Configuring Server Properties - Security


Introduction

LDAP Connection Properties

Direct LDAP Connection Properties

Gateway LDAP Connection Properties

Legacy LDAP Properties

Advanced Security Properties


See also: Server Administration Application Home Page, User Authentication

Introduction

Click the Save button at the bottom of the page to save the properties. They are saved to the file security.properties in the ebaseConf folder of the web application, e.g. userdata/apps/<webappname>/ebaseConf/security.properties. Because this file holds the LDAP bind password (Ldap.BindPassword), restrict read access to it to the account that runs the application server, and keep it out of source control and of backups that are shared more widely.

 

LDAP Connection Properties

These properties are used to connect to an LDAP server, e.g. Active Directory. These properties are used by:


Direct LDAP Connection Properties

These properties are relevant when connecting directly to an LDAP service.

Each entry below gives the label shown in the administration application, the property name written to security.properties, whether a change requires a restart, and a description.

Gateway Connection
    Property name: (none)
    Requires restart: No
    Leave this unchecked when connecting directly to an LDAP service.

Protocol
    Property name: Ldap.protocol
    Requires restart: No
    One of:
      • ldap: clear text. A simple bind sends the Binding Password, and every search result, unencrypted over the network, so this is not recommended when communicating between different servers.
      • ldaps: LDAP over TLS (SSL). All data, including the bind credentials, is encrypted. The LDAP server's certificate must be trusted by the application server's trust store, otherwise the connection fails.

Registry Host
    Property name: Ldap.RegistryHost
    Requires restart: No
    Hostname or IP address of the LDAP registry system.

Registry Port
    Property name: Ldap.RegistryPort
    Requires restart: No
    Port used by the LDAP registry system. The default is 389, the standard port for plain ldap. The standard port for ldaps is 636, so set this explicitly when Protocol is ldaps.

Registry URL
    Property name: Ldap.RegistrUrl
    Requires restart: No
    The URL used to access the LDAP registry system. If specified, this overrides the Registry Host and Registry Port properties, e.g. ldaps://hostname:636. Note that 389 is the plain ldap port, so an ldaps URL on port 389 is almost always a configuration mistake.

Binding Distinguished Name
    Property name: Ldap.BindDistinguishedName
    Requires restart: No
    The full DN used by the system to connect to the repository. This parameter supplies the "userid" for connections to the LDAP registry; Active Directory also accepts a user principal name (user@domain) here. If not specified, the system binds anonymously. Note that anonymous binding is only supported by LDAP V3 systems, and many directories, Active Directory by default among them, do not permit anonymous searches. Use a dedicated read-only directory account with no other privileges, since its password is stored in security.properties.

Binding Password
    Property name: Ldap.BindPassword
    Requires restart: No
    The password used with the Binding Distinguished Name to connect to the repository.

Base Distinguished Name
    Property name: Ldap.BaseDistinguishedName
    Requires restart: No
    The DN suffix applied to all LDAP attribute searches: one or more key=value pairs separated by commas, specified in reverse order of the LDAP hierarchy tree, i.e. the tree root appears last.

    This parameter should specify the lowest point in the directory tree that is common to all userid searches, e.g. if your registry contains a number of paths containing userid definitions, specify a point in the directory that is common to all of them. The system uses subtree scope for directory searches, so the root of the directory could be specified if necessary, but the narrowest common base is preferable: it keeps searches fast and stops entries outside the user containers from matching a lookup.

User Key Attribute Name
    Property name: Ldap.UserKeyAttributeName
    Requires restart: No
    The user attribute used to search the registry for user data. This attribute must uniquely identify the user within the base DN. The default is cn; use sAMAccountName with Active Directory, where cn is only unique within its container.

 

Sample LDAP properties needed to connect to Active Directory using LDAPServices:

Ldap.RegistryHost=ebt9999

Ldap.BaseDistinguishedName=ou=development,o=ebase

Ldap.UserKeyAttributeName=sAMAccountName

Ldap.BindDistinguishedName=Admin@ebase

Ldap.BindPassword=xxxxx

The sample binds with a user principal name (Admin@ebase), which Active Directory accepts in place of a full DN for a simple bind. It sets neither Protocol nor Registry Port; for a directory on another host add Ldap.protocol=ldaps and Ldap.RegistryPort=636 so that the bind password is not sent in clear text.

Click the Test LDAP Connection button to test the parameters above. Note that this tests that the provided user (Binding Distinguished Name) and password are valid, but not whether that user is authorised to perform searches, and the User Key Attribute Name property is not tested either. A successful test therefore does not guarantee that user lookups will work; verify a real user lookup as well.
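As a practitioner's check on these settings, the following script (added here; it is not part of Verj.io or its documentation) parses the LDAP properties from a security.properties file, works out the effective connection the way the page describes it (Registry URL overriding Registry Host and Registry Port), reports weak settings such as clear-text ldap between hosts, ldaps paired with port 389, or an anonymous bind, and builds the user lookup filter with RFC 4515 escaping so that a userid containing filter metacharacters cannot change the query. The escaping goes beyond what the page states. The sample properties are the ones shown above, constructed inline; the hardened variant, the local-host list and the treatment of an unset Ldap.protocol as plain ldap are the example's own assumptions.

```python
"""Lint the LDAP section of a Verj.io/Ebase security.properties file.

Added example, not product code. Property names are the ones documented on
the page; treating an unset Ldap.protocol as plain ldap is an assumption.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: the Active Directory properties shown on this page.
SAMPLE_PROPERTIES = """\
Ldap.RegistryHost=ebt9999
Ldap.BaseDistinguishedName=ou=development,o=ebase
Ldap.UserKeyAttributeName=sAMAccountName
Ldap.BindDistinguishedName=Admin@ebase
Ldap.BindPassword=xxxxx
"""
# Constructed hardened variant: explicit ldaps on the standard TLS port.
HARDENED_PROPERTIES = SAMPLE_PROPERTIES + "Ldap.protocol=ldaps\nLdap.RegistryPort=636\n"

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}  # assumption: clear text is tolerable only here


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value or key:value, '#'/'!' comments.
    Line continuations and unicode escapes are not handled."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def effective_url(props):
    """(scheme, host, port) as the page describes: Registry URL (property spelt
    Ldap.RegistrUrl in the documentation) overrides host and port."""
    url = props.get("Ldap.RegistrUrl")
    if url:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        return scheme, parts.hostname, parts.port or (636 if scheme == "ldaps" else 389)
    scheme = props.get("Ldap.protocol", "ldap").lower()  # assumption: unset means ldap
    return scheme, props.get("Ldap.RegistryHost"), int(props.get("Ldap.RegistryPort", "389"))


def lint(props):
    """Return a list of findings; an empty list means nothing weak was spotted."""
    findings = []
    scheme, host, port = effective_url(props)
    if "Ldap.protocol" not in props and "Ldap.RegistrUrl" not in props:
        findings.append("Ldap.protocol not set: set it to ldaps explicitly")
    if scheme == "ldap" and host not in LOCAL_HOSTS:
        findings.append("clear-text ldap to %s: a simple bind sends Ldap.BindPassword "
                        "and all search results unencrypted; use ldaps" % host)
    if scheme == "ldaps" and port == 389:
        findings.append("ldaps on port 389: that is the plain ldap port, ldaps normally uses 636")
    if scheme == "ldap" and port == 636:
        findings.append("ldap on port 636: 636 is the ldaps port, protocol and port disagree")
    if not props.get("Ldap.BindDistinguishedName"):
        findings.append("no Ldap.BindDistinguishedName: anonymous bind, which Active Directory "
                        "refuses for searches by default")
    elif not props.get("Ldap.BindPassword"):
        findings.append("Ldap.BindDistinguishedName set without Ldap.BindPassword")
    base = props.get("Ldap.BaseDistinguishedName", "")
    rdns = re.split(r"(?<!\\),", base)  # split on commas that are not escaped
    if not base:
        findings.append("no Ldap.BaseDistinguishedName: subtree searches start at the directory root")
    elif not all(re.match(r"\s*[A-Za-z][\w-]*\s*=\s*\S", rdn) for rdn in rdns):
        findings.append("Ldap.BaseDistinguishedName is not a list of key=value pairs: %r" % base)
    if "Ldap.UserKeyAttributeName" not in props:
        findings.append("Ldap.UserKeyAttributeName not set (default cn): use sAMAccountName for AD")
    return findings


# RFC 4515 escaping for values placed inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied value so it cannot alter the filter (LDAP injection)."""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def user_search(props, userid):
    """The lookup the page describes: subtree search below the base DN on the key attribute."""
    attr = props.get("Ldap.UserKeyAttributeName", "cn")
    return {"base": props.get("Ldap.BaseDistinguishedName", ""), "scope": "SUBTREE",
            "filter": "(%s=%s)" % (attr, escape_filter_value(userid))}


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        p = parse_properties(text)
        print(name, effective_url(p), lint(p) or "OK")
    print(user_search(parse_properties(SAMPLE_PROPERTIES), "j*smith("))
```

Run against the page's own sample the script reports two findings (no explicit protocol, and clear-text ldap to ebt9999); the hardened variant reports none. The filter returned by user_search is what should reach the directory: a userid such as j*smith( becomes (sAMAccountName=j\2asmith\28) rather than a wildcard or a broken filter.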

Gateway LDAP Connection Properties

These properties are relevant when connecting to an LDAP service over a Gateway Tunnel.

Each entry below gives the label shown in the administration application, the property name written to security.properties, whether a change requires a restart, and a description.

Gateway Connection
    Property name: (none)
    Requires restart: No
    Check this when connecting to an LDAP service over a Gateway Tunnel.

Gateway
    Property name: (none)
    Requires restart: No
    Select the Verj.io Gateway.

Gateway Tunnel
    Property name: (none)
    Requires restart: No
    Select the Gateway Tunnel to use to connect to the LDAP service.

Binding Distinguished Name
    Property name: Ldap.BindDistinguishedName
    Requires restart: No
    The full DN used by the system to connect to the repository. This parameter supplies the "userid" for connections to the LDAP registry; Active Directory also accepts a user principal name (user@domain) here. If not specified, the system binds anonymously. Note that anonymous binding is only supported by LDAP V3 systems, and many directories, Active Directory by default among them, do not permit anonymous searches. Use a dedicated read-only directory account with no other privileges, since its password is stored in security.properties.

Binding Password
    Property name: Ldap.BindPassword
    Requires restart: No
    The password used with the Binding Distinguished Name to connect to the repository.

Base Distinguished Name
    Property name: Ldap.BaseDistinguishedName
    Requires restart: No
    The DN suffix applied to all LDAP attribute searches: one or more key=value pairs separated by commas, specified in reverse order of the LDAP hierarchy tree, i.e. the tree root appears last.

    This parameter should specify the lowest point in the directory tree that is common to all userid searches, e.g. if your registry contains a number of paths containing userid definitions, specify a point in the directory that is common to all of them. The system uses subtree scope for directory searches, so the root of the directory could be specified if necessary, but the narrowest common base is preferable.

User Key Attribute Name
    Property name: Ldap.UserKeyAttributeName
    Requires restart: No
    The user attribute used to search the registry for user data. This attribute must uniquely identify the user within the base DN. The default is cn; use sAMAccountName with Active Directory, where cn is only unique within its container.

 

Other than specifying a Gateway and Gateway Tunnel instead of configuring the Protocol, Registry Host, Registry Port and Registry URL, connecting to an LDAP service over a Gateway Tunnel is the same as connecting to it directly.

Legacy LDAP Properties

User Role Attribute Name
    Property name: Ldap.UserRoleAttributeName
    Requires restart: No
    This property applies only when one of the deprecated LDAP login modules is used. It specifies the attribute within the LDAP system that contains a comma-delimited list of security roles to be associated with the user.

Cache Refresh Period
    Property name: Ldap.CacheRefreshPeriod
    Requires restart: No
    This property applies only when LDAP User Attributes are used. It specifies the number of minutes cached attribute data is kept before it is treated as stale and refreshed from the LDAP registry system. The default is 0, meaning no refresh takes place, so changes made in the directory are not picked up for users whose attributes are already cached.


Advanced Security Properties

These properties all have default values that should rarely, if ever, be changed.

Logon Exit Servlet
    Property name: Ufs.logonExitServlet
    Requires restart: Yes
    Specifies the relative URL of the logon exit program. This defaults to LogonExitServlet and should not normally be changed.

Login Module Entry Name
    Property name: Ufs.loginModuleEntryName
    Requires restart: Yes
    This property applies only when the deprecated EbaseLogonExit program is used, and specifies the name of the login module entry.

User Manager Class Name
    Property name: Ufs.userManager
    Requires restart: Yes
    Specifies the class used for the authentication manager component. This provides the opportunity to replace the authentication manager component of the Verj.io Security system; any replacement class makes the product's authentication decisions and should be reviewed as security-critical code.

Authorization Manager Class Name
    Property name: Ufs.authorisationManager
    Requires restart: Yes
    Specifies the class used for the authorization manager component. This provides the opportunity to replace the authorization manager component of the Verj.io Security system; any replacement class makes the product's authorization decisions and should be reviewed as security-critical code.