If you have determined that the Active Directory authentication manager plug-in meets your ABL application's requirements, then configure the required and optional plug-in properties in the instance-name/webapps/webapp-name/WEB-INF/oeablSecurity.properties file for your ABL web application as explained in this topic.

Required properties

Property Description
ad.ldap.url

The fully qualified URL of the LDAP connection to the Active Directory host using the following syntax:

{ldap|ldaps}://host-name[:port]

Use the ldaps URL scheme if your organization requires the Active Directory connection to use a secure TLS connection. Use ldap only if the Active Directory host does not support TLS connections.

For failover (high availability), you can specify multiple LDAP URLs as space-separated values in a single string.

ad.ldap.rootdn

The rootDN of the Active Directory service that contains the user accounts and group information that is used for authentication.

ad.user.domain

The userPrincipalName domain value that is automatically appended to the client's login user ID if the client does not provide one.

For example, if the user ID supplied by the client is jsmith, then the string @acme.com could be appended as the userPrincipalName value.

The default value is "", which corresponds to a blank domain. If you specify this property but give it no value, then no userPrincipalName domain is appended to the input user ID, and the client must supply a fully qualified domain, for example, jsmith@acme.com.

Optional properties

Property Description
ad.AuthoritiesMapper.prefix

The prefix that is used to distinguish a Spring role name from a user account name when validating URL access to an application resource.

By default, the prefix ROLE_ is used to remove ambiguity between a user ID name and a role name. (It is a Spring Security default convention, but its use is not a requirement.)

Change the prefix when you need role names that are exactly as they are defined in Active Directory.

ad.AuthoritiesMapper.convertToUpperCase

Forces Active Directory group object names to be converted to uppercase when Spring Security creates a role name.

The default value is true.

Change this value to false when the role names that are placed in the CLIENT-PRINCIPAL object and used for URL access control must match exactly the names defined in Active Directory.

Note that the uppercase conversion of the LDAP group attribute name is a default convention and is not a requirement.

Example

The following shows an example of the configuration of the Active Directory authentication manager plug-in:

http.all.authmanager=ad
ad.user.domain=acme.com
ad.ldap.url=ldap://vm-pasoeldap:389
ad.ldap.rootdn=dc=anytown,dc=acme,dc=com

The properties in this example have the following meanings:

Property Description
http.all.authmanager Specifies ad, which corresponds to the Active Directory authentication manager plug-in.
ad.user.domain Specifies the userPrincipalName domain, acme.com, that is automatically appended to the client-supplied user ID if the client does not supply a domain.
ad.ldap.url Specifies the fully qualified URL of the LDAP connection to the Active Directory host, including the port number: ldap://vm-pasoeldap:389.
ad.ldap.rootdn Specifies the rootDN of the Active Directory service where user account information is defined: dc=anytown,dc=acme,dc=com.

The effect of this example configuration is to search the Active Directory service for the client-supplied user ID, starting at the specified rootDN, dc=anytown,dc=acme,dc=com. If the client does not provide a domain specification, then acme.com is appended.
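The following script is an added example, not code from Progress or from the OpenEdge product; it illustrates the property semantics described above (the ldap/ldaps URL scheme and space-separated failover URLs, the ad.user.domain append rule, and the ad.AuthoritiesMapper.prefix / convertToUpperCase role-name mapping) by checking a constructed oeablSecurity.properties fragment. The properties parser is deliberately minimal, the host names in the hardened sample are invented, and the findings it reports are this example's own interpretation of the documentation rather than any check the product performs.

```python
"""Sanity checks for an oeablSecurity.properties fragment that selects the
Active Directory authentication manager plug-in (added example, not product code)."""
from urllib.parse import urlsplit

# Constructed sample matching the example configuration in the documentation.
SAMPLE_PROPERTIES = """\
http.all.authmanager=ad
ad.user.domain=acme.com
ad.ldap.url=ldap://vm-pasoeldap:389
ad.ldap.rootdn=dc=anytown,dc=acme,dc=com
"""

# Constructed hardened variant: ldaps and two space-separated URLs for failover.
# Host names are assumptions for illustration only.
HARDENED_PROPERTIES = """\
http.all.authmanager=ad
ad.user.domain=acme.com
ad.ldap.url=ldaps://ad1.anytown.acme.com:636 ldaps://ad2.anytown.acme.com:636
ad.ldap.rootdn=dc=anytown,dc=acme,dc=com
ad.AuthoritiesMapper.prefix=
ad.AuthoritiesMapper.convertToUpperCase=false
"""


def parse_properties(text):
    """Minimal key=value parser. Blank lines and '#'/'!' comments are skipped.
    Assumption: ':' separators and Java escape sequences are not needed here."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_ad_config(props):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    if props.get("http.all.authmanager") != "ad":
        findings.append("http.all.authmanager is not 'ad': the AD plug-in is not selected")
    for key in ("ad.ldap.url", "ad.ldap.rootdn"):
        if not props.get(key):
            findings.append(f"required property {key} is missing or empty")
    if "ad.user.domain" not in props:
        findings.append("required property ad.user.domain is not set")
    # ad.ldap.url may carry several space-separated URLs for failover.
    for url in props.get("ad.ldap.url", "").split():
        parts = urlsplit(url)
        if parts.scheme not in ("ldap", "ldaps"):
            findings.append(f"{url}: scheme must be ldap or ldaps")
        elif parts.scheme == "ldap":
            findings.append(f"{url}: plain ldap, the connection is not protected by TLS")
        if not parts.hostname:
            findings.append(f"{url}: missing host name")
    return findings


def qualify_user_id(user_id, domain):
    """Apply the ad.user.domain rule: append '@domain' only when the login ID
    carries no domain and a non-blank domain is configured."""
    if "@" in user_id or not domain:
        return user_id
    return f"{user_id}@{domain}"


def map_authority(group_name, prefix="ROLE_", convert_to_upper=True):
    """Derive the Spring role name from an AD group name using the
    ad.AuthoritiesMapper.prefix and convertToUpperCase settings."""
    name = group_name.upper() if convert_to_upper else group_name
    return f"{prefix}{name}"


def authority_settings(props):
    """Read the two optional mapper properties, applying the documented defaults."""
    prefix = props.get("ad.AuthoritiesMapper.prefix", "ROLE_")
    upper = props.get("ad.AuthoritiesMapper.convertToUpperCase", "true").lower() == "true"
    return prefix, upper


if __name__ == "__main__":
    for label, text in (("example", SAMPLE_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        props = parse_properties(text)
        print(label, "findings:", check_ad_config(props) or "none")
        prefix, upper = authority_settings(props)
        print("  jsmith ->", qualify_user_id("jsmith", props["ad.user.domain"]))
        print("  'Web Admins' ->", map_authority("Web Admins", prefix, upper))
```

Running the script reports the plain-ldap finding for the documented example and no findings for the hardened variant, and shows how the same AD group name maps to ROLE_WEB ADMINS under the defaults but stays as Web Admins once the prefix is blanked and uppercase conversion is turned off.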