Live Forms v6.3 is no longer supported. Click here for information about upgrading to our latest GA Release.

Configuring the LDAP Container Security Manager

Owned by Former user (Deleted)
Last updated: May 18, 2016 by Former user (Deleted)
3 min read

Sometimes, is deployed to an existing servlet container that is already handling user authentications through, for instance, LDAP. Here the authentication is the responsibility of the container, but is still responsible for the runtime authorization and the design time querying of user metadata. The LDAP Container Security Manager reuses the existing LDAP connector but relies on the container for user authentications.

 

 

On this page:

Active Directory Requirements

  • There must be a frevvo.User group in Active Directory
  • All the users in your LDAP-CSM tenant must be members of this group
  • The tenant admin must have the roles of frevvo.TenantAdmin, frevvo.Designer and frevvo.User. 

Configuration Steps

  1. Stop  if it is running.

  2. Modify the <frevvo-home>\tomcat\conf\server.xml file. Here is an example of the changes needed when using tomcat.

    1. Edit this file with a text editor.

    2. Search for 'ldap://localhost:389 - you should find this in the org.apache.catalina.realm.JNDIRealm section of the file. 

    3. Notice lines 98 - 107 are commented out.

    4. Uncomment this section. Replace the existing code with the code shown below: 

    5. Replace the connectionURL, connectionName and the connectionPassword default values with your LDAP server information. 

    6. Refer to this website for detailed information about the remaining parameters.

	<Realm className="org.apache.catalina.realm.JNDIRealm"
		connectionURL="ldap://test.windows.frevvo.com:389" connectionName="TEST\Administrator"
		connectionPassword="FrevvoTest00" adCompat="true" referrals="follow"
		
		userBase="CN=Users,DC=test,DC=windows,DC=frevvo,DC=com" userSearch="(&amp;(objectClass=user)(sAMAccountName={0}))"
		userSubtree="true" userRoleName="memberOf"
		
		roleBase="CN=Users,DC=test,DC=windows,DC=frevvo,DC=com" roleSubtree="true"
	    roleName="cn" roleSearch="(&amp;(objectClass=group)(member={0}))" /> 
     
      3. Start .

      5. Create a tenant with the LDAP Container Security Manager class.

     6.  Stop .

     7.  The <frevvo-home>\tomcat\webapps\frevvo.war file must be secure. This is done by enabling the <security-contraint/> found in the web.xml file included in the frevvo.war. 

 Follow these steps to secure web.xml: 

 a. Unzip  <frevvo-home>\tomcat\webapps\frevvo.war to a temporary directory on your desk top. 

 b. Edit frevvo.war!WEB-INF/web.xml and uncomment the BASIC <security-constraint/> fragment. 

 c. Re-zip frevvo.war

Here is the sample <security-contraint/> found in web.xml:

<!--  
		Security constraint BASIC AUTH
-->	
	<security-constraint>
		<web-resource-collection>
			<web-resource-name>Secure frevvo</web-resource-name>
			<url-pattern>/*</url-pattern>
		</web-resource-collection>
		<auth-constraint>
	 		<role-name>frevvo.User</role-name>
		</auth-constraint>
	</security-constraint>
	<security-constraint>
		<web-resource-collection>
			<web-resource-name>Public Access</web-resource-name>
			<url-pattern>/heartbeat/*</url-pattern>
			<url-pattern>/web/public/*</url-pattern>
			<url-pattern>/js/*</url-pattern>
			<url-pattern>/css/*</url-pattern>
			<url-pattern>/images/*</url-pattern>
			<url-pattern>/fonts/*</url-pattern>
		</web-resource-collection>
	</security-constraint>
	<login-config>
		<auth-method>BASIC</auth-method>
	</login-config>
	<security-role>
 		<role-name>frevvo.User</role-name>
    </security-role>

     8. Start .  

Check if the configuration is correct

Here are some quick tests to check if the LDAP Container Security Manager tenant configuration is correct:

  1. Browse 'http://<IP>:<PORT>/frevvo/web/tn/<tenant id>/login'. Substitute the ip address/port of the  server and the name of your LDAPCSM tenant for the tenant id. The browser authentication light-box displays.



  2. Login as the tenant admin for the LDAP-CSM tenant. This admin must have the frevvo.User role in addition to the frevvo.tenantadmin and frevvo.designer roles.
  3. Click Manage Roles. You should see a list of groups.



  4. Click the Back to Manage Tenant link.
  5. Click Manage Users. 
  6. Click All. You should see a list of LDAP users. 



  7. Now, click Back To Manage Tenant
  8. Log out from .
  9. Try to login with the user name and password of a user in the LDAP-CSM tenant. You do NOT need to specify the LDAP-CSM tenant when logging in. For instance, if nancy is a valid LDAP user you should log in as nancy. The password would be nancy's password in LDAP. User nancy's home page will display.



Since you are using LDAP to define users and roles (i.e., groups), you do not see an Add User icon or Add Role icon on the Manage Users or Manage Roles pages.

Troubleshooting

If the tenant admin user does not exist or it does not have the required roles, this error will display with the name of the tenant you are trying to add:



This error message can be seen in the <frevvo-home>\tomcat\logs\frevvo.log file if the LDAP-CSM tenant cannot be created.  

Application error processing /frevvo/web/tn?edit=true javax.servlet.ServletException: javax.servlet.ServletException: Tenant admin user 111 does not exist! 
or
Tenant admin user lll must have roles: [frevvo.TenantAdmin,frevvo.Designer] if the tenant admin exists but does not have the correct roles.