Integrate Transact with LDAP

To integrate Transact with LDAP, you need to modify the following property files:

  • server.xml

  • user-connectivity.properties

  • application.properties

Before modifying these files, you need the following:

  • An understanding of how LDAP works, including its directory structure.

  • The directory structure used to organize users.

  • The users in the directory.

  • Passwords for each user to be authenticated.

  • Information about where users and groups exist in LDAP.

  • Information on where groups exist in Active Directory.

  • How users are mapped to their respective groups.

Using JXplorer or a similar tool can help you examine the directory structure and identify the users you want to assign to Transact.

Roles in Transact

Users and groups that are used in Transact are assigned to one of the following roles:

  • Super Admin: Has full access to Transact, including System Configuration.
  • Administrator: Has access to all Transact screens except System Configuration.
  • Operator: Has specific access to non-administrator tasks, such as the batch list, validation, and review.

When configuring Transact components to use LDAP, you need to consider which users and groups should be assigned to these roles.

Configure Transact components

server.xml

The server.xml file defines the connection to Active Directory (or another LDAP directory). The Realm configured in this file authenticates users and fetches users and groups from LDAP.

  • className: This must be set to org.apache.catalina.realm.JNDIRealm. This refers to the JNDIRealm class in Tomcat.

  • connectionURL: Define the URL of the LDAP server in this format: ldap://<IP,DNS,FQDN>:<PORT>, where the port is 389 for LDAP or 636 for Secure LDAP (LDAPS).

  • connectionName: Define the Distinguished Name of any user who exists in the LDAP directory. For example, cn=Manager,dc=ephesoft,dc=com means that the user named Manager exists under the ephesoft sub-domain of the com root domain.

  • connectionPassword: Provide the password for the user defined in connectionName.

  • userBase: The relative path (base entry) under which all user information is located. This attribute defines where to look for a user. In the example above, users are looked up directly under the sub-domain, so the search covers the sub-domain itself as well as all the Organizational Units beneath it.

  • userSearch: The pattern specifying the LDAP search filter to use after substitution of the username. A possible value is "cn={0}".

  • roleBase: The relative path (base entry) under which all role information is located. This attribute defines where to look for the roles corresponding to a user. For example, you can search for all roles and groups under the sub-domain "ephesoft" as well as in all of its Organizational Units.

  • roleName: The attribute in a role entry containing the name of that role. In the above example, the value of the cn attribute in Active Directory will be checked.

  • roleSearch: The LDAP search filter for selecting role entries. It may include the pattern replacement "{0}", which is substituted with the user's Distinguished Name. In this example, the member attribute of the Active Directory group entry is matched against that Distinguished Name.

  • userSubtree: The search scope. Set to true to search the entire subtree rooted at the userBase.

  • roleSubtree: The search scope. Set to true to search the entire subtree rooted at the roleBase.
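The attributes above assembled into a JNDIRealm element for server.xml, as an added example that is not from the Transact documentation. The host name, the bind password and the base DNs are assumptions built from the page's cn=Manager,dc=ephesoft,dc=com example; the commented-out Realm shows the plain-LDAP form on port 389 beside the LDAPS form on port 636.

```xml
<!-- Added example for Tomcat's conf/server.xml; place it inside the
     Engine or Host element. The host name, the DNs and the password are
     assumptions, not values shipped with Transact. -->

<!-- Weak form: plain LDAP on port 389. The bind password and the password
     of every user who logs in cross the network unencrypted. -->
<!--
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ldap.ephesoft.com:389"
       connectionName="cn=Manager,dc=ephesoft,dc=com"
       connectionPassword="CHANGE_ME" />
-->

<!-- Corrected form: LDAPS on port 636. The JVM running Tomcat must trust
     the certificate chain presented by the directory server. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://ldap.ephesoft.com:636"
       connectionName="cn=Manager,dc=ephesoft,dc=com"
       connectionPassword="CHANGE_ME"
       userBase="dc=ephesoft,dc=com"
       userSearch="(cn={0})"
       userSubtree="true"
       roleBase="dc=ephesoft,dc=com"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="true" />
<!-- userSearch: {0} is replaced with the login name, so the realm looks for
     an entry whose cn equals it anywhere under dc=ephesoft,dc=com.
     roleSearch: {0} is replaced with that entry's Distinguished Name, so
     every group under roleBase whose member attribute lists that DN
     becomes a role; roleName="cn" turns the group's cn into the role name
     that Transact maps to Super Admin, Administrator or Operator. -->
```

The connectionPassword sits in server.xml in clear text, so restrict read access on that file to the account that runs Tomcat.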

user-connectivity.properties

The user-connectivity.properties file configures authorization. This file defines the limitations on the groups and roles to be fetched from LDAP. Set the following properties:

  • user.connectivity_url: Specify the URL of the LDAP server in this format: ldap://<IP,DNS,FQDN>:<PORT>, where the port is 389 for LDAP or 636 for Secure LDAP (LDAPS).

  • user.connectivity_domain_component_name: Specify sub-domain information. If there is more than one sub-domain, like com.ephesoft.support, use this convention: user.connectivity_domain_component_name=support,dc=ephesoft.

  • user.connectivity_domain_component_organization: Specify the root level domain name.

  • user.connection: Set this property to 0 to use LDAP.

  • user.ldap_user_base: Use this property to define a specific OU if you only want to pick users from a specific context path. Example: user.ldap_user_base=ou=groups.

  • user.ldap_group_base: Use this property to define a specific OU if you only want to pick groups from a specific context path or organizational unit. Example: user.ldap_group_base=ou=people.

application.properties

The application.properties file sets Super Admin group details. The following properties need to be set:

  • user.super_admin: Specifies the groups that receive Super Admin rights.

  • update_super_admin_group: Must be changed to true.

Access to specific screen and batch classes

Use Access Manager to control the specific rights to users in Transact. To use Access Manager, you must have Super Admin rights.

In Access Manager, you can select which screens different groups can access. Select the checkbox for a screen to grant access, or clear the checkbox to deny access.

You can also use Batch Class Management to specify which roles can access a batch class. Use the Roles column in the Batch Class Management screen to provide access control at the batch class and batch instance level. If you assign a group to a batch class, only users in that group can view that batch class and associated batch instances. For more information, see the Batch Instance Management screen topic in the Ephesoft Transact Administrator's Help.