1. Validate LDAP User Authentication Outside of ACE
Before you touch any ACE configuration, make sure your LDAP user can authenticate against the LDAP server outside ACE. A standalone Java tool, LdapAuthentication.jar, is available for download to help you do that (an example invocation is shown in the service-account section below).
We defined 3 users in the LDAP server. For each one, the "binding" values are what the tool binds with to search the directory, and the "Admin" values are the user credentials being tested:

User 1 (myAceAdmin)
"Ldap host" : ldap://localhost:389
"binding userid" : uid=myAceAdmin,ou=IIBAdmins,dc=afritec,dc=tg
"binding password" : passw0rd
"Ldap baseDN" : dc=afritec,dc=tg
"Ldap uid attr" : uid
"Admin userid" : myAceAdmin
"Admin passwd" : passw0rd

User 2 (My Dev)
"Ldap host" : ldap://localhost:389
"binding userid" : cn='My Dev,ou=finance,dc=afritec,dc=tg'
"binding password" : passw0rd
"Ldap baseDN" : dc=afritec,dc=tg
"Ldap uid attr" : cn
"Admin userid" : 'My Dev'
"Admin passwd" : passw0rd

User 3 (stdUser)
"Ldap host" : ldap://localhost:389
"binding userid" : cn=stdUsers,ou=IIBStdUsers,dc=afritec,dc=tg
"binding password" : passw0rd
"Ldap baseDN" : dc=afritec,dc=tg
"Ldap uid attr" : cn
"Admin userid" : stdUser
"Admin passwd" : passw0rd
Note that the binding userid for myAceAdmin starts with uid= (uid=myAceAdmin,ou=IIBAdmins,dc=afritec,dc=tg) while the other two start with cn=. Mixing naming attributes is valid LDAP, but it is not recommended here: the ACE ldapUrl names a single search attribute (uid or cn), and every web user must be found through that one attribute, so keeping one naming attribute for all user entries avoids trouble when you set up the ldapUrl in ACE.
Moreover, if your user fails to authenticate with the LDAP tool, it will not work in ACE either. At that point, engage your LDAP administrator: LDAP server configuration is not the ACE support team's responsibility.
Finally, check how the shell on the underlying OS quotes arguments. Improperly quoting your LDAP configuration values can result in a bind failure. In this example on Red Hat 7 (bash), values that contain a space are wrapped in single quotes, as in cn='My Dev,ou=finance,dc=afritec,dc=tg' or 'My Dev'; the quotes are consumed by the shell and are not part of the DN that reaches the LDAP server.
2. Set the LDAP URL
The syntax for this task is outlined in the ACE Knowledge Center: ldap[s]://host[:port]/baseDN?attribute[?base|sub], where attribute is the "Ldap uid attr" you validated in step 1. You can set the value with the mqsichangeproperties command, as below, or by editing the node.conf.yaml file directly (the yaml form is shown further down).
mqsichangeproperties ACE11NODE -b webadmin -o server -n ldapUrl -v \"ldap://localhost:389/dc=afritec,dc=tg?cn\"
or
mqsichangeproperties ACE11NODE -b webadmin -o server -n ldapUrl -v \"ldap://localhost:389/dc=afritec,dc=tg?uid\"
Use the ?cn form if your users are looked up by cn and the ?uid form if they are looked up by uid. Only one attribute can be given, which is why the users defined in step 1 should all share one.
Note: You should ONLY do steps 3 through 6 if your LDAP server does not allow an anonymous search. The binding credentials you store in the mqsisetdbparms security identity are used for every lookup: once set, ACE binds with them to find the user's DN no matter which web user is logging in, and all servers that previously used anonymous bind by default start to use the details defined in the ldap::adminAuthentication entry. If anonymous search works, leave these settings at their defaults; you can then authenticate as many users as are defined on the LDAP server, because the user's own credentials are what ACE checks after the lookup.
3. Set the LDAP Security Identity Using mqsisetdbparms Command
mqsisetdbparms ACE11NODE -n ldap::adminAuthentication -u uid=myAceAdmin,ou=IIBAdmins,dc=afritec,dc=tg -p passw0rd
4. Verify that the security identity is set correctly with mqsireportdbparms
mqsireportdbparms ACE11NODE -n ldap::adminAuthentication
5. Set the ldapBindDn
mqsichangeproperties ACE11NODE -b webadmin -o server -n ldapBindDn -v ldap::adminAuthentication
6. Set the ldapBindPassword
mqsichangeproperties ACE11NODE -b webadmin -o server -n ldapBindPassword -v ldap::adminAuthentication
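As an added example (not from the original page and not an ACE tool), the following Python script turns the values validated in section 1 into the ACE settings of steps 2 through 6: it checks that all user entries share one naming attribute (the point of the note in section 1), builds the ldapUrl, and prints the commands with POSIX-shell quoting so that DNs containing spaces and passwords containing special characters reach the command intact (the quoting caveat from section 1). The node name ACE11NODE, hosts, DNs and passwords are the placeholders used on this page; the ldapUrl form ldap[s]://host[:port]/baseDN?attribute[?scope] follows the ACE Knowledge Center.

```python
# Added example, not part of the original page and not an ACE tool.
# Assumptions: node name ACE11NODE and the hosts, DNs and passwords shown on
# this page are placeholders; quoting is for a POSIX shell (bash on Red Hat).
import shlex


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs.

    Simplified RFC 4514 parsing: honours backslash escapes (so cn=Doe\\, John
    keeps its comma) but not hex escapes or multi-valued RDNs (cn=a+sn=b).
    """
    pairs, buf, attr = [], [], None
    chars = iter(dn)
    for ch in chars:
        if ch == "\\":                       # escaped character: keep the next one literally
            buf.append(next(chars, ""))
        elif ch == "=" and attr is None:     # first '=' of an RDN ends the attribute name
            attr, buf = "".join(buf).strip(), []
        elif ch == ",":                      # unescaped ',' ends the RDN
            if attr is None:
                raise ValueError(f"malformed DN: {dn!r}")
            pairs.append((attr, "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(ch)
    if attr is None:
        raise ValueError(f"malformed DN: {dn!r}")
    pairs.append((attr, "".join(buf).strip()))
    return pairs


def naming_attribute(user_dns):
    """Return the single attribute that names every user entry ('uid' or 'cn').

    This is the check behind the note in section 1: ACE searches with one
    attribute, so a mix of uid= and cn= entries cannot all be found by one ldapUrl.
    """
    attrs = {parse_dn(dn)[0][0].lower() for dn in user_dns}
    if len(attrs) != 1:
        raise ValueError(f"user entries use different naming attributes: {sorted(attrs)}")
    return attrs.pop()


def ldap_url(host, base_dn, uid_attr, scope=None):
    """Build the ldapUrl value: ldap[s]://host[:port]/baseDN?uid_attr[?scope]."""
    url = f"{host.rstrip('/')}/{base_dn}?{uid_attr}"
    return f"{url}?{scope}" if scope else url


def ace_commands(node, host, base_dn, uid_attr, bind_dn=None, bind_password=None,
                 alias="ldap::adminAuthentication"):
    """Steps 2 to 6 as shell commands.

    shlex.quote wraps values containing spaces or characters such as # ! ^ @
    in single quotes, so the shell passes them through unchanged. Steps 3 to 6
    are only emitted when a bind DN is given (anonymous search not allowed).
    """
    q = shlex.quote
    cmds = [f"mqsichangeproperties {node} -b webadmin -o server -n ldapUrl -v "
            f"{q(ldap_url(host, base_dn, uid_attr))}"]
    if bind_dn is None:
        return cmds                          # anonymous search works: leave steps 3-6 at defaults
    if not bind_password:
        raise ValueError("a bind DN without a password would be an unauthenticated bind")
    cmds += [
        f"mqsisetdbparms {node} -n {alias} -u {q(bind_dn)} -p {q(bind_password)}",
        f"mqsireportdbparms {node} -n {alias}",
        f"mqsichangeproperties {node} -b webadmin -o server -n ldapBindDn -v {alias}",
        f"mqsichangeproperties {node} -b webadmin -o server -n ldapBindPassword -v {alias}",
    ]
    return cmds


if __name__ == "__main__":
    # Section 1: three users under dc=afritec,dc=tg with mixed naming attributes.
    afritec_users = ["uid=myAceAdmin,ou=IIBAdmins,dc=afritec,dc=tg",
                     "cn=My Dev,ou=finance,dc=afritec,dc=tg",
                     "cn=stdUsers,ou=IIBStdUsers,dc=afritec,dc=tg"]
    try:
        naming_attribute(afritec_users)
    except ValueError as exc:
        print("warning:", exc)
    print(*ace_commands("ACE11NODE", "ldap://localhost:389", "dc=afritec,dc=tg", "uid"), sep="\n")
    # Service-account case: the bind DN sits outside the base DN and needs steps 3-6.
    print(*ace_commands("ACE11NODE", "ldap://cisnet.mylearning.org:389",
                        "OU=_People,DC=corp,DC=tec,DC=com", "emSaleDevOps",
                        "CN=AFRITECDEV,OU=Service Accounts,OU=_Special Accounts,DC=corp,DC=tec,DC=com",
                        "hU@t9^g4"), sep="\n")
```

Running it warns that the section 1 users do not share a naming attribute, then prints the single ldapUrl command for the anonymous-search case and all five commands for the service-account case; the password 'hU@t9^g4' and the DN with spaces come out single-quoted, which is the quoting the "Attention" note at the end of this page asks for on a POSIX shell.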
In some cases, the account that binds to the LDAP server (binding userid and binding password) is different from the user you want to authenticate and sits outside the LDAP baseDN: typically a service account that is allowed to search the directory.
For example:
"Ldap host" : ldap://cisnet.mylearning.org:389
"binding userid" : CN=AFRITECDEV,OU=Service Accounts,OU=_Special Accounts,DC=corp,DC=tec,DC=com
"binding password" : "hU@t9^g4"
"Ldap baseDN" : OU=_People,DC=corp,DC=tec,DC=com
"Ldap uid attr" : emSaleDevOps
"Admin userid" : koliko
"Admin passwd" : BD#4!#gu
In such a case, you must implement steps 3 through 6 as above. It is always recommended that you use the LDAP authenticator tool to determine the exact values for the configuration parameters.
For example:
java -jar LdapAuthentication.jar ldap://cisnet.mylearning.org:389 "CN=AFRITECDEV,OU=Service Accounts,OU=_Special Accounts,DC=corp,DC=tec,DC=com" "hU@t9^g4" "OU=_People,DC=corp,DC=tec,DC=com" emSaleDevOps koliko BD#4!#gu
If the command executes successfully, you should get something like below:
@WMBL3: successful bind
@WMBL3: successfull search
Starting Authentication
Found the user, DN is CN=Koliko Yomele,OU=Contractors,OU=_People,DC=corp,DC=tec,DC=com
@WMBL3 : check if the password is correct
@WMBL3: successful authentication
@WMBL3 : Commands for WebUI ldap authentication :
1. mqsisetdbparms ACENODE -n ldap::adminAuthorization -u "cn=Koliko Yomele,OU=Contractors,OU=_People,DC=corp,DC=tec,DC=com" -p "hU@t9^g4"
Or
mqsisetdbparms ACENODE -n ldap::myLDAPServer -u "cn=Koliko Yomele,OU=Contractors,OU=_People,DC=corp,DC=tec,DC=com" -p "hU@t9^g4"
2. mqsichangeproperties ACENODE -b webadmin -o server -n ldapAuthenticationUri -v \”ldap://cisnet.mylearning.org:389/OU=_People,DC=corp,DC=tec,DC=com?emSaleDevOps\”
3. mqsiwebuseradmin ACENODE -c -u koliko -x -r
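The tool's output above walks through the same sequence the ACE web UI follows at login: bind with the binding credentials, search the baseDN for the login name, then bind as the DN that was found using the user's own password. As an added example, not the tool's or ACE's code, the following Python reproduces that search-then-bind flow against a small in-memory directory (constructed sample data copied from the koliko example; a real deployment talks to an LDAP server, and search scope is not modelled). It also shows the two failure modes behind the note before step 3: a directory that refuses anonymous search, and an empty password, which a real server treats as an unauthenticated (effectively anonymous) bind rather than a failure.

```python
# Added example, not part of the original page and not ACE's or the Java
# tool's code. FakeDirectory is a constructed stand-in for an LDAP server;
# DNs, attributes and passwords below are sample data from the koliko example.


class BindError(Exception):
    """Raised where a real server would return invalidCredentials or insufficientAccessRights."""


class FakeDirectory:
    """In-memory directory: {dn: {attribute: value-or-values}}.

    DNs and attribute names are compared case-insensitively, as LDAP does;
    search scope and attribute-value normalisation are not modelled.
    """

    def __init__(self, entries, allow_anonymous_search=False):
        self.entries = {dn: {k.lower(): v for k, v in attrs.items()}
                        for dn, attrs in entries.items()}
        self.allow_anonymous_search = allow_anonymous_search

    def _lookup(self, dn):
        for entry_dn, attrs in self.entries.items():
            if entry_dn.lower() == dn.lower():
                return entry_dn, attrs
        return None, None

    def bind(self, dn, password):
        """LDAP simple bind. Returns the bound DN, or None for an anonymous bind."""
        if not dn and not password:
            return None                      # anonymous bind
        if not password:
            # A DN with an empty password is an *unauthenticated* bind (RFC 4513
            # section 5.1.2): many servers accept it and treat the session as
            # anonymous, so a naive "bind succeeded" check would let anyone in.
            raise BindError(f"refusing unauthenticated bind as {dn}")
        entry_dn, attrs = self._lookup(dn)
        if entry_dn is None or attrs.get("userpassword") != password:
            raise BindError(f"invalid credentials for {dn}")
        return entry_dn

    def search(self, bound_as, base_dn, attr, value):
        """Subtree search under base_dn for entries whose attr contains value."""
        if bound_as is None and not self.allow_anonymous_search:
            raise BindError("anonymous search not permitted; set ldapBindDn/ldapBindPassword")
        suffix = "," + base_dn.lower()
        return [dn for dn, attrs in self.entries.items()
                if dn.lower().endswith(suffix) and value in attrs.get(attr.lower(), [])]


def parse_ldap_url(url):
    """ldap[s]://host[:port]/baseDN?uid_attr[?scope] -> (host, base_dn, uid_attr)."""
    host, _, rest = url.partition("://")[2].partition("/")
    parts = rest.split("?")
    if not host or not parts[0]:
        raise ValueError(f"malformed ldapUrl: {url!r}")
    uid_attr = parts[1] if len(parts) > 1 and parts[1] else "uid"
    return host, parts[0], uid_attr


def authenticate(directory, ldap_url, bind_dn, bind_password, username, password):
    """Authenticate a web-UI login the way ldapUrl/ldapBindDn/ldapBindPassword are used."""
    _, base_dn, uid_attr = parse_ldap_url(ldap_url)
    # 1. Bind with the configured bind credentials (or anonymously if none are set).
    #    These only serve to *find* the user; they never vouch for the user.
    bound_as = directory.bind(bind_dn, bind_password)
    # 2. Search the baseDN for the entry whose uid attribute equals the login name.
    matches = directory.search(bound_as, base_dn, uid_attr, username)
    if len(matches) != 1:
        raise BindError(f"expected one entry with {uid_attr}={username}, found {len(matches)}")
    user_dn = matches[0]
    # 3. Bind as the user's own DN with the password typed into the web UI.
    #    This is the step that actually authenticates the user.
    directory.bind(user_dn, password)
    return user_dn


# Constructed sample data mirroring the service-account example on this page.
LDAP_URL = "ldap://cisnet.mylearning.org:389/OU=_People,DC=corp,DC=tec,DC=com?emSaleDevOps"
SERVICE_DN = "CN=AFRITECDEV,OU=Service Accounts,OU=_Special Accounts,DC=corp,DC=tec,DC=com"
USER_DN = "CN=Koliko Yomele,OU=Contractors,OU=_People,DC=corp,DC=tec,DC=com"
SAMPLE_DIRECTORY = FakeDirectory({
    SERVICE_DN: {"userPassword": "hU@t9^g4"},
    USER_DN: {"emSaleDevOps": ["koliko"], "userPassword": "BD#4!#gu"},
})

if __name__ == "__main__":
    print("Found the user, DN is",
          authenticate(SAMPLE_DIRECTORY, LDAP_URL, SERVICE_DN, "hU@t9^g4", "koliko", "BD#4!#gu"))
    for bind_dn, bind_pw, user, pw in [("", "", "koliko", "BD#4!#gu"),           # anonymous search refused
                                       (SERVICE_DN, "hU@t9^g4", "koliko", "wrong"),
                                       (SERVICE_DN, "hU@t9^g4", "koliko", "")]:  # empty password
        try:
            authenticate(SAMPLE_DIRECTORY, LDAP_URL, bind_dn, bind_pw, user, pw)
        except BindError as exc:
            print("rejected:", exc)
```

The first line printed matches the tool's "Found the user, DN is ..." line; the three rejected cases show that the bind account is used only for the lookup and never counts as authenticating the user, and that a wrong or empty user password fails at step 3 regardless of the bind account.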
Now you can either run the commands from steps 3 through 6 as above or edit the yaml file directly. Note that the tool prints the IIB-era names (ldapAuthenticationUri and ldap::adminAuthorization); in ACE the property is ldapUrl and the security identity alias is ldap::adminAuthentication, as used in steps 2 through 6.
# Admin Security
# Authentication
basicAuth: true # Clients web user name and password will be authenticated when set true
ldapUrl: 'ldap://cisnet.mylearning.org:389/OU=_People,DC=corp,DC=tec,DC=com?emSaleDevOps' # ldap search url
ldapBindDn: 'CN=AFRITECDEV,OU=Service Accounts,OU=_Special Accounts,DC=corp,DC=tec,DC=com' # Bind DN in clear text (a resource alias can be used instead, see below)
ldapBindPassword: 'hU@t9^g4' # Bind password in clear text (a resource alias can be used instead, see below)
# Authorization
adminSecurity: 'active' # Used to enable Authorization. Clients web user role will be authorized when set active
authMode: 'mq' # Set admin authorization mode. Choose 1 of : file or mq
If you do not want to put the binding password in node.conf.yaml in clear text, run the mqsisetdbparms command as below and then use the resulting security identity (resource alias) in place of the DN and password.
mqsisetdbparms ACE11NODE -n ldap::adminAuthentication -u "CN=AFRITECDEV,OU=Service Accounts,OU=_Special Accounts,DC=corp,DC=tec,DC=com" -p "hU@t9^g4"
Attention: if the password contains characters that are special to the shell, it must be quoted; whether single or double quotes are appropriate depends on your operating system and shell.
Then, if you edit the yaml file directly, it should look similar to the below:
# Admin Security
# Authentication
basicAuth: true # Clients web user name and password will be authenticated when set true
ldapUrl: 'ldap://cisnet.mylearning.org:389/OU=_People,DC=corp,DC=tec,DC=com?emSaleDevOps' # ldap search url
ldapBindDn: ldap::adminAuthentication # Resource alias
ldapBindPassword: ldap::adminAuthentication # Resource alias
# Authorization
adminSecurity: 'active' # Used to enable Authorization. Clients web user role will be authorized when set active
authMode: 'mq' # Set admin authorization mode. Choose 1 of : file or mq