Now we're going to add initial data to the LDAP database. We'll do this from a file that creates the organizational units, one group and one user entry. From your terminal window, issue the command:

vi ldap_data.ldif

and put the following entries into the file (entries are separated by a blank line):

dn: ou=People,dc=smab,dc=org
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=smab,dc=org
objectClass: organizationalUnit
ou: Groups

# the cn attribute must repeat the value used in the RDN (cn=DEPARTMENT),
# otherwise slapd rejects the entry
dn: cn=DEPARTMENT,ou=Groups,dc=smab,dc=org
objectClass: posixGroup
cn: DEPARTMENT
gidNumber: 5000

dn: uid=nciadevtest,ou=People,dc=smab,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: nciadevtest
sn: Last name
givenName: First name
cn: nciadevtest
displayName: Name
uidNumber: 10000
gidNumber: 5000
userPassword: password
gecos: Whole Name
loginShell: /bin/bash
homeDirectory: USERDIRECTORY

In this .ldif file we create two organizationalUnit entries, People and Groups, and then add entries under these OUs. One of them is the nciadevtest user for NBIA. Both the uid and the cn of this entry must be this name, because NBIA authenticates against cn by default, while some other software authenticates against uid. Note that a userPassword value given in cleartext is stored as-is; generating a hashed value with slappasswd (for example {SSHA}) before adding the entry avoids keeping the cleartext password in the directory.
After adding these entries, we can use the following command to search for the existing record. You can use the loopback IP address or the real IP address of the server. (Passing the bind password with -w puts it into the shell history and process list; -W prompts for it instead.)

ldapsearch -x -LLL -h 127.0.0.1 -p 389 -D cn=admin,dc=smab,dc=org -w smab123456 -b dc=smab,dc=org 'uid=nciadevtest' cn givenName gidNumber

Result:

dn: uid=nciadevtest,ou=People,dc=smab,dc=org
givenName: XIAOHUI
cn: nciadevtest
gidNumber: 5000

ldapsearch -x -LLL -h 69.71.4.10 -p 389 -D cn=admin,dc=smab,dc=org -w smab123456 -b dc=smab,dc=org 'cn=nciadevtest' uid givenName gidNumber

Result:

dn: uid=nciadevtest,ou=People,dc=smab,dc=org
uid: nciadevtest
givenName: XIAOHUI
gidNumber: 5000
Final configuration. After installing OpenLDAP and adding the records, we have the LDAP server configuration below.

Title               Value
Base DN             dc=smab,dc=org
Bind Admin          cn=admin,dc=smab,dc=org
Bind Password       smab123456
User name for NBIA  nciadevtest
LDAP administrator client.
How to use Softerra LDAP Administrator
With this information you can use an LDAP client to create, delete and modify entries. Binding with any other account gives read permission only.
Troubleshooting:
NBIA LDAP settings.
1. In nbia.properties (Tomcat7.0/lib/nbia.properties)
authentication.type=ldap-auth
ldap.url=ldap://192.168.56.101:389
ldap.basedn=dc=smab,dc=org
ldap.user=CN=admin,dc=smab,dc=org
ldap.pass=smab123456
ldap.memberOf.attribute.name=isMemberOf
ldap.mail.attribute.name=mail
ldap.group.ignore.list=PwmAdmins,devTeam,nlst,testGroup
public.collection.access.group.name=General User
product.variation=NBIA
ldap.user and ldap.pass must be the bind DN and password of the LDAP server administrator account.
3. In jaas.conf (Tomcat7.0/conf/jaas.conf)
NCIA
{
gov.nih.nci.security.authentication.loginmodules.LDAPLoginModule Required
ldapHost="ldap://192.168.56.101:389"
ldapSearchableBase="dc=smab,dc=org"
ldapUserIdLabel="cn"
ldapAdminUserName="CN=admin,dc=smab,dc=org"
ldapAdminPassword="smab123456";
};
NOTE that:
The jaas.conf is generated during the NBIA installation. The default ldapUserIdLabel is 'cn', which means the login module searches the LDAP server for an entry whose 'cn' value equals the login username. If such an entry exists, the LDAP server then authenticates this user.
Some LDAP servers store the login username in a different attribute, such as 'uid'. In that case change the line
ldapUserIdLabel="cn"
to
ldapUserIdLabel="uid"
After changing it, restart Tomcat for the change to take effect.
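The following Python script is an added example and is not part of the original tutorial or of NBIA. It ties together the ldap_data.ldif file, the ldapsearch filters ('uid=nciadevtest' / 'cn=nciadevtest') and the ldapUserIdLabel note above: it parses an LDIF file, reports the problems an administrator should fix before running ldapadd (an RDN value missing from the entry, which slapd rejects; MUST attributes missing for the object classes used; a cleartext userPassword), and then resolves a login name the way the login module's first step does, by searching the base DN for an entry whose ldapUserIdLabel attribute equals the username. The sample LDIF is a constructed copy of the tutorial's entries with the placeholders filled in (group name nbiausers, home directory /home/nciadevtest); only the standard library is used.

```python
"""Check an LDIF file and resolve a login name by ldapUserIdLabel.

Added example for the OpenLDAP/NBIA tutorial; not the tutorial's own code.
Uses only the Python standard library.
"""
import re

# Constructed copy of the tutorial's ldap_data.ldif with placeholders filled in.
SAMPLE_LDIF = """\
dn: ou=People,dc=smab,dc=org
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=smab,dc=org
objectClass: organizationalUnit
ou: Groups

dn: cn=nbiausers,ou=Groups,dc=smab,dc=org
objectClass: posixGroup
cn: nbiausers
gidNumber: 5000

dn: uid=nciadevtest,ou=People,dc=smab,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: nciadevtest
sn: Last name
givenName: First name
cn: nciadevtest
displayName: Name
uidNumber: 10000
gidNumber: 5000
userPassword: password
gecos: Whole Name
loginShell: /bin/bash
homeDirectory: /home/nciadevtest
"""

# MUST attributes of the object classes the tutorial's file uses.
REQUIRED = {
    "organizationalUnit": {"ou"},
    "posixGroup": {"cn", "gidNumber"},
    "posixAccount": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
    "inetOrgPerson": {"cn", "sn"},
}


def parse_ldif(text):
    """Return a list of (dn, attrs); attrs maps attribute name -> list of values.
    Entries are separated by blank lines; '#' comments and folded
    continuation lines (leading space) are handled."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith("#"):
                continue
            if raw.startswith(" ") and lines:  # continuation of previous line
                lines[-1] += raw[1:]
            else:
                lines.append(raw)
        dn, attrs = None, {}
        for line in lines:
            name, _, value = line.partition(":")
            value = value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn:
            entries.append((dn, attrs))
    return entries


def check_entry(dn, attrs):
    """Return a list of problems slapd would reject or an admin should fix."""
    problems = []
    rdn_attr, _, rdn_value = dn.split(",", 1)[0].partition("=")
    # slapd refuses an entry whose naming attribute value is not in the entry.
    if rdn_value not in attrs.get(rdn_attr, []):
        problems.append(f"{dn}: RDN value {rdn_attr}={rdn_value} not among the attributes")
    for oc in attrs.get("objectClass", []):
        missing = REQUIRED.get(oc, set()) - set(attrs)
        if missing:
            problems.append(f"{dn}: objectClass {oc} is missing {sorted(missing)}")
    # A cleartext userPassword in the LDIF is stored as-is; a {SSHA} hash is expected.
    for pw in attrs.get("userPassword", []):
        if not pw.startswith("{"):
            problems.append(f"{dn}: userPassword is stored in cleartext")
    return problems


def find_user_dn(entries, base_dn, user_id_label, username):
    """Mirror the login module's search step: look below base_dn for an entry
    whose <user_id_label> attribute equals username and return its DN, or None."""
    suffix = "," + base_dn.lower()
    for dn, attrs in entries:
        if dn.lower().endswith(suffix) and username in attrs.get(user_id_label, []):
            return dn
    return None


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for dn, attrs in entries:
        for problem in check_entry(dn, attrs):
            print("PROBLEM:", problem)
    for label in ("cn", "uid"):
        print(f"ldapUserIdLabel={label}:", find_user_dn(entries, "dc=smab,dc=org", label, "nciadevtest"))
```

With the tutorial's data the lookup succeeds for both labels because uid and cn carry the same value; if cn held a display name instead, only ldapUserIdLabel="uid" would resolve the user, which is the failure the troubleshooting note describes.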