Versions Compared

Old Version 16

changes.mady.by.user Geert Graat

Saved on

compared with

New Version Current

changes.mady.by.user Tijmen Daatselaar

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

In the application.properties file, these properties are expected for an LDAP authentication provider:

Code Block
languagetext
titleapplication.properties
# Connection
blueriq.security.auth-providers.ldap01.type=ldap
blueriq.security.auth-providers.ldap01.connectionUrl=ldap://something.company.nl
blueriq.security.auth-providers.ldap01.userDn=cn=admin,ou=sysadmin,dc=mycompany,dc=com
blueriq.security.auth-providers.ldap01.password=<encryptedvalue_password>
blueriq.security.auth-providers.ldap01.useTls=true

# Connection protection (if 'useTls' is true)
blueriq.security.auth-providers.ldap01.tls.trustStoreUrl=file:///D:/location/to/your/certifactions.jks
blueriq.security.auth-providers.ldap01.tls.trustStorePassword=changeit
blueriq.security.auth-providers.ldap01.tls.trustStoreType=jks

# Search 
blueriq.security.auth-providers.ldap01.referralStrategy=follow
blueriq.security.auth-providers.ldap01.searchSubtree=true
# Search user
blueriq.security.auth-providers.ldap01.userSearchBaseDn=OU=users,DC=mycompany,DC=com
blueriq.security.auth-providers.ldap01.userSearchAttribute=sAMAccountName
# Search group
blueriq.security.auth-providers.ldap01.groupSearchBaseDn=OU=groups,DC=mycompany,DC=com
blueriq.security.auth-providers.ldap01.groupSearchFilterAttribute=cn
blueriq.security.auth-providers.ldap01.groupSearchFilterPattern=BQ_*, EVE_*,PRO - *,PRO -*
# role mapping
blueriq.security.auth-providers.ldap01.role-mapping.ldapGroup1=BlueriqRole1,BlueriqRole2
blueriq.security.auth-providers.ldap01.role-mapping.ldapGroup2=BlueriqRole3,BlueriqRole4ldapGroup\ with\ spaces=BlueriqRole with spaces,BlueriqRoleC

The following fields are not required:

...

Make sure the keystore contains the certificates (certificate chain) needed to connect to the LDAP server.

Role mapping

From Blueriq release 11.3 and onward, the The groups that are retrieved from the LDAP for a user need to be explicitly mapped to roles in Blueriq. The old behavior, in which all groups were mapped directly to roles, may lead to unwanted access for users that have certain groups  in LDAP that match Blueriq roles. To prevent this from happening, but also in the case that it does need to work this way, the role mapping needs to be defined explicitly. When no role mapping is defined, no roles will be mapped to the user, so when a flow requires a certain role, the user will not be able to access it.

The role mapping is defined by specifying the LDAP group and mapping it to a Blueriq role, separated with a comma if there are multiple, as shown in the property file above. Note that spaces in groups need to be escaped with a backslash (\). Roles can contain spaces.

Tooling tips

  • Please refer to Encrypting passwords with the BlueriqEncryptorProperty encryption when encrypting the LDAP password
  • Use ADExplorer (Active Directory Explorer) to perform LDAP operations on an Active Directory server
  • Use Keystore Explorer to see all the certificates in a keystore or to create your own keystore and fill it with certificates (instead of via command line tools like 'keytool') 

...