Managed File Transfer


Integrating Active Directory / LDAP with IBM Sterling B2B Integrator (B2Bi)

By Manoj Bansal posted Mon June 29, 2020 11:54 AM


In this blog, we cover how enterprises authenticate users of IBM Sterling B2B Integrator (B2Bi)/Sterling File Gateway (SFG) against LDAP.

LDAP stands for Lightweight Directory Access Protocol. As the name suggests, it is a lightweight client-server protocol for accessing directory services, specifically X.500-based directory services. LDAP runs over TCP/IP or other connection-oriented transfer services.

LDAP authentication is one of the most widely used mechanisms for enterprise application authentication.

Before deep diving into LDAP authentication on Active Directory, it is important to understand some basics about LDAP. Here are some of the most commonly used terms when working with LDAP:

  • Dn - Distinguished name, a unique name that identifies an entry (for example a user) in the LDAP server.
  • Ou - Organizational Unit
  • Bind - LDAP Bind is the operation in which an LDAP client sends a bind request, including a username (DN) and password, to the LDAP server. If the server finds that the user and password are correct, it allows the client to access the LDAP server as that user.
  • Search - LDAP search is the operation performed to retrieve the Dn of the user, starting from a base and matching on the user id supplied at login.
  • Root - the LDAP directory's top element (like the root of a tree)
  • BaseDn - a branch in the LDAP tree that is used as the base for an LDAP search operation, for example dc=IBM,dc=org

For this exercise, we have used Apache LDAP server.

Assuming that the user we authenticate using LDAP is “ibmuser”, this user needs to be present in the LDAP directory. We have highlighted the corresponding LDAP entries (explained above) in the image below, which is a screenshot of our LDAP configuration.

[Image LDAP1.png: screenshot of the LDAP configuration with the entries for “ibmuser” highlighted]



One of the most common requirements we come across while implementing B2Bi for our clients is to have the application users authenticated by their centralized LDAP, or by LDAP over SSL (LDAPS). In order to implement LDAPS, we need to exchange the public keys/certificates with the LDAP team.

In order to achieve this in B2Bi, we need to work closely with the LDAP team because not every LDAP is configured in the same way. The LDAP tree structure differs from one organization to another.

 

The prerequisite is that the B2Bi application is able to connect to the LDAP server; in other words, the required ports must be open on the firewall.

When an application connects to LDAP for user authentication, there are mainly two modes/mechanisms in which LDAP authenticates the user: Bind mode and Comparison mode. In this blog, we are covering Bind mode.

 

Let us understand the configuration required on B2Bi:

Create or modify the customer_overrides.properties file (after taking a backup of the existing one) to override authentication_policy.properties, as in the following example:

### LDAP without SEAS
authentication_policy.authentication_1.className=com.sterlingcommerce.woodstock.security.LDAPAuthentication
authentication_policy.authentication_1.connect_pool=false
authentication_policy.authentication_1.connect_pool_var=com.sun.jndi.ldap.connect.pool
authentication_policy.authentication_1.connect_timeout=50000
authentication_policy.authentication_1.connect_timeout_var=com.sun.jndi.ldap.connect.timeout
authentication_policy.authentication_1.server=<<LDAP SERVER IP>>
authentication_policy.authentication_1.port=<<LDAP PORT>>
# display_name is the name visible on the B2Bi UI under user authentication
authentication_policy.authentication_1.display_name=MY_LDAP
authentication_policy.authentication_1.enabled=true
authentication_policy.authentication_1.jndi_factory=com.sun.jndi.ldap.LdapCtxFactory
# password_attribute is the LDAP attribute that holds the password of the users to be authenticated
authentication_policy.authentication_1.password_attribute=userPassword
# principle is the location (DN) of the bind user in the LDAP tree
authentication_policy.authentication_1.principle=uid=admin,ou=system
# credentials is the password of the bind user above
authentication_policy.authentication_1.credentials=secret
# search_filter names the LDAP attribute under which the user id is stored
authentication_policy.authentication_1.search_filter=(uid=<userid>)
# search_root is the user's DN minus the user id. The user id goes as part of the LDAP
# authentication request. Please refer to the LDAP configuration image.
authentication_policy.authentication_1.search_root=ou=users,ou=system
authentication_policy.authentication_1.security_type=simple
authentication_policy.authentication_1.with_user_bind=true

# to enable SSL between B2Bi and LDAP
# LDAP_SECURITY_TRUSTSTORE: file system location of your truststore in .jks format.
# The public certificate of the LDAP server goes in here for server authentication.
authentication_policy.LDAP_SECURITY_TRUSTSTORE=<<truststore file path>>
authentication_policy.LDAP_SECURITY_TRUSTSTORE_PASSWORD=<<truststore password>>
# LDAP_SECURITY_KEYSTORE: file system location of your keystore in .jks format. The certificate
# we provide to LDAP for two-way authentication goes in here. Required only if client
# authentication is enabled.
authentication_policy.LDAP_SECURITY_KEYSTORE=<<keystore file path>>
authentication_policy.LDAP_SECURITY_KEYSTORE_PASSWORD=<<keystore password>>


where authentication_1 is your first LDAP server. To use multiple LDAP servers, copy the lines for authentication_1 and modify them for authentication_2. Continue for as many servers as you want to set up.
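The Bind mode described earlier, as driven by the principle/credentials, search_filter, search_root and with_user_bind properties above, modelled in Python against a constructed in-memory directory. This is an added example, not code from the blog or from B2Bi; the ibmuser password, the directory contents and the property subset are constructed, and the example also rejects an empty password, which many LDAP servers would otherwise treat as an unauthenticated bind.

```python
import re

# Constructed stand-in for the blog's Apache LDAP directory: DN -> attributes.
DIRECTORY = {
    "uid=admin,ou=system": {"uid": "admin", "userPassword": "secret"},
    "uid=ibmuser,ou=users,ou=system": {"uid": "ibmuser", "userPassword": "Passw0rd!"},
}

# Constructed subset of the customer_overrides.properties shown in the blog.
PROPERTIES = """\
authentication_policy.authentication_1.principle=uid=admin,ou=system
authentication_policy.authentication_1.credentials=secret
authentication_policy.authentication_1.search_filter=(uid=<userid>)
authentication_policy.authentication_1.search_root=ou=users,ou=system
authentication_policy.authentication_1.with_user_bind=true
"""

def load_policy(text, name="authentication_1"):
    """Collect the authentication_<n>.* keys from properties text into a dict."""
    prefix = "authentication_policy." + name + "."
    policy = {}
    for line in text.splitlines():
        if line.startswith(prefix) and "=" in line:
            key, value = line[len(prefix):].split("=", 1)
            policy[key.strip()] = value.strip()
    return policy

def bind(dn, password):
    """Simple bind: succeeds only for an existing DN with a matching password."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["userPassword"] == password

def search(root, attr, value):
    """One-level search under root for entries whose attr equals value."""
    return [dn for dn, e in DIRECTORY.items()
            if dn.endswith("," + root) and e.get(attr) == value]

def authenticate(policy, userid, password):
    """Bind mode (with_user_bind=true): service bind, search DN, bind as user."""
    if not password:
        return False  # empty password would be an unauthenticated bind, not a login
    if not bind(policy["principle"], policy["credentials"]):
        return False  # the bind account (principle/credentials) is wrong
    # assumes the (attr=<userid>) filter form used in the blog
    attr = re.fullmatch(r"\((\w+)=<userid>\)", policy["search_filter"]).group(1)
    matches = search(policy["search_root"], attr, userid)
    if len(matches) != 1:
        return False  # user not found under search_root, or ambiguous
    return bind(matches[0], password)
```

Calling authenticate(load_policy(PROPERTIES), "ibmuser", "Passw0rd!") returns True; a wrong password, an unknown user, or a user outside search_root returns False.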


Restart B2Bi so that your changes in the customer_overrides.properties file take effect over the authentication_policy.properties file.

Go to “User Accounts”, change the authentication type for the user to “External” and select the LDAP from the drop-down menu, as shown in the image below:

[Image LDAP2.png: User Accounts screen with authentication type set to External and the LDAP selected]


Here is a snippet of authentication.log showing the successful login of “ibmuser”:

[Image LDAP3.png: authentication.log entries for the successful login of “ibmuser”]

 

This completes the LDAP integration with Sterling B2Bi. Select the same LDAP when creating the user accounts. In the second part of the blog, we will discuss the integration of Sterling External Authentication Server (SEAS) with B2Bi via LDAP.

