Authentication with Windows Active Directory/LDAP

You can use Windows Active Directory or LDAP for password authentication of logon accounts. (R7.5.2)

To support Windows Active Directory/LDAP, Wagby bundles the open source single sign-on library Central Authentication Service (CAS).

When authentication using CAS is set up, accessing

http://servername:8921/wagby/

redirects you to

http://servername:8921/cas/login

Use the CAS logon screen shown below to authenticate.

Figure 1 Logon screen provided by CAS

Here, logon authentication is performed with the user ID/password registered in Windows Active Directory/LDAP. After authentication, you are taken to the menu screen of the Wagby application.

Configure this under "Environment > Server".

Figure 2 Setting up CAS (Windows Active Directory example)
  • Specify "External authentication (LDAP)" as the "Authentication method".
  • Specify the URL of the Windows Active Directory server or other LDAP server in "LDAP server URL".
    (Example) "ldap://adserver.jasminesoft.co.jp/"
    Do not forget the "ldap:" prefix.
  • Specify the path of the directory entry where user information is registered in "DN of user information". "%u" is replaced with the user name.
    (Example) "%u@B.com"
  • Set "Search start entry for user information" as necessary. Leave it blank when using Windows Active Directory.
  • Set "Search range of user information" as necessary. Leave it blank when using Windows Active Directory.
  • "User for LDAP/AD connection" and "Password for user for LDAP/AD connection" need not be set if anonymous access is allowed. (7.10)
  • Specify the URL prefix of the CAS server. An external CAS server can also be used. By default, the CAS web application bundled with Wagby is used; in this case, do not change "/cas". CAS runs on the same Tomcat as a separate web application that is built together with the application you develop.
    Figure 3 wagby application and cas application included in Tomcat

    Note: The default URL must be rewritten to match your operating environment. It does not work with "localhost" as it is.
    Example) http://app.oki.jasminesoft.co.jp:8921/cas
  • Specify the "URL of the service to which authentication is applied" in the format "protocol://servername:portnumber".
    Note: The default URL must be rewritten to match your operating environment. It does not work with "localhost" as it is.
    Example) http://app.oki.jasminesoft.co.jp:8921

Dsquery command

On the Windows Active Directory server, you can use the dsquery command to look up the DN of a user. For example, the DN of the user admin is found as follows (the second line is the command's output).

C:\Users\jasmine>dsquery user -name admin
"CN=admin,CN=Users,DC=jasminesoft,DC=co,DC=jp"

Example of Windows Active Directory

As an example of use within a company, we assume the following environment.

  • Active Directory server name: A.B.com
  • Domain name: B.com
  • Wagby application server name: app.B.com

The setting is as follows.

  • LDAP server URL: ldap://A.B.com/
  • DN of user information: %u@B.com
  • Search start entry for user information: (blank)
  • Search range of user information: (blank)
  • CAS server URL prefix: http://app.B.com:8921/cas
  • URL of the service to which authentication is applied: http://app.B.com:8921

LDAP example

As an example of use at a university, we assume the following environment.

  • LDAP server name: ldap.sample.ac.jp
  • Domain name: sample.ac.jp
  • Wagby application server name: app.sample.ac.jp

The setting is as follows.

  • LDAP server URL: ldap://ldap.sample.ac.jp/
  • DN of user information: uid=%u
  • Search start entry for user information: dc=sample,dc=ac,dc=jp
  • Search range of user information: Subtree
  • CAS server URL prefix: http://app.sample.ac.jp:8921/cas
  • URL of the service to which authentication is applied: http://app.sample.ac.jp:8921
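As an added example (not part of this page or of Wagby/CAS), the following Python models how the two configurations above are interpreted and checks them against the notes given earlier: with "Search start entry" blank the "%u" template is filled in and bound directly (the Active Directory case); otherwise the template becomes a search filter under the start entry (the LDAP case). That CAS selects its handler exactly this way is an assumption, and the filter escaping and logon-name allowlist are additions that stop a typed user name from altering the directory query.

```python
import re
from urllib.parse import urlparse

# Constructed configurations that mirror the two examples on this page.
AD_CONFIG = {"ldap_url": "ldap://A.B.com/", "user_dn": "%u@B.com",
             "search_base": "", "search_scope": "",
             "cas_prefix": "http://app.B.com:8921/cas", "service_url": "http://app.B.com:8921"}
LDAP_CONFIG = {"ldap_url": "ldap://ldap.sample.ac.jp/", "user_dn": "uid=%u",
               "search_base": "dc=sample,dc=ac,dc=jp", "search_scope": "Subtree",
               "cas_prefix": "http://app.sample.ac.jp:8921/cas",
               "service_url": "http://app.sample.ac.jp:8921"}

# RFC 4515 escaping so a typed user name cannot change the meaning of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
_LOGON_NAME = re.compile(r"[A-Za-z0-9._-]+")   # assumed allowlist for a bind user name


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def validate_config(cfg: dict) -> list:
    """Return the misconfigurations this page warns about (empty list means OK)."""
    problems = []
    if not re.match(r"^ldaps?://", cfg["ldap_url"]):
        problems.append('LDAP server URL must start with "ldap:" (or "ldaps:")')
    for key in ("cas_prefix", "service_url"):
        if urlparse(cfg[key]).hostname in (None, "localhost", "127.0.0.1"):
            problems.append(f'{key} must name the real server, not "localhost"')
    if "%u" not in cfg["user_dn"]:
        problems.append('DN of user information must contain "%u"')
    return problems


def resolve_user(cfg: dict, username: str) -> dict:
    """Describe how the user is located: direct bind (AD) or search-then-bind (LDAP)."""
    if cfg["search_base"] == "":
        # AD example: "%u@B.com" becomes the UPN that is bound directly.
        if not _LOGON_NAME.fullmatch(username):
            raise ValueError("user name contains characters not allowed in a logon name")
        return {"mode": "bind", "bind_dn": cfg["user_dn"].replace("%u", username)}
    # LDAP example: search "(uid=<escaped name>)" under the base, then bind as the hit.
    return {"mode": "search", "base": cfg["search_base"],
            "scope": cfg["search_scope"].lower() or "subtree",
            "filter": "(" + cfg["user_dn"].replace("%u", escape_filter_value(username)) + ")"}
```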

In order to perform user authentication using Windows Active Directory/LDAP, it is necessary to register the same account/user in both Wagby and Windows Active Directory/LDAP.

First, register the account/user "admin". Because the account "admin" is registered in Wagby as standard, you can log on to Wagby simply by registering the user "admin" in Windows Active Directory/LDAP.

After creating other users in Windows Active Directory/LDAP, create the same accounts on the Wagby side.

Register a user in Windows Active Directory

This section shows how to add the user "admin" to Windows Active Directory on Windows Server 2008 Standard. As a precondition, it is assumed that the Windows Active Directory server and the domain "jasminesoft.co.jp" are already prepared.

  1. Open "Start" > "Control Panel" > "Administrative Tools" > "Server Manager".
  2. In Server Manager, expand "Roles" > "Active Directory Domain Services" > "Active Directory Users and Computers" > "jasminesoft.co.jp" > "Users".
  3. Right-click "Users" and choose "New" > "User".
  4. Enter "admin" in "User logon name". Click "Next".
  5. Enter the "Password" and "Confirm password". If necessary, check or uncheck "User must change password at next logon", "User cannot change password", "Password never expires" and "Account is disabled". Click "Next".
  6. Click the "Finish" button to create the user. (If the password does not meet the password policy, creation of the user is refused. Click "Back" and set a different password.)

Register account in Wagby

Create an account (juser) in Wagby. "Affiliated group" and "Principal" can be set as usual.

As for the password, it is treated as follows.

  • For user authentication, the Windows Active Directory/LDAP password is used. You cannot authenticate with Wagby's password. However, a password is still required as dummy data in order to register the account.
  • You can also enable "Force password change" when creating/updating the account, but for the reason above the changed password will not be used.
  • The "account lock information" on the Wagby side is effective. If you set this value, the account will be locked.

Register the account/user in both systems

The same account/user must be registered with Wagby and Windows Active Directory/LDAP.

Even if you register an account on the Wagby side, you cannot log on unless the same account is registered in Windows Active Directory/LDAP.

Wagby's password is not used

Wagby's account is used for authority settings such as affiliated group and principal, but the user's Windows Active Directory/LDAP password is used for user authentication. A password must be set when the account is registered, but it is ignored during operation. Therefore, set the password as dummy data.

In addition, passwords set and changed by Wagby are not reflected in Windows Active Directory/LDAP.

Disable the password expiration setting

When using this setting, specify "-1" for both "Password valid days" and "Password valid days warning". (This disables the password expiration setting.)

The CAS screen is displayed for the first logon authentication

With this setting, when a user logs on for the first time, the CAS screen is displayed instead of the logon screen Wagby provides as standard.

Enter the Windows account and password here; after authentication, you are taken to the Wagby menu screen.

Permission information set in Windows Active Directory/LDAP cannot be used by Wagby.

Wagby's authority information is managed within Wagby. Make the authority settings for affiliated group, principal, etc. on the account in Wagby.

The CAS configuration file is provided below.

wagbyapp/webapps/cas/WEB-INF/deployerConfigContext.xml

If you cannot connect properly, modify this file directly, referring to the CAS manual.

You can customize the CAS screen.

The logon screen and the screen after logoff are realized by the following files.

  • wagbyapp/webapps/cas/WEB-INF/view/jsp/default/ui/casLoginView.jsp
  • wagbyapp/webapps/cas/WEB-INF/view/jsp/default/ui/casLogoutView.jsp

You can customize the screens by rewriting these files.

After editing the files, place them in the customization folder below; they will be picked up automatically at the next build.

customize/tomcat/webapps/cas/WEB-INF/view/jsp/default/ui/

The CAS used by Wagby is a product for realizing single sign-on. Therefore, even after logging off from Wagby, CAS remains "logged on". This keeps the authentication valid for other systems that use CAS.

Consequently, if you access the Wagby application again without logging out of CAS, Wagby's logon process is performed automatically again.

Logging out of CAS at the same time as Wagby logoff

It is necessary to access http://xxx/cas/logout separately after Wagby's logoff processing. To do this, we modify the logoff.jsp that Wagby provides as standard.

Specifically, add the following line at the beginning of logoff.jsp.

<c:redirect url="http://xxx/cas/logout" />

Replace xxx with the host name of the server in operation.

Save the modified logoff.jsp in the customize/webapp/system folder. (The system folder does not exist immediately after installation, so create it as well.) This way, the modified logoff.jsp will always be used in subsequent builds.

Notes on operation

From a security standpoint, close the browser after logging out of CAS. This is the method recommended by CAS.