Enabling SSL
To enable the use of SSL for LDAP authentication:
1) Install the required certificate files on your WOW server.
Contact your LDAP administrator and acquire the certificate files needed for your server.
Determine the Java location used by Tomcat (if needed, run Monitor Tomcat => Configure).
Copy those certificate files to Java's security folder, e.g. C:\Program Files\Java\jre6\lib\security
Run the Windows Command Prompt.
(From the command prompt) Change the current directory to Java's security folder:
cd "C:\Program Files\Java\jre6\lib\security"
(From the command prompt) For each certificate file, run the keytool command to import the file:
"C:\Program Files\Java\jre6\bin\keytool" -import -trustcacerts -alias certfile1 -file certfile1.crt -keystore ./cacerts -storepass changeit
(From the command prompt) If there is more than one certificate file, repeat the above step for each additional file, changing the alias and file parameters.
Restart Tomcat (an application restart will not work; the JVM only reads cacerts at startup).
2) Change the port in the LDAP URL to the SSL port (default is 636).
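The import loop above, automated as an added example (this is not code from the original page or from the WOW product): a Python script that runs the same keytool import for every certificate file in a folder, derives the alias from the file name, and then asks keytool to list that alias so you can confirm the certificate actually landed in the cacerts of the JRE that Tomcat uses. The JRE path and the changeit store password are the page's own; the certificate folder C:\ldap-certs, the keytool.exe file name, the .cer extension and the use of -noprompt are assumptions. Run it from an administrator Command Prompt, then restart the Tomcat service.

```python
import ntpath
import subprocess

# Paths from the page's example. The JRE must be the one Tomcat actually runs
# (see Monitor Tomcat => Configure); importing into another JRE's cacerts has no effect.
JAVA_HOME = r"C:\Program Files\Java\jre6"
CERT_DIR = r"C:\ldap-certs"   # assumed folder holding the files from the LDAP administrator
STOREPASS = "changeit"        # default cacerts password shown on the page

# ntpath is used explicitly so the Windows paths are built the same way everywhere.


def keytool_path(java_home):
    return ntpath.join(java_home, "bin", "keytool.exe")


def cacerts_path(java_home):
    return ntpath.join(java_home, "lib", "security", "cacerts")


def alias_for(cert_file):
    """Derive a keystore alias from the file name: 'certfile1.crt' -> 'certfile1'."""
    return ntpath.splitext(ntpath.basename(cert_file))[0].lower()


def import_args(java_home, cert_file, storepass=STOREPASS):
    """Argument list for the import step on the page; -noprompt answers the
    'Trust this certificate?' question so the loop can run unattended."""
    return [keytool_path(java_home), "-import", "-trustcacerts", "-noprompt",
            "-alias", alias_for(cert_file), "-file", cert_file,
            "-keystore", cacerts_path(java_home), "-storepass", storepass]


def verify_args(java_home, alias, storepass=STOREPASS):
    """Argument list asking keytool whether the alias is now present in cacerts
    (keytool exits non-zero when the alias does not exist)."""
    return [keytool_path(java_home), "-list", "-alias", alias,
            "-keystore", cacerts_path(java_home), "-storepass", storepass]


def import_all(java_home, cert_dir, runner=subprocess.run):
    """Import every .crt/.cer file in cert_dir and confirm each alias is present.
    Returns {alias: True/False}. `runner` is injectable so the flow can be
    exercised without a JRE installed."""
    import os
    results = {}
    for name in sorted(os.listdir(cert_dir)):
        if not name.lower().endswith((".crt", ".cer")):
            continue
        cert_file = ntpath.join(cert_dir, name)
        runner(import_args(java_home, cert_file), check=False)
        check = runner(verify_args(java_home, alias_for(cert_file)), check=False)
        results[alias_for(cert_file)] = (check.returncode == 0)
    return results


if __name__ == "__main__":
    for alias, ok in import_all(JAVA_HOME, CERT_DIR).items():
        print(alias, "imported" if ok else "MISSING - check the keytool output")
    print("Restart the Tomcat service, then change the LDAP URL to the SSL port (636).")
```

The verification step is the part worth keeping even if you import by hand: a keytool import that was answered "no" at the trust prompt, or that was run against the wrong JRE, fails silently from Tomcat's point of view and only shows up later as an SSL handshake error at login.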
Restricting Group Access to a WOW Application
You can limit which users can sign into an application by designating a specific LDAP group or
list of groups. To designate specific groups, edit the application. In the application properties,
if the “LDAP” property group does not already exist, you’ll need to add it.
Configure Group Search Properties
First you’ll need to add search configuration properties for groups for your LDAP system
(used to search for/extract groups from the LDAP system). If needed, contact your LDAP
administrator for the correct configuration values:
groupSearchBase - The search base to use for LDAP groups. E.g. "ou=people,o=mycompany".
This parameter must be specified for group extraction.
groupKey - The group attribute key. The default is "groupMembership".
groupOrgUnit - The group organizational unit. E.g. "ou=groups,o=mycompany".
LDAP{ groupSearchBase: ou=people,o=mycompany;
groupKey: groupMembership; groupOrgUnit: ou=groups,o=mycompany;
}
Add Group Properties
Next, to designate the groups to restrict access to the application, add the “groups” property.
LDAP{ groupSearchBase: ou=people,o=mycompany;
groupKey: groupMembership; groupOrgUnit: ou=groups,o=mycompany;
groups:group1,group2;
}
If more than one group is to have access, separate them with commas. The list of
groups a user belongs to will be cross checked against the list of groups specified for
the groups property above.
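As an added example (not WOW's own code), the Python below shows the cross check this paragraph describes: it parses the LDAP property group text in the form shown above, reads the comma-separated groups property, and compares it with the groupMembership values returned for a user. It assumes that groupMembership holds full group DNs under groupOrgUnit, that the comparison is made on each group's cn value case-insensitively, and that an application without a groups property is simply not group-restricted; WOW's exact matching rules are not stated on this page. The sample property group and the sample user memberships are constructed.

```python
import re

# Constructed sample of the WOW "LDAP" property group, in the format shown on the page.
SAMPLE_PROPERTY_GROUP = """LDAP{ groupSearchBase: ou=people,o=mycompany;
groupKey: groupMembership; groupOrgUnit: ou=groups,o=mycompany;
groups:group1,group2;
}"""

# Constructed sample of a user's groupMembership attribute values (group DNs under groupOrgUnit).
SAMPLE_USER_MEMBERSHIP = [
    "cn=group2,ou=groups,o=mycompany",
    "cn=Everyone,ou=groups,o=mycompany",
]


def parse_property_group(text):
    """Parse 'NAME{ key: value; key: value; }' into (name, {key: value}).
    Values may contain ',' and '=' (DNs) but not ':' or ';'."""
    m = re.match(r"\s*(\w+)\s*\{(.*)\}\s*$", text, re.DOTALL)
    if not m:
        raise ValueError("not a property group: expected NAME{ ... }")
    name, body = m.group(1), m.group(2)
    props = {}
    for entry in body.split(";"):
        if not entry.strip():
            continue  # trailing ';' or blank line
        key, sep, value = entry.partition(":")
        if not sep:
            raise ValueError("property without ':' separator: %r" % entry.strip())
        props[key.strip()] = value.strip()
    return name, props


def configured_groups(props):
    """The 'groups' property as a list of names; empty when the property is absent."""
    raw = props.get("groups", "")
    return [g.strip() for g in raw.split(",") if g.strip()]


def group_name_from_dn(dn):
    """Leading RDN value of a group DN ('cn=group1,ou=groups,o=mycompany' -> 'group1').
    A bare name without '=' is returned unchanged."""
    first_rdn = dn.split(",", 1)[0].strip()
    attr, sep, value = first_rdn.partition("=")
    return value.strip() if sep else attr


def user_may_sign_in(props, user_group_dns):
    """True when at least one of the user's groups is in the application's groups list.
    Assumption: no 'groups' property means the application is not group-restricted."""
    allowed = {g.lower() for g in configured_groups(props)}
    if not allowed:
        return True
    user_groups = {group_name_from_dn(dn).lower() for dn in user_group_dns}
    return bool(allowed & user_groups)


if __name__ == "__main__":
    name, props = parse_property_group(SAMPLE_PROPERTY_GROUP)
    print(name, props)
    print("allowed:", user_may_sign_in(props, SAMPLE_USER_MEMBERSHIP))
```

When troubleshooting a user who is unexpectedly denied, compare the cn values of the DNs the server actually returns for groupKey with the names in the groups property; a group that was renamed in the directory, or a groups value that contains the full DN instead of the name, shows up here as an empty intersection.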
Example:
TODO: Link in other LDAP related items such as property group. Add some screen shots if available. Add details and examples of securing operations and fields via LDAP.
Securing an Operation to an LDAP Group:
Securing the Ability to Edit a Column to an LDAP Group:
Individual database columns or fields can be secured in terms of who is allowed to view the data and edit the data.