Administer Transact users and groups

Transact can maintain its roster of users and groups through Tomcat, OpenLDAP or Microsoft Active Directory. OpenLDAP is the default: it is enabled and configured after a clean installation of Transact. There are two main configuration files:

<Transact Folder>\Application\WEB-INF\classes\META-INF\dcma-user-connectivity\user-connectivity.properties

This file contains the settings needed to populate group names in Transact Batch Class Management. It holds settings for LDAP, Tomcat and MS Active Directory.

<Transact Folder>\JavaAppServer\conf\server.xml

This file tells Transact how users should be authenticated when they log in to Transact.

Configuring Apache Tomcat

Apache Tomcat configuration is set in the following files:

<Transact Folder>\Application\WEB-INF\classes\META-INF\dcma-user-connectivity\user-connectivity.properties

This file contains the settings needed to populate group names in Transact Batch Class Management. The following settings should be set for Tomcat:

user.tomcatUserXmlPath=<Transact Folder>\\JavaAppServer\\conf\\tomcat-users.xml
user.connection=2

<Transact Folder>\JavaAppServer\conf\server.xml

This file tells Transact that users should be authenticated using Tomcat. The file should have the following Realm:

<Realm className="org.apache.catalina.realm.MemoryRealm"/>

<Transact Folder>\JavaAppServer\conf\tomcat-users.xml

This file contains user groups and users. For example, a group called "admin" and a user called "ephesoft" with the password "demo" are defined as follows:

<role rolename="admin"/>
<user username="ephesoft" password="demo" roles="admin"/>

Configuring OpenLDAP

OpenLDAP Software is a free, open source implementation of the Lightweight Directory Access Protocol (LDAP) developed by the OpenLDAP Project. It is released under its own BSD-style license, the OpenLDAP Public License. LDAP is a platform-independent protocol. To connect to the Transact LDAP database and modify groups, users, permissions and other settings, administrators can use the bundled JXplorer tool at the following location:

<Transact Folder>\Dependencies\OpenLDAP\ldap-client\jxplorer-3.2.1\jxplorer.bat

The LDAP connection is configured in these files:

<Transact Folder>\Application\WEB-INF\classes\META-INF\dcma-user-connectivity\user-connectivity.properties

This file contains the settings necessary to populate group names in Transact Batch Class Management. The following settings should be set for LDAP configuration:

user.ldap_url=ldap://localhost:389
user.ldap_config=com.sun.jndi.ldap.LdapCtxFactory
user.ldap_domain_component_name=ephesoft
user.ldap_domain_component_organization=com
user.ldap_username=cn=Manager,dc=ephesoft,dc=com
user.ldap_password=*******
user.connection=0

<Transact Folder>\JavaAppServer\conf\server.xml

This file tells Transact that users should be authenticated using LDAP. The file should have the following Realm:

<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://localhost:389"
       connectionName="cn=Manager,dc=ephesoft,dc=com"
       connectionPassword="secret"
       userPattern="cn={0},ou=people,dc=ephesoft,dc=com"
       roleBase="ou=groups,dc=ephesoft,dc=com"
       roleName="cn"
       roleSearch="uniqueMember={0}"/>

Configuring Active Directory

To configure Active Directory, modify the user-connectivity.properties file, which is located in:

<Transact Folder>\Application\WEB-INF\classes\META-INF\dcma-user-connectivity

Set the following:

This setting must match the one used when configuring the Realm.

Setting changes to LDAP

A standard LDAP service allows searches from the root domain without further configuration, so little needs to change to make LDAP work with the root domain as the search base. Make the following changes:

  • Set user.ldap_user_base to an empty value.

  • Set user.ldap_group_base to an empty value.

The following is a sample configuration for the user-connectivity.properties file:

user.ldap_url=ldap://localhost:389
user.ldap_config=com.sun.jndi.ldap.LdapCtxFactory
user.ldap_domain_component_name=ephesoft
user.ldap_domain_component_organization=com
user.ldap_username=cn=Manager,dc=ephesoft,dc=com
user.ldap_password=secret
user.ldap_user_base=
user.ldap_group_base=
user.msactivedirectory_url=ldap://msad.ephesoft.com:3268
user.msactivedirectory_config=com.sun.jndi.ldap.LdapCtxFactory
user.msactivedirectory_context_path=
user.msactivedirectory_domain_component_name=ephesoft
user.msactivedirectory_domain_component_organization=com
user.msactivedirectory_user_name=CN=administrator,DC=ephesoft,DC=com
user.msactivedirectory_password=Passw0rd
# filter can have |(OR), &(AND) and !(NOT)
# | (|(cn=a*))
# & (&(cn=a*))
# ! (!(cn=a*))
# complex example ((!(cn=a*))(|(cn=ephesoft*)(&(cn=b*)))
user.msactivedirectory_group_search_filter=(!(cn=*h*oft*))
user.tomcatUserXmlPath=C:\\Ephesoft\\JavaAppServer/conf/tomcat-users.xml
# 0 for LDAP
# 1 for MS Active Directory
# 2 for Tomcat
user.connection=1
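As an added check (example code, not Ephesoft's own tooling), the following Python script parses a user-connectivity.properties file, reads the user.connection selector and reports the keys the chosen backend still needs, together with bind settings a reviewer would question: a cleartext ldap:// URL, a placeholder password, and a credential left in place for a backend that is not selected. The sample file and the hardened variant are constructed here; the required-key lists are an assumption drawn from the samples on this page, and the bind account name in the hardened variant is hypothetical.

```python
"""Validate a Transact user-connectivity.properties file.

Added example, not Ephesoft's code. It assumes only the keys and the
user.connection codes shown on this page (0 = LDAP, 1 = MS Active
Directory, 2 = Tomcat); the check rules and sample files are constructed.
"""
from __future__ import annotations

BACKENDS = {"0": "LDAP", "1": "MS Active Directory", "2": "Tomcat"}

# Keys that must be non-empty for each backend (assumption drawn from the page's samples).
REQUIRED = {
    "0": ("user.ldap_url", "user.ldap_config", "user.ldap_username", "user.ldap_password"),
    "1": ("user.msactivedirectory_url", "user.msactivedirectory_config",
          "user.msactivedirectory_user_name", "user.msactivedirectory_password"),
    "2": ("user.tomcatUserXmlPath",),
}
URL_KEY = {"0": "user.ldap_url", "1": "user.msactivedirectory_url"}
PASSWORD_KEY = {"0": "user.ldap_password", "1": "user.msactivedirectory_password"}
# Values that are clearly placeholders or well-known defaults rather than real secrets.
PLACEHOLDERS = {"secret", "password", "passw0rd", "*******", "changeit"}


def parse_properties(text: str) -> dict[str, str]:
    """Parse the key=value lines of a Java .properties file.

    Tolerates uneven indentation, '#'/'!' comment lines and '=' or ':'
    separators; backslash escapes (the doubled backslashes in Windows
    paths) are kept verbatim because the checks never resolve paths.
    """
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        cuts = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not cuts:
            continue
        sep = min(cuts)  # the first separator ends the key
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def check_connectivity(props: dict[str, str]) -> list[str]:
    """Return review findings; an empty list means the file is consistent."""
    conn = props.get("user.connection")
    if conn not in BACKENDS:
        return [f"user.connection is {conn!r}; expected 0, 1 or 2"]
    name = BACKENDS[conn]
    findings = [f"{name}: required key {k} is missing or empty"
                for k in REQUIRED[conn] if not props.get(k)]
    url = props.get(URL_KEY.get(conn, ""), "")
    if url.lower().startswith("ldap://"):
        findings.append(f"{name}: {URL_KEY[conn]} uses ldap://, so the bind password "
                        "and every lookup cross the network in cleartext; use ldaps://")
    if props.get(PASSWORD_KEY.get(conn, ""), "").lower() in PLACEHOLDERS:
        findings.append(f"{name}: {PASSWORD_KEY[conn]} is a placeholder or default value")
    # A credential for a backend that is not selected still leaks if the file does.
    for other, key in PASSWORD_KEY.items():
        if other != conn and props.get(key):
            findings.append(f"{BACKENDS[other]} is not selected but {key} still holds a credential")
    return findings


# Constructed: the page's sample, reduced to the keys the checks look at.
SAMPLE = """\
user.ldap_url=ldap://localhost:389
user.ldap_config=com.sun.jndi.ldap.LdapCtxFactory
user.ldap_username=cn=Manager,dc=ephesoft,dc=com
user.ldap_password=secret
user.ldap_user_base=
user.ldap_group_base=
            user.msactivedirectory_url=ldap://msad.ephesoft.com:3268
            user.msactivedirectory_config=com.sun.jndi.ldap.LdapCtxFactory
            user.msactivedirectory_user_name=CN=administrator,DC=ephesoft,DC=com
            user.msactivedirectory_password=Passw0rd
# 0 for LDAP, 1 for MS Active Directory, 2 for Tomcat
user.connection=1
"""

# Constructed hardened variant: LDAPS on the global-catalog SSL port 3269, a dedicated
# bind account (hypothetical name), the secret injected at deploy time, no stale credentials.
HARDENED = """\
user.msactivedirectory_url=ldaps://msad.ephesoft.com:3269
user.msactivedirectory_config=com.sun.jndi.ldap.LdapCtxFactory
user.msactivedirectory_user_name=CN=svc-transact-bind,OU=Service Accounts,DC=ephesoft,DC=com
user.msactivedirectory_password=<injected-at-deploy-time>
user.ldap_password=
user.connection=1
"""

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE), ("hardened", HARDENED)):
        print(label, check_connectivity(parse_properties(text)) or ["no findings"])
```

Run it against the real file with parse_properties(open(path).read()); the same checks apply whichever of the three backends is selected, and a clean result on the hardened variant shows what a reviewed file looks like.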

Next, modify the Realm settings in the server.xml file located in:

<Transact Folder>\JavaAppServer\conf

<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://<Server-Name/IP>:3268"
       connectionName="<Authenticated-User-Name>"
       connectionPassword="<Authenticated-User-Password>"
       userBase="<Any Chosen User Base>"
       userSearch="<Unique Parameter for user search Suggested: (sAMAccountName={0})>"
       userSubtree="true"
       referrals="follow"
       roleBase="<Any Chosen User Base>"
       roleName="cn"
       roleSubtree="true"
       roleSearch="(member={0})"/>

The following is a sample Realm configuration:

<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://msad.ephesoft.com:3268"
       connectionName="CN=administrator,DC=ephesoft,DC=com"
       connectionPassword="password"
       userBase="DC=ephesoft,DC=com"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       referrals="follow"
       roleBase="DC=ephesoft,DC=com"
       roleName="cn"
       roleSubtree="true"
       roleSearch="(member={0})"/>
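The group search filter in user-connectivity.properties and the userSearch and roleSearch attributes of the JNDIRealm above are all LDAP search filters in the RFC 4515 syntax that the comments in the properties sample describe (|, &, ! and * wildcards). The following Python parser and evaluator, added here as example code that is neither Ephesoft's nor Tomcat's, shows how such a filter is read and which entries it keeps; the group entries are constructed. It also shows how a {0} placeholder should be filled with an escaped value, so that a username or DN containing filter metacharacters is matched literally rather than changing the filter's meaning. Attribute matching is case-insensitive, which is how cn and sAMAccountName behave in Active Directory (an assumption for other directories).

```python
"""Parse and evaluate LDAP search filters (RFC 4515 subset: =, *, &, |, !).

Added example, not Ephesoft's or Tomcat's code. The group entries below are
constructed; matching is case-insensitive as for cn in Active Directory.
"""
from __future__ import annotations

import re

# Node shapes: ('&', [nodes]) | ('|', [nodes]) | ('!', node) | ('=', attr, regex, raw_value)
Node = tuple

_ATTR = re.compile(r"[A-Za-z][A-Za-z0-9.;-]*")


def _unescape(piece: str) -> str:
    """Turn RFC 4515 hex escapes (\\2a, \\28, \\29, \\5c) back into literal characters."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), piece)


def _pattern(value: str) -> re.Pattern[str]:
    """An unescaped '*' is a wildcard; everything else in the value is matched literally."""
    parts = [re.escape(_unescape(p)) for p in value.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def parse_filter(text: str) -> Node:
    """Parse a complete filter; unbalanced or malformed input raises ValueError."""
    text = text.strip()
    end, node = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"trailing characters after filter at offset {end}")
    return node


def _parse(s: str, i: int) -> tuple[int, Node]:
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = s[i] if i < len(s) else ""
    if op in ("&", "|"):
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            i, child = _parse(s, i)
            children.append(child)
        return _close(s, i), (op, children)
    if op == "!":
        i, child = _parse(s, i + 1)
        return _close(s, i), ("!", child)
    # Simple item: values never contain a raw ')' because it must be escaped as \29.
    close = s.find(")", i)
    if close < 0:
        raise ValueError(f"unterminated item at offset {i}")
    attr, sep, value = s[i:close].partition("=")
    if not sep or not _ATTR.fullmatch(attr.strip()):
        raise ValueError(f"malformed item {s[i:close]!r}")
    return close + 1, ("=", attr.strip().lower(), _pattern(value), value)


def _close(s: str, i: int) -> int:
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1


def matches(node: Node, entry: dict[str, list[str]]) -> bool:
    """Evaluate a parsed filter against one entry (attribute name -> list of values)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])  # (&) with no children is TRUE (RFC 4526)
    if kind == "|":
        return any(matches(c, entry) for c in node[1])  # (|) with no children is FALSE
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, regex, _raw = node
    values = next((v for k, v in entry.items() if k.lower() == attr), [])
    return any(regex.match(v) for v in values)


def escape_value(value: str) -> str:
    """Escape a value that is about to be spliced into a filter (RFC 4515 section 3)."""
    return "".join(f"\\{ord(ch):02x}" if ch in "*()\\\x00" else ch for ch in value)


def fill(template: str, *args: str) -> str:
    """Fill {0}, {1}, ... as userSearch/roleSearch templates are filled, escaping each
    value so that metacharacters in a username or DN are matched literally."""
    for i, arg in enumerate(args):
        template = template.replace("{%d}" % i, escape_value(arg))
    return template


# Constructed sample of what a group search under DC=ephesoft,DC=com might return.
GROUPS = [
    {"cn": ["ephesoft"], "member": ["CN=alice,OU=Staff,DC=ephesoft,DC=com"]},
    {"cn": ["Transact Admins"], "member": ["CN=alice,OU=Staff,DC=ephesoft,DC=com",
                                           "CN=bob,OU=Staff,DC=ephesoft,DC=com"]},
    {"cn": ["Backup Operators"], "member": []},
]


def select_groups(filter_text: str, groups=GROUPS) -> list[str]:
    """Names of the groups a filter keeps, e.g. the page's group_search_filter or a filled roleSearch."""
    node = parse_filter(filter_text)
    return [g["cn"][0] for g in groups if matches(node, g)]


if __name__ == "__main__":
    print(select_groups("(!(cn=*h*oft*))"))
    print(select_groups(fill("(member={0})", "CN=alice,OU=Staff,DC=ephesoft,DC=com")))
    print(fill("(sAMAccountName={0})", "ali*"))
```

Two things the run makes visible: the sample group_search_filter (!(cn=*h*oft*)) excludes any group whose cn contains an "h" followed later by "oft", so a group named "ephesoft" is dropped while "Transact Admins" is kept; and a filled userSearch for the value ali* becomes (sAMAccountName=ali\2a), which matches only an account literally named ali*, not alice. The parser rejects a filter with unbalanced parentheses outright instead of matching part of it.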

Specify the Active Directory group as super admin

To specify the super admin, navigate to <Transact_Directory>\Application\WEB-INF\classes\META-INF and open application.properties. Set the following property:

user.super_admin=<GroupName>

The following is a sample application.properties file:

#Super admin group update disabled.
ephesoft.product.version=3.0.2.0
report.ant.buildfile.path=C:\\Ephesoft\\Report/ephesoft-reporting/build.xml
enable.reporting=true
enable.uploadBatch=true
#default doc type view can be "dropdown_list" or "suggest_box"
document.default_doc_type_view=suggest_box_view
function_key_script_name=ScriptFunctionKey
#This property value has become obsolete. No need to set its value from version 3.0.2.0 onwards.
tesseract_version_3=C:\\Ephesoft\\Application/native/Tesseract-OCR
field_value_change_script_name=ScriptFieldValueChange
row_count=50
zip_switch=true
update_interval=5
preloaded_image_count=3
#0 for html cleaner(default)
#any other value for Tidy parser (Support for EE 2.4 or earlier)
html_parser=0
custom_reports_url=http://www.ephesoft.com
custom_reports_title=Ephesoft
custom_reports_pop_up_xdimension=500
custom_reports_pop_up_ydimension=500
enable.restart_all_batch=false
batchlist.table_row_count=15
zoom_count=1
create_batch_instance_backup=off
plugin_upload_folder_path=C:\\Ephesoft\\SharedFolders/plugin-upload-folder
user.super_admin=admin
help_url=http://www.ephesoft.com/wiki/index.php?title=Special:Search
batch_copy_timeout=3600
# 1-RoundRobin (Default)
# 0-BatchInstancePriority
workflow.batchPickingAlgo=0
# false for review panel as closed on Review-Validation screen for batches with READY_FOR_VALIDATION state
# true for review panel as open by default on Review-Validation screen for batches with READY_FOR_VALIDATION state
default_review_panel_open=false
# 0 for limited/metered user
# 1 for shared user(not implemented)
# 2 for dedicated
user_type=2
# file size limit in KB.
upload_batch_limit=1024
# Set this property as true if super admin roles has been updated
update_super_admin_group=false

If there are multiple users with the same name (as defined by CN), it could cause ambiguity when attempting to authenticate an account. To resolve this issue, see Resolving ambiguous user accounts.

Authorization of Transact URLs

Transact has several URLs, which include the following:

  • BatchList.html

  • BatchClassManagement.html

  • BatchInstanceManagement.html

  • ReviewValidate.html

  • WebScanner.html

  • Reporting.html

Administrators can authorize access to these URLs using the group/role names defined in Tomcat, LDAP or MS Active Directory. The web.xml file is located at <Transact Folder>\WEB_INF\web.xml.

By default, all URLs are authorized for all groups by using * in the <auth-constraint> element:

<auth-constraint>
    <role-name>*</role-name>
</auth-constraint>

To authorize a specific security role or LDAP container, modify the <role-name> element. This example assigns the admin role to BatchInstanceManagement.html through the <auth-constraint> element.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>batch instance management</web-resource-name>
        <url-pattern>/BatchInstanceManagement.html</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

To allow multiple roles, add <role-name> elements in <auth-constraint> as shown below.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>batch instance management</web-resource-name>
        <url-pattern>/BatchInstanceManagement.html</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>role2</role-name>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

The <security-role> element need not be modified; it can remain a single entry (*) that allows all groups. The container may log warnings if the roles used in <auth-constraint> are not each declared in a <security-role> element. These warnings can be eliminated by declaring each role in its own <security-role> element.

<security-role>
    <role-name>*</role-name>
</security-role>