HSSM Active Directory or LDAP Authentication

Whenever you want to authenticate against an LDAP or Active Directory server instead of the built-in HSSM user database, you have to modify login-handler.xml.

Changes in the Login handler for using MS Active Directory

Make a copy of the original login-handler.xml before proceeding.

You can change back to the original login handler by swapping the modified file for the original copy and restarting the AppStorManager service.

First create a domain user in AD (normal procedure, e.g. net user hssm <pwd> /add /domain). Do not give this user "Domain Admin" rights in the Windows domain; an ordinary domain user that can authenticate is all HSSM needs.

Put that user, in domain\username format, in the AdminAccountName element of the XML file.

Comment out the default (database) LoginHandlerClass/LoginHandlerType lines and uncomment the Active Directory ones, so the login handler looks at AD for authentication, then fill in the PrimaryServer and SearchBase for your domain. (See the file below. In the original page the changed pieces were highlighted in red, which does not survive here; the site-specific values are AdminAccountName, the handler class/type lines, PrimaryServer and SearchBase.) Note that the sample uses <ssl>false</ssl> on port 389, so every user's password is sent to the domain controller in cleartext; if the domain controller offers LDAPS, set <ssl>true</ssl> and port="636" instead.

Restart the AppStorManager service.

Log in using the username (domain\username) you created for the mapping. This user now has Admin rights within HSSM; in the example below it is hdsnl\hssm. The original HSSM admin username is no longer in use.

Now add users in HSSM in the domain\username format. (Beware that Active Directory user names are not case sensitive, while other LDAP directories may be; the CaseSensitiveUserName setting in the file should match your directory.)

No password needs to be set in HSSM for these users, because authentication is delegated to the AD domain controllers.

---------------------------------------------------------------------------------------------

<?xml version="1.0" encoding="ISO-8859-1"?>
<LoginHandler>
  <AdminAccountName>hdsnl\hssm</AdminAccountName>
  <!-- for the default, using database for authentication -->
  <!-- <LoginHandlerClass>com.appiq.security.server.BasicLoginHandler</LoginHandlerClass> -->
  <!-- LoginHandlerType>Default</LoginHandlerType -->
  <!-- uncomment the following to enable Active Directory login -->
  <LoginHandlerClass>com.appiq.security.server.ActiveDirectoryLoginHandler</LoginHandlerClass>
  <LoginHandlerType>ActiveDirectory</LoginHandlerType>

  <ActiveDirectory>
    <PrimaryServer port="389">172.10.10.1</PrimaryServer>
    <!-- <SecondaryServer>172.10.10.1</SecondaryServer> -->
    <ssl>false</ssl>
    <ShadowPassword>false</ShadowPassword>
    <CaseSensitiveUserName>false</CaseSensitiveUserName>
    <!-- provide SearchBase if full name and email attribute are to be synchronized
         between ActiveDirectory and the database -->
    <SearchBase>DC=HDSNL,DC=COM</SearchBase>
    <FullNameAttribute>displayName</FullNameAttribute>
    <EmailAttribute>mail</EmailAttribute>
  </ActiveDirectory>

  <!-- uncomment the following for generic LDAP login
  <LoginHandlerClass>com.appiq.security.server.LdapLoginHandler</LoginHandlerClass>
  <LoginHandlerType>LDAP</LoginHandlerType>
  -->
  <LDAP>
    <!-- same as java.naming.provider.url ldap://appiqdc02.appiq.com:389 -->
    <Server port="389">directory.hp.com</Server>
    <!-- LDAP env can be added, an example is shown below...
      <LDAPEnv name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</LDAPEnv>
    -->
    <ssl>false</ssl>
    <ShadowPassword>false</ShadowPassword>
    <CaseSensitiveUserName>false</CaseSensitiveUserName>
    <!-- multiple DN entries are allowed, they will be tried one at a time -->
    <DN>CN=$NAME$,OU=Engineering,DC=HP,OU=US,DC=COM</DN>
    <!-- provide FullNameAttribute and EmailAttribute if full name and email attribute
         are to be synchronized between LDAP and the database -->
    <FullNameAttribute>displayName</FullNameAttribute>
    <EmailAttribute>mail</EmailAttribute>
  </LDAP>
</LoginHandler>
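As an added pre-flight check for the procedure above and for the file just shown (example code written for this page, not part of HSSM or the vendor's files), the following Python script parses a login-handler.xml and reports the things the procedure depends on before you restart AppStorManager: that exactly one LoginHandlerClass/LoginHandlerType pair is left uncommented and that the two agree, that AdminAccountName is in domain\username form, whether the active section binds without <ssl> (the password then crosses the network in cleartext) or uses ssl on a port that is not an LDAPS port, and, for the ActiveDirectory handler, that SearchBase is present when attribute sync is configured. The embedded sample is a condensed copy of the file above; the LDAPS port numbers 636/3269 and the mapping from LoginHandlerType to class name (read off the comments in the file) are the script's own assumptions. Commented-out elements are dropped by the XML parser, which is exactly what makes the "one active handler" check work.

```python
"""Pre-flight checks for an HSSM login-handler.xml (example, not vendor code)."""
import re
import xml.etree.ElementTree as ET

# Condensed copy of the Active Directory configuration shown on this page.
SAMPLE_AD_CONFIG = r"""<?xml version="1.0" encoding="ISO-8859-1"?>
<LoginHandler>
  <AdminAccountName>hdsnl\hssm</AdminAccountName>
  <!-- <LoginHandlerClass>com.appiq.security.server.BasicLoginHandler</LoginHandlerClass> -->
  <LoginHandlerClass>com.appiq.security.server.ActiveDirectoryLoginHandler</LoginHandlerClass>
  <LoginHandlerType>ActiveDirectory</LoginHandlerType>
  <ActiveDirectory>
    <PrimaryServer port="389">172.10.10.1</PrimaryServer>
    <ssl>false</ssl>
    <ShadowPassword>false</ShadowPassword>
    <CaseSensitiveUserName>false</CaseSensitiveUserName>
    <SearchBase>DC=HDSNL,DC=COM</SearchBase>
    <FullNameAttribute>displayName</FullNameAttribute>
    <EmailAttribute>mail</EmailAttribute>
  </ActiveDirectory>
</LoginHandler>
"""

# Same file with the transport hardened: LDAPS on 636 instead of a cleartext bind on 389.
HARDENED_AD_CONFIG = (SAMPLE_AD_CONFIG
                      .replace('<PrimaryServer port="389">', '<PrimaryServer port="636">')
                      .replace('<ssl>false</ssl>', '<ssl>true</ssl>'))

# LoginHandlerType -> class name, taken from the comments in the stock file (assumption).
HANDLER_CLASSES = {
    "Default": "com.appiq.security.server.BasicLoginHandler",
    "ActiveDirectory": "com.appiq.security.server.ActiveDirectoryLoginHandler",
    "LDAP": "com.appiq.security.server.LdapLoginHandler",
}
LDAPS_PORTS = {"636", "3269"}  # LDAPS and global-catalog-over-SSL (assumption)


def check_login_handler(xml_text) -> list:
    """Return a list of findings; an empty list means the file passed every check."""
    # The stock file declares ISO-8859-1; feed bytes so expat honours the declaration.
    data = xml_text if isinstance(xml_text, bytes) else xml_text.encode("iso-8859-1")
    root = ET.fromstring(data)
    findings = []

    # 1. Exactly one uncommented handler pair, and class and type must agree.
    classes = [(e.text or "").strip() for e in root.findall("LoginHandlerClass")]
    types = [(e.text or "").strip() for e in root.findall("LoginHandlerType")]
    if len(classes) != 1 or len(types) != 1:
        findings.append("expected exactly one active LoginHandlerClass/LoginHandlerType, "
                        f"found {len(classes)}/{len(types)}")
        return findings
    handler = types[0]
    if HANDLER_CLASSES.get(handler) != classes[0]:
        findings.append(f"LoginHandlerType {handler} does not match class {classes[0]}")

    # 2. With AD/LDAP the admin account must be domain-qualified (domain\username).
    admin = (root.findtext("AdminAccountName") or "").strip()
    if handler != "Default" and not re.fullmatch(r"[^\\\s]+\\[^\\\s]+", admin):
        findings.append(f"AdminAccountName '{admin}' is not in domain\\username form")

    # 3. Transport and section-specific checks on the active <ActiveDirectory>/<LDAP> block.
    section = root.find(handler) if handler != "Default" else None
    if section is not None:
        ssl_on = (section.findtext("ssl") or "false").strip().lower() == "true"
        servers = (section.findall("PrimaryServer") + section.findall("SecondaryServer")
                   + section.findall("Server"))
        for srv in servers:
            host, port = (srv.text or "").strip(), srv.get("port", "389")
            if not ssl_on:
                findings.append(f"{srv.tag} {host}:{port} binds without ssl; "
                                "the user's password crosses the network in cleartext")
            elif port not in LDAPS_PORTS:
                findings.append(f"{srv.tag} {host} uses ssl but port {port} is not an LDAPS port")
        if handler == "LDAP" and not section.findall("DN"):
            findings.append("LDAP section has no DN template")
        wants_sync = section.findtext("FullNameAttribute") or section.findtext("EmailAttribute")
        if handler == "ActiveDirectory" and wants_sync and not section.findtext("SearchBase"):
            findings.append("FullNameAttribute/EmailAttribute set but SearchBase is missing")
    return findings


if __name__ == "__main__":
    import sys
    from pathlib import Path
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE_AD_CONFIG
    problems = check_login_handler(data)
    print("\n".join(problems) or "login-handler.xml passed all checks")
    sys.exit(1 if problems else 0)
```

Run it as `python check_login_handler.py <path to login-handler.xml>` after editing and before restarting the service; with no argument it checks the embedded sample, which fails only on the cleartext bind, while the hardened variant passes cleanly.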