The information on this page represents the experience of an NBIA user and is provided as a case study that you may find useful. It not meant to apply to all users.
Install OpenLDAP
Install OpenLDAP on Ubuntu.
These instructions are based on Ubuntu 18.04.
In a terminal window, issue the following commands:
sudo apt-get update sudo apt-get upgrade
In a terminal window, then issue the following command.
sudo apt install slapd ldap-utils
Modify the default Directory Information Tree (DIT) suffix by changing the DIT to fit your company's network needs. For example,
dc=<org name>, dc=org
. To do so, issue the following command.sudo dpkg-reconfigure slapd
- Enter the administrator's password.
Add initial data to the LDAP database from a file and create a single entry. In a terminal window, issue the following command.
vi ldap_data.ldif
The following information is returned.
dn: ou=People,dc=<org name>,dc=org objectClass: organizationalUnit ou: People dn: ou=Groups,dc=<org name>,dc=org objectClass: organizationalUnit ou: Groups dn: cn=DEPARTMENT,ou=Groups,dc=<org name>,dc=org objectClass: posixGroup cn: SUBGROUP gidNumber: 5000 dn: uid=nciadevtest,ou=People,dc=<org name>,dc=org objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount uid: nciadevtest sn: Last name givenName: First name cn: nciadevtest displayName: Name uidNumber: 10000 gidNumber: 5000 userPassword: password gecos: Whole Name loginShell: /bin/bash homeDirectory: USERDIRECTORY
In this .ldif file, we created two organizationalUnit values, People and Groups.
Add the entities for these OU values. One entity must be nciadevtest for NBIA. The uid and cn must be this name. NBIA uses cn to as the default authentication. Some software applications use uid to authenticate.
Add the following entities to the LDAP server.
ldapadd -x -D cn=admin,dc=smab,dc=org -W -f ldap_data.ldif
Use this command to search the existing records. You can use the network loop IP address to test or use the real IP address.
ldapsearch -x -LLL -h 127.0.0.1 -p 389 -D cn=admin,dc=<org name>,dc=org -w <password>-b dc=<org name>,dc=org 'uid=nciadevtest' cn givenName gidNumber Result: dn: uid=nciadevtest,ou=People,dc=<org name>,dc=org givenName: First Name cn: nciadevtest gidNumber: 5000 ldapsearch -x -LLL -h 69.71.4.10 -p 389 -D cn=admin,dc=<org name>,dc=org -w <password> -b dc=<org name>,dc=org 'cn=nciadevtest' uid givenName gidNumber Result: dn: uid=nciadevtest,ou=People,dc=<org name>,dc=org uid: nciadevtest givenName: First Name gidNumber: 5000
Add the records. The LDAP server configuration looks similar to the following.
Title Value Base DN <org name>,dc=org Bind Admin admin,dc=<org name>,dc=org Bind Password <password> User name for NBIA nciadevtest
After installing the LDAP server, use an LDAP client such as Softerra LDAP administrator to make sure the LDAP server can be accessed. Sometimes the Linux firewall will block the LDAP server by default. If the LDAP can be accessed, it is easy for NBIA to access it.
Configuring the LDAP Administrator Client
You can add, modify, or remove records to or from the LDAP server in several ways.
- On a Linux server, use phpldapadmin to maintain the LDAP server. Refer to the following links to install phpldapadmin. (Note that phpldapadmin is not updated. There are some errors with php7.0 +).
- Use a Windows LDAP client such as Softerra LDAP Administrator to access the remote LDAP server.
To use Softerra LDAP Administrator
- Create a new profile.
- Add the server host (IP or domain), Base DN, and port.
- Add the bind admin information.
You use the LDAP client to create, delete, and modify entities with this information. Otherwise, you only have the read permission.
Troubleshooting Note
OpenLdap can be installed on an Ubuntu Server. The phpldapadmin can also work. Use ldapsearch to search the user information. You may find that when you try to use the LDAP client to access this LDAP server, the connection times out with no response from the LDAP server even if all ports are enabled. The user did not find any solution for this issue.
When installing OpenLDAP on Ubuntu (Desktop version), all LDAP functions worked without any issues. Any LDAP client can access the remote LDAP server.
NBIA LDAP Settings
In nbia.properties (Tomcat7.0/lib/nbia.properties), ldap.user and ldap.pass must be the administrator information of LDAP server. Modify nbia.properties as follows.
authentication.type=ldap-auth ldap.url=ldap://<ip address><port number> ldap.basedn=dc=<org name>,dc=org ldap.user=CN=admin,dc=<org name>,dc=org ldap.pass=<password> ldap.memberOf.attribute.name=isMemberOf ldap.mail.attribute.name=mail ldap.group.ignore.list=PwmAdmins,devTeam,nlst,testGroup public.collection.access.group.name=General User product.variation=NBIA
Modify jaas.conf (Tomcat7.0/conf/jaas.conf) as follows:
NCIA { gov.nih.nci.security.authentication.loginmodules.LDAPLoginModule Required ldapHost="ldap://<ip address><port number>" ldapSearchableBase="dc=<org name>,dc=org" ldapUserIdLabel="cn" ldapAdminUserName="CN=admin,dc=<org name>,dc=org" ldapAdminPassword=<password>; };
The jaas.conf is generated during NBIA installation. The default ldapUserIdLabel is cn, which means the LDAP server will search the cn value, then compare it to the login username. If the user name exists in the LDAP server, the LDAP server will authenticate this user.
Some LDAP servers may use another field to store the login username, such as uid. In this case, change the username value to uid. For example,ldapUserIdLabel="cn"
- Restart Tomcat for the change to take effect.