To be able to grant JetPatch Manager access to Active Directory users and groups, you need to first specify one or more Active Directory domains.
To specify a domain, in the Users tab, under User Directories, click Add User Directory:
Provide the following information:
- Connection to Active Directory server: Hostnames (line-separated resolvable names or IP addresses of one or more LDAP domain controllers, to be tried in order), Port (usually 389, 636 if SSL), whether the connection should Use SSL and/or Enforce validity of server certificate
- For SSL communication (minimum Java version requirement is 1.8.250):
  - On the JetPatch server, add the FQDN of the AD server to /etc/hosts
  - Take the .cer and .pfx files, place them in the common folder, and make sure you have the password of the certificate
  - Import the .cer in the .pfx file and copy it to the JetPatch application server
  - Run the below command to import the certificate into the keystore:
    keytool -import -trustcacerts -keystore /usr/java/<jre-version>/lib/security/cacerts -storepass <Password> -noprompt -alias <Alias-name> -file /<Path of cer file>/<file>.cer
  - Run the below command to check the validity:
    echo -n | openssl s_client -connect <LDAP SERVER>:636 2>/dev/null | openssl x509 -noout -text | grep Subject:
- Enforce validity of server certificate means two things:
  - The certificate must be issued by a known CA
  - The server you talk to is the server this specific certificate was given to (hostname verification)
- Active Directory Domain name (add all the domain UPNs that need to be used to access your users)
- Credentials of an Active Directory user account with read access to the target (all / partial) users in Active Directory. The 'Directory User' field accepts one of these formats: 1. user-name@domain-name 2. domain-name\user-name 3. the user's full DN
- Users Base DN / Groups Base DN (optional): specify an LDAP query if needed.
  - A base DN is the point from which a server will search for users. ... An LDAP search for the user admin will be done by the server starting at the base DN (dc=example,dc=com). When the user is found, the full DN (cn=admin,dc=example,dc=com) will be used to bind with the supplied password.
  - The user or group DN is added onto the base DN and used as the starting place to look for users and groups. This is helpful when your users are located at a different location from the groups they are part of. For example, consider the following: Base DN: dc=example,dc=local. ... User DN: ou=Users.
- Click OK
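The two conditions behind Enforce validity of server certificate (issued by a known CA, and hostname matches) can be checked offline before the keytool import, so a failed bind later is not a surprise. The script below is an added example, not JetPatch's own tooling: it constructs a throwaway CA and a server certificate for ldap.example.com (a hypothetical FQDN standing in for the AD server listed in /etc/hosts), then runs the hostname check and the issuer check with openssl; the last helper confirms the alias is present in a Java keystore after the page's keytool import, and is skipped when keytool is absent.

```shell
#!/bin/sh
# Added example (not JetPatch code): pre-flight checks for a domain controller
# certificate before it is imported into the Java cacerts keystore.
# The CA, a second unrelated CA and the server certificate are constructed here
# for the demo; in real use, point the functions at the exported .cer and at the
# FQDN you enter under Hostnames.
set -eu

WORK=$(mktemp -d)
LDAP_HOST="ldap.example.com"   # hypothetical FQDN, as it would be listed in /etc/hosts

# --- constructed test material standing in for the real CA and server .cer ---
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
  -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=$LDAP_HOST" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
printf 'subjectAltName=DNS:%s\n' "$LDAP_HOST" > "$WORK/san.cnf"
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -extfile "$WORK/san.cnf" -out "$WORK/server.pem" 2>/dev/null

# Print the Subject, the same field the page's `grep Subject:` one-liner shows.
cert_subject() { openssl x509 -in "$1" -noout -subject; }

# Hostname verification: exit 0 if the CN/SAN of cert $1 covers hostname $2.
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Issuer check: exit 0 if cert $2 chains to a CA contained in trust file $1.
cert_issued_by() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# After the page's keytool import: exit 0 if alias $3 exists in keystore $1
# (store password $2); exit 2 when keytool is not installed on this host.
ca_in_keystore() {
  command -v keytool >/dev/null 2>&1 || return 2
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Stand-alone run: report the outcomes for the constructed certificate.
cert_subject "$WORK/server.pem"
if cert_matches_host "$WORK/server.pem" "$LDAP_HOST"; then
  echo "hostname $LDAP_HOST: OK"
else
  echo "hostname $LDAP_HOST: MISMATCH (bind will fail with enforcement on)"
fi
if cert_issued_by "$WORK/ca.pem" "$WORK/server.pem"; then
  echo "issuer: trusted CA"
else
  echo "issuer: NOT trusted (import the issuing CA, not an unrelated one)"
fi
if cert_issued_by "$WORK/other-ca.pem" "$WORK/server.pem"; then
  echo "unrelated CA: accepted (unexpected)"
else
  echo "unrelated CA: rejected, as expected"
fi
```

Run it as a plain POSIX shell script; only openssl is required. Against a real server, feed `cert_matches_host` the .cer and the exact hostname you put in the Hostnames field, since a certificate issued for one DNS name will not satisfy hostname verification when the directory is configured by IP address or a different alias.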
You can edit or remove already-specified domains. Poll refreshes domain entries in JetPatch for role assignment; to view the refreshed entries you may need to refresh your browser.
You can disable all permissions given to a domain's groups and users while retaining the domain's information by editing the domain and clearing Enabled.
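The Base DN / User DN notes above describe a search-then-bind flow: the server looks up the login name starting at the configured base, then binds with the full DN it found. The helpers below are an added example, not JetPatch code: they combine a relative User DN with the Base DN the way the notes describe, classify the three Directory User formats the page accepts, and escape the login name before it is placed in the search filter (RFC 4515), because characters such as `*`, `(` and `)` in an unescaped name change what the filter matches. The sAMAccountName attribute and the filter shape are assumptions, not something the page states.

```shell
#!/bin/sh
# Added example (not JetPatch code): search base construction, Directory User
# format detection and RFC 4515 filter escaping for the search-then-bind flow.
set -eu

# Combine an optional relative DN (e.g. ou=Users) with the Base DN.
# ldap_search_base 'dc=example,dc=local' 'ou=Users' -> ou=Users,dc=example,dc=local
ldap_search_base() {
  if [ -n "${2:-}" ]; then
    printf '%s,%s\n' "$2" "$1"
  else
    printf '%s\n' "$1"
  fi
}

# Escape the characters that carry meaning inside an LDAP filter (RFC 4515).
# Backslash is handled first so the escapes added afterwards are not re-escaped.
ldap_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
  printf '\n'
}

# Filter locating the user whose full DN the server will bind with.
# sAMAccountName is the usual AD login attribute; an assumption for this demo.
ldap_user_filter() {
  printf '(&(objectClass=user)(sAMAccountName=%s))\n' "$(ldap_escape "$1")"
}

# Classify the three 'Directory User' formats the page lists:
# user@domain (upn), domain\user (down-level) or a full DN.
directory_user_format() {
  case "$1" in
    [cC][nN]=*|[uU][iI][dD]=*) echo dn ;;
    *@*)                       echo upn ;;
    *\\*)                      echo down-level ;;
    *)                         echo unknown; return 1 ;;
  esac
}

# Stand-alone run with constructed inputs.
ldap_search_base 'dc=example,dc=local' 'ou=Users'
ldap_user_filter 'admin'
ldap_user_filter 'ad*)(min'          # hostile input stays inside one assertion
directory_user_format 'JetPatchUser@YourSubDomain.com'
directory_user_format 'YourDomain1\JetPatchUser'
directory_user_format 'cn=admin,dc=example,dc=com'
```

The escaped form of the hostile example is `(&(objectClass=user)(sAMAccountName=ad\2a\29\28min))`, a single equality assertion on a literal value rather than a filter whose grouping has been rewritten by the input.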
Example of a configuration with 1 principal domain and 1 subdomain:
In this example, the subdomain is configured as the user principal name to access. (users@
- Add a user directory for principal domain 1:
  - Hostnames: AD servers
  - Domain: YourDomain1.net
  - Port: 389
  - Directory User: JetPatchUser@YourSubDomain.com
  - Users Base DN: DC=YourDomain1,DC=net
  - Groups Base DN: DC=YourDomain1,DC=net
- Add a user directory for the subdomain:
  - Hostnames: AD servers
  - Domain: YourSubDomain.com
  - Port: 389
  - Directory User: JetPatchUser@YourSubDomain.com
  - Users Base DN: DC=YourDomain1,DC=net
  - Groups Base DN: DC=YourDomain1,DC=net
After you configure the user directories, you need to add the same group twice: as "domain-group@YourSubDomain.com" and also as "domain-group@YourDomain1.net", to be sure that all users can be identified.
Troubleshooting
If there is an issue and it is not clear what to do, look at both the discovery.log and localhost.log files from the manager logs.