Using the LDAP Authentication Module

By default, Squore Server uses its own authentication mechanism, storing user information in the PostgreSQL database. An existing directory can be used in addition, so that all existing users in your directory can log into Squore without having to create accounts manually, and the user's full name, e-mail address and department can be imported automatically. The process described in this section explains how to configure a Squore administrator, set up the server to authenticate all new users as standard users when they log in with their LDAP credentials, and finally lists the configuration files that need to be modified to turn on LDAP authentication. After you integrate with LDAP, you will still be able to create and use users that are only known to Squore and do not exist in your directory.

Tip

Before you start, ensure that you know:

  • The address of the LDAP server you want to connect to Squore.

  • The section(s) of the directory that contain the users that should be allowed to log into Squore.

  • The login and password of a user account allowed to browse the section(s) of the directory mentioned above.

  • Basic knowledge of your directory structure. Note that Squore was tested with Microsoft Active Directory on Windows Server 2008 and OpenLDAP on Ubuntu 12.04.

In order to enable LDAP authentication, follow these steps:

  1. Decide which role will be associated to a user the first time they log into Squore. The default choices are:

    • STANDARD_USER: Standard users can view projects.

    • ADVANCED_USER: Advanced users can view projects and create new ones.

    • ADMINISTRATOR: Administrators can view projects and administer the server. They cannot create projects.

    If none of these choices fit your needs, you can create a specific profile later by logging into Squore and going to Administration > Profiles. If no profile is specified, then the user will be assigned the STANDARD_USER profile by default.

  2. Decide which group new users will be part of the first time they log into Squore. The default choices are:

    • users: Users from this group can view and create projects.

    • admin: Users from this group can administer Squore and view projects but they cannot create projects.

    If none of these choices fit your needs, you can create a specific group later by logging into Squore and going to Administration > Groups. If no group is specified, then the user will not be added to any group.

  3. Configure JBoss: Edit <INSTALLDIR>/server/standalone/configuration/standalone.xml, and locate the section providing the squore-server security domain, which by default looks like this:

    <security-domain name="squore-server" cache-type="default">
      <authentication>
        <login-module code="Database" flag="sufficient">
          <module-option name="dsJndiName"
                         value="java:jboss/datasources/squore"/>
          <module-option name="principalsQuery"
                         value="SELECT password FROM users WHERE login = ? AND local_account"/>
          <module-option name="rolesQuery"
                         value="SELECT 'squore-user', 'Roles' FROM users WHERE login = ?"/>
          <module-option name="hashAlgorithm" value="SHA1"/>
          <module-option name="hashEncoding" value="base64"/>
          <module-option name="unauthenticatedIdentity" value="guest"/>
        </login-module>
      </authentication>
    </security-domain>

  4. Paste the LDAP and Active Directory configuration blocks before the default login module and uncomment the block that matches your directory. The security-domain should now look like this:

    <security-domain name="squore-server" cache-type="default">
      <authentication>
        <!-- LDAP login module -->
        <!--
        <login-module code="com.squoring.squore.server.security.LdapLoginModule"
                      flag="sufficient">
          <module-option name="java.naming.factory.initial"
                         value="com.sun.jndi.ldap.LdapCtxFactory"/>
          <module-option name="java.naming.provider.url"
                         value="ldaps://domain-controller:636/"/>
          <module-option name="java.naming.security.authentication"
                         value="simple"/>
          <module-option name="baseCtxDN"
                         value="ou=people,dc=example,dc=com"/>
          <module-option name="bindDN"
                         value="cn=admin,dc=domain,dc=com"/>
          <module-option name="bindCredential" value="password"/>
          <module-option name="baseFilter" value="(uid={0})"/>

          <module-option name="rolesCtxDN"
                         value="ou=groups,dc=example,dc=com"/>
          <module-option name="roleFilter" value="(member={1})"/>
          <module-option name="roleAttributeIsDN" value="false"/>
          <module-option name="roleAttributeID" value="cn"/>

          <module-option name="userCompositeName" value="cn"/>
          <module-option name="userMail" value="mail"/>
          <module-option name="userOrganizationUnit" value="ou"/>
        </login-module>
        -->
        <!-- Active Directory login module -->
        <!--
        <login-module code="com.squoring.squore.server.security.LdapLoginModule"
                      flag="sufficient">
          <module-option name="java.naming.factory.initial"
                         value="com.sun.jndi.ldap.LdapCtxFactory"/>
          <module-option name="java.naming.provider.url"
                         value="ldap://domain-controller:389/"/>
          <module-option name="java.naming.security.authentication"
                         value="simple"/>
          <module-option name="baseCtxDN"
                         value="OU=Users,DC=EXAMPLE,DC=COM"/>
          <module-option name="bindDN"
                         value="CN=Administrator,OU=Administrators,DC=EXAMPLE,DC=COM"/>
          <module-option name="bindCredential" value="password"/>
          <module-option name="baseFilter" value="(sAMAccountName={0})"/>

          <module-option name="rolesCtxDN"
                         value="OU=Users,DC=EXAMPLE,DC=COM"/>
          <module-option name="roleFilter" value="(sAMAccountName={0})"/>
          <module-option name="roleAttributeIsDN" value="true"/>
          <module-option name="roleAttributeID" value="memberOf"/>
          <module-option name="roleNameAttributeID" value="CN"/>
          <module-option name="searchScope" value="ONELEVEL_SCOPE"/>
          <module-option name="allowEmptyPasswords" value="false"/>

          <module-option name="userCompositeName" value="CN"/>
          <module-option name="userMail" value="mail"/>
          <module-option name="userOrganizationUnit" value="department"/>
        </login-module>
        -->
        <login-module code="Database" flag="sufficient">
          <module-option name="dsJndiName"
                         value="java:jboss/datasources/squore"/>
          <module-option name="principalsQuery"
                         value="SELECT password FROM users WHERE login = ? AND local_account"/>
          <module-option name="rolesQuery"
                         value="SELECT 'squore-user', 'Roles' FROM users WHERE login = ?"/>
          <module-option name="hashAlgorithm" value="SHA1"/>
          <module-option name="hashEncoding" value="base64"/>
          <module-option name="unauthenticatedIdentity" value="guest"/>
        </login-module>
      </authentication>
    </security-domain>

  5. Edit the security domain properties to reflect your setup (LDAP or Active Directory). The LDAP administrator shall provide the following information:

    • java.naming.provider.url: The URL of the directory server.

    • baseCtxDN: The fixed DN of the context to start the user search from.

    • bindDN: The DN used to bind against the LDAP server for the user and roles queries. This is a DN with read/search permissions on the baseCtxDN and rolesCtxDN values.

    • bindCredential: The password for the bindDN.

    • rolesCtxDN: The fixed DN of the context to search for user roles. This is required to exist, even though it is not used by Squore at the moment.

    • userCompositeName (optional): the field in the LDAP account that Squore will import and use as the user's full name.

    • userMail (optional): the field in the LDAP account that Squore will import and use as the user's e-mail address.

    • userOrganizationUnit (optional): the field in the LDAP account that Squore will import and use as the user's department.

    Note that for Active Directory, OU, DC and other keywords are all uppercase.

    For more details on the JBoss AS configuration of the LDAP module and the available options, please refer to http://community.jboss.org/wiki/LdapExtLoginModule

  6. Start Squore Server.

  7. Log in as administrator and configure the default group and profile information for users who log in for the first time in the LDAP configuration section of Administration > System.

Note

It is highly recommended to use LDAPS instead of LDAP. In the <INSTALLDIR>/server/standalone/configuration/standalone.xml configuration file, configure the java.naming.provider.url property to use an LDAPS server. The URL of an LDAPS server will look like the following: ldaps://host:port/.

The Java instance used by JBoss AS shall be able to check the certificate of the LDAP server. If the LDAP certificate has not been signed by an "official" CA (self-signed certificate, or the company issued its own root CA), please refer to the section called “Import a certificate”.
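As an added check that is not part of the Squore documentation or product, the following Python script parses the squore-server security domain from standalone.xml and reports the settings this section warns about: an LDAP login module left commented out, an LDAP module placed after the Database module, a plain ldap:// URL instead of LDAPS, the bindCredential placeholder still in place, and allowEmptyPasswords set to true. The audit_security_domain helper and the embedded sample XML are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Hypothetical checker, not part of Squore: audit the squore-server security
# domain in a JBoss standalone.xml for the weak settings this page warns about.
LDAP_MODULES = ("com.squoring.squore.server.security.LdapLoginModule",
                "org.jboss.security.auth.spi.LdapExtLoginModule")

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop "{namespace}" so real files parse too

def audit_security_domain(xml_text, domain="squore-server"):
    """Return (code, detail) findings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    dom = [e for e in root.iter()
           if _local(e.tag) == "security-domain" and e.get("name") == domain]
    if not dom:
        return [("no-domain", f"security-domain '{domain}' not found")]
    # The parser drops <!-- --> comments, so only active login modules appear.
    modules = [m for m in dom[0].iter() if _local(m.tag) == "login-module"]
    codes = [m.get("code") for m in modules]
    ldap = [i for i, c in enumerate(codes) if c in LDAP_MODULES]
    db = [i for i, c in enumerate(codes) if c == "Database"]
    findings = []
    if not ldap:
        findings.append(("ldap-inactive", "no uncommented LDAP login module"))
    elif db and ldap[0] > db[0]:
        findings.append(("ldap-after-database", "LDAP module must precede Database"))
    for i in ldap:
        opts = {o.get("name"): o.get("value", "") for o in modules[i]
                if _local(o.tag) == "module-option"}
        url = opts.get("java.naming.provider.url", "")
        if not url.startswith("ldaps://"):
            findings.append(("no-ldaps", f"directory URL is not LDAPS: {url}"))
        if opts.get("bindCredential", "") in ("", "password"):
            findings.append(("weak-bind-credential", "empty or placeholder bindCredential"))
        if opts.get("allowEmptyPasswords", "false").lower() == "true":
            findings.append(("empty-passwords-allowed", "allowEmptyPasswords=true"))
    return findings

# Constructed sample: step 4 with the LDAP block uncommented, placeholders left in.
SAMPLE_XML = """<security-domain name="squore-server" cache-type="default">
  <authentication>
    <login-module code="com.squoring.squore.server.security.LdapLoginModule" flag="sufficient">
      <module-option name="java.naming.provider.url" value="ldap://domain-controller:389/"/>
      <module-option name="bindCredential" value="password"/>
      <module-option name="rolesCtxDN" value="ou=groups,dc=example,dc=com"/>
    </login-module>
    <login-module code="Database" flag="sufficient"/>
  </authentication>
</security-domain>"""
```

Run it against a copy of your own standalone.xml after step 5; an empty result means none of the checks above fired.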

Tip

User accounts created before you configured the connection to the directory still exist and can still log in.

Tip

If you need to authenticate users on more than one branch in your directory, duplicate the login-module block and change the baseCtxDN and rolesCtxDN accordingly.

Note

The login module used has changed in Squore 2014-A-SP1 to support the import of extra user information, but you can still revert to the legacy authentication module if you are experiencing compatibility issues. To do so, change the login module code attribute in <INSTALLDIR>/server/standalone/configuration/standalone.xml from:

<login-module code="com.squoring.squore.server.security.LdapLoginModule" flag="sufficient">

to:

<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">