GWME-7.1.1-11 - Foundation update with Advanced LDAP

This patch also rolls up the changes from the following patches, which alter war and jar files that this patch touches. Those patches are therefore no longer required and must not be applied once this patch has been deployed:
* [GWME-7.1.1-1 - LDAP Caching|GWME-7.1.1-1 - LDAP Patch]
* [GWME-7.1.1-8 - Status Viewer auto-refresh|GWME-7.1.1-8 - Status Viewer auto-refresh]

h1. Solution
h2. Configuration

Applying this upgrade on a system that uses the default authentication requires no further configuration.

For LDAP support, "josso-gateway-config.xml" must reference "josso-gateway-ldap-stores.xml" rather than "josso-gateway-gatein-stores.xml".

Applying this upgrade on a system previously configured with the JOSSO LDAP store results in continued operation using the legacy credentials in the "josso-gateway-ldap-stores.xml" file.

To take advantage of the new facilities, add the LDAP configuration to "foundation.properties". If LDAP configuration is found in this file, the settings in "josso-gateway-ldap-stores.xml" are ignored.

Details for updating these files are below.

* If NO domains are configured in foundation.properties, the JOSSO configuration is loaded into the LDAP Aggregator as the default domain.

Each specified endpoint is searched separately; the credentials and OU/CN directory in one endpoint have no bearing on the others.

h4. Enabling domain prefixes in usernames

Whether a domain prefix is required in the user name is controlled by a parameter in foundation.properties. Its default is false, meaning no domain is required.
{noformat:title=/usr/local/groundwork/config/foundation.properties - line 294}

h4. Domain property naming considerations

Note that the domain names in the endpoint definitions have *no relationship to the actual DN domain*. The names these endpoints are known by cannot contain the '.' character; valid names might be 'Demo' or 'Windows2012'. They generally look like Windows NetBIOS domain names and are used as prefixes on the principal name during login. If the actual DN domain name is a simple string you may reuse it as the endpoint name, but observe the no-'.' rule.


h4. Available LDAP configuration properties

Normally, only these property names need to be specified for each domain endpoint:
* server_type
* users_ctx_dn
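The following is an added example, not GroundWork's own code, that models the behaviour described in the preceding sections: per-domain endpoints loaded from foundation.properties, the JOSSO store acting as the default domain when no domains are configured, the no-'.' rule for endpoint names, and the optional domain prefix on the login name. The property key layout `ldap.<domain>.<property>`, the flag name `ldap.domain_required`, the `DOMAIN\user` login syntax, and all sample values are assumptions for illustration; the real key names are the ones documented for your release.

```python
"""Toy model of the LDAP Aggregator configuration rules described on the page.

Added example, not GroundWork code. Assumed (not from the page): the key layout
'ldap.<domain>.<property>', the flag 'ldap.domain_required', the 'DOMAIN\\user'
login syntax, and every sample value below.
"""
import re

# Properties the page says are normally needed for each domain endpoint.
REQUIRED_PROPS = ("server_type", "users_ctx_dn")

# Assumed key layout: ldap.<domain>.<property>. The greedy domain group keeps a
# '.' inside the domain part so that the name check below can reject it.
KEY_RE = re.compile(r"^ldap\.(?P<domain>.+)\.(?P<prop>[A-Za-z_]+)$")

# Endpoint names look like NetBIOS names: no '.', no whitespace, no separators.
DOMAIN_NAME_RE = re.compile(r"^[^.\s\\/]+$")

# Constructed sample, not a real foundation.properties.
SAMPLE_PROPERTIES = """
# two endpoints, domain prefix optional (the default)
ldap.domain_required=false
ldap.Demo.server_type=openldap
ldap.Demo.users_ctx_dn=ou=People,dc=demo,dc=example,dc=com
ldap.Windows2012.server_type=activedirectory
ldap.Windows2012.users_ctx_dn=cn=Users,dc=corp,dc=local
"""

# Constructed stand-in for what josso-gateway-ldap-stores.xml would supply.
JOSSO_FALLBACK = {
    "server_type": "openldap",
    "users_ctx_dn": "ou=People,dc=josso,dc=example",
}


def parse_properties(text):
    """Parse Java-style key=value lines; blank lines and comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def domain_required(props):
    """Assumed flag name; default false, i.e. no domain prefix required."""
    return props.get("ldap.domain_required", "false").lower() == "true"


def load_domains(props, josso_fallback):
    """Return {endpoint_name: {prop: value}}.

    With no domains configured, the JOSSO store becomes the single default
    domain. Endpoint names containing '.' and endpoints missing a required
    property are rejected rather than silently ignored.
    """
    domains = {}
    for key, value in props.items():
        m = KEY_RE.match(key)
        if m:
            domains.setdefault(m["domain"], {})[m["prop"]] = value
    if not domains:
        return {"default": dict(josso_fallback)}
    for name, cfg in domains.items():
        if not DOMAIN_NAME_RE.match(name):
            raise ValueError(f"invalid endpoint name {name!r}: '.' not allowed")
        missing = [p for p in REQUIRED_PROPS if p not in cfg]
        if missing:
            raise ValueError(f"endpoint {name!r} is missing {missing}")
    return domains


def resolve_login(username, domains, require_domain):
    """Return the list of (endpoint, config, bare_user) tuples to search.

    A 'DOMAIN\\user' prefix (assumed syntax) selects exactly one endpoint. With
    no prefix and the flag off, every endpoint is a candidate and each is
    searched separately; with the flag on, a missing prefix is an error.
    """
    if "\\" in username:
        domain, _, user = username.partition("\\")
        if domain not in domains:
            raise LookupError(f"unknown domain prefix {domain!r}")
        return [(domain, domains[domain], user)]
    if require_domain:
        raise ValueError("a domain prefix is required but none was supplied")
    return [(name, cfg, username) for name, cfg in domains.items()]
```

Run it by loading `SAMPLE_PROPERTIES` through `parse_properties` and `load_domains`, then calling `resolve_login` with and without a prefix; removing both `ldap.<domain>.*` groups from the sample shows the JOSSO fallback being promoted to the default domain.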

h4. Security credential encryption

The security credential is still required as an encrypted string. Use the following command lines to generate the string, substituting the actual password for the example PASSWORD:
{noformat}

h4. LDAPS connections

When connecting to an LDAP provider that is protected by SSL or TLS, two changes are needed:
# Install the certificates from the CA into the certificate store: