Integrate Transact with Active Directory

The server.xml file defines information about Active Directory. The configuration in this file helps to authenticate the users with Active Directory.

• className: This must be set to org.apache.catalina.realm.JNDIRealm. This refers to JNDIRealm class in Tomcat.

• connectionURL: Define the URL of the Active Directory server in this format: ldap://<IP,DNS,FQDN>:<PORT> where the Active Directory port needs to be 3268 (also called the Global Catalog Port) or 3269 (if Active Directory is configured with SSL).

• connectionName: Define the Distinguished Name of any user who exists in Active Directory. For example, CN=aj,OU=USERS,OU=EPHESOFT,DC=ephesoft,DC=com means that the user with the name aj exists in OU called USERS which is under ephesoft sub-domain and com root-domain. You can also define the connectionName here using a naming convention like aj@ephesoft.com.

• connectionPassword: Provide the password for the user defined in connectionName.

• userBase: The relative path under which all the users' information will be located. This attribute defines where to look for a user. For example, you can search for users directly under our sub-domain. Therefore, it will look for the user under the sub-domain as well as in all the Organizational Units.

• userSearch: This is the pattern specifying the Active Directory search filter to use after substitution of the username. Possible values are "(sAMAccountName={0})" or "cn={0}". If you are using sAMAccountName, it will look for the value in sAMAccountName property of Active Directory. If you use cn={0}, it will look for the value in the cn property in Active Directory.

• roleBase: The relative path under which all the roles information will be located. This attribute defines where to look for a role corresponding to a user. In the example above, you are searching for all roles and groups under sub-domain "ephesoft" as well as in all Organizational Units.

• roleName: The attribute in a role entry containing the name of that role. In the example above, the value of the cn attribute in Active Directory will be checked.

• roleSearch: The LDAP search filter for selecting role entries. It optionally includes pattern replacements "{0}" for the Distinguished Name. In the example above, the member property of the user in Active Directory will be looked up.

• userSubtree: The search scope. Set to true to search the entire sub tree rooted at the userBase

• roleSubtree: The search scope. Set to true to search the entire sub tree rooted at the roleBase.

The user-connectivity.properties file configures authorization. This file defines the limitations on the groups and roles to be fetched from the Active Directory. Set the following properties:

• user.connectivity_url: Specify the URL of the Active Directory server. It is of the form of ldap://<IP,DNS,FQDN>:<PORT> where the port in case of Active Directory needs to be 3268 (also called Global Catalog Port) or 3269 (if Active Directory is configured with SSL).

• user.connectivity_domain_component_name: Specify sub-domain information. If there is more than one sub-domain, like com.ephesoft.support, use this convention: user.connectivity_domain_component_name=support,dc=ephesoft.

• user.connectivity_domain_component_organization: Specify the root level domain name.

• user.connection: Set this property to 1 to use AD.

• user.ldap_user_base: This is an LDAP-related property. You do not need to define any value for this property if you are using Active Directory.

• user.ldap_group_base: This is an LDAP-related property. You do not need to define any value for this property if you are using Active Directory.

• user.connectivity_groupSearchAttributeFilter: This is usually set to the value cn. This property will look at the cn property in Active Directory and accordingly will pick the Group / Role name defined in this property.

• user.connectivity_userSearchAttributeFilter: Usually set to the value cn or sAMAccountName. This property will look at the cn or sAMAccountName property from Active Directory. This needs to be set according to the value set in the userSearch property in server.xml.

• user.msactivedirectory_context_path: Define the relative path where the groups exist. If groups exist in more than one OU, separate them using double semicolon (;;).

• user.msactivedirectory_group_search_filter: Define the pattern to only pick the groups which match this pattern. If the name of Super Admin group does not match the pattern, add the name of the group here.

  Example: (|(cn=EphesoftSupport*)(cn=Ephesoft-SystemAdministrator)). This pattern picks all groups starting with EphesoftSupport and followed by anything. If there is a Super Admin group that does not match this pattern, this example adds Ephesoft-SystemAdministrator separately in this filter.

The application.properties file sets Super Admin group details. The following properties need to be set:

• user.super_admin: Assigns groups to Super Admin rights.

• update_super_admin_group: Must be changed to true.