
Connecting to an Active Directory in CostOS

...

Setting

Description

Active

Activates or deactivates the periodic synchronization with the directory server (see Synchronization Interval below).

Hostname

The host name of your directory server. Examples:

  • ad.mydomain.com
  • ldap.mydomain.com
  • opends.mydomain.com
Port

The port on which your directory server is listening. Examples:

  • 389 (plain LDAP; a simple bind on this port sends the bind password in clear text)
  • 636 (LDAPS, i.e. LDAP over SSL/TLS; requires the SSL setting below and a trusted certificate, see Connecting via SSL)
Bind DN

The distinguished name (or user principal name) of the account the application binds with when connecting to the directory server. Use a dedicated service account that has no privileges beyond Bind and Read.

Examples: 

  • cn=administrator,cn=users,dc=ad,dc=example,dc=com
  • cn=user,dc=domain,dc=name
  • user@domain.name
Warning

By default, all users can read the uSNChanged attribute. The only privileges the bind account needs are "Bind" and "Read" (user info, group info, group membership). In a default Active Directory every authenticated domain user already has these, so a plain domain user account is sufficient; in a hardened domain, grant the account read access explicitly. Do not make the bind account a member of the Active Directory built-in Administrators group: its password is stored in the CostOS configuration, and an administrator-level credential there turns any compromise of the CostOS Server into a compromise of the domain.

Connecting via SSL

In many cases the Active Directory presents a self-signed certificate, or a certificate issued by a CA that the CostOS Server does not trust. When the CostOS Server connects on the SSL port the connection then fails, because the Java runtime rejects a certificate it cannot chain to a trusted root.

To fix this, import the Active Directory's certificate (preferably the certificate of the issuing CA rather than the server certificate, which is replaced on renewal) into the keystore used by the CostOS Server. Do not work around the failure by disabling certificate validation: the trust store is what prevents an attacker on the network from impersonating the directory server and collecting the bind password. The Hostname setting must also match a DNS name in the certificate's subject alternative names, because current Java versions verify the LDAPS host name.

Exporting the Certificate from the Active Directory

Run the following on the server hosting the Active Directory:

  1. Go to Run and type the mmc.exe command.
  2. Go to File and choose the Add/Remove Snap-in option.
  3. In Add or Remove Snap-ins, select the Certificates snap-in, and click on Add.
  4. In the Certificates snap-in dialog box, choose the Computer account option and click on Next.
  5. In the Select Computer dialog box, choose the Local Computer option and click on Finish.
  6. Expand Certificates and locate the certificate to export. The domain controller's own LDAPS certificate is normally under Personal > Certificates; the certificate of the CA that issued it is under Trusted Root Certification Authorities > Certificates. Exporting the issuing CA certificate keeps the trust intact when the server certificate is renewed.
  7. Double-click on the CA certificate to be exported.
  8. In the Certificate dialog box, choose the Details tab and then choose Copy to File.
  9. The Certificate Export Wizard appears. Choose Next. Note that there is no need to export the private key.
  10. On the Export File Format page, select the Base-64 encoded binary X.509(.CER) option.
  11. Choose Next.
  12. In the File to Export box, choose the path and name for the certificate, and choose Next.
  13. Choose Finish. The .cer file will be created in the location specified in the previous step.
  14. Finally, a dialog box will appear to inform the user that the export was successful. Choose OK to finish.

Importing the Certificate to CostOS Server

In the following command:

  • %COSTOS% is the installation folder of CostOS Server
  • %JAVA_HOME% is the %COSTOS%\jdk\ or %COSTOS%\jre\ folder, depending on the version
  • %CACERTS% is the bundled trust store: %JAVA_HOME%\jre\lib\security\cacerts for a JDK 8 layout, %JAVA_HOME%\lib\security\cacerts for a JRE (or JDK 9 and later)
  • %ALIAS% is an alias of your choice that identifies the certificate in the keystore
  • %CERT_FILE% is the full path to the certificate exported in the first part

Run the following, from a prompt with write access to the keystore, on the server hosting the CostOS Server:

"%JAVA_HOME%\bin\keytool" -import -alias %ALIAS% -keystore "%CACERTS%" -file "%CERT_FILE%"

If the command asks for a keystore password, the default is changeit (without quotes). Answer yes when keytool asks whether to trust the certificate, then restart the CostOS Server so that the JVM reloads the trust store. Upgrading the bundled JDK/JRE replaces the cacerts file, so the import has to be repeated after an upgrade.
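The following PowerShell script is an added example and is not part of the CostOS documentation or product. It covers both parts of the procedure above: instead of exporting through MMC on the domain controller, it fetches the certificate chain that the directory server presents on its LDAPS port, saves the issuing certificate as a Base-64 .cer file, imports it into the cacerts keystore of the JDK/JRE bundled with CostOS Server, and verifies the import by comparing SHA-256 fingerprints. The host name, port, CostOS installation folder, alias and keystore password in the param block are assumptions; run it with write access to the keystore.

```powershell
# Added example (not CostOS code). Assumed values: host, port, install folder, alias, store password.
param(
    [string]$LdapHost  = 'ad.mydomain.com',      # assumption: your directory server
    [int]$Port         = 636,
    [string]$CostOS    = 'C:\CostOS Server',      # assumption: %COSTOS%
    [string]$Alias     = 'corp-ad-ldaps',         # assumption: %ALIAS%
    [string]$StorePass = 'changeit'               # Java default keystore password
)

# 1. TLS handshake that records the presented chain instead of validating it.
$script:presented    = @()
$script:policyErrors = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:presented    = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $script:policyErrors = $sslPolicyErrors
    return $true    # accepted only because the fingerprint is verified out of band below
}
$tcp = New-Object System.Net.Sockets.TcpClient($LdapHost, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try     { $ssl.AuthenticateAsClient($LdapHost) }
finally { $ssl.Dispose(); $tcp.Close() }

# The last element is the issuing CA when the server sent its chain (or the leaf for a
# self-signed certificate). Trusting the issuer survives renewal of the server certificate.
$cert   = $script:presented[-1]
$sha256 = ([System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData) |
           ForEach-Object { $_.ToString('X2') }) -join ':'
"Windows validation result   : $script:policyErrors"
"Certificate to trust        : $($cert.Subject) (expires $($cert.NotAfter))"
"SHA-1 thumbprint (as in MMC): $($cert.Thumbprint)"
"SHA-256 fingerprint         : $sha256"

# 2. Write it as Base-64 X.509, the same format the MMC export wizard produces.
$certFile = Join-Path $env:TEMP 'ldaps-ca.cer'
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($cert.RawData, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----`r`n"
[IO.File]::WriteAllText($certFile, $pem, [Text.Encoding]::ASCII)

# 3. Locate the bundled Java and its cacerts file: the folder is jdk or jre depending on the
#    CostOS version, and cacerts sits under jre\lib\security for a JDK 8 layout but under
#    lib\security for a JRE (or JDK 9 and later).
$javaHome = @("$CostOS\jdk", "$CostOS\jre") |
            Where-Object { Test-Path "$_\bin\keytool.exe" } | Select-Object -First 1
if (-not $javaHome) { throw "keytool.exe not found under $CostOS\jdk or $CostOS\jre" }
$cacerts  = @("$javaHome\jre\lib\security\cacerts", "$javaHome\lib\security\cacerts") |
            Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $cacerts) { throw "cacerts not found under $javaHome" }
$keytool  = "$javaHome\bin\keytool.exe"

# 4. Back up the keystore, import without the interactive prompt, and verify that the
#    fingerprint keytool now reports is the one we inspected above.
Copy-Item $cacerts "$cacerts.bak-$(Get-Date -Format yyyyMMddHHmmss)"
& $keytool -importcert -noprompt -trustcacerts -alias $Alias -keystore $cacerts -storepass $StorePass -file $certFile
if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }
$listing = (& $keytool -list -v -alias $Alias -keystore $cacerts -storepass $StorePass) -join "`n"
$stored  = [regex]::Match($listing, 'SHA256:\s*([0-9A-F:]+)').Groups[1].Value
if ($stored -ne $sha256) { throw "keystore fingerprint $stored does not match $sha256" }
"Imported '$Alias' into $cacerts; restart the CostOS Server so the JVM reloads the trust store."
```

Compare the printed SHA-1 thumbprint with the Thumbprint field shown on the domain controller before letting the import proceed; a chain that ends at an unexpected issuer means the port is not being answered by the directory server you expect, and trusting it would defeat the purpose of LDAPS.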

...

Password

The password of the user specified above.
Base DN

The root distinguished name (DN) to use when running queries against the directory server. Examples:

  • o=example,c=com
  • cn=users,dc=ad,dc=example,dc=com
  • For Microsoft Active Directory, specify the base DN in the following format: dc=domain1,dc=local. Replace domain1 and local with the components of your domain name. Windows Server provides a tool called ldp.exe which is useful for finding out and configuring the LDAP structure of your server.
User Object Filter (optional)

The filter to use when searching user objects. Only user objects matching the filter are considered.

Examples:

  • (memberOf=cn=MyGroup,cn=users,dc=example,dc=com)
  • (memberOf:1.2.840.113556.1.4.1941:=cn=MyGroup,cn=users,dc=example,dc=com), which uses the Active Directory matching rule that also matches members of nested groups; plain memberOf matches direct members only
Synchronization Interval

Synchronization is the process by which the application updates its internal store of user data to agree with the data on the directory server. The application sends a request to your directory server every x minutes, where x is the number specified here. The default value is 10 minutes.

SSL

Check this if the connection to the directory server is an SSL/TLS (LDAPS) connection, normally on port 636. You will need to configure the SSL certificate as described under Connecting via SSL in order to use this setting.
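The following PowerShell script is an added example, not part of the CostOS documentation or product. It exercises the settings in the table above (Hostname, Port, Bind DN, Password, Base DN, User Object Filter and SSL) from the CostOS Server host before they are saved, using the System.DirectoryServices.Protocols API included with Windows, and lists the bind account's direct group memberships so that an over-privileged account is noticed. All default values in the param block, including the service account name costos-sync, are assumptions.

```powershell
# Added example (not CostOS code). Every default below is an assumption; replace with your own.
param(
    [string]$LdapHost   = 'ad.mydomain.com',
    [int]$Port          = 636,
    [switch]$NoSsl,                                   # plain LDAP on 389, for comparison only
    [string]$BindDn     = 'cn=costos-sync,cn=users,dc=ad,dc=example,dc=com',
    [string]$BaseDn     = 'dc=ad,dc=example,dc=com',
    [string]$UserFilter = '(memberOf=cn=MyGroup,cn=users,dc=ad,dc=example,dc=com)'
)
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Escape a value before embedding it in an LDAP filter (RFC 4515), so that a DN or a
# user-supplied string cannot change the structure of the filter.
function ConvertTo-LdapFilterValue([string]$Value) {
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ([string]$ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

# 1. Bind. A simple bind sends the Bind DN and password as-is, which is why LDAPS
#    (port 636, SSL checked) is the only safe choice outside a test lab.
$cred = (Get-Credential -UserName $BindDn -Message 'Password of the bind account').GetNetworkCredential()
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($LdapHost, $Port)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred, [System.DirectoryServices.Protocols.AuthType]::Basic)
$conn.SessionOptions.ProtocolVersion   = 3
$conn.SessionOptions.SecureSocketLayer = -not $NoSsl
$conn.Timeout = [TimeSpan]::FromSeconds(30)
# A certificate that Windows does not trust typically surfaces here as "The LDAP server is
# unavailable"; a wrong password as "The supplied credential is invalid".
$conn.Bind()
"Bind OK as $BindDn on ${LdapHost}:$Port (SSL: $(-not $NoSsl))"

# 2. Run the User Object Filter under the Base DN with the paged-results control, so that
#    directories with more than 1000 matching users do not fail with SizeLimitExceeded.
$req = New-Object System.DirectoryServices.Protocols.SearchRequest
$req.DistinguishedName = $BaseDn
$req.Filter            = $UserFilter
$req.Scope             = [System.DirectoryServices.Protocols.SearchScope]::Subtree
[void]$req.Attributes.Add('sAMAccountName')
$paging = New-Object System.DirectoryServices.Protocols.PageResultRequestControl(500)
[void]$req.Controls.Add($paging)
$matched = 0
do {
    $resp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)
    $matched += $resp.Entries.Count
    $pageResp = $resp.Controls | Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }
    $paging.Cookie = $pageResp.Cookie
} while ($paging.Cookie.Length -gt 0)
"User Object Filter matches $matched user object(s) under $BaseDn"

# 3. Least privilege: Bind and Read need no administrative rights. Look up the bind account
#    (given as a DN or as user@domain) and show its direct group memberships.
$self = ConvertTo-LdapFilterValue $BindDn
$who  = New-Object System.DirectoryServices.Protocols.SearchRequest
$who.DistinguishedName = $BaseDn
$who.Filter            = "(|(distinguishedName=$self)(userPrincipalName=$self))"
$who.Scope             = [System.DirectoryServices.Protocols.SearchScope]::Subtree
[void]$who.Attributes.Add('memberOf')
$entries = ([System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($who)).Entries
if ($entries.Count -ne 1) {
    Write-Warning "Bind account not found under $BaseDn; check its group membership by hand."
} else {
    $attr   = $entries[0].Attributes['memberOf']
    $groups = if ($attr) { @($attr.GetValues([string])) } else { @() }   # primary group is not listed in memberOf
    "Bind account is a direct member of $($groups.Count) group(s):"
    $groups | ForEach-Object { "  $_" }
    $privileged = $groups | Where-Object { $_ -match '^CN=(Administrators|Domain Admins|Enterprise Admins|Schema Admins),' }
    if ($privileged) {
        Write-Warning "Bind account holds administrative group membership; use a dedicated unprivileged account instead."
    }
}
$conn.Dispose()
```

Windows validates the LDAPS certificate against its own certificate store, so a successful bind here proves the host, port, credentials, base DN and filter, but not the Java cacerts import, which is verified separately under Connecting via SSL. The membership check looks at direct memberships only; nesting inside a privileged group would not show up here.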

Synchronize Application Groups from Active Directory

The application can obtain group membership from Active Directory. A user receives an application role by being a member of the Active Directory group mapped to that role in the table below.

AD Group Name                  Application Role
CESAdmin                       Administrator
CESProjectReader               Open/Edit Projects
CESProjectWriter               Create Projects
CESDatabaseUser                User
CESParamItemWriter             Create/Edit Assemblies
CESAssemblyWriter              Create/Edit Resources
CESFunctionWriter              Create/Edit Functions
CESColumnFieldWriter           Field/Formula Customization
CESLocationFactorWriter        Location Factor Customization
CESOnlineDBUser                Online Database User
CESUserAdmin                   Create/Edit Users
CESEPS                         Create/Edit EPS
CESCosmoPublisher              COS.MO Publisher
CESGlobalPRJVariabledWriter    Create/Edit Global Project Variables Template
CESMasterLayoutWriter          Create/Edit Layouts (Master Database)
CESMediaLibraryWriter          Open/Edit Media Library (Master Database)
CESCostTeam1                   CostOS Team 1
CESCostTeam2                   CostOS Team 2
CESCostTeam3                   CostOS Team 3
CESCostTeam4                   CostOS Team 4
CESCostTeam5                   CostOS Team 5
CESCostTeam6                   CostOS Team 6
CESCostTeam7                   CostOS Team 7
CESCostTeam8                   CostOS Team 8
CESCostTeam9                   CostOS Team 9
CESCostTeam10                  CostOS Team 10
