I haven’t had much to do with Active Directory since writing an article on integrating RTC 3.x on WAS with AD back in 2010, so I decided to test how UCD’s integration with LDAP works. With RTC (or CLM) I found setting up the LDAP integration with WebSphere Application Server “annoying”, having to specify properties twice, once in WAS and then again in the JTS. Setting up the CLM integration with LDAP on Tomcat is a little less annoying.
At first glance I found the UrbanCode Deploy Infocentre topic on security a little confusing. This is probably because of the way that Roles, Teams, Types, Permissions, Identities and Authorities are all somehow related. A second (or third!) reading helped me make sense of the relationships, but I always like to see things in action rather than just read about them. So I set off to try the following 3 of the 5 steps listed in the Guidelines for setting up security topic:
- Create an authorization realm.
- Create an authentication realm.
- Create and import users and groups.
The roles, teams, security types and permissions I decided to leave for another time.
I first created the following structure in Active Directory.
A simple enough structure, with 2 groups and one or more users in each group, and all users and groups within the same OU. Production AD (or LDAP) setups will never be as simple as this, and that’s where the practice of giving gifts to AD/LDAP administrators comes in useful ;-)
1. Create an authorization realm
Logging in as “admin” I navigate to Home .. Settings .. Security .. Authorization .. Authorization Realms and click “Create Authorization Realm”. Based on my AD setup above the dialog is filled out as follows:
Most of the settings are self-explanatory. I use the first option, “Roles in LDAP reference their members…”, for searchTypeLabel as I’m not using any AD attributes to capture roles for my users. The Group Search Filter I set to the name of the attribute that holds the Distinguished Names of the users when querying a group. For example, running dsquery to list a group’s attributes shows that user DNs are listed in the “member” attribute:
At this point all I’ve done is configure the authorization part which tells UCD which groups a user is part of. Nothing really “happens” until the next step is completed.
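The group lookup described above, as an added Python example that is not UCD’s code and not from the original post: it parses a constructed LDIF export of a group OU and resolves a user DN to the groups whose “member” attribute references it, matching DNs case-insensitively as AD does. The OU, group names and DNs are hypothetical.

```python
"""Resolve a user's LDAP groups via the groups' `member` attribute."""

# Constructed LDIF export of a group OU (hypothetical DNs, not from the post).
GROUP_LDIF = """\
dn: CN=UCD Admins,OU=UCD,DC=example,DC=com
objectClass: group
cn: UCD Admins
member: CN=Sudhakar Frederick,OU=UCD,DC=example,DC=com

dn: CN=UCD Developers,OU=UCD,DC=example,DC=com
objectClass: group
cn: UCD Developers
member: CN=Sudhakar Frederick,OU=UCD,DC=example,DC=com
member: CN=Jane Doe,OU=UCD,DC=example,DC=com
"""

def parse_ldif(text):
    """Parse minimal LDIF (no continuation lines, no base64 values) into a
    list of {attribute: [values]} dicts keyed by lower-cased attribute name."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def norm_dn(dn):
    """Normalise a DN for comparison: AD DN matching is case-insensitive and
    ignores whitespace around the RDN separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def groups_for_user(user_dn, entries, member_attr="member"):
    """Return the CNs of group entries whose member attribute references
    user_dn. This is the lookup that the 'Roles in LDAP reference their
    members' search type performs; a user listed in no group gets []."""
    target = norm_dn(user_dn)
    return sorted(
        entry["cn"][0]
        for entry in entries
        if "group" in (v.lower() for v in entry.get("objectclass", []))
        and any(norm_dn(m) == target for m in entry.get(member_attr, []))
    )
```

A user who authenticates but appears in no group’s member attribute resolves to an empty list, which is exactly the “can log in but can’t do anything” state until roles and teams are assigned.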
2. Create an authentication realm
I navigate to Home .. Settings .. Security .. Authentication and click “Create New Realm”. Again based on my AD setup above the dialog is filled out as follows:
Note that this authentication realm (for users) maps to the authorization realm previously created (for groups).
3. Create and import users and groups
Now that I have both the Authorization and Authentication realms set up I can test the setup by attempting to log in as one of the users I created in AD. So logging in as “Sudhakar Frederick” works fine. Well, not quite. The Authorization and Authentication realms work, as I can log in just fine, but I can’t do anything as the user.
So far so good. However, to be able to do anything useful as a new user I need to have the other two steps (Create roles and define permissions & Create teams and assign users and groups to them) done. That I will leave for another time.