uCosminexus Application Server, Security Management Guide

[Contents][Index][Back][Next]

5.17.4 Settings when using Active Directory

This section describes the settings when Active Directory is used as the LDAP directory server.

When the integrated user management framework library is used to register users to the user information repository and update the user information (including user passwords), it is necessary to set the Active Directory environment and register the certificate that enables connections over SSL.

The following table shows the settings when Active Directory is used as the LDAP directory server. The settings depend on the user authentication method being used.

Table 5-16 List of settings when using Active Directory

Setting Password authentication Change password and add/change user Client authentication (X509 certificate)
jaas.conf Specify the necessary login module/ R R R
Specify the login module option/ O R --
ua.conf Specify the user identifying attribute/ R R R
Specify the attribute name used as the user ID in the DN/ -- -- R
Specify the password attribute/ R R --
Specify the type of LDAP directory server/ R R --
Convert the DN containing 2-byte characters such as Japanese/ O O O
Change the URL protocol/ O R O
Connections over SSL O R O

Legend:
R: Required
O: Optional
-: Not required (The settings are ignored.)

The methods used to set the Active Directory environment and register the certificate that enables connections over SSL are as follows.

The object class and attributes of the users managed in Active Directory are different from those managed in other LDAP directory servers. When the integrated user management framework library is used, use the user object class and specify the cn, unicodePwd, sAMAccountName, and userAccountControl attributes to create that user.

Assign the security account manager (SAM) account name to sAMAccountName. Generally, the account name is the same value as the user ID.

Assign the user account property flag to userAccountControl. To create the general user entry, assign 512. Note that users cannot be created when the minimum password length is set to one character in the security policy of the server on which Active Directory is installed. Take either of the following measures so that user entries can be created.

Change the minimum password length to zero or more characters in the security policy and then assign 512 to userAccountControl.

Assign 544 to userAccountControl without changing the minimum password length in the security policy.

Organization of this subsection
(1) Setting jaas.conf
(2) Setting ua.conf
(3) Setting connections over SSL
(4) Notes

(1) Setting jaas.conf

The settings in jaas.conf are as follows.

(a) Designating the login module

Specify WebPasswordLDAPLoginModule when password authentication is used. To use client certificates, specify WebCertificateLoginModule.

(b) Specifying the login module option (when using password authentication)

Assign ldap.w to the WebPasswordLDAPLoginModule option. Or, assign sso.ldap.w when single sign-on is used.

(2) Setting ua.conf

The settings in ua.conf are as follows.

(a) Specifying the user identifying attribute

Assign cn (full user name) or sAMAccountName to the user identifying attribute.

The setup examples are as follows:

Example 1: cn is used as the user identifying attribute.
com.cosminexus.admin.auth.ldap.attr.userid.0=cn

Example 2: sAMAccountName is used as the user identifying attribute.
com.cosminexus.admin.auth.ldap.attr.userid.0=sAMAccountName

When the user identifying attribute is set to sAMAccountName, it is necessary to search repository user entries (RDN). The following is the setting example of properties needed for the search.

Example:
java.naming.security.principal.0=cn=Administrator,cn=Users,dc=cosminexus,dc=com
java.naming.security.credentials.0=adminpassword
com.cosminexus.admin.auth.ldap.search.userrdn.0=true
com.cosminexus.admin.auth.ldap.search.scope.0=onelevel

When the user identifying attribute is set to sAMAccountName, it is not possible to use the addUserData (String uid, UserData userData) method of the LdapUserDataManager class. To add users, use the addUserData (String uid, UserData userData, String name, String value) method and assign cn to the attribute name argument (String name).

(b) Specifying the attribute name used as the user ID in the DN (when using client certificates)

When client certificates are used, disassemble the DNs stored in the client certificates (requesting user's distinguished names in the client certificates) and set the attribute names used as the user IDs. The setup example is as follows:

Example:
com.cosminexus.admin.auth.ldap.certificate.attr.userid.0=cn

The above attribute name is different from the user identifying attribute specified in (a) Specifying the user identifying attribute.

(c) Specifying the password attribute (when using password authentication)

Assign unicodePwd to the password attribute. The setup example is as follows:

Example:
com.cosminexus.admin.auth.ldap.attr.password.0=unicodePwd
(d) Specifying the type of LDAP directory server (when using password authentication)

Add a line that specifies AD as the type of destination LDAP directory server. The following is an example of when the LDAP number is 0.

Example:
com.cosminexus.admin.auth.ldap.directory.kind.0=AD
(e) Converting the DN containing two-byte characters such as Japanese characters

When the DN containing two-byte characters such as Japanese characters is set to the following ua.conf parameters, use the native2ascii command to convert it to Unicode.

The following is the executable form of the native2ascii command.

Executable form
Cosminexus installation directory\jdk\bin\native2ascii pre-converted ua.conf file converted ua.conf file

Use the converted ua.conf file as the integrated user management configuration file.

An example of code conversion is as follows.

Example:
The following are the procedures used to convert a0.conf, the ua.conf file containing the DN setting.
 
java.naming.security.principal.0=cn=Administrator,cn=[Figure],dc=cosminexus,dc=co
com.cosminexus.admin.auth.ldap.basedn.0=cn=[Figure],dc=cosminexus,dc=com
Execute the following native2ascii command against ua0.conf.
native2ascii ua0.conf ua.conf
(f) Changing the URL protocol

Specify ldaps as the URL protocol of the destination LDAP directory server. The setup example is as follows. Note that the port number can be omitted.

Example:
Before: java.naming.provider.url.0=ldap://localhost:389
After: java.naming.provider.url.0=ldaps://localhost:636

(3) Setting connections over SSL

Register the certificate to establish SSL communication between the J2EE server and Active Directory. The following describes how to register the certificate.

  1. Create and register the digital certificate to the server on which Active Directory is installed (LDAP server).
    For details about how to create and register digital certificates, see the Active Directory documentation.
  2. Register the certificate authority (CA) certificate to the J2EE server.
    The CA certificate can be registered to the J2EE server by using keytool, which comes with Cosminexus Developer's Kit for Java. For details about keytool, see the Java 2 SDK Standard Edition documentation. The following is an example of executing keytool. Although the example is composed of multiple lines, the actual statement is in one line.
    Windows:
    keytool -import -alias cakey -file C:\temp\cacer.cer -trustcacerts -keystore 
"Cosminexus installation directory\jdk\jre\lib\security\cacerts"
    UNIX:
    /opt/Cosminexus/jdk/bin/keytool -import -alias cakey -file /tmp/cacer.cer 
-trustcacerts -keystore /opt/Cosminexus/jdk/jre/lib/security/cacerts

If the J2EE server is running when registering the certificate by using keytool, restart the J2EE server.

(4) Notes

Please note:

[Contents][Back][Next]

[Trademarks]

All Rights Reserved. Copyright (C) 2013, Hitachi, Ltd