Replication - User and group import
Intrexx offers several methods for replicating your existing IT infrastructure. In the Users module, you can import data from
- LDAP directories (e.g. Windows Active Directory)
- JDBC sources
- ASCII files (e.g. Linux/Unix Passwd)
via User menu / User and group import. You can get more information about the import dialogs by pressing F1.
LDAP authentication
Before users can be replicated from LDAP sources, the LDAP server certificate must be imported via the portal properties.

So that users can authenticate against the LDAP server, a user replication should be performed via Intrexx. A replication is not absolutely necessary for the authentication, but should be seen as the "first choice". Alternatively, users can be created manually in Intrexx with the schema (username, domain, ...) of the LDAP server. Regardless of how the users are created, an attempt to authenticate against the LDAP server will be made first when logging in.
When performing the replication, please proceed as follows:
- Switch to the Users module and select User menu / User and group import.
- Click on "Add".
- Enter a name and select the option "LDAP". Click on "Next".
- Enter the connection data here. Enter the server name or IP of the ADS and enter the port. Simple authentication is usually sufficient. Specify the user who connects to the LDAP server (e.g.: mail@example.org) and the corresponding password (login password for the domain). Select the Base-DN by clicking on "Search". Select the corresponding profile for your LDAP server from the drop-down list. Click on "Next".
If the entries are correct, a further dialog will open where you can define which values should be read. Additional properties such as passwords can also be defined here.
Note: Your personal user account needs to be added to the Administrators group to receive all permissions in the Portal Manager with your Windows account.
Authentication methods
The authentication methods used by Intrexx need to be redefined. Please proceed as follows:
- In the Users module select User menu / Configuration.
- Click on "Edit binding" next to "Client".
- Select the option "Generic authentication". Close the dialog by clicking on "OK".
Afterwards, disconnect from your portal via File menu / Disconnect portal service.
Modify the configuration file
Open the file "LucyAuth.cfg" in the portal directory internal/cfg with a text editor of your choice. The address of the LDAP server and additional connection data need to be added to this file. Please create a backup of this file before you start editing. Then navigate to the following section in the text editor:
GenericAuth
{
    de.uplanet.lucy.server.auth.module.ldap.LdapBindLoginModule
        sufficient
        java.naming.provider.url="ldap://localhost:389"
        java.naming.security.authentication="simple"
        java.naming.security.principal="$[DN]"
        debug=false;
    de.uplanet.lucy.server.auth.module.anonymous.AnonymousLoginModule
        sufficient
        debug=false;
};
How the entry needs to be modified depends on whether users were replicated from the LDAP server or created manually and then authenticate against the LDAP server. If you have performed a replication, please make the following entries:
GenericAuth
{
    de.uplanet.lucy.server.auth.module.ldap.LdapBindLoginModule
        sufficient
        java.naming.provider.url="ldap://ldapserver.example.org:389"
        java.naming.security.authentication="simple"
        java.naming.security.principal="$[DN]"
        debug=false;
    de.uplanet.lucy.server.auth.module.anonymous.AnonymousLoginModule
        sufficient
        debug=false;
};
Enter "ldap" in the provider URL if you do not use SSL encryption. Instead of "ldapserver.example.org", enter the IP address or fully qualified name of the LDAP server followed by the port of the LDAP server (default: 389, SSL default: 636). The setting "$[DN]" should not be changed if the replication was successful. This distinguished name should be used for OpenLDAP, Novell eDirectory, Sun ONE and Active Directory Server.

If the users were created manually, modify the settings as follows:
GenericAuth
{
    de.uplanet.lucy.server.auth.module.ldap.LdapBindLoginModule
        sufficient
        java.naming.provider.url="ldap://ldapserver.example.org:389"
        java.naming.security.authentication="simple"
        java.naming.security.principal="$[LOGIN_NAME]@$[LOGIN_DOMAIN]"
        debug=false;
    de.uplanet.lucy.server.auth.module.anonymous.AnonymousLoginModule
        sufficient
        debug=false;
};
Enter "ldap" in the provider URL if you do not use SSL encryption. Instead of "ldapserver.example.org", enter the IP address or fully qualified name of the LDAP server followed by the port of the LDAP server (default: 389, SSL default: 636). $[LOGIN_NAME]@$[LOGIN_DOMAIN] is the composite principal name. Please apply this pattern exactly as it is shown above.
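As an added illustration (not part of the Intrexx documentation or product code), the following Python checks a LucyAuth.cfg GenericAuth entry against the two variants above: the provider URL's scheme and port, and the principal template for replicated versus manually created users. The sample configuration is constructed, the warning about plain "ldap" is an added recommendation, and the placeholder expansion in bind_principal is an assumption; how the module itself expands $[DN] and $[LOGIN_NAME]@$[LOGIN_DOMAIN] is not described on this page.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of the GenericAuth section (shape taken from the docs above).
SAMPLE_CFG = """
GenericAuth
{
    de.uplanet.lucy.server.auth.module.ldap.LdapBindLoginModule
        sufficient
        java.naming.provider.url="ldap://ldapserver.example.org:389"
        java.naming.security.authentication="simple"
        java.naming.security.principal="$[LOGIN_NAME]@$[LOGIN_DOMAIN]"
        debug=false;
};
"""
# The two principal templates prescribed in the documentation.
PRINCIPAL_REPLICATED = "$[DN]"
PRINCIPAL_MANUAL = "$[LOGIN_NAME]@$[LOGIN_DOMAIN]"

def parse_ldap_bind_module(cfg):
    """Return the key="value" options of the LdapBindLoginModule entry."""
    m = re.search(r"LdapBindLoginModule(.*?);", cfg, re.S)
    if not m:
        raise ValueError("no LdapBindLoginModule entry found")
    return dict(re.findall(r'([\w.]+)="([^"]*)"', m.group(1)))

def check_ldap_settings(cfg, users_replicated):
    """Return findings for the entry; an empty list means it matches the docs."""
    opts = parse_ldap_bind_module(cfg)
    url = urlsplit(opts.get("java.naming.provider.url", ""))
    findings = []
    # Scheme and port must agree (defaults from the docs: ldap 389, ldaps 636).
    expected_port = {"ldap": 389, "ldaps": 636}.get(url.scheme)
    if expected_port is None:
        findings.append("provider URL must use the ldap or ldaps scheme")
    elif url.port not in (None, expected_port):
        findings.append(f"port {url.port} does not match scheme {url.scheme}")
    if url.scheme == "ldap":
        findings.append("bind credentials travel unencrypted; prefer ldaps")
    # The principal template must match how the users were created.
    wanted = PRINCIPAL_REPLICATED if users_replicated else PRINCIPAL_MANUAL
    if opts.get("java.naming.security.principal") != wanted:
        findings.append(f"principal should be {wanted}")
    return findings

def bind_principal(template, login_name, login_domain, dn=""):
    """Illustrative placeholder expansion (assumed; not the module's documented logic)."""
    return (template.replace("$[DN]", dn)
            .replace("$[LOGIN_NAME]", login_name)
            .replace("$[LOGIN_DOMAIN]", login_domain))
```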
In this way, the login only works in the Portal Manager at first. If the variant should also work when accessing the portal in the browser, the following change needs to be made to the file "initlogin.vm" in the portal directory internal/system/vm/html/login:
##Initparams for Intrexx Loginbox
##Module Subdirectory, depends on Loginmodule ## default "intrexxauth"
#set($l_strModuleSubDir = "intrexxauth")
Modify the line #set($l_strModuleSubDir = "intrexxauth") to #set($l_strModuleSubDir = "ldapauth").
Note: Please note that login data is transferred as plain text during an LDAP authentication between the browser (client) and the server. It is therefore recommended to only use this method via HTTPS.