Configuring LDAP With the LDAP Wizard
The LDAP Wizard lets you configure LDAP authentication for Redwood Server with little effort. The wizard connects to the LDAP server and, based on your input, generates the user and group search expressions. You access it from the Authentication Configuration step in the scheduler-admin web application by choosing New LDAP Profile followed by Guided Configuration.
tip
If you use Active Directory, set the LDAP server URL to the name of your Windows AD domain. For example, at Example our Active Directory domain is example.com, so our LDAP URL is ldap://example.com:389.
If you make use of nested groups in ActiveDirectory, the default group search expression needs to be adapted. See Configuring LDAP Manually for more information.
Procedure
Creating an LDAP profile with the LDAP wizard
- Start the scheduler-admin web application, if it is not yet started.
- Choose Update & Connect, followed by Authentication Configuration and New LDAP Profile; you might have to wait for the database checks to be performed.
- Select Guided Configuration, select your LDAP Server Type and choose Next.
- Fill in a Profile Name for the LDAP configuration, the LDAP URL with the syntax ldap[s]:// (IP address or FQDN and port of the LDAP server) and, optionally, the username and password for the bind DN (optional if anonymous bind is allowed). With Active Directory, the username may also be a Windows account such as .\ . Choose Fetch DNs and select the appropriate Base DN, for example DC=example, DC=com. Choose Next.
- On the Select a Scheduler User DN screen, navigate in the LDAP tree and select a user that is to use Redwood Server. Make sure the correct user was selected and choose Select. If you cannot find any users, you have selected the incorrect Base DN; in this case simply choose Back and try another Base DN and retry selecting a user.
- On the Select the Scheduler User group screen, navigate to the group that should be mapped to the Redwood Server scheduler-user or redwood-login role. Users from this group are allowed to log in but do not see any objects (except public objects such as time zones). Choose Select.
- On the Select the Scheduler Administrator group screen, navigate to the group that should be mapped to the Redwood Server scheduler-administrator role. Users from this group are super users. Choose Select.
- On the Select the Scheduler Isolation-Administrator group screen, navigate to the group that should be mapped to the Redwood Server scheduler-isolation-administrator role. Isolation administrators are only allowed to manage users. Choose Select.
- On the Select the Scheduler Screen Reader group screen, navigate to the group that should be mapped to the Redwood Server scheduler-screen-reader role. Users with visual impairments who use screen readers to access Redwood Server should be members of this group. Choose Select.
- On the Select the Scheduler IT User group screen, navigate to the group that should be mapped to the Redwood Server scheduler-it-user role. Users with this role use the default Redwood Server UI. Choose Select.
- On the Select the Scheduler Business User group screen, navigate to the group that should be mapped to the Redwood Server scheduler-business-user role. Users with this role use a simplified UI with process monitors and user messages instead of the default Redwood Server UI. Choose Select.
- Review the generated LDAP configuration and test it.
- To test your connection, choose the Test button (you might have to scroll down for this) and enter a username and password. If the credentials are correct, the test succeeds and a green banner is displayed.
- Choose Details on the banner and inspect the groups that were retrieved for the account; this is **very important**, as you must verify that the group lookup works as expected. If no groups were found, you will not be able to log in to Redwood Server: you need at the very least scheduler-user to be able to log in.
- Add additional backup LDAP servers to the connection URL (space-separated) if applicable and when you are finished, choose Save.
Enabling the LDAP profile
- Start the scheduler-admin web application, if it is not yet started.
- Choose Connect (No Update), followed by Authentication Configuration.
- Select the desired LDAP profile in the list and choose Update.
Troubleshooting LDAP Search Queries
You troubleshoot LDAP search queries using either ldapsearch, a command-line utility on UNIX systems, or PowerShell, as follows:
Using ldapsearch to list all effective groups of user jdoe:

```shell
# Bind as jdoe (-W prompts for the password) and search the whole domain subtree
# for every group whose member chain contains the user's DN; the matching rule
# OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) resolves nested groups.
ldapsearch -x -h example.com -D "jdoe@example.com" -W -b "dc=example,dc=com" \
  -s sub "(member:1.2.840.113556.1.4.1941:=CN=John Doe,OU=Users,OU=Houston,DC=example,DC=com)" cn dn mail
```

This retrieves the cn, dn and mail attributes of all groups the user belongs to, including groups reached through nested membership.
Equivalent in PowerShell (connects to the Active Directory of the domain the Windows client belongs to):

```powershell
# Nested-membership filter: matching rule 1.2.840.113556.1.4.1941 resolves
# group membership transitively for the given user DN
$strFilter = "(member:1.2.840.113556.1.4.1941:=cn=John Doe,ou=Users,ou=Houston,dc=example,dc=com)"
# Search root is the domain naming context; the ADSI provider prefix "LDAP:" is case-sensitive
$objDomain = New-Object System.DirectoryServices.DirectoryEntry("LDAP://dc=example,dc=com")
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000        # paged results so large group lists are returned in full
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "Subtree"
# Attributes to retrieve for each matching group
$colPropList = "name", "distinguishedName", "mail"
foreach ($i in $colPropList)
{
    $objSearcher.PropertiesToLoad.Add($i) | Out-Null
}
$colResults = $objSearcher.FindAll()
foreach ($objResult in $colResults)
{
    $objItem = $objResult.Properties
    foreach ($i in $colPropList)
    {
        ($i + ": " + $objItem.Item($i))
    }
}
```
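The two queries above inline a user DN into the nested-group filter, and the Details check earlier requires that the returned groups map to at least scheduler-user. The following added example (not Redwood's own code) builds that filter with RFC 4515 escaping so a display name containing `(`, `)`, `*` or `\` cannot alter the filter, and then evaluates a constructed group-to-role mapping the way the wizard's generated configuration would; the group DNs and the ROLE_MAP are assumptions.

```python
# Added example: safe construction of the AD nested-group filter and a
# minimal check of the roles the retrieved groups map to. Pure stdlib.

# RFC 4515: these characters are significant inside a filter and must be
# hex-escaped, otherwise a crafted value could change the filter's meaning.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD transitive membership


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def nested_group_filter(user_dn: str, attr: str = "member") -> str:
    """Filter matching every group the user is a direct or nested member of."""
    return f"({attr}:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(user_dn)})"


# Constructed mapping of group DNs to Redwood roles (an assumption standing in
# for the expressions the wizard generates from the selected groups).
ROLE_MAP = {
    "cn=redwood-users,ou=groups,dc=example,dc=com": "scheduler-user",
    "cn=redwood-admins,ou=groups,dc=example,dc=com": "scheduler-administrator",
}


def effective_roles(group_dns, role_map=ROLE_MAP):
    """Map the group DNs returned by the search to roles (DN matching is case-insensitive)."""
    lookup = {dn.lower(): role for dn, role in role_map.items()}
    return {lookup[dn.lower()] for dn in group_dns if dn.lower() in lookup}


def can_login(group_dns, role_map=ROLE_MAP) -> bool:
    """Per the wizard's test step, scheduler-user is the minimum role needed to log in."""
    return "scheduler-user" in effective_roles(group_dns, role_map)


if __name__ == "__main__":
    dn = "CN=John Doe,OU=Users,OU=Houston,DC=example,DC=com"
    print(nested_group_filter(dn))
    print(effective_roles(["CN=redwood-users,OU=Groups,DC=example,DC=com"]))
```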
Active Directory users who have access to the Active Directory Users and Computers administrative tool can test and save LDAP queries:
- Open Administrative Tools > Active Directory Users and Computers.
- Choose New > Query from the context-menu of Saved Queries.
- Specify a name in the Name field, use the Browse button to select the search base to be used, then choose Define Query.
- Select Custom Search in the Find field (this field is set to Common Queries by default) and select the Advanced tab.
- Enter your query into the LDAP Query field.
- Choose OK, then choose OK again.
- The query is evaluated and the results are displayed.
See Also
- External Security Systems
- Lightweight Directory Access Protocol (LDAP)
- Configuring Redwood Server for LDAP Authentication
- Configuring LDAP
- Database Authentication