Notes on integrating UrbanCode Deploy with Active Directory

I haven’t had too much to do with Active Directory since writing an article on integrating RTC 3.x on WAS with AD back in 2010, and I decided to test how UCD’s integration with LDAP worked. With RTC (or CLM) I found setting up the integration to LDAP with WebSphere Application Server “annoying”, having to specify properties twice, once in WAS and then again in the JTS. Setting up the CLM integration to LDAP with Tomcat is a little less annoying.

At first glance I found the UrbanCode Deploy Infocentre topic on security a little confusing. This is probably because of the way that Roles, Teams, Types, Permissions, Identities and Authorities are all somehow related. A second (or third!) reading helped me make sense of the relationships, but I always like to see things in action rather than just read about them. So I set off to try out the following 3 of the 5 steps listed in the Guidelines for setting up security topic:

  1. Create an authorization realm.
  2. Create an authentication realm.
  3. Create and import users and groups.

The roles, teams, security types and permissions I decided to leave for another time.

I first created the following structure in Active Directory.

[Image: adsetup]

A simple enough structure, with 2 groups and one or more users in each group, and all users and groups within the same OU. Production AD (or LDAP) setups will never be as simple as this, and that’s where the practice of giving gifts to AD/LDAP administrators comes in useful ;-)

1. Create an authorization realm

Logging in as “admin”, I navigate to Home .. Settings .. Security .. Authorization .. Authorization Realms and click “Create Authorization Realm”. Based on my AD setup above, the dialog is filled out as follows:

[Image: authorrealm]

Most of the settings are self-explanatory. I use the first option, “Roles in LDAP reference their members…”, for searchTypeLabel, as I’m not using any AD attributes to capture roles for my users. The Group Search Filter I set to the name of the attribute that holds the Distinguished Names of users when querying a group. For example, running dsquery to list a group’s attributes shows that user DNs are listed in the “member” attribute:

[Image: dsquerygrp]

At this point all I’ve done is configure the authorization part, which tells UCD which groups a user is part of. Nothing really “happens” until the next step is completed.

2. Create an authentication realm

I navigate to Home .. Settings .. Security .. Authentication and click “Create New Realm”. Again, based on my AD setup above, the dialog is filled out as follows:

[Image: authenrealm]

Note that this authentication realm (for users) maps to the authorization realm previously created (for groups).

3. Create and import users and groups

Now that I have both the Authorization and Authentication realms set up, I can test the setup by attempting to log in as one of the users I created in AD. So logging in as “Sudhakar Frederick” works fine. Well, not quite. The Authorization and Authentication realms work, as I can log in just fine, but I can’t do anything as the user.

[Image: freddylogin]

Logging in again as “admin”, I can see that the “Sudhakar Frederick” user has been imported into UCD.

[Image: freddyimported]

The group that “Sudhakar Frederick” belongs to has also been imported into UCD.

[Image: freddygrpimported]

So far so good. However, to be able to do anything useful as a new user I need to have the other two steps done (Create roles and define permissions, and Create teams and assign users and groups to them). That I will leave for another time.
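As an added example (not from this post and not UrbanCode’s own code), the following Python models what the authorization realm from step 1 does with the Group Search Filter and what step 3 then shows as an imported group: it scans group entries and matches a user’s DN against the attribute named in the filter, normalising case and spacing the way AD does. The LDIF dump, the OU and the DC names are constructed placeholders, not the author’s real domain.

```python
# Constructed LDIF-style dump, assumed to mirror the post's layout of one OU
# holding two groups and their users; OU/DC names are placeholders.
SAMPLE_LDIF = """\
dn: CN=ucd-admins,OU=UCD,DC=example,DC=com
objectClass: group
cn: ucd-admins
member: CN=Sudhakar Frederick,OU=UCD,DC=example,DC=com
member: CN=Jane Doe,OU=UCD,DC=example,DC=com

dn: CN=ucd-deployers,OU=UCD,DC=example,DC=com
objectClass: group
cn: ucd-deployers
member: cn=sudhakar frederick, ou=UCD, dc=example, dc=com

dn: CN=Sudhakar Frederick,OU=UCD,DC=example,DC=com
objectClass: user
sAMAccountName: sfrederick
"""


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attribute: [values]} dicts.
    Blank lines separate entries; continuation/base64 lines are not handled."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn):
    """AD matches DNs case-insensitively and ignores spaces around the
    commas between RDNs (escaped commas inside values are not handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def groups_for_user(entries, user_dn, member_attr="member"):
    """Return the cn of every group entry whose member attribute lists
    user_dn; member_attr is the Group Search Filter value from step 1."""
    target = normalize_dn(user_dn)
    return sorted(
        e["cn"][0] for e in entries
        if "group" in e.get("objectClass", [])
        and any(normalize_dn(m) == target for m in e.get(member_attr, []))
    )
```

Running the same check with a wrong attribute name (for example uniqueMember on an AD group) returns no groups, which is exactly the symptom of a mis-set Group Search Filter: the user can authenticate but is imported with no group memberships.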
