User management via LDAP/S
LUY matches its own roles with the user groups sent by LDAP. For example: User Alice has the groups "Admin" and "Employee" assigned in the company's user directory. In LUY the roles of "Admin" and "Architect" are already present. When Alice logs into LUY, the group "Admin" gets matched to the LUY role "Admin" because they have the same name. The group "Employee" as well as the LUY role "Architect" are ignored since there is no match for them. Alice then gets the permissions of LUY role "Admin" assigned.
Use the LUY installer to choose LDAP authentication in the installation process.
After you have deployed the final WAR file in Tomcat, you can find luy-auth.properties in the $TOMCAT_HOME/webapps/<LUY>/WEB-INF/classes folder.
Set the luy_Supervisor role
Initially no user has any permissions, so at least one of your LDAP groups first needs to be linked to a LUY role.
To grant the luy_Supervisor role to e.g. “Alice” the following steps are necessary:
Choose one LDAP group that Alice is a member of. In this example, the group is called Generic_Admin.
Create the role Generic_Admin by executing the following SQL statements in LUY's database:
insert into ROLE (ID, VERSION, NAME, LAST_MOD_USER, LAST_MOD_TIME) values (
(select next_val from hibernate_sequences where sequence_name like 'role'),
1,
'Generic_Admin',
'SQL',
CURRENT_TIMESTAMP);
update hibernate_sequences set next_val=next_val+1 where sequence_name like 'role';
Run the following SQL statement in LUY's database to link the role Generic_Admin to the luy_Supervisor role:
insert into ROLE_ROLE (ID_SUPER, ID_SUB) values (
(select ID from ROLE where NAME like 'Generic_Admin'),
(select ID from ROLE where NAME like 'luy_Supervisor'));
Alice should now be able to log into LUY and have supervisor permissions.
Now Alice can create and manage the other roles you need.
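The matching rule described at the top of this page (an LDAP group grants a LUY role only when the names are identical) and the ROLE_ROLE link from the steps above can be modelled in a few lines. This is an added illustration, not LUY code; it assumes an exact, case-sensitive name comparison and that a member of the ID_SUPER role inherits the ID_SUB role transitively. All role ids and names are constructed for the example.

```python
# Added example (not LUY code): LDAP group -> LUY role matching by identical name,
# then expansion through ROLE_ROLE (ID_SUPER, ID_SUB) links such as
# Generic_Admin -> luy_Supervisor created by the SQL above.
# Assumptions: exact case-sensitive match; super role inherits sub role transitively.
from collections import deque

# Constructed ROLE rows (ID -> NAME) and ROLE_ROLE rows (ID_SUPER, ID_SUB).
LUY_ROLES = {1: "Admin", 2: "Architect", 3: "luy_Supervisor", 4: "Generic_Admin"}
ROLE_ROLE = [(4, 3)]  # Generic_Admin (super) is linked to luy_Supervisor (sub)


def match_groups(ldap_groups, luy_roles):
    """Return ids of LUY roles whose NAME equals an LDAP group name.
    Groups without a matching role and roles without a matching group are ignored."""
    by_name = {name: rid for rid, name in luy_roles.items()}
    return {by_name[g] for g in ldap_groups if g in by_name}


def effective_roles(ldap_groups, luy_roles=LUY_ROLES, role_role=ROLE_ROLE):
    """Directly matched roles plus every role reachable via ROLE_ROLE links.
    Uses a visited set so a cyclic link in ROLE_ROLE cannot loop forever."""
    subs = {}
    for sup, sub in role_role:
        subs.setdefault(sup, set()).add(sub)
    seen = set()
    queue = deque(match_groups(ldap_groups, luy_roles))
    while queue:
        rid = queue.popleft()
        if rid in seen:
            continue
        seen.add(rid)
        queue.extend(subs.get(rid, ()))
    return sorted(luy_roles[r] for r in seen)


if __name__ == "__main__":
    # Alice from the introduction: "Employee" has no counterpart and is dropped.
    print(effective_roles(["Admin", "Employee"]))          # ['Admin']
    # Alice after the Generic_Admin link: supervisor permissions are inherited.
    print(effective_roles(["Generic_Admin", "Employee"]))  # ['Generic_Admin', 'luy_Supervisor']
```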
Configure LDAPS
Some LDAP servers offer secured communication over SSL. To activate LDAP over SSL, specify your server with an ldaps:// URL and import the CA certificate that is required to verify the LDAP server certificate.
Obtain the certificate of the CA that issued the SSL certificate of the LDAP server, preferably as a PEM file. Import it into the Java truststore (cacerts) with keytool. Check and adjust the path and name of the certificate file if necessary.
CMD (JDK installed):
"%JAVA_HOME%\bin\keytool" -importcert -file ca.crt -keystore "%JAVA_HOME%\lib\security\cacerts" -storepass changeit -alias LdapCA
CMD (only a JRE installed):
"%JRE_HOME%\bin\keytool" -importcert -file ca.crt -keystore "%JRE_HOME%\lib\security\cacerts" -storepass changeit -alias LdapCA
Linux Terminal:
keytool -importcert -file ca.crt -keystore "$JRE_HOME/lib/security/cacerts" -storepass changeit -alias LdapCA
Loglevel
If the login does not work, a higher log level is very useful for diagnosis. Add the following four lines to the file $TOMCAT_HOME\webapps\luy-ldap\WEB-INF\classes\log4j2.xml, within the section "Spring logging" in that file:
<Logger name="org.springframework.security.ldap" level="debug"/>
<Logger name="org.springframework.security.ui.webapp" level="debug"/>
<Logger name="org.springframework.security.web.authentication" level="debug"/>
<Logger name="org.springframework.ldap" level="debug"/>
At the beginning of this file you can also see which file LUY logs to. Additionally, $TOMCAT_HOME\logs\catalina-YYYY-MM-DD.log and $TOMCAT_HOME\logs\localhost-YYYY-MM-DD.log can be useful for diagnosis.
If you have increased the log level, be sure to reduce it again by removing the relevant lines!