If you determined that the generic LDAP authentication manager plug-in meets your ABL application's requirements, then configure the required and optional plug-in properties in the instance-name/webapps/webapp-name/WEB-INF/oeablSecurity.properties file for your ABL web application, as explained in this topic.

Required properties

ldap.url

The fully qualified URL of the LDAP connection to the Active Directory host using the following syntax:

{ldap|ldaps}://host-name[:port]

Use the ldaps URL scheme if your organization requires the Active Directory connection to use a secure TLS connection. (Use ldap only if the Active Directory host does not support TLS connections.)

To facilitate failover high availability, you can specify multiple LDAP URLs as space-separated values in a single string.

ldap.rootdn

The rootDN of the Active Directory service that contains the user accounts and group information that is used for authentication.

ldap.manager-dn

A valid Active Directory account ID that is used to bind to Active Directory and search for the corresponding LDAP user account object DN of the user being authenticated.

Note: The Active Directory account ID is a userPrincipalName object, for example, safe-user@acme.com.

ldap.manager-password

The password for the user that corresponds to the ldap.manager-dn property, described in the preceding row.

For production environments, Progress strongly recommends that you specify this password as an encrypted value that you have obtained using the DLC/bin/stspwdutil utility. For details, see STS Password Utility (stspwdutil).

Optional properties

ldap.usersearch.base

The LDAP object DN where the search for LDAP user account objects is initiated.

The default value is blank, which causes all user searches in Active Directory to be initiated from the RootDN object.

You can specify a valid LDAP server object DN (for example, a subtree) where the search starts. Setting a value for this property is appropriate when Active Directory has more than one account with exactly the same name, but in different subtrees.

ldap.usersearch.filter

LDAP search specification for locating the LDAP user account object that corresponds to the client’s login user ID.

The default value for Active Directory is ( | (userPrincipalName={0}) (sAMAccountName={0}) (mail={0}) (cn={0})).

Use this property to choose, at login time, which login ID type you want to use, allowing you to narrow the search for a given user account in Active Directory. For example, you could use this when you want users to log in using only one ID type, such as their email name, or when you want them to log in using some other kind of ID, such as their surname. The portion of the filter specification that designates the client's user ID must consist of the string {0}.

ldap.usersearch.searchSubtree

A boolean value that specifies whether to search the LDAP object hierarchy, starting at the user object search base DN, for an LDAP user account object that corresponds to the login user ID.

The default value is true.

If your search base in Active Directory is at a level where there are multiple subtrees of user accounts, you can set this property to false and use it together with ldap.usersearch.base to search for users within a specific subtree only.

ldap.groupsearch.base

The LDAP object DN where the search for LDAP group objects is initiated.

A blank value initiates all searches from the rootDN object. Otherwise, this must be a valid LDAP server object DN.

The default value is "".

Setting a value for this property is appropriate when Active Directory has more than one group object with exactly the same name, but in different subtrees.

ldap.groupsearch.filter

The LDAP search specification to find the LDAP group objects that correspond to the LDAP user account’s granted roles.

The default value is (&(objectclass=group) (member={0})).

The portion of the filter specification that designates the client's user ID must consist of the string {0}.

Use this property to refine the selection of the groups that a given user account is a member of.

ldap.grouprole.attribute

The LDAP group object attribute name from which to derive the role name used in Spring and in OpenEdge security.

The value cannot be empty. See the Active Directory schema definition for alternatives to the usual cn attribute name.

The default value is cn. Change this when you want to use a different attribute of the group as the role name for the user.

ldap.authpopulator.searchSubtree

A boolean value to specify whether to search the LDAP object hierarchy, starting at the ldap.groupsearch.base, when finding LDAP group objects.

The default value is true.

ldap.authpopulator.ignorePartialResultException

A boolean value to specify whether to ignore Active Directory notifications if not all the results of an LDAP search are available.

The default value is true.

Change this when you detect that you are not receiving group objects in the user's list of roles, most likely because Active Directory terminated further searching after an excessive number of notifications had been returned.

ldap.authpopulator.convertToUpperCase

A boolean value to specify whether the role names derived from the LDAP group object attribute are converted to upper case.

The default value is true.

Change this value to false when the role names that get placed in the CLIENT-PRINCIPAL object, and are used for the URL access controls, must be exactly as they are defined in Active Directory.

ldap.contextSrc.referral

Specifies whether to ignore LDAP referrals; that is, soft-links to LDAP object subtree storage in other Active Directory servers.

The default value is ignore.

Change this to follow when you want searches for an Active Directory user account to follow referrals. Note that following referrals may be slow, and can, in some directory services such as Active Directory, return a PartialResultException.

ldap.contextSrc.timeout

The number of milliseconds to wait for an Active Directory connection or read operation to complete. The purpose of this property is to prevent a user's login to the application from hanging when the directory does not respond.

The value specified must be a valid positive integer.

The default value is 5000. Change this when Active Directory account login operations may require more time than the default interval.

OEClientPrincipalFilter.loadAccntAttrList

OEClientPrincipalFilter.domainRoleFilter

OEClientPrincipalFilter.validateClientDomain

These properties apply to the process of converting the tokens that are generated by the Spring Security framework into CLIENT-PRINCIPAL tokens. They allow you to select attributes of the user account in Active Directory and add them as properties of the CLIENT-PRINCIPAL token.

In a multi-tenant architecture, the OEClientPrincipalFilter.domainRoleFilter property allows you to derive a domain name from the attributes assigned to a user account in Active Directory.

Using these properties, you can set up pattern-matching expressions as part of the direct login operations to determine, based on the groups that a user account is a member of, the group name that is used to extract the OpenEdge domain name.

The OEClientPrincipalFilter.validateClientDomain property is used when a CLIENT-PRINCIPAL token is received as an SSO token, and you need to validate that the user is in fact a member of the corresponding domain by verifying the appropriate user account attributes in Active Directory.

For more information about setting up domain role filters, see Set up CLIENT-PRINCIPAL token generation.

Note that the OEClientPrincipalFilter property is enabled by default, which is required for generating CLIENT-PRINCIPAL objects.

Example

The following shows an example of the configuration of the generic LDAP authentication manager plug-in:

# select the generic LDAP authentication manager plug-in
http.all.authmanager=ldap
ldap.url=ldap://vm-pasoeldap:10389
# account used to bind and search for the user's DN
ldap.manager-dn=uid=admin,ou=system
ldap.manager-password=secret
ldap.root.dn=dc=anytown,dc=acme,dc=com
# group attribute that becomes the role name, and the two search filters
ldap.grouprole.attribute=cn
ldap.groupsearch.filter=(uniqueMember={0})
ldap.usersearch.filter=(uid={0})

The properties in this example have the following meaning:

http.all.authmanager

Specifies the generic LDAP authentication manager plug-in, ldap.

ldap.url

Specifies the fully qualified URL of the LDAP connection to the Active Directory host, including the port number: ldap://vm-pasoeldap:10389.

ldap.manager-dn

Specifies the Active Directory account ID that is used for searching for the LDAP user account object DN of the client user being authenticated. In this example, the user account ID is admin, which is in the organizational unit system.

ldap.manager-password

Specifies the password for the user account ID that corresponds to the ldap.manager-dn property.

ldap.root.dn

Specifies the rootDN of the Active Directory service where user account information is defined: dc=anytown,dc=acme,dc=com.

ldap.grouprole.attribute

Specifies the LDAP group object attribute, cn, that is used to derive the role name to be used in the Spring and CLIENT-PRINCIPAL tokens that are generated.

ldap.groupsearch.filter

Specifies the LDAP search string for locating the LDAP group objects that correspond to the LDAP user account’s granted roles. In this example, (uniqueMember={0}) indicates that

ldap.usersearch.filter

Specifies the LDAP search string for locating the LDAP user account object that corresponds to the client’s login user ID. In this example, (uid={0}) results in
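As an added example, not taken from the Progress documentation or shipped with the product, the same deployment reconfigured along the lines the property descriptions above recommend: ldaps with a second URL for failover, search bases confined to one subtree each, a single login ID type, and the manager password as a placeholder for the value produced by stspwdutil. The host names, OU names and the timeout are assumptions. The property is written ldap.rootdn as in the required-properties list; the example above spells it ldap.root.dn, so check the spelling against the oeablSecurity.properties template in your own instance before relying on either.

```properties
# Added example configuration (assumed values, not the product's own)
http.all.authmanager=ldap

# TLS connections, two hosts space-separated for failover
ldap.url=ldaps://ldap1.anytown.acme.com:636 ldaps://ldap2.anytown.acme.com:636
ldap.rootdn=dc=anytown,dc=acme,dc=com
ldap.manager-dn=uid=admin,ou=system
# placeholder: replace with the encrypted value obtained from DLC/bin/stspwdutil
ldap.manager-password=<encrypted-password-from-stspwdutil>

# user lookup limited to one subtree and one login ID type
ldap.usersearch.base=ou=people
ldap.usersearch.filter=(uid={0})
ldap.usersearch.searchSubtree=false

# group lookup limited to the groups subtree
ldap.groupsearch.base=ou=groups
ldap.groupsearch.filter=(uniqueMember={0})
ldap.grouprole.attribute=cn
ldap.authpopulator.searchSubtree=true
ldap.authpopulator.convertToUpperCase=true

# referrals left ignored; a slower directory gets more than the default 5000 ms
ldap.contextSrc.referral=ignore
ldap.contextSrc.timeout=10000
```

With ldap.usersearch.searchSubtree set to false, the user search only examines the direct children of ou=people; an account placed in a nested OU below it is not found, which is the interaction between the two properties that the ldap.usersearch.searchSubtree description points out.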

The effect of this configuration is for this authentication manager plug-in to do the following when a client provides a user ID:

  1. Bind to the Active Directory service using the admin account DN and password, and set the rootDN to operate in.
  2. Starting at the rootDN, apply the LDAP user search filter to locate the user account being authenticated.

    If the user is not found, then generate an error, and unbind from the Active Directory service.

  3. Obtain the user account object’s DN, and unbind.
  4. Bind to the Active Directory service using the user account DN that is being authenticated and the supplied password.

    If a bind error occurs, then return an authentication error and unbind.

  5. Load the user account object’s attributes, and filter by the specified property list.
  6. Starting at the rootDN, search the object tree to locate all group objects that have the user account’s DN as a member.
  7. From the group object attribute name, extract the root role name that will be appended to the configured role prefix (ROLE_).
  8. If an OpenEdge security domain is configured, then extract the domain name for the user, if the user has not supplied one on login.
  9. Unbind.
  10. Generate a CLIENT-PRINCIPAL token from user account information and role names.
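To make the sequence above concrete, here is an added simulation, not OpenEdge or Spring Security code, that runs the same steps against a small in-memory directory constructed for the purpose: the manager bind, the user search with {0} replaced by the escaped login ID, the bind as the located user, the group search with {0} replaced by the user's DN, and the derivation of ROLE_-prefixed role names from the ldap.grouprole.attribute value, honouring the searchSubtree and convertToUpperCase properties. The entries, passwords, DNs and property values are made up; search bases are given as full DNs; the filter parser handles only the &, | and attr=value forms used on this page; and the RFC 4515 escaping applied when substituting {0} is what a filter-building library is expected to do, shown here so that the effect of a login ID containing filter metacharacters is visible.

```python
"""Simulation of the login sequence described above, driven by ldap.* properties.
Added example, not OpenEdge or Spring Security code: the directory entries,
passwords and property values are constructed for the demonstration."""
import re

PEOPLE, GROUPS = "ou=people,dc=anytown,dc=acme,dc=com", "ou=groups,dc=anytown,dc=acme,dc=com"

# Constructed in-memory directory: DN -> attributes (names lower case, values as
# lists).  Passwords are kept here only so the simulated bind can check them.
DIRECTORY = {
    "uid=admin,ou=system,dc=anytown,dc=acme,dc=com": {"uid": ["admin"], "userpassword": ["secret"]},
    "uid=jdoe," + PEOPLE: {"uid": ["jdoe"], "mail": ["jdoe@acme.com"], "userpassword": ["jdoe-pw"]},
    "cn=Accounting," + GROUPS: {"objectclass": ["groupOfUniqueNames"], "cn": ["Accounting"],
                                "uniquemember": ["uid=jdoe," + PEOPLE]},
    "cn=Sales," + GROUPS: {"objectclass": ["groupOfUniqueNames"], "cn": ["Sales"],
                           "uniquemember": ["uid=jdoe," + PEOPLE]},
}

def escape_filter_value(value):
    """RFC 4515 escaping, so the login ID substituted for {0} is matched as a
    literal and '*', '(', ')' or '\\' in it cannot change the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def render_filter(template, value):
    return template.replace("{0}", escape_filter_value(value))

def parse_filter(text):
    """Minimal RFC 4515 parser: &, | and (attr=value); blanks between items,
    as in the page's default filters, are skipped."""
    skip = lambda i: len(text) - len(text[i:].lstrip(" "))
    def item(i):
        i = skip(skip(i) + 1)                 # past the opening '('
        if text[i] in "&|":
            op, kids, i = text[i], [], skip(i + 1)
            while text[i] == "(":
                node, i = item(i)
                kids.append(node)
                i = skip(i)
            return (op, kids), i + 1          # text[i] is the closing ')'
        end = text.index(")", i)
        attr, _, value = text[i:end].partition("=")
        return ("=", attr.strip().lower(), value.strip()), end + 1
    return item(0)[0]

def matches(node, attrs):
    op = node[0]
    if op in "&|":
        return (all if op == "&" else any)(matches(k, attrs) for k in node[1])
    _, attr, raw = node
    wanted = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return any(v.lower() == wanted.lower() for v in attrs.get(attr, []))  # caseIgnoreMatch

def search(base, filter_text, subtree):
    """DNs at or below `base` matching the filter; subtree=False keeps only the
    base's direct children, as the searchSubtree properties do."""
    node, base_l, hits = parse_filter(filter_text), base.lower(), []
    for dn, attrs in DIRECTORY.items():
        dn_l = dn.lower()
        if dn_l != base_l and not dn_l.endswith("," + base_l):
            continue
        depth = dn_l[:-len(base_l)].count(",")        # RDNs below the base
        if (subtree or depth == 1) and matches(node, attrs):
            hits.append(dn)
    return hits

def bind(dn, password):
    entry = DIRECTORY.get(dn)
    if entry is None or password not in entry.get("userpassword", []):
        raise PermissionError("bind failed for %s" % dn)

def authenticate(cfg, login_id, password):
    """Steps 1 to 10 above; returns the DN and role names a CLIENT-PRINCIPAL carries."""
    root = cfg["ldap.rootdn"]              # blank search bases fall back to it
    flag = lambda key: cfg.get(key, "true").lower() == "true"   # page defaults: true
    bind(cfg["ldap.manager-dn"], cfg["ldap.manager-password"])            # 1
    users = search(cfg.get("ldap.usersearch.base") or root,               # 2
                   render_filter(cfg["ldap.usersearch.filter"], login_id),
                   flag("ldap.usersearch.searchSubtree"))
    if len(users) != 1:
        raise LookupError("user %r not found or ambiguous" % login_id)
    user_dn = users[0]                                                    # 3
    bind(user_dn, password)                                               # 4
    groups = search(cfg.get("ldap.groupsearch.base") or root,             # 6
                    render_filter(cfg["ldap.groupsearch.filter"], user_dn),
                    flag("ldap.authpopulator.searchSubtree"))
    attr, upper = cfg["ldap.grouprole.attribute"].lower(), flag("ldap.authpopulator.convertToUpperCase")
    roles = ["ROLE_" + (n.upper() if upper else n)                        # 7
             for g in groups for n in DIRECTORY[g].get(attr, [])]
    return {"user_dn": user_dn, "roles": sorted(roles)}                   # 10

# Constructed property values in the shape of the example above (full-DN search bases).
CONFIG = {
    "ldap.rootdn": "dc=anytown,dc=acme,dc=com",
    "ldap.manager-dn": "uid=admin,ou=system,dc=anytown,dc=acme,dc=com",
    "ldap.manager-password": "secret",
    "ldap.usersearch.base": PEOPLE,
    "ldap.usersearch.filter": "( | (uid={0}) (mail={0}))",
    "ldap.groupsearch.filter": "(&(objectclass=groupOfUniqueNames) (uniqueMember={0}))",
    "ldap.grouprole.attribute": "cn",
}
```

Calling authenticate(CONFIG, "jdoe", "jdoe-pw") returns the account DN together with ['ROLE_ACCOUNTING', 'ROLE_SALES'], and "jdoe@acme.com" logs in the same way through the mail branch of the OR filter. Setting ldap.usersearch.searchSubtree to false while leaving ldap.usersearch.base blank makes the same login fail with a not-found error, which is the situation the searchSubtree description warns about; a login ID such as jdoe* fails the same way because the escaping makes it match literally rather than as a wildcard.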