LDAP Authentication

LDAP

For stronger security and easier management, consider using another authentication and authorisation mechanism such as your organisation's Lightweight Directory Access Protocol (LDAP) service, e.g. Microsoft Active Directory. This ensures that usernames and passwords are not stored on the application server but are managed, as normal, by your IT department.

Authenticate using LDAP

The default configuration, which stores passwords as plain text, is not recommended for production use. To configure 1Integrate to use your organisation's LDAP service, perform the following configuration:

Configure an LDAP service

  1. Find the settings.properties file, located at [1Integrate_Directory]\SETTINGS\.

  2. Add the following entries and fill them in with your LDAP values. In settings.properties a leading # marks a line as a comment, so each entry must be present without the # for it to take effect:

     ldap.authentication.enabled=true
     ldap.host=
     ldap.principal=
     ldap.credential=
     ldap.username.attribute=
     ldap.user.base.dn=
     ldap.group.attribute=
     ldap.group.base.dn=

Parameter                  Expected Value
ldap.host                  The hostname for the LDAP server.
ldap.principal             The principal (username) used for authentication with the LDAP server.
ldap.credential            The credential (password) used for authentication with the LDAP server.
ldap.username.attribute    The LDAP attribute to be used for 1Integrate login names, e.g. sAMAccountName.
ldap.user.base.dn          The LDAP search root for users.
ldap.group.attribute       The group name attribute to be used from your LDAP server, e.g. sAMAccountName.
ldap.group.base.dn         The LDAP search root for groups.

Change default LDAP settings

Depending on your particular LDAP implementation, you may need to change some of the default LDAP settings. They appear commented out in settings.properties with the default values shown:

#ldap.protocol=ldap
#ldap.port=389
#ldap.referral.mode=IGNORE
#ldap.direct.verification=true
#ldap.recursive.search=true
#ldap.group.member.attribute=member
#ldap.authentication.level=simple

To do this:

  1. Find the settings.properties file, located at [1Integrate_Directory]\SETTINGS\.

  2. Enter the settings that need changing for your Active Directory or other LDAP directory, removing the leading # from each line you change.

Parameter                    Expected Value
ldap.protocol                The protocol the connection will use (ldap or ldaps).
ldap.port                    The port number for your LDAP server.
ldap.referral.mode           Set to FOLLOW if you have multiple LDAP servers that refer to each other.
ldap.direct.verification     Set to FALSE if 1Integrate should query the user's password out of the LDAP server and verify the user's credential itself.
      Note: For most installations direct verification will be sufficient.
ldap.recursive.search        Recursive search also searches through nested groups. If this is unnecessary for your environment, setting it to false may improve performance.
ldap.group.member.attribute  The attribute on the group object that contains the members of that group.
ldap.authentication.level    Set to none if you want to bind to the LDAP server anonymously.
      Note: For security we recommend that all connections are authenticated.

Mapping LDAP groups to 1Integrate roles

Once you have completed your LDAP configuration, any users assigned to LDAP groups named the same as 1Integrate permissions (e.g. 1int-repository) will be authenticated and authorised by your LDAP system.

Authorisation

It is also possible to configure authentication so that usernames and passwords are managed by LDAP while authorisation (the permissions assigned to specific LDAP groups) is managed within the configuration files. This removes the need for the LDAP service to know anything about 1Integrate-specific permissions.

     Note: In order to authenticate in LDAP and authorise in 1Integrate, the roles.properties file must be populated with the groups that match those from the LDAP directory, together with the associated permission(s), e.g. LDAPGroup = 1int-repository.

     Note: You can only map LDAP groups to roles if using this method.

Example of a roles.properties file that maps LDAP groups to the relevant roles:

# LDAP group name = comma-separated 1Integrate roles granted to that group
# A space in a group name is escaped with a backslash, as in the first entry
ADMIN\ USERS=1int-admin
ENGINEERS=1int-user,1int-grid-write
WORKERS=1int-user
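The following is an added example, not part of 1Integrate or its documentation, that reads the two files described above (the LDAP settings and the roles.properties group-to-role mapping) and flags the weak settings the notes warn about (anonymous bind, plain ldap, direct verification turned off, an authenticated bind with no principal or credential). The hostname, DN values and group names are constructed sample data, and the minimal properties reader here handles only the key=value and backslash-escaped-space forms shown on this page.

```python
# Constructed sample settings.properties fragment with two weak choices
SETTINGS_TEXT = """\
ldap.authentication.enabled=true
ldap.host=ldap.example.internal
ldap.protocol=ldap
ldap.authentication.level=none
ldap.direct.verification=true
ldap.principal=
ldap.credential=
"""

# Constructed sample roles.properties in the format shown above
ROLES_TEXT = """\
ADMIN\\ USERS=1int-admin
ENGINEERS=1int-user,1int-grid-write
WORKERS=1int-user
"""


def parse_properties(text):
    """Minimal .properties reader: skip blank and comment lines, split on the
    first '=', and unescape a backslash-escaped space in the key."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # '#ldap.port=389' is commented out, so it sets nothing
        key, _, value = line.partition("=")
        props[key.strip().replace("\\ ", " ")] = value.strip()
    return props


def audit_ldap_settings(props):
    """Findings a reviewer would raise, using the page's defaults for unset keys."""
    findings = []
    if props.get("ldap.authentication.enabled") != "true":
        return ["LDAP authentication is not enabled; local plain-text passwords remain in use"]
    level = props.get("ldap.authentication.level", "simple")
    if level == "none":
        findings.append("ldap.authentication.level=none binds anonymously; use an authenticated bind")
    elif not (props.get("ldap.principal") and props.get("ldap.credential")):
        findings.append("authenticated bind requested but ldap.principal/ldap.credential are empty")
    if props.get("ldap.protocol", "ldap") != "ldaps":
        findings.append("ldap.protocol=ldap sends the bind credential unencrypted; use ldaps")
    if props.get("ldap.direct.verification", "true").lower() == "false":
        findings.append("ldap.direct.verification=false reads password data out of the directory")
    return findings


def group_roles(roles_props):
    """Map each LDAP group to the set of 1Integrate roles it grants."""
    return {g: set(filter(None, r.split(","))) for g, r in roles_props.items()}
```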