2.7.2 LDAP/Active Directory settings
QFLEX has the ability to use LDAP/Active Directory for user authentication and authorization.
LDAP
Let's assume we are using the following LDIF file on our LDAP server (entries are separated by blank lines, as LDIF requires):
dn: dc=mycompany,dc=com
objectClass: domain
objectClass: top
dc: mycompany

dn: ou=people,dc=mycompany,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people

dn: uid=sheppard,ou=people,dc=mycompany,dc=com
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: person
givenName: John
sn: Sheppard
displayName: John Sheppard
uid: sheppard
loginShell: /bin/sh
cn: John Sheppard
uidNumber: 31546
userPassword: {SHA}FuRghGiBVEh38QrtWf3adeGW5WQ=
homeDirectory: C:\
gidNumber: 28341

dn: uid=lowson,ou=people,dc=mycompany,dc=com
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: person
gidNumber: 26718
givenName: Miranda
sn: Lowson
displayName: Miranda Lowson
uid: lowson
homeDirectory: C:\
loginShell: /bin/sh
cn: Miranda Lowson
uidNumber: 7382
userPassword: {SHA}IixNlELBI9AgxGjWKUWLwsBE8cU=

dn: ou=groups,dc=mycompany,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: cn=ROLE_ADMIN,ou=groups,dc=mycompany,dc=com
objectClass: posixGroup
objectClass: top
cn: ROLE_ADMIN
gidNumber: 28341
memberUid: sheppard

dn: cn=ROLE_USER,ou=groups,dc=mycompany,dc=com
objectClass: posixGroup
objectClass: top
cn: ROLE_USER
gidNumber: 26718
memberUid: lowson
So we have two users (sheppard, lowson) and two roles (ROLE_ADMIN, ROLE_USER); sheppard is a member of ROLE_ADMIN and lowson a member of ROLE_USER.
To enable LDAP integration, open the Options/LDAP page. The form contains the following fields:
Parameter Name | Purpose | Default Value |
Enable LDAP | Enable/disable LDAP integration. | false |
LDAP server URL | Server URL in the form ldap(s)://ldap_server_host:port. Prefer ldaps:// (port 636): with a simple bind the user's password travels to the server in clear text, so plain ldap:// exposes every login on the network. | ldap://localhost:389 |
Base | Your company's base DN. | DC=mycompany,DC=com |
Search base | Relative DN under which QFLEX searches for the user entry. The effective search DN is search base + "," + base (in our example: ou=people,dc=mycompany,dc=com). | ou=people |
Authentication filter | LDAP filter used to find the user entry. {0} is replaced with the login name entered by the user. | (&(uid={0})(objectClass=person)) |
Group search base | Relative DN under which QFLEX looks for the user's role (effective DN: group search base + "," + base, in our example ou=groups,dc=mycompany,dc=com). | ou=groups |
Group search filter | LDAP filter used to find the groups the user belongs to. Two parameters are available: {0} = the user's full DN, {1} = the login name. | memberUid={1} |
Role prefix | A prefix prepended to every role name fetched from the server, so that the resulting name can be matched against the Administrator/User role names below. | (empty) |
Administrator role | Name of the LDAP group that is mapped to the QFLEX Administrator role. | ROLE_ADMIN |
User role | Name of the LDAP group that is mapped to the QFLEX User role. | ROLE_USER |
Manager DN | DN that QFLEX binds with before performing the user search. {0} is replaced with the login name, so the default binds as the user who is logging in and no stored service-account credential is needed. If users are not allowed to search the directory, a fixed DN of a read-only service account can be entered here instead. Clear this field if your LDAP server allows anonymous search. | uid={0},ou=people,DC=mycompany,DC=com |
Manager password | Password for the Manager DN bind. {0} is replaced with the password the user entered (with a fixed service-account DN above, enter that account's password here). Leave this field blank if your server allows anonymous search. | {0} |
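To make the table concrete, here is a model of the lookup it describes, written as an added example for this page (it is not QFLEX code and does not talk to a real server). It parses a constructed LDIF with the same users and groups as above but with passwords we know, substitutes {0}/{1} into the configured filters, verifies the {SHA} userPassword the way a simple bind would, and maps the matched group to the Administrator or User role. CONFIG_AD_GROUPS swaps in the member={0} group filter from the Active Directory section below to show that the same evaluator resolves membership through the user's DN. The escape_filter helper is an assumption of this example: the page does not say whether QFLEX escapes the login before substitution, but any substitution into an LDAP filter must, or a login such as x)(uid=* rewrites the query.

```python
"""Model of the Options/LDAP lookup from the table above (added example, not
QFLEX code): parse a constructed LDIF, apply the configured filters with
{0}/{1} substitution, check the {SHA} password and map the group to a role."""
import base64
import hashlib

CONFIG = {  # values from the Options/LDAP table on this page
    "base": "dc=mycompany,dc=com",
    "search_base": "ou=people",
    "auth_filter": "(&(uid={0})(objectClass=person))",
    "group_search_base": "ou=groups",
    "group_filter": "memberUid={1}",
    "role_prefix": "",
    "admin_role": "ROLE_ADMIN",
    "user_role": "ROLE_USER",
}
CONFIG_AD_GROUPS = dict(CONFIG, group_filter="(&(member={0})(objectClass=group))")  # AD-style group filter

def sha_password(plain):
    """{SHA} userPassword form: base64 of the raw SHA-1 digest."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(plain.encode()).digest()).decode()

# Constructed LDIF mirroring the page's entries, with passwords we know
# ('atlantis', 'pegasus'); ROLE_ADMIN also carries an AD-style member attribute.
SAMPLE_LDIF = f"""dn: uid=sheppard,ou=people,dc=mycompany,dc=com
objectClass: inetOrgPerson
objectClass: person
uid: sheppard
userPassword: {sha_password('atlantis')}

dn: uid=lowson,ou=people,dc=mycompany,dc=com
objectClass: inetOrgPerson
objectClass: person
uid: lowson
userPassword: {sha_password('pegasus')}

dn: cn=ROLE_ADMIN,ou=groups,dc=mycompany,dc=com
objectClass: posixGroup
objectClass: group
cn: ROLE_ADMIN
memberUid: sheppard
member: uid=sheppard,ou=people,dc=mycompany,dc=com

dn: cn=ROLE_USER,ou=groups,dc=mycompany,dc=com
objectClass: posixGroup
cn: ROLE_USER
memberUid: lowson
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}} from blank-line separated LDIF entries."""
    entries, cur = {}, {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if cur:
                entries[cur["dn"][0].lower()] = cur
                cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def escape_filter(value):
    """RFC 4515 escaping of a value substituted into a filter, so a login such as
    'x)(uid=*' cannot change the filter structure (LDAP filter injection)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def matches(entry, filt):
    """Evaluate the filter subset used by the QFLEX defaults: (attr=value), bare
    attr=value and (&(...)(...)). Comparison is literal (no schema inheritance)."""
    filt = filt.strip()
    if filt.startswith("(&"):
        inner, parts, depth, start = filt[2:-1], [], 0, 0
        for i, ch in enumerate(inner):
            depth += (ch == "(") - (ch == ")")
            if depth == 0:
                parts.append(inner[start:i + 1])
                start = i + 1
        return all(matches(entry, p) for p in parts)
    attr, _, value = filt.strip("()").partition("=")
    return value.lower() in (v.lower() for v in entry.get(attr.lower(), []))

def authenticate(directory, cfg, login, password):
    """Return 'admin', 'user' or None, following the table's semantics."""
    safe_login = escape_filter(login)
    people = (cfg["search_base"] + "," + cfg["base"]).lower()
    hits = [e for dn, e in directory.items()
            if dn.endswith(people) and matches(e, cfg["auth_filter"].format(safe_login))]
    if len(hits) != 1:
        return None  # unknown (or ambiguous) login
    user = hits[0]
    if user.get("userpassword", [None])[0] != sha_password(password):
        return None  # bind as this user would fail (AD reports data 52e)
    groups = (cfg["group_search_base"] + "," + cfg["base"]).lower()
    user_dn = escape_filter(user["dn"][0])
    roles = {cfg["role_prefix"] + g["cn"][0] for dn, g in directory.items()
             if dn.endswith(groups) and matches(g, cfg["group_filter"].format(user_dn, safe_login))}
    if cfg["admin_role"] in roles:
        return "admin"
    return "user" if cfg["user_role"] in roles else None
```

Run authenticate(parse_ldif(SAMPLE_LDIF), CONFIG, "sheppard", "atlantis") to get "admin" and the same call with "lowson"/"pegasus" to get "user"; a wrong password or an unknown login yields None, which is the point at which QFLEX falls back to database authentication (see Notes). With CONFIG_AD_GROUPS, lowson authenticates but gets no role, because ROLE_USER has no member attribute: the group search filter must match how your directory actually records membership.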
Active Directory
Active Directory configuration differs from plain LDAP in the following parameters; the remaining fields are used exactly as described above.
Parameter Name | Value |
Search base | CN=Users |
Authentication filter | (&(userPrincipalName={0})(objectClass=person)) |
Group search base | CN=Users |
Group search filter | (&(member={0})(objectClass=group)) |
Manager DN | {0} |
Manager password | {0} |
With these values the user logs in with the userPrincipalName (user@domain). Active Directory accepts a UPN directly as the bind name, so Manager DN = {0} binds as the user who is logging in and no service account is stored in QFLEX. Group membership is resolved through the member attribute of the group object, which holds the user's full DN ({0} in the group search filter). CN=Users is only the default container: accounts or groups that live in other organizational units are not found unless the search bases are adjusted accordingly.
Notes
LDAP/AD authentication is attempted first, before the legacy database-based authentication.
If the LDAP/AD login fails, QFLEX falls back to the database, so the local accounts in the "Security" section remain valid logins even with LDAP enabled.
To disable database authentication, remove all principals from the "Security" section. Do this only after confirming that LDAP is enabled and that an LDAP/AD account mapped to the Administrator role can actually log in; otherwise no administrator login remains.
Troubleshooting
The error shown below appears, with minor variations, whenever an LDAP authentication attempt against Active Directory fails:
"The exception is [
LDAP: error code 49 - 80090308: LdapErr: DSID-0Cxxxxxx , comment: AcceptSecurityContext error, data xxx
, vece]."
LDAP result code 49 only means "invalid credentials"; the value after "data" (and before the trailing version token, shown as "vece" above and as "v893" or similar in real messages) is the Active Directory-specific sub-status that tells you why the bind was rejected. The values are hexadecimal:
Data value | Meaning |
525 | user not found |
52e | invalid credentials |
530 | not permitted to logon at this time |
531 | not permitted to logon at this workstation |
532 | password expired |
533 | account disabled |
701 | account expired |
773 | user must reset password |
775 | user account locked |
Example issue message:
LDAP failure: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580]
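Because every AD bind failure surfaces as the same "error code 49" string, it helps to pull the data sub-status out mechanically when working through a log. The following is an added example for this page, not QFLEX code: it parses the LdapErr message format shown above, maps the sub-status through the table, and counts failures per reason over a constructed log excerpt (the page's example line plus two constructed variations, one of which is a different LDAP error layout that the parser deliberately ignores).

```python
"""Extract the Active Directory sub-status from the 'error code 49' message
shown above (added example, not QFLEX code). LDAP result 49 only says
'invalid credentials'; the hex value after 'data' is what tells you why."""
import re

AD_BIND_DATA_CODES = {  # mapping from the troubleshooting table on this page
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "user account locked",
}

# Real messages end the data field with a version token such as 'v2580'; the
# page's template shows 'vece' in that position, so only the leading 'v' is fixed.
_AD_BIND_ERROR = re.compile(
    r"LDAP: error code (?P<result>\d+) - (?P<hresult>[0-9A-Fa-f]{8}): LdapErr: "
    r"DSID-(?P<dsid>[0-9A-Fa-fx]+)\s*, comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+)\s*, v"
)

def diagnose(message):
    """Return a dict describing an AD bind failure found in message, or None if
    the message is not an AD 'LdapErr' string (other LDAP errors use another layout)."""
    m = _AD_BIND_ERROR.search(message)
    if not m or int(m.group("result")) != 49:
        return None
    data = m.group("data").lower()
    return {
        "dsid": m.group("dsid"),
        "comment": m.group("comment"),
        "data": data,
        "meaning": AD_BIND_DATA_CODES.get(data, "unknown sub-status " + data),
    }

# Constructed log excerpt: the page's example line plus two variations.
SAMPLE_LOG = [
    "LDAP failure: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580]",
    "LDAP failure: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 775, v2580]",
    "LDAP failure: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=mycompany,DC=com']",
]

def summarize(lines):
    """Count diagnosed AD bind failures per meaning; a spike of 'user account
    locked' or 'invalid credentials' across many logins is worth a look."""
    counts = {}
    for line in lines:
        d = diagnose(line)
        if d:
            counts[d["meaning"]] = counts.get(d["meaning"], 0) + 1
    return counts
```

diagnose(SAMPLE_LOG[0]) reports data 52e, "invalid credentials", the case in the example message above; a sub-status that is not in the table is reported as unknown rather than guessed. Note that a run of 52e results from QFLEX does not by itself distinguish a mistyped password from a wrong userPrincipalName form (user@domain is required with the AD filter above).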