Integration with Active Directory - LDAP


Vircos
Ebase User
Posts: 97
Joined: Thu Sep 13, 2007 6:07 am
Location: The Netherlands

Integration with Active Directory - LDAP

#1

Postby Vircos » Thu Sep 13, 2007 10:39 am

It is possible to integrate Ebase with Active Directory if you use Apache Tomcat instead of IIS as webserver.
This is possible by using the JCIFS module made available by the people of samba.

This has been tested with Ebase version 3.4

1. You can download the JCIFS module, which is actually a JAR-file, from: http://jcifs.samba.org/src/docs/ntlmhttpauth.html
Put the file JCIFS.jar in the following directory: ../UfsServer/tomcat/webapps/ufs/WEB-INF/lib

2. The next step is editing the file: ../UfsServer/tomcat/webapps/ufs/WEB-INF/web.xml

Place the following code after <display-name>UFSWebModule</display-name>

Code: Select all

<filter>
    <filter-name>NtlmHttpFilter</filter-name>
    <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
    <init-param>
        <param-name>jcifs.http.domainController</param-name>
        <param-value>%IP-DOMAIN-CONTROLLER%</param-value>
    </init-param>
    <init-param>
        <param-name>jcifs.smb.client.domain</param-name>
        <param-value>%DOMAIN%</param-value>
    </init-param>
    <init-param>
        <param-name>jcifs.smb.client.username</param-name>
        <param-value>%USER%</param-value>
    </init-param>
    <init-param>
        <param-name>jcifs.smb.client.password</param-name>
        <param-value>%PASSWORD%</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>NtlmHttpFilter</filter-name>
    <url-pattern>/ufsmain</url-pattern>
</filter-mapping>

Replace the following variables:

- %IP-DOMAIN-CONTROLLER% -> The IP address of your domain controller
- %DOMAIN% -> Your domain
- %USER% -> Username of a valid domain user
- %PASSWORD% -> The password of the domain user

You have to supply a username and password because Ebase needs to pre-authenticate itself at the domain controller.

In the same file put the following code between <!-- and -->

Code: Select all

<error-page id="ErrorCodeErrorPage_2">
    <error-code>401</error-code>
    <location>/ufs_authentication_error_page.htm</location>
</error-page>

This will disable the authentication error page, but if you leave it enabled Tomcat might crash if authentication fails.
At the moment I do not know why, but I did find out that it is a common problem and that the latest version of Tomcat should not have this problem
(see the JCIFS mailing list at http://jcifs.samba.org).

3. Edit the file: ../UfsServer/tomcat/conf/server.xml

Find: <!-- Define a non-SSL HTTP/1.1 Connector on port 3030 -->
Add tomcatAuthentication="false" to this connector.

Find: <!-- Define an AJP 1.3 Connector on port 8009 -->
Add tomcatAuthentication="false" to this connector.


4. The final step is editing the file: ../UfsServer/tomcat/conf/context.xml

Remove the <!-- and --> entry before and after <Manager pathname="" />

5. Restart Apache Tomcat.

If everything works fine the Ebase variable $USER should supply the NT-username.

You can do a lot more with JCIFS.
For more information please see http://jcifs.samba.org/src/docs/ntlmhttpauth.html
0 x
What's the meaning of Justice...

User avatar
Andy McMaster
Ebase User
Posts: 33
Joined: Fri Feb 29, 2008 12:08 pm
Location: Newcastle upon Tyne
Contact:

#2

Postby Andy McMaster » Thu Apr 03, 2008 6:50 am

Vircos wrote: It is also possible to integrate Ebase with Active Directory if you use Apache Tomcat instead of IIS as webserver.

Hi,

Been trying to set this up and not having much success. Followed the instructions in your post.

I'm trying to setup pulling in the current user logon id when running a form. However, when I run the form (I'm just using a local install at the moment) $USER always returns 'ebaseuser'

I'm not currently using AD/LDAP for authentication for ebase login. I just want to check the user details at runtime.

Am I missing something here or is the setup more involved?


Additional Info:

Server startup log says:

Code: Select all

LDAP Registry Properties:-
Attributes File Name: ../../tomcat/webapps/ufs/preferences/ldap_attributes.xml
Host: null
Port: 389
Base Distinguished Name: null
Bind Distinguished Name: null
User Key Attribute Name: cn
Cache refresh period: 0

Not sure why host is null.

When I try to load a form that accesses, say, $USER_EMAIL I get:

Code: Select all

* Script SETLOGONID: Invalid SET expression set loginid = $USER_EMAIL - No LDAP registry host specified: UFSSetup.properties parameter ldap.registryHost *

And in UFSSetup.properties I have:

Code: Select all

#
# LDAP attributes : attributes to be made available from LDAP directory
#
ldap.registryHost=10.100.11.145

Any suggestions would be much appreciated, if only on ways to pin down the problem.

Andy
0 x
Do not despise the snake for having no horns for who is to say it will not become a dragon

Vircos
Ebase User
Posts: 97
Joined: Thu Sep 13, 2007 6:07 am
Location: The Netherlands

#3

Postby Vircos » Thu Apr 03, 2008 7:02 am

JCIFS uses the NTLM protocol to retrieve the windows user id. It actually does the same as described by Sarah. So it is not really an integration with the Active Directory using LDAP. The NTLM protocol is only supported by Internet Explorer and FireFox.

If you follow the steps as described by me the Ebase $USER variable should return the windows user id. Do you get any errors regarding JCIFS or NTLM in the server log?
0 x
What's the meaning of Justice...

ehmd
Ebase User
Posts: 53
Joined: Thu Sep 13, 2007 9:02 am
Contact:

#4

Postby ehmd » Thu Apr 03, 2008 7:28 am

Andy,

You will also need additional entries in your UFSSetup.properties file for AD Authentication.

Code: Select all

Ufs.ldapAttributesFileName=C:/ufs/server/tomcat/webapps/ufs/preferences/ldap_attributes.xml
ldap.registryHost=xxx.xxx.xxx.xxx
ldap.registryPort=389
ldap.baseDistinguishedName=DC=MY,DC=DOMAIN
ldap.userKeyAttributeName=samAccountName
ldap.userRoleAttributeName=memberOf
ldap.bindDistinguishedName=<AD User>@MY.DOMAIN
ldap.bindPassword=<User Password>
ldap.cacheRefreshPeriod=30
ldap.debug=true

The above specifies which Domain to connect to and also an AD User to log on with. This user only needs minimum privileges to connect to the Domain to read from AD. You may need to talk to your AD Administrator to get the correct 'internal' domain name as the domain you see on your Windows login prompt does not always match the 'internal domain name'.

Also you need to configure your ldap_attributes.xml file to map various $USER_xxxx variables onto AD attributes. The sample I use here is:

Code: Select all


<document type="LDAP_Attributes">
  <user-attributes>
    <attribute>
      <name>$USER_EMAIL</name>
      <directory-attribute-name>mail</directory-attribute-name>
      <directory-attribute-type>String</directory-attribute-type>
    </attribute>
    <attribute>
      <name>$USER_SURNAME</name>
      <directory-attribute-name>sn</directory-attribute-name>
      <directory-attribute-type>String</directory-attribute-type>
    </attribute>
    <attribute>
      <name>$USER_FORENAME</name>
      <directory-attribute-name>givenName</directory-attribute-name>
      <directory-attribute-type>String</directory-attribute-type>
    </attribute>
    <attribute>
      <name>$USER_JOB_TITLE</name>
      <directory-attribute-name>description</directory-attribute-name>
      <directory-attribute-type>String</directory-attribute-type>
    </attribute>
    <attribute>
      <name>$USER_FULLNAME</name>
      <directory-attribute-name>displayName</directory-attribute-name>
      <directory-attribute-type>String</directory-attribute-type>
    </attribute>
    <attribute>
      <name>$USER_PRINCIPAL_NAME</name>
      <directory-attribute-name>userPrincipalName</directory-attribute-name>
      <directory-attribute-type>String</directory-attribute-type>
    </attribute>
    <attribute>
      <name>$USER_MEMBER_OF</name>
      <directory-attribute-name>memberOf</directory-attribute-name>
      <directory-attribute-type>String</directory-attribute-type>
    </attribute>
  </user-attributes>
</document>

You also mentioned that $USER was always returning 'ebaseuser'.
Are you running the form from the designer ? If you are, then the form will run as the designer user you are logged in as, not your Windows User.


Hope this helps,


Mark
0 x

User avatar
Andy McMaster
Ebase User
Posts: 33
Joined: Fri Feb 29, 2008 12:08 pm
Location: Newcastle upon Tyne
Contact:

#5

Postby Andy McMaster » Thu Apr 03, 2008 8:37 am

Vircos wrote:JCIFS uses the NTLM protocol to retrieve the windows user id. It actually does the same as described by Sarah. So it is not really an integration with the Active Directory using LDAP. The NTLM protocol is only supported by Internet Explorer and FireFox.

If you follow the steps as described by me the Ebase $USER variable should return the windows user id. Do you get any errors regarding JCIFS or NTLM in the server log?

I'm using a standard setup at the moment and can't see anything in the log files. The only one that had any quantity of info in is log4j.log. ufsserver.log just has minimal startup info.

I'm new to Tomcat and Ebase so not sure exactly which is the relevant log or how best to configure them in the log4j.properties file.

Any suggestions on best practice would be appreciated.

Cheers

Andy
0 x
Do not despise the snake for having no horns for who is to say it will not become a dragon

User avatar
Vanessa
Forum Admin
Forum Admin
Posts: 34
Joined: Thu Sep 06, 2007 4:23 pm
Location: Sandy, UK
Contact:

Split topic

#6

Postby Vanessa » Mon Apr 07, 2008 10:39 am

For information, I have split this topic (AD/LDAP authentication) from the original (windows user authentication) which had a misleading title "Integration with Active Directory - LDAP" because the two topics are not really the same. The original post by Sarah can be found in the new thread "How do I retrieve the Windows username?".
0 x

User avatar
Andy McMaster
Ebase User
Posts: 33
Joined: Fri Feb 29, 2008 12:08 pm
Location: Newcastle upon Tyne
Contact:

#7

Postby Andy McMaster » Tue Apr 08, 2008 10:25 am

Have an account with access to AD now but server now needs IIS installing as I assume this must be used as Web Listener for this to work. Waiting on server team to sort this.

I've tried running the form outside of Designer and get no return value for $USER so I'm assuming once IIS is running it'll work.

Is there a simple way to test this? I've just created a form with a text box whose value is set to $USER. I'm not doing any form of login via AD. Is there a way to check that the account is accessing AD successfully?

Cheers

Andy
0 x
Do not despise the snake for having no horns for who is to say it will not become a dragon

Vircos
Ebase User
Posts: 97
Joined: Thu Sep 13, 2007 6:07 am
Location: The Netherlands

Re: Split topic

#8

Postby Vircos » Thu Apr 10, 2008 7:43 am

@Vanessa
Vanessa wrote: For information, I have split this topic (AD/LDAP authentication) from the original (windows user authentication) which had a misleading title "Integration with Active Directory - LDAP" because the two topics are not really the same. The original post by Sarah can be found in the new thread "How do I retrieve the Windows username?".

Perhaps it is better to join the topics again. My solution does actually the same as the solution as described by Sarah. Sarah uses IIS as a weblistener where I use Apache as a weblistener. Both solutions use NTLM to authenticate the Windows user.

It is not really integrating AD/LDAP authentication but more like Windows user authentication. Although my solution does need an AD-account in order to validate other AD-users against a Domain Controller.

@Andy

My solution works on three servers here, each configured manually by me. It is not clear to me why it doesn't work at your server.

My solution is only able to deliver the $USER variable; other AD attributes won't work.
0 x
What's the meaning of Justice...

User avatar
Andy McMaster
Ebase User
Posts: 33
Joined: Fri Feb 29, 2008 12:08 pm
Location: Newcastle upon Tyne
Contact:

#9

Postby Andy McMaster » Thu Apr 10, 2008 8:14 am

Thanks for the response.

I need to access email address etc. as well so it looks like I need the full works.

I've been trying to get the Apache ISAPI redirection working and waiting for feedback from EBase re this. IIS works fine but I can't get it to redirect for some reason. I may disable the three instances of Ebase I have running , install a clean version and try from there to be sure the default settings are OK.

I'll post here if/when I get a solution. Well, let's be optimistic - WHEN I get a solution :D

Cheers

Andy
0 x
Do not despise the snake for having no horns for who is to say it will not become a dragon

User avatar
Andy McMaster
Ebase User
Posts: 33
Joined: Fri Feb 29, 2008 12:08 pm
Location: Newcastle upon Tyne
Contact:

#10

Postby Andy McMaster » Fri Apr 11, 2008 2:25 pm

Hi again,

OK. Latest. Using a VM. Clean install of IIS and Ebase. Installed ISAPI redirector and that seems to work now - most of the time! I get the Ebase forms and documentation coming up without having to specify the port 3030.

Added the LDAP details to UFSSetup.properties.

Changed ebaselogin.config to

Code: Select all

Ebase
{
   com.ebasetech.ufs.security.authentication.LDAPLoginModule REQUIRED debug=true userManagerRoles=false;
};

and added

Code: Select all

Ufs.useUserManagerForDesignerAuthentication=true

to UFSSetup.properties so it still uses the normal ebase authentication for Designer login.

Now I have added a text box called ldapuser to an existing form and a small script to set ldapuser=$user; in the before page events. When I run this via designer I get 'ebaseuser' for the $USER - as expected - and the log shows:

Code: Select all

LDAP debug list of attributes availabe for user ebaseuser :-
   No attributes found

which seems to suggest that the LDAP settings are correct. However, when I run the form outside of Designer I get nothing set - and this applies whether I use $USER or $USER_EMAIL.

Now, am I missing something in the config setups for this? Can't figure out why it's not picking up my domain login name?

Just to confirm, I don't want to be prompted for a login at runtime. Any users should be logged in to their AD account. All I want is to be able to display their login name, real name and pull the email address so I can email them a confirmation.

Cheers
0 x
Do not despise the snake for having no horns for who is to say it will not become a dragon

User avatar
Andy McMaster
Ebase User
Posts: 33
Joined: Fri Feb 29, 2008 12:08 pm
Location: Newcastle upon Tyne
Contact:

#11

Postby Andy McMaster » Mon Apr 14, 2008 11:37 am

OK. Have user name showing but nothing for attributes. Logs show:

Code: Select all

Ebase Server successfully initialised in 3 seconds
LDAP debug list of attributes availabe for user amcm2309 :-
   No attributes found
LDAP debug list of attributes availabe for user amcm2309 :-
   No attributes found
LDAP attributes refreshed for user amcm2205

I'm wondering if it has something to do with what attribute is being used to search AD? It defaults to cn but I'm not sure which attribute is being returned to go into $USER?

Cheers

Andy
0 x
Do not despise the snake for having no horns for who is to say it will not become a dragon

User avatar
Wai
Moderator
Moderator
Posts: 165
Joined: Wed Sep 12, 2007 9:04 am
Location: Sandy, UK
Contact:

#12

Postby Wai » Wed Apr 23, 2008 3:53 pm

Following these instructions and setting up LDAP connection and attributes as per the Ebase instructions, I have managed to get this to work.

Following Vircos' initial post above will give you the Windows id in the $USER variable in Ebase.

To additionally return LDAP attributes you need to do the following:

1. LDAP configuration in Ebase

Add the following in UFSSetup.properties and replace the values:

ldap.registryHost=ebt999
ldap.baseDistinguishedName=dc=ebasetech,dc=com
ldap.registryPort=389
ldap.userKeyAttributeName=sAMAccountName
ldap.bindDistinguishedName=Admin@ebase
ldap.bindPassword=xxxxx
Ufs.ldapAttributesFileName=../webapps/ufs/preferences/ldap_attributes.xml
ldap.cacheRefreshPeriod=60
ldap.debug=true

This is an example for Active Directory. The baseDistinguishedName specifies from where to look in the directory, in this case it is the domain which represents the root of where the users are located.


2. Define attributes in ldap_attributes.xml file located under ..\UfsServer\tomcat\webapps\ufs\preferences

For example:

Code: Select all

<document type="LDAP_Attributes">
  <user-attributes>
    <attribute>
      <name>$USER_NAME</name>
      <directory-attribute-name>name</directory-attribute-name>
      <directory-attribute-type>String</directory-attribute-type>
    </attribute>
    <attribute>
      <name>$USER_EMAIL</name>
      <directory-attribute-name>mail</directory-attribute-name>
      <directory-attribute-type>String</directory-attribute-type>
    </attribute>
    <attribute>
      <name>$USER_ROLE</name>
      <directory-attribute-name>description</directory-attribute-name>
      <directory-attribute-type>String</directory-attribute-type>
    </attribute>
  </user-attributes>
</document>

This should be all that is required.


3. Debug

You can view all the LDAP attributes which are returnable to Ebase by switching on the Debug option in UFSSetup.properties file:

ldap.debug=true

and then performing a command like:

SET USER = $USER

will result in execution log:

Execution Log:

Mon Apr 14 15:30:34: Info : executing SET USER = waich
LDAP debug list of attributes availabe for user waich :-
Attribute: objectCategory
Attribute: userParameters
Attribute: whenCreated
Attribute: badPwdCount
Attribute: codePage
Attribute: mail
Attribute: objectGUID
Attribute: adminCount
Attribute: memberOf
..........

Only user attributes in LDAP that have values will be displayed.


4. In IE and Firefox, when you first try to access the Ebase form, you will be prompted for a login. To prevent this you have to configure the browsers. In IE, simply add the domain to IE's security trusted sites. To allow integrated authentication in Firefox follow the instructions on: http://www.mozilla.org/projects/netlib/ ... -auth.html
0 x
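A pre-flight check for the UFSSetup.properties LDAP settings discussed in posts #2 to #12, added here as an example (it is not part of any post and is not Ebase code). The key names and the defaults `cn` and `389` come from the posts and the startup log above; the severity labels, the cleartext-port check and the `admin` name heuristic are assumptions of this example.

```javascript
// Added example: audit the ldap.* settings from UFSSetup.properties.
// Assumption: only the plain key=value subset of .properties is needed here.
function parseProperties(text) {
  const props = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#") || line.startsWith("!")) continue;
    const m = line.match(/^([^=:\s]+)\s*[=:]\s*(.*)$/);
    if (m) props[m[1]] = m[2];
  }
  return props;
}

function auditLdapSettings(text) {
  const p = parseProperties(text);
  const findings = [];
  const add = (severity, key, message) => findings.push({ severity, key, message });

  // Post #2: a missing host produces "No LDAP registry host specified".
  for (const key of ["ldap.registryHost", "ldap.baseDistinguishedName"]) {
    if (!p[key]) add("error", key, "not set, so user lookups cannot run");
  }

  // The startup log in post #2 shows "cn" as the default key attribute, while the
  // working configurations in posts #4 and #12 both use sAMAccountName.
  const keyAttr = p["ldap.userKeyAttributeName"] || "cn";
  if (keyAttr.toLowerCase() !== "samaccountname") {
    add("warn", "ldap.userKeyAttributeName",
        "is '" + keyAttr + "'; a Windows logon name in $USER is matched by sAMAccountName");
  }

  // Port 389 is plain LDAP: a bind password sent there is not encrypted
  // unless the connection is protected some other way.
  const port = String(p["ldap.registryPort"] || "389");
  if (port === "389" && p["ldap.bindPassword"]) {
    add("warn", "ldap.registryPort", "bind password is sent to the cleartext LDAP port");
  }

  // Post #4: the bind user only needs minimum privileges to read from AD.
  if (/^(cn=)?admin/i.test(p["ldap.bindDistinguishedName"] || "")) {
    add("warn", "ldap.bindDistinguishedName", "looks like an administrative account");
  }

  if ((p["ldap.debug"] || "").toLowerCase() === "true") {
    add("info", "ldap.debug", "lists every returned attribute name in the execution log");
  }
  return findings;
}

// Constructed input: a file holding only the LDAP line quoted in post #2.
const MINIMAL = [
  "# LDAP attributes : attributes to be made available from LDAP directory",
  "ldap.registryHost=10.100.11.145",
].join("\n");

// The Active Directory settings as posted in #12.
const POSTED = [
  "ldap.registryHost=ebt999",
  "ldap.baseDistinguishedName=dc=ebasetech,dc=com",
  "ldap.registryPort=389",
  "ldap.userKeyAttributeName=sAMAccountName",
  "ldap.bindDistinguishedName=Admin@ebase",
  "ldap.bindPassword=xxxxx",
  "ldap.cacheRefreshPeriod=60",
  "ldap.debug=true",
].join("\n");

for (const [name, text] of [["minimal", MINIMAL], ["posted", POSTED]]) {
  for (const f of auditLdapSettings(text)) {
    console.log(name + ": [" + f.severity + "] " + f.key + " " + f.message);
  }
}
```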

User avatar
Andy McMaster
Ebase User
Posts: 33
Joined: Fri Feb 29, 2008 12:08 pm
Location: Newcastle upon Tyne
Contact:

Accessing MemberOf

#13

Postby Andy McMaster » Fri May 02, 2008 9:20 am

Hi,

I've got AD access working OK but get an error when trying to access the memberOf attribute. I've defined it in ldap_attributes.xml but when I try to pull this value out I get an error in the log:

Code: Select all

Fri May 02 09:29:41: Unexpected error occurred - see server log
java.lang.NullPointerException
	at com.ebasetech.ufs.utility.Utility.getFieldValue(Utility.java:673)
	at com.ebasetech.ufs.utility.Utility.evalExpression(Utility.java:224)
	at com.ebasetech.ufs.utility.Utility.evalExpression(Utility.java:53)
	at com.ebasetech.ufs.validation.CommandProcessor.isSetFieldValue(CommandProcessor.java:2568)
	at com.ebasetech.ufs.validation.CommandProcessor.process(CommandProcessor.java:3439)
	at com.ebasetech.ufs.validation.Node.execute(Node.java:261)
	at com.ebasetech.ufs.validation.ActionScript.execute(ActionScript.java:148)
	at com.ebasetech.ufs.validation.Event.execute(Event.java:474)
	at com.ebasetech.ufs.kernel.Page.runBeforePageEvent(Page.java:3221)
	at com.ebasetech.ufs.kernel.FormsProcessor.startPage(FormsProcessor.java:1569)
	at com.ebasetech.ufs.kernel.FormsProcessor.runForm(FormsProcessor.java:1146)
	at formservlets.FormClient.runForm(FormClient.java:827)
	at formservlets.FormClient.process(FormClient.java:571)
	at formservlets.FormClient.doGet(FormClient.java:287)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
	at formservlets.EbaseFilter.doFilter(EbaseFilter.java:209)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
	at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:200)
	at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:283)
	at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:773)
	at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:703)
	at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:895)
	at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
	at java.lang.Thread.run(Unknown Source)

I'm assuming memberOf returns a list of groups user is a member of but I'm not sure in what format and how EBase should handle this?

Cheers

Andy
0 x
Do not despise the snake for having no horns for who is to say it will not become a dragon

User avatar
Wai
Moderator
Moderator
Posts: 165
Joined: Wed Sep 12, 2007 9:04 am
Location: Sandy, UK
Contact:

#14

Postby Wai » Fri May 02, 2008 2:24 pm

The case in FPL is important.

Change $user_group to $USER_GROUP. At least the $USER_ part needs to match the case of the property name in the ldap_attributes.xml file.
0 x

User avatar
Andy McMaster
Ebase User
Posts: 33
Joined: Fri Feb 29, 2008 12:08 pm
Location: Newcastle upon Tyne
Contact:

#15

Postby Andy McMaster » Fri May 02, 2008 2:28 pm

Sorted. Thanks.
0 x
Do not despise the snake for having no horns for who is to say it will not become a dragon

Vircos
Ebase User
Posts: 97
Joined: Thu Sep 13, 2007 6:07 am
Location: The Netherlands

#16

Postby Vircos » Mon May 19, 2008 9:04 am

When I enable LDAP I get the following error.
I cannot figure out why. Any suggestions?


Never mind, got it working already.
0 x
What's the meaning of Justice...

Vircos
Ebase User
Posts: 97
Joined: Thu Sep 13, 2007 6:07 am
Location: The Netherlands

#17

Postby Vircos » Wed Oct 20, 2010 1:07 pm

I have noticed that Ebase is not able to retrieve all entries of the "memberOf" attribute, it only retrieves the last entry. Is it somehow possible to retrieve all entries?
0 x
What's the meaning of Justice...

User avatar
Wai
Moderator
Moderator
Posts: 165
Joined: Wed Sep 12, 2007 9:04 am
Location: Sandy, UK
Contact:

#18

Postby Wai » Wed Oct 20, 2010 1:45 pm

It should return all entries into a single string, for example, mine returns something like:

Memberof CN=TEST_CC Live,OU=Client Groups,OU=Security Groups,OU=Ebase Users and Groups

ETC.

Each member of group is separated by a comma.

Then I guess you can process the string in Ebase.
0 x

ehmd
Ebase User
Posts: 53
Joined: Thu Sep 13, 2007 9:02 am
Contact:

#19

Postby ehmd » Thu Oct 21, 2010 7:50 am

Using the memberOf attribute only returns the first entry in the list and always has done, as far back as I can remember.

The string that is returned is the full hierarchic name of the attribute.

There are other attributes within AD which can have multiple entries, so I would expect Ebase to return the whole list as a string.

Perhaps this is a bug?
0 x

Vircos
Ebase User
Posts: 97
Joined: Thu Sep 13, 2007 6:07 am
Location: The Netherlands

#20

Postby Vircos » Thu Oct 21, 2010 8:20 am

Code: Select all

CN=TEST_CC Live,OU=Client Groups,OU=Security Groups,OU=Ebase Users and Groups

This is a distinguished Name and a single entry of the memberOf attribute. It shows how the object is positioned within the Active Directory just like ehmd said.

Like this:

Code: Select all

Ebase Users
    |- Security Groups
           |- Client Groups
                   |- TEST_CC Live

It would be nice to get all memberOf entries.
0 x
What's the meaning of Justice...

Vircos
Ebase User
Posts: 97
Joined: Thu Sep 13, 2007 6:07 am
Location: The Netherlands

#21

Postby Vircos » Fri Oct 29, 2010 6:32 am

Vircos wrote:

Code: Select all

CN=TEST_CC Live,OU=Client Groups,OU=Security Groups,OU=Ebase Users and Groups

This is a distinguished Name and a single entry of the memberOf attribute. It shows how the object is positioned within the Active Directory just like ehmd said.

Like this:

Code: Select all

Ebase Users
    |- Security Groups
           |- Client Groups
                   |- TEST_CC Live

It would be nice to get all memberOf entries.

Please Ebase will you take a look at this?
I would really appreciate it.
0 x
What's the meaning of Justice...

User avatar
Wai
Moderator
Moderator
Posts: 165
Joined: Wed Sep 12, 2007 9:04 am
Location: Sandy, UK
Contact:

#22

Postby Wai » Fri Oct 29, 2010 4:07 pm

Hi Vircos,

One of my colleagues has recently been working on an LDAP plugin which will effectively allow you to retrieve all the values in the memberOf attribute back into an Ebase table. Each memberOf value will be a separate record in the database.

It is being packaged up with instructions, so we should be able to send you something sometime next week.

Kind regards,

Wai
0 x

ehmd
Ebase User
Posts: 53
Joined: Thu Sep 13, 2007 9:02 am
Contact:

#23

Postby ehmd » Mon Nov 01, 2010 8:20 am

Could I also have a copy of the LDAP plugin when it becomes available ?


Thanks,


Mark
0 x

Vircos
Ebase User
Posts: 97
Joined: Thu Sep 13, 2007 6:07 am
Location: The Netherlands

#24

Postby Vircos » Mon Nov 01, 2010 8:55 am

Wai wrote:Hi Vircos,

One of my colleagues has recently been working on an LDAP plugin which will effectively allow you to retrieve all the values in the memberOf attribute back into an Ebase table. Each memberOf value will be a separate record in the database.

It is being packaged up with instructions, so we should be able to send you something sometime next week.

Kind regards,

Wai

That's great news. This will make authorisations based on Active Directory much easier. Many thanks for this great effort.
0 x
What's the meaning of Justice...
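The memberOf discussion above, as an added example (it is not from any poster and is not the Ebase plugin): each memberOf value is one distinguished name, so an authorisation check should parse the DN and compare whole DNs rather than split the string on commas or search it for a group name. The function names and the second and third sample values are constructed for illustration.

```javascript
// Added example: handle memberOf values as distinguished names (RFC 4514).

// Split a DN into its RDN strings; a backslash escapes the next character,
// so "\," inside a group name does not end the RDN.
function splitDn(dn) {
  const parts = [];
  let cur = "";
  for (let i = 0; i < dn.length; i++) {
    const ch = dn[i];
    if (ch === "\\") {
      if (i + 1 >= dn.length) throw new Error("dangling escape in DN: " + dn);
      cur += ch + dn[++i];               // keep the escape pair for unescapeValue
    } else if (ch === ",") {
      parts.push(cur);
      cur = "";
    } else {
      cur += ch;
    }
  }
  parts.push(cur);
  return parts;
}

// Decode "\2C" style hex pairs (UTF-8 bytes) and "\," style character escapes.
function unescapeValue(v) {
  return v.replace(/((?:\\[0-9a-fA-F]{2})+)|\\([\s\S])/g, (m, hex, ch) =>
    hex ? decodeURIComponent(hex.replace(/\\/g, "%")) : ch);
}

// Parse into [{type, value}], most specific RDN first (multi-valued RDNs not handled).
function parseDn(dn) {
  return splitDn(dn).map((rdn) => {
    const eq = rdn.indexOf("=");
    if (eq < 1) throw new Error("malformed RDN: " + rdn);
    return { type: rdn.slice(0, eq).trim().toUpperCase(), value: unescapeValue(rdn.slice(eq + 1)) };
  });
}

// Canonical form for comparison: attribute types and values compared case-insensitively.
function canonicalDn(dn) {
  return JSON.stringify(parseDn(dn).map((r) => [r.type, r.value.toLowerCase()]));
}

// Exact check: is the wanted group DN one of the user's memberOf values?
function isMemberOf(memberOfValues, groupDn) {
  const wanted = canonicalDn(groupDn);
  return memberOfValues.some((dn) => canonicalDn(dn) === wanted);
}

// Display names: the CN of each group, in the order received.
function groupNames(memberOfValues) {
  return memberOfValues
    .map((dn) => parseDn(dn)[0])
    .filter((rdn) => rdn.type === "CN")
    .map((rdn) => rdn.value);
}

// The shortcut to avoid: substring search over the joined string.
function naiveHasGroup(memberOfValues, name) {
  return memberOfValues.join(",").toLowerCase().includes(name.toLowerCase());
}

const SUFFIX = "OU=Security Groups,OU=Ebase Users and Groups";
const SAMPLE_MEMBER_OF = [
  "CN=TEST_CC Live,OU=Client Groups," + SUFFIX,   // value quoted in the thread
  "CN=Finance\\, EU,OU=Client Groups," + SUFFIX,  // constructed: comma inside the name
  "CN=Helpdesk,OU=Form Admins," + SUFFIX,         // constructed: OU named like a group
];

console.log(groupNames(SAMPLE_MEMBER_OF));                             // three group names
console.log(naiveHasGroup(SAMPLE_MEMBER_OF, "Form Admins"));           // true (false positive)
console.log(isMemberOf(SAMPLE_MEMBER_OF, "CN=Form Admins," + SUFFIX)); // false
```

Active Directory does not list a user's primary group in memberOf and does not expand nested groups there, so an exact match on these values covers direct memberships only.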

Vircos
Ebase User
Posts: 97
Joined: Thu Sep 13, 2007 6:07 am
Location: The Netherlands

#25

Postby Vircos » Tue Nov 23, 2010 2:34 pm

Wai wrote:Hi Vircos,

One of my colleagues has recently been working on an LDAP plugin which will effectively allow you to retrieve all the values in the memberOf attribute back into an Ebase table. Each memberOf value will be a separate record in the database.

It is being packaged up with instructions, so we should be able to send you something sometime next week.

Kind regards,

Wai

Hi Wai,

Do you have any news regarding your post?
0 x
What's the meaning of Justice...

User avatar
Wai
Moderator
Moderator
Posts: 165
Joined: Wed Sep 12, 2007 9:04 am
Location: Sandy, UK
Contact:

#26

Postby Wai » Tue Nov 23, 2010 4:38 pm

Hi Vircos,

Just spoken with my manager Ian and the code is done but we just need to write up some instructions.

Regards,
0 x

Vircos
Ebase User
Posts: 97
Joined: Thu Sep 13, 2007 6:07 am
Location: The Netherlands

#27

Postby Vircos » Mon Dec 06, 2010 2:39 pm

Wai wrote:Hi Vircos,

Just spoken with my manager Ian and the code is done but we just need to write up some instructions.

Regards,

Haha, that's good news. Well I guess we have to wait a little bit longer :P
0 x
What's the meaning of Justice...

Vircos
Ebase User
Posts: 97
Joined: Thu Sep 13, 2007 6:07 am
Location: The Netherlands

#28

Postby Vircos » Thu Jan 06, 2011 3:08 pm

Any news? :roll:
0 x
What's the meaning of Justice...

andyhinds
Forum Admin
Forum Admin
Posts: 55
Joined: Thu Oct 15, 2009 9:18 am

NTLM authentication issue with Upload function

#29

Postby andyhinds » Tue Jan 25, 2011 10:40 am

The upload function may fail after you have configured NTLM authentication.

It could be resolved with this code:

Adding the following filter-mapping resolves the issue:

***
<filter-mapping>
    <filter-name>NtlmHttpFilter</filter-name>
    <url-pattern>/Uploader</url-pattern>
</filter-mapping>
***

See log 333613 for more detail.
0 x

