Configuring Server Properties - Security

Introduction

Click the Save button at the bottom of the page to save the properties. These properties are saved to file security.properties in the ebaseConf folder of the web application e.g. userdata/apps/<webappname>/ebaseConf/security.properties.

LDAP Connection Properties

These properties are use to connect to an LDAP Server e.g. Active Directory. These properties are used by:

Windows User Authentication using Active Directory (see User Authentication)
com.ebasetech.xi.services.LDAPServices API class accessible from Javascript
LDAP User Attributes
LDAP Login Module (deprecated)

Direct LDAP Connection Properties

These properties are relevant when connecting directly to an LDAP service.

Label	Property Name	Requires Restart	Description
Gateway Connection		No	This should be unchecked if connecting directly to a LDAP service.
Protocol	Ldap.protocol	No	This can be either ldap - clear text and not secure. This is not recommended when communicating between different servers ldaps – uses SSL and TLS communication. All data will be encrypted
Registry Host	Ldap.RegistryHost	No	Hostname or ip address of the LDAP registry system.
Registry Port	Ldap.RegistryPort	No	Port used by the LDAP registry system. The default is 389.
Registry URL	Ldap.RegistrUrl	No	The URL used to access the LDAP registry system. If specified, this overrides properties Registry Host and Registry Port. e.g. ldaps://hostname:389

User Key Attribute Name	Ldap.UserKeyAttributeName	No	The user attribute used to search the registry for user data. This attribute should uniquely identify the user. Use sAMAccountName with Active Directory. The default is cn.
Binding Distinguished Name	Ldap.BindDistinguishedName	No	The full DN used by the system to connect to the repository. This parameter supplies the “userid” for connections to the LDAP Registry. If not specified, the system will bind as 'Anonymous'. Note that anonymous binding is only supported by LDAP V3 systems.
Binding Password	Ldap.BindPassword	No	The password to be used with the previous property to connect to the repository.
Base Distinguished Name	Ldap.BaseDistinguishedName	No	The DN suffix to be applied to all LDAP attribute searches. This will be one or more key=value pairs separated by commas which should be specified in reverse order of the LDAP hierarchy tree, i.e. tree root appears last. This parameter should specify the lowest point in the directory tree which is common for all userid searches e.g. if your registry contains a number of paths containing userid definitions, this parameter should specify a point in the directory that is common for all paths. The system searches use subtree scope for directory searches, so the root directory could be specified if necessary.
User Key Attribute Name	Ldap.UserKeyAttributeName	No	The user attribute used to search the registry for user data. This attribute should uniquely identify the user. Use sAMAccountName with Active Directory. The default is cn.

Sample LDAP properties needed to connect to Active Directory using LDAPServices:

Ldap.RegistryHost=ebt9999

Ldap.BaseDistinguishedName=ou=development,o=ebase

Ldap.UserKeyAttributeName=sAMAccountName

Ldap.BindDistinguishedName=Admin@ebase

Ldap.BindPassword=xxxxx

Click the Test LDAP Connection button to test the parameters above. Note that this will test that the provided user (Bind Distinguished Name) and password are valid, but will not test whether the user is authorised to perform searches. Also the User Key Attribute Name property is not tested.

Gateway LDAP Connection Properties

These properties are relevant when connecting to an LDAP service over a Gateway Tunnel.

Label	Property Name	Requires Restart	Description
Gateway Connection		No	This should be checked if connecting to a LDAP service over a Gateway Tunnel.
Gateway		No	Select the Verj.io Gateway.
Gateway Tunnel		No	Select the Gateway Tunnel to use to connect to the LDAP service.

User Key Attribute Name	Ldap.UserKeyAttributeName	No	The user attribute used to search the registry for user data. This attribute should uniquely identify the user. Use sAMAccountName with Active Directory. The default is cn.
Binding Distinguished Name	Ldap.BindDistinguishedName	No	The full DN used by the system to connect to the repository. This parameter supplies the “userid” for connections to the LDAP Registry. If not specified, the system will bind as 'Anonymous'. Note that anonymous binding is only supported by LDAP V3 systems.
Binding Password	Ldap.BindPassword	No	The password to be used with the previous property to connect to the repository.
Base Distinguished Name	Ldap.BaseDistinguishedName	No	The DN suffix to be applied to all LDAP attribute searches. This will be one or more key=value pairs separated by commas which should be specified in reverse order of the LDAP hierarchy tree, i.e. tree root appears last. This parameter should specify the lowest point in the directory tree which is common for all userid searches e.g. if your registry contains a number of paths containing userid definitions, this parameter should specify a point in the directory that is common for all paths. The system searches use subtree scope for directory searches, so the root directory could be specified if necessary.
User Key Attribute Name	Ldap.UserKeyAttributeName	No	The user attribute used to search the registry for user data. This attribute should uniquely identify the user. Use sAMAccountName with Active Directory. The default is cn.

Other than specifying a Gateway and Gateway Tunnel instead of configuring the Protocol, Registry Host, Registry Port and Registry URL, connecting to a LDAP service over a Gateway Tunnel is the same as connecting to it directly.

Legacy LDAP Properties

Label

Property Name

Requires

Restart

Description

User Role Attribute Name

Ldap.UserRoleAttributeName

This property applies only when one of the deprecated LDAP login modules are used. It specifies the attribute within the LDAP system that contains a comma delimited list of security roles to be associated with the user.

Cache Refresh Period

Ldap.CacheRefreshPeriod

This property applies only when LDAP User Attributes are used. It specifies the number of minutes cached attribute data is kept in the cache before it is treated as stale and refreshed from the LDAP registry system. The default is 0 (no refresh takes place).

Advanced Security Properties

These properties all have default values that should rarely, if ever, be changed.

Label	Property Name	Requires Restart	Description
Logon Exit Servlet	Ufs.logonExitServlet	Yes	Specifies the relative URL of the logon exit program. This defaults to LogonExitServlet and should not normally be changed.
Login Module Entry Name	Ufs.loginModuleEntryName	Yes	This property applies only when the deprecated EbaseLogonExit program is used, and specifies the name of the login module entry.
User Manager Class Name	Ufs.userManager	Yes	Specifies the class to be used for the authentication manager component. This provides the opportunity to replace the authentication manager component of the Verj.io Security system.
Authorization Manager Class Name	Ufs.authorisationManager	Yes	Specifies the class to be used for the authorization manager component. This provides the opportunity to replace the authorization manager component of the Verj.io Security system.