Hitachi

uCosminexus Application Server Security Management Guide


5.16.4 Settings when using Active Directory

This section describes the settings when Active Directory is used as the LDAP directory server.

When the integrated user management framework library is used to register users to the user information repository and update the user information (including user passwords), it is necessary to set the Active Directory environment and register the certificate that enables connections over SSL.

The following table shows the settings when Active Directory is used as the LDAP directory server. The settings depend on the user authentication method being used.

Table 5‒14: List of settings when using Active Directory

  Setting                                           Password        Change password and   Client authentication
                                                    authentication  add/change user       (X509 certificate)
  ------------------------------------------------  --------------  --------------------  ---------------------
  jaas.conf
    Specify the necessary login module              R               R                     R
    Specify the login module option                 O               R                     --
  ua.conf
    Specify the user identifying attribute          R               R                     R
    Specify the attribute name used as the user ID  --              --                    R
      in the DN
    Specify the password attribute                  R               R                     --
    Specify the type of LDAP directory server       R               R                     --
    Convert the DN containing 2-byte characters     O               O                     O
      such as Japanese
    Change the URL protocol                         O               R                     O
  Connections over SSL                              O               R                     O

Legend:

R: Required

O: Optional

--: Not required (the settings are ignored.)

The methods used to set the Active Directory environment and register the certificate that enables connections over SSL are as follows.

Tip

The object class and attributes of the users managed in Active Directory are different from those managed in other LDAP directory servers. When the integrated user management framework library is used, use the user object class and specify the cn, unicodePwd, sAMAccountName, and userAccountControl attributes to create that user.

Assign the security account manager (SAM) account name to sAMAccountName. Generally, the account name is the same value as the user ID.

Assign the user account property flag to userAccountControl. To create the general user entry, assign 512. Note that users cannot be created when the minimum password length is set to one character in the security policy of the server on which Active Directory is installed. Take either of the following measures so that user entries can be created.

  • Change the minimum password length to zero or more characters in the security policy and then assign 512 to userAccountControl.

  • Assign 544 to userAccountControl without changing the minimum password length in the security policy.
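The following Python script is an added example, not code from the uCosminexus framework or this manual. It assembles the attribute values for the user entry that the Tip above describes (object class user, with cn, unicodePwd, sAMAccountName and userAccountControl). The attribute names come from the Tip; the double-quoted UTF-16LE encoding of unicodePwd and the meaning of the bits 512 and 32 are Active Directory's documented behaviour. The user ID, name and password values are constructed, and nothing is sent to a directory: the function returns the attributes of the add request so they can be inspected or handed to an LDAP client.

```python
"""Added example (not uCosminexus or Hitachi code): build the attribute set
that the Tip above requires for a new Active Directory user entry."""
from __future__ import annotations

# userAccountControl flag bits relevant to the Tip
NORMAL_ACCOUNT = 0x0200  # 512: an ordinary user account
PASSWD_NOTREQD = 0x0020  # 32: the account is exempt from the password-required policy
UAC_FLAG_NAMES = {NORMAL_ACCOUNT: "NORMAL_ACCOUNT", PASSWD_NOTREQD: "PASSWD_NOTREQD"}

SAM_ACCOUNT_NAME_MAX = 20  # Active Directory limit for a user's sAMAccountName


def encode_unicode_pwd(password: str) -> bytes:
    """Encode a password the way Active Directory expects it in unicodePwd.

    AD accepts the attribute only as the password wrapped in double quotes and
    encoded as UTF-16LE, and only over an SSL/TLS connection, which is why
    Table 5-14 marks ldaps and the SSL connection as required for updates.
    """
    return f'"{password}"'.encode("utf-16-le")


def ad_user_attributes(uid: str, full_name: str, password: str,
                       allow_empty_password: bool = False) -> dict[str, list[bytes]]:
    """Return the attributes of an LDAP add request for a new AD user.

    uid becomes sAMAccountName (the SAM account name, normally the same as the
    user ID) and full_name becomes cn. allow_empty_password=False gives
    userAccountControl 512; True gives 544 (512 | 32), the Tip's second option,
    which works without lowering the minimum password length because
    PASSWD_NOTREQD exempts the account from that policy.
    """
    if not uid or len(uid) > SAM_ACCOUNT_NAME_MAX:
        raise ValueError(f"sAMAccountName must be 1..{SAM_ACCOUNT_NAME_MAX} characters")
    uac = NORMAL_ACCOUNT | (PASSWD_NOTREQD if allow_empty_password else 0)
    return {
        "objectClass": [b"user"],
        "cn": [full_name.encode("utf-8")],
        "sAMAccountName": [uid.encode("utf-8")],
        "unicodePwd": [encode_unicode_pwd(password)],
        "userAccountControl": [str(uac).encode("ascii")],
    }


def describe_uac(value: int) -> list[str]:
    """Name the flag bits set in a userAccountControl value (known bits only)."""
    return [name for bit, name in UAC_FLAG_NAMES.items() if value & bit]


if __name__ == "__main__":
    # Constructed sample values
    attrs = ad_user_attributes("user001", "Example User", "Str0ng-Passw0rd!")
    for name, values in attrs.items():
        print(name, values)
    print("512 ->", describe_uac(512))
    print("544 ->", describe_uac(544))
```

Because 544 sets PASSWD_NOTREQD, an entry created with it is also exempt from the password-required policy afterwards; the first measure in the Tip (adjust the policy and use 512) leaves the account under the normal policy, so the function defaults to 512.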


(1) Setting jaas.conf

The settings in jaas.conf are as follows.

(a) Designating the login module

Specify WebPasswordLDAPLoginModule when password authentication is used. To use client certificates, specify WebCertificateLoginModule.

(b) Specifying the login module option (when using password authentication)

Assign ldap.w to the WebPasswordLDAPLoginModule option. Or, assign sso.ldap.w when single sign-on is used.

(2) Setting ua.conf

The settings in ua.conf are as follows.

(a) Specifying the user identifying attribute

Assign cn (full user name) or sAMAccountName to the user identifying attribute.

The setup examples are as follows:

Example 1: cn is used as the user identifying attribute.
com.cosminexus.admin.auth.ldap.attr.userid.0=cn

Example 2: sAMAccountName is used as the user identifying attribute.
com.cosminexus.admin.auth.ldap.attr.userid.0=sAMAccountName

When the user identifying attribute is set to sAMAccountName, the RDN of the user entry must be searched for in the repository. The following is a setting example of the properties needed for that search.

Example:
java.naming.security.principal.0=cn=Administrator,cn=Users,dc=cosminexus,dc=com
java.naming.security.credentials.0=adminpassword
com.cosminexus.admin.auth.ldap.search.userrdn.0=true
com.cosminexus.admin.auth.ldap.search.scope.0=onelevel

When the user identifying attribute is set to sAMAccountName, it is not possible to use the addUserData (String uid, UserData userData) method of the LdapUserDataManager class. To add users, use the addUserData (String uid, UserData userData, String name, String value) method and assign cn to the attribute name argument (String name).

(b) Specifying the attribute name used as the user ID in the DN (when using client certificates)

When client certificates are used, the DN stored in the client certificate (the distinguished name of the requesting user) is broken down into its attributes, and you specify the name of the attribute whose value is used as the user ID. The setup example is as follows:

Example:
com.cosminexus.admin.auth.ldap.certificate.attr.userid.0=cn

The above attribute name is different from the user identifying attribute specified in (a) Specifying the user identifying attribute.

(c) Specifying the password attribute (when using password authentication)

Assign unicodePwd to the password attribute. The setup example is as follows:

Example:
com.cosminexus.admin.auth.ldap.attr.password.0=unicodePwd

(d) Specifying the type of LDAP directory server (when using password authentication)

Add a line that specifies AD as the type of destination LDAP directory server. The following is an example of when the LDAP number is 0.

Example:
com.cosminexus.admin.auth.ldap.directory.kind.0=AD

(e) Changing the URL protocol

Specify ldaps as the URL protocol of the destination LDAP directory server. The setup example is as follows. Note that the port number can be omitted.

Example:

Before: java.naming.provider.url.0=ldap://localhost:389

After: java.naming.provider.url.0=ldaps://localhost:636
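As an added example (not code from the uCosminexus framework or this manual), the following Python script checks one LDAP number in a ua.conf fragment against the rules of Table 5-14 and of (a) to (e) above. The property keys are the ones shown in the examples above; the sample ua.conf text, the host name dc01.example.test and the way the table is encoded as checks are constructed here, so the script is a reading aid for the table rather than the product's own validation.

```python
"""Added example (not uCosminexus or Hitachi code): check one LDAP number in a
ua.conf fragment against the Active Directory rules of Table 5-14 and (2)(a)-(e)."""
from __future__ import annotations

from urllib.parse import urlsplit

PREFIX = "com.cosminexus.admin.auth.ldap."
MODES = ("password", "update", "certificate")

# Constructed sample: LDAP number 0 configured for password authentication over
# plain ldap://. Valid for authentication, incomplete for password/user updates.
SAMPLE_UA_CONF = """\
# ua.conf (constructed sample)
com.cosminexus.admin.auth.ldap.attr.userid.0=sAMAccountName
com.cosminexus.admin.auth.ldap.attr.password.0=unicodePwd
com.cosminexus.admin.auth.ldap.directory.kind.0=AD
com.cosminexus.admin.auth.ldap.search.userrdn.0=true
com.cosminexus.admin.auth.ldap.search.scope.0=onelevel
java.naming.provider.url.0=ldap://dc01.example.test:389
"""


def parse_properties(text: str) -> dict[str, str]:
    """Minimal reader for key=value property files; '#' and '!' start comments."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_ad_settings(props: dict[str, str], mode: str, n: int = 0) -> list[str]:
    """Return a list of findings (an empty list means the settings satisfy the table).

    mode is "password" (password authentication), "update" (change password,
    add/change user) or "certificate" (client authentication with an X.509
    certificate); n is the LDAP number used as the property suffix.
    """
    if mode not in MODES:
        raise ValueError(f"mode must be one of {MODES}, got {mode!r}")
    findings: list[str] = []
    userid = props.get(f"{PREFIX}attr.userid.{n}")
    url = props.get(f"java.naming.provider.url.{n}", "")
    scheme = urlsplit(url).scheme.lower()

    # (a) The user identifying attribute is required in every column of the table.
    if userid not in ("cn", "sAMAccountName"):
        findings.append(f"attr.userid.{n} must be cn or sAMAccountName (got {userid!r})")
    elif userid == "sAMAccountName" and props.get(f"{PREFIX}search.userrdn.{n}") != "true":
        findings.append(f"search.userrdn.{n}=true is needed when attr.userid.{n} is sAMAccountName")

    if mode == "certificate":
        # (b) Only client-certificate authentication needs the DN attribute name.
        if not props.get(f"{PREFIX}certificate.attr.userid.{n}"):
            findings.append(f"certificate.attr.userid.{n} is required for client certificates")
    else:
        # (c) and (d) are required for password authentication and for updates.
        if props.get(f"{PREFIX}attr.password.{n}") != "unicodePwd":
            findings.append(f"attr.password.{n} must be unicodePwd for Active Directory")
        if props.get(f"{PREFIX}directory.kind.{n}") != "AD":
            findings.append(f"directory.kind.{n} must be AD")

    # (e) ldaps is optional for authentication but required to change passwords
    # or add/change users (Active Directory only accepts unicodePwd writes over SSL/TLS).
    if not url:
        findings.append(f"java.naming.provider.url.{n} is missing")
    elif mode == "update" and scheme != "ldaps":
        findings.append(f"java.naming.provider.url.{n} must use ldaps:// for updates (got {scheme}://)")
    return findings


if __name__ == "__main__":
    props = parse_properties(SAMPLE_UA_CONF)
    for mode in MODES:
        print(mode, check_ad_settings(props, mode) or ["OK"])
```

Run against the sample, the "password" column passes, the "update" column reports only the missing ldaps URL, and the "certificate" column reports the missing com.cosminexus.admin.auth.ldap.certificate.attr.userid.0; changing the URL to ldaps://dc01.example.test:636 clears the update finding, matching the Before/After example above.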

(3) Setting connections over SSL

Register the certificate to establish SSL communication between the J2EE server and Active Directory. The following describes how to register the certificate.

  1. Create and register the digital certificate to the server on which Active Directory is installed (LDAP server).

    For details about how to create and register digital certificates, see the Active Directory documentation.

  2. Register the certificate authority (CA) certificate to the J2EE server.

    The CA certificate can be registered to the J2EE server by using keytool, which comes with Cosminexus Developer's Kit for Java. For details about keytool, see the Java 2 SDK Standard Edition documentation. The following is an example of executing keytool. Although the example is composed of multiple lines, the actual statement is in one line.

    Windows:

    keytool -import -alias cakey -file C:\temp\cacer.cer -trustcacerts -keystore 
    "Cosminexus installation directory\jdk\lib\security\cacerts"

    UNIX:

    /opt/Cosminexus/jdk/bin/keytool -import -alias cakey -file /tmp/cacer.cer 
    -trustcacerts -keystore /opt/Cosminexus/jdk/lib/security/cacerts

If the J2EE server is running when registering the certificate by using keytool, restart the J2EE server.

(4) Notes

Please note: