In the application.properties file, these properties are expected for an LDAP authentication provider:

application.properties:

```properties
# Connection
blueriq.security.auth-providers.ldap01.type=ldap
blueriq.security.auth-providers.ldap01.connectionUrl=ldap://something.company.nl
blueriq.security.auth-providers.ldap01.userDn=cn=admin,ou=sysadmin,dc=mycompany,dc=com
blueriq.security.auth-providers.ldap01.password=<encrypted_password>
blueriq.security.auth-providers.ldap01.useTls=true

# Connection protection (if 'useTls' is true)
blueriq.security.auth-providers.ldap01.tls.trustStoreUrl=file:///D:/location/to/your/certificates.jks
blueriq.security.auth-providers.ldap01.tls.trustStorePassword=changeit
blueriq.security.auth-providers.ldap01.tls.trustStoreType=jks

# Search
blueriq.security.auth-providers.ldap01.referralStrategy=follow
blueriq.security.auth-providers.ldap01.searchSubtree=true
# Search user
blueriq.security.auth-providers.ldap01.userSearchBaseDn=OU=users,DC=mycompany,DC=com
blueriq.security.auth-providers.ldap01.userSearchAttribute=sAMAccountName
# Search group
blueriq.security.auth-providers.ldap01.groupSearchBaseDn=OU=groups,DC=mycompany,DC=com
blueriq.security.auth-providers.ldap01.groupSearchFilterAttribute=cn
blueriq.security.auth-providers.ldap01.groupSearchFilterPattern=BQ_*, EVE_*,PRO - *,PRO -*
# Role mapping
blueriq.security.auth-providers.ldap01.role-mapping.ldapGroup1=BlueriqRole1,BlueriqRole2
blueriq.security.auth-providers.ldap01.role-mapping.ldapGroup\ with\ spaces=BlueriqRole with spaces,BlueriqRoleC
```

The following fields are not required:

  • trustStoreUrl, trustStorePassword and trustStoreType (unless useTls is set to true)
  • groupSearchFilterPattern (unless groupSearchFilterAttribute is set)
  • groupSearchFilterAttribute (unless groupSearchFilterPattern is set)

Setting TLS (Transport Layer Security)

useTls can be set to true; when it is, trustStoreUrl, trustStorePassword and trustStoreType need to be filled in.

  • trustStoreUrl: The location of the keystore in which certificates are looked up when setting up the TLS connection to the LDAP server
  • trustStorePassword: The password set for the keystore; by default this is 'changeit'
  • trustStoreType: The type of keystore used, such as 'jks' or 'pkcs12'

Make sure the keystore contains the certificates (certificate chain) needed to connect to the LDAP server.

Role mapping

The groups that are retrieved from LDAP for a user need to be explicitly mapped to roles in Blueriq. The old behavior, in which all groups were mapped directly to roles, could lead to unwanted access for users that have groups in LDAP whose names happen to match Blueriq roles. To prevent this, and also for the case where it does need to work this way, the role mapping needs to be defined explicitly. When no role mapping is defined, no roles are mapped to the user, so when a flow requires a certain role, the user will not be able to access it.

The role mapping is defined by specifying the LDAP group and mapping it to a Blueriq role, separated with a comma if there are multiple, as shown in the property file above. Note that spaces in groups need to be escaped with a backslash (\). Roles can contain spaces.
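The following is an added example, not Blueriq's own code, that covers two parts of this page: the conditional requirements listed above (the tls.* fields when useTls is true, and groupSearchFilterAttribute/groupSearchFilterPattern being set together) and the explicit role mapping described in this section. It reads a provider section with a minimal java.util.Properties-style parser (a simplification written for this example; how Blueriq itself loads the file is not claimed here), reports which conditionally required fields are missing, and resolves a user's LDAP groups to Blueriq roles so that only explicitly mapped groups grant anything. The property text is constructed for the example and mirrors the file above.

```python
"""Check a Blueriq-style LDAP provider section and resolve LDAP groups to roles.

Added example; not Blueriq's own code. The sample properties are constructed."""

PREFIX = "blueriq.security.auth-providers.ldap01."

# Constructed sample mirroring the page's application.properties (no real hosts or DNs).
SAMPLE_PROPERTIES = r"""
# Connection
blueriq.security.auth-providers.ldap01.type=ldap
blueriq.security.auth-providers.ldap01.connectionUrl=ldap://something.company.nl
blueriq.security.auth-providers.ldap01.useTls=true
blueriq.security.auth-providers.ldap01.tls.trustStoreUrl=file:///D:/location/to/your/certificates.jks
blueriq.security.auth-providers.ldap01.tls.trustStorePassword=changeit
blueriq.security.auth-providers.ldap01.tls.trustStoreType=jks
blueriq.security.auth-providers.ldap01.groupSearchFilterAttribute=cn
blueriq.security.auth-providers.ldap01.groupSearchFilterPattern=BQ_*, EVE_*,PRO - *,PRO -*
# Role mapping
blueriq.security.auth-providers.ldap01.role-mapping.ldapGroup1=BlueriqRole1,BlueriqRole2
blueriq.security.auth-providers.ldap01.role-mapping.ldapGroup\ with\ spaces=BlueriqRole with spaces,BlueriqRoleC
"""


def parse_properties(text):
    """Minimal java.util.Properties reader (assumption: enough for this file).

    '#'/'!' lines are comments; a key ends at the first unescaped '=', ':' or
    whitespace; '\ ' inside a key is an escaped space, which is how the group
    name 'ldapGroup with spaces' survives as one key. Values are taken literally."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, i = [], 0
        while i < len(line):
            ch = line[i]
            if ch == "\\" and i + 1 < len(line):  # escaped character: keep it literally
                key.append(line[i + 1])
                i += 2
                continue
            if ch in "=: \t":
                break
            key.append(ch)
            i += 1
        rest = line[i:].lstrip()
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip()
        props["".join(key)] = rest
    return props


def missing_required(props):
    """Fields the page marks as conditionally required that are absent or empty."""
    def field(name):
        return props.get(PREFIX + name, "").strip()

    missing = []
    if field("useTls").lower() == "true":
        for name in ("tls.trustStoreUrl", "tls.trustStorePassword", "tls.trustStoreType"):
            if not field(name):
                missing.append(name)
    # the two group-filter fields are only optional when neither is set
    if field("groupSearchFilterAttribute") and not field("groupSearchFilterPattern"):
        missing.append("groupSearchFilterPattern")
    if field("groupSearchFilterPattern") and not field("groupSearchFilterAttribute"):
        missing.append("groupSearchFilterAttribute")
    return missing


def role_mapping(props):
    """{ldap group name: [Blueriq roles]} from the role-mapping.* keys."""
    head = PREFIX + "role-mapping."
    mapping = {}
    for key, value in props.items():
        if key.startswith(head):
            mapping[key[len(head):]] = [r.strip() for r in value.split(",") if r.strip()]
    return mapping


def resolve_roles(props, ldap_groups):
    """Roles granted to a user: only explicitly mapped groups contribute.

    A group that merely shares its name with a Blueriq role grants nothing,
    which is the behaviour change the page describes."""
    mapping = role_mapping(props)
    roles = []
    for group in ldap_groups:
        for role in mapping.get(group, []):
            if role not in roles:
                roles.append(role)
    return roles


if __name__ == "__main__":
    cfg = parse_properties(SAMPLE_PROPERTIES)
    print("missing:", missing_required(cfg))
    print("roles for ['ldapGroup1', 'BlueriqRoleC']:",
          resolve_roles(cfg, ["ldapGroup1", "BlueriqRoleC"]))
```

Running the script on the constructed sample reports no missing fields and shows that the user's membership of a group literally named BlueriqRoleC grants nothing, while ldapGroup1 yields BlueriqRole1 and BlueriqRole2; dropping tls.trustStorePassword from the sample while useTls stays true makes missing_required flag it.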

Tooling tips

  • Please refer to Property encryption when encrypting the LDAP password
  • Use ADExplorer (Active Directory Explorer) to perform LDAP operations on an Active Directory server
  • Use KeyStore Explorer to see all the certificates in a keystore, or to create your own keystore and fill it with certificates (instead of via command line tools like 'keytool')