...

  • General
    • LDAP Server URL: The LDAP Server URL specifies the protocol, i.e. ldap:// for plain text and Start TLS connections, ldaps:// for SSL/TLS connections. The protocol is followed by the hostname (FQDN) and port of the LDAP Server, for example ldap://ldap.example.com:389 or ldaps://ldap.example.com:636.
    • LDAP Start TLS: This switch enables Start TLS: the connection is opened in plain text to the ldap:// URL and is upgraded to TLS before credentials are sent. The switch is not used with ldaps:// URLs, which are encrypted from the start.
    • LDAP Host Name Verification: This switch has to be active for JOC Cockpit to verify that the host name in the LDAP Server URL matches the host name in the LDAP Server certificate. If it is inactive, any certificate that is trusted by the truststore is accepted for any host, so it should only be switched off temporarily for troubleshooting.
    • LDAP Truststore Path: If the LDAP Server is configured for TLS/SSL connections then the indicated truststore has to include an X.509 certificate that allows the LDAP Server certificate to be verified, i.e. the Server Authentication certificate itself or the CA certificate that signed it.
      • For connections to well known LDAP Identity Providers such as Azure® users can specify the path to the Java cacerts truststore file that ships with the Java JDK used with JOC Cockpit, as it already includes the public Root CA certificates.
      • The truststore can include a self-signed certificate or a CA signed certificate. Typically the Root CA certificate is used, as otherwise the complete certificate chain involved in signing the Server Authentication certificate has to be available from the truststore.
      • If the LDAP Server is operated for TLS/SSL connections and this setting is not specified then JOC Cockpit will use the truststore that is configured with the JETTY_BASE/resources/joc/joc.properties configuration file. This includes use of settings for the truststore password and truststore type.
      • The path to the truststore is specified relative to the JETTY_BASE/resources/joc directory. If the truststore is located in this directory then specify the file name only, typically with a .p12 extension. Other relative locations can be specified using e.g. ../../joc-truststore.p12 if the truststore is located in the JETTY_BASE directory. No absolute path can be specified and no path can be specified that lies before the JETTY_BASE directory in the file system hierarchy.
    • LDAP Truststore Password: If an LDAP truststore is used and the LDAP truststore is protected by a password, then the password has to be specified.
    • LDAP Truststore Type: If an LDAP truststore is used then the type of the indicated truststore has to be specified as being either PKCS12 or JKS (deprecated).
  • Authentication
    • LDAP User DN Template: The Distinguished Name (DN) identifies a user account. The placeholder {0} is replaced by the user account specified during login. For Active Directory LDAP Servers the template can consist of {0} only, as Active Directory accepts the account name (e.g. user@domain) for binding. Alternatively a full DN template can be specified, for example uid={0},OU=Operations,O=IT,O=Users,DC=example,DC=com.
  • Authorization
    • LDAP Search Base: The Search Base for looking up user accounts in the hierarchy of LDAP Server entries, for example OU=Operations,O=IT,O=Users,DC=example,DC=com.
    • LDAP Group Search Base: Similarly to the Search Base the Group Search Base is used to find Security Groups which a user account is a member of. This setting specifies the entry in the hierarchy from which Security Groups are looked up, for example OU=Operations,O=IT,O=Groups,DC=example,DC=com.
    • LDAP Group Search Filter: This filter specifies an LDAP query which is used to identify Security Groups the user account is a member of. The filter is applied to search results provided starting from the Group Search Base.
    • LDAP User Search Filter: This filter specifies an LDAP query that is used to identify the user account in the hierarchy of LDAP entries.
    • LDAP Group Name Attribute: This attribute provides the name of the Security Group that a user account is a member of, for example the CN (Common Name) attribute.
    • LDAP User Name Attribute: This attribute provides the name of the user account, frequently the CN (Common Name) attribute is used.
  • Group/Roles Mapping
    • The LDAP Group/Roles Mapping is in fact a mapping between the Security Groups which the user account is a member of and JS7 roles. Depending on the LDAP Group Search Attribute, Security Groups have to be specified as Distinguished Names, e.g. CN=js7_admins,OU=Operations,O=IT,O=Groups,DC=example,DC=com, or as Common Names, e.g. js7_admins.
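The settings above can be sanity-checked offline before they are applied to JOC Cockpit. The following script is an added example and is not part of JS7 or of this page: it parses the LDAP Server URL and derives the resulting transport (plain text, Start TLS or TLS), applies the JETTY_BASE path restriction to the LDAP Truststore Path, and fills the {0} placeholder of the User DN Template and of a search filter with the login name escaped per RFC 4514 and RFC 4515, so that a crafted login name cannot add RDNs to the DN or alter the query. The JETTY_BASE location, the use of {0} in the search filters and all sample values are assumptions made for illustration.

```python
"""Offline checks for the JOC Cockpit LDAP settings described above.

Added example, not JS7 code. The JETTY_BASE location, the {0} placeholder
in search filters and all sample values are assumptions for illustration.
"""
import posixpath
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_url(url, start_tls=False):
    """Split an LDAP Server URL and decide which transport results.

    ldaps:// is encrypted from the first byte; ldap:// stays plain text
    unless the Start TLS switch upgrades the connection.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {parts.scheme!r}, use ldap:// or ldaps://")
    if not parts.hostname:
        raise ValueError("the LDAP Server URL has to contain the host name (FQDN)")
    if parts.scheme == "ldaps" and start_tls:
        raise ValueError("Start TLS applies to ldap:// URLs only")
    transport = "tls" if parts.scheme == "ldaps" else ("starttls" if start_tls else "plaintext")
    return {"scheme": parts.scheme, "host": parts.hostname,
            "port": parts.port or DEFAULT_PORTS[parts.scheme], "transport": transport}


def resolve_truststore_path(jetty_base, configured):
    """Resolve an LDAP Truststore Path relative to JETTY_BASE/resources/joc.

    Absolute paths and paths that climb above JETTY_BASE are rejected; an
    empty setting means the joc.properties truststore is used instead.
    """
    if not configured:
        return None
    if posixpath.isabs(configured):
        raise ValueError("absolute truststore paths cannot be specified")
    base = posixpath.normpath(jetty_base)
    resolved = posixpath.normpath(posixpath.join(base, "resources", "joc", configured))
    if resolved != base and not resolved.startswith(base + "/"):
        raise ValueError("truststore path lies before JETTY_BASE in the file system hierarchy")
    return resolved


# RFC 4514: characters that have to be escaped inside a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;')
# RFC 4515: characters that have to be escaped inside a search filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_dn_value(value):
    """Escape a login name before it is substituted into a DN template."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        # Leading '#' or space and a trailing space are significant in a DN.
        if ch in _DN_SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """Escape a login name before it is substituted into a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_user_dn(template, login):
    """Fill the LDAP User DN Template so a login name cannot add RDNs."""
    return template.replace("{0}", escape_dn_value(login))


def render_search_filter(template, login):
    """Fill a user/group search filter so a login name cannot change the query."""
    return template.replace("{0}", escape_filter_value(login))


if __name__ == "__main__":
    # Constructed sample settings, modelled on the examples in the text.
    print(parse_ldap_url("ldap://ldap.example.com", start_tls=True))
    print(resolve_truststore_path("/opt/js7/joc/jetty_base", "../../joc-truststore.p12"))
    print(render_user_dn("uid={0},OU=Operations,O=IT,O=Users,DC=example,DC=com", "alice,OU=Admins"))
    print(render_search_filter("(&(objectClass=person)(uid={0}))", "*)(uid=*"))
```

Run as-is the script prints the results for the constructed sample values. The two escaping functions are the point a practitioner should take away: a login name must never be concatenated into a DN template or a search filter unescaped, since a value such as alice,OU=Admins or *)(uid=* would otherwise change which entry is bound or matched.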

...