames))
    Microsoft ActiveDirectory: (|(objectclass=groupofnames)(objectclass=group))

  Definition: The role filter, which when used with the RoleSearchBase and RoleScope, returns the complete list of roles from the LDAP server.

RoleMemberAttributes

  Default value: Netscape Directory Server: member,uniquemember

  Definition: A comma-delimited list of one or more role attributes that define the DNs for users who have the role. The DNs are used to determine which roles the user has. This property may be helpful if you use LDAP groups as placeholders for roles.

  Note: The default value applies only to Netscape Directory Server; no default exists for other servers.

RoleNameAttribute

  Default value: cn

  Definition: The attribute that identifies the common names of roles. If a role name value is “dn,” the role name is assumed to be the full DN of the role.

RoleScope

  Default value: onelevel

  Definition: Can be set to either “onelevel” or “subtree.” If set to “onelevel,” only the RoleSearchBase is used to search for roles; if set to “subtree,” the RoleSearchBase and its subtree are searched.

RoleSearchBase

  Default value: none

  Definition: The search base used to retrieve a list of roles. If not specified, the DefaultSearchBase is used.

ServerType

  Default value: none

  Definition: The type of LDAP server you are connecting to; supported server types are:

  This value is not required, but if provided, it establishes default values for the following configuration properties:

  • AuthenticationFilter

  • RoleFilter

  • RoleMembershipAttributes

  • UserRoleMembershipAttributes

UserFreeformRoleMembershipAttributes

  Default value: none

  Definition: The “free-form” role membership attribute list. Users who have attributes in this comma-delimited list are automatically granted access to roles whose names match the attribute value. For example, if the value of this property is “department” and the user’s LDAP record has the values “sales” and “consulting” for the department attribute, then the user is granted roles whose names are “sales” and “consulting.”

  If you are using a SunONE Directory Server 5:

  1. From the LDAP Administration console’s Generic Editor, add a multivalue attribute called “department” for the user.

  2. Highlight “department,” click Add Value, and enter “sales.”

  3. Click Add Value again, and enter “consulting.”

UserRoleMembershipAttributes

  Default value:
    SunONE: nsRoleDN
    Microsoft ActiveDirectory: memberOf

  Definition: Defines a user attribute that stores the list of role DNs for all the roles a user has been granted. These role DNs are cross-referenced against the roles retrieved using the RoleSearchBase and RoleFilter to get a complete list of a user’s roles.

  Note: For servers other than SunONE and Microsoft ActiveDirectory, there is no default value.
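The following is an added example, not Sybase's code, that simulates how the Table B-1 role options combine to produce a user's role set (RoleMemberAttributes, UserRoleMembershipAttributes, and UserFreeformRoleMembershipAttributes), and how the “{uid}” placeholder in AuthenticationFilter is substituted. The directory entries and configuration values are constructed in-memory stand-ins; the RFC 4515 escaping of the user name is an addition the page does not describe.

```python
# Added example (not Sybase's code): in-memory simulation of the role computation
# described by Table B-1. All entries and configuration values are constructed.

def build_auth_filter(template, uid):
    """Substitute {uid} into AuthenticationFilter. Filter metacharacters in the
    user name are escaped per RFC 4515 so the supplied name cannot change the
    filter's structure (an addition beyond what the page states)."""
    escaped = (uid.replace("\\", r"\5c").replace("*", r"\2a")
                  .replace("(", r"\28").replace(")", r"\29").replace("\0", r"\00"))
    return template.replace("{uid}", escaped)

def compute_roles(user, roles, cfg):
    """Return the set of role names the user holds, using the three mechanisms
    from the table: member DNs listed on the role entry (RoleMemberAttributes),
    role DNs listed on the user entry cross-referenced against the role list
    (UserRoleMembershipAttributes), and attribute values taken directly as role
    names (UserFreeformRoleMembershipAttributes)."""
    name_attr = cfg.get("RoleNameAttribute", "cn")
    granted, role_names = set(), {}
    for dn, attrs in roles.items():
        name = dn if name_attr == "dn" else attrs.get(name_attr, [dn])[0]
        role_names[dn.lower()] = name
        for a in cfg.get("RoleMemberAttributes", "").split(","):
            members = (m.lower() for m in attrs.get(a.strip(), []))
            if user["dn"].lower() in members:
                granted.add(name)
    for a in cfg.get("UserRoleMembershipAttributes", "").split(","):
        for role_dn in user["attrs"].get(a.strip(), []):
            if role_dn.lower() in role_names:      # only roles the RoleFilter returned
                granted.add(role_names[role_dn.lower()])
    for a in cfg.get("UserFreeformRoleMembershipAttributes", "").split(","):
        granted.update(user["attrs"].get(a.strip(), []))
    return granted

# Constructed sample data (not real directory records)
ROLES = {
    "cn=sales,ou=roles,dc=example,dc=com": {"cn": ["sales"], "member": []},
    "cn=admins,ou=roles,dc=example,dc=com": {
        "cn": ["admins"], "uniquemember": ["uid=jdoe,ou=people,dc=example,dc=com"]},
}
USER = {"dn": "uid=jdoe,ou=people,dc=example,dc=com",
        "attrs": {"nsRoleDN": ["cn=sales,ou=roles,dc=example,dc=com"],
                  "department": ["consulting"]}}
CONFIG = {"RoleNameAttribute": "cn", "RoleMemberAttributes": "member,uniquemember",
          "UserRoleMembershipAttributes": "nsRoleDN",
          "UserFreeformRoleMembershipAttributes": "department"}

if __name__ == "__main__":
    print(sorted(compute_roles(USER, ROLES, CONFIG)))   # ['admins', 'consulting', 'sales']
```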

Copyright © 2004. Sybase Inc. All rights reserved.