Version 4.9 and Above
With the LDAP authentication mechanism, users (and passwords) and roles (or groups) are loaded from an Active Directory or LDAP domain.
Encrypting Credentials in the Configuration
To encrypt a credential used in dvserver-standalone.xml, do the following:
1. Encrypt the password via a CLI command:
    CALL SYSADMIN.executeCli(script => '/subsystem=elytron/expression=encryption:create-expression(resolver=dv-encryption-resolver, clear-text=Password123)', "maskInLogs" => true) ;;
The output will look like the following:
    {
        "outcome" => "success",
        "result" => {"expression" => "${ENC::dv-encryption-resolver:RUxZAUMQ42XclErCI4BDa6nzzp/r/aqx31Cu/aNwUjvCgr5Tofw=}"}
    }
2. Copy the expression value into the configuration file in place of the clear-text password, like this:
    <dir-contexts>
        <dir-context name="ldap-connection" principal="CN=Administrator,CN=Users,DC=mydomain,DC=local" url="ldap://192.168.222.102/">
            <credential-reference clear-text="${ENC::dv-encryption-resolver:RUxZAUMQ42XclErCI4BDa6nzzp/r/aqx31Cu/aNwUjvCgr5Tofw=}"/>
        </dir-context>
    </dir-contexts>
The server resolves the ${ENC::...} expression at startup with the key held by dv-encryption-resolver, so this protects the password at rest in the XML file, but not from anyone who can also read that key.
Configuration
To configure LDAP authentication, modify dvserver-standalone.xml as follows:
1. Configure the authentication realm. Find the existing realm definition (search for "custom-realm"; the order of elements and attributes in your file may differ):
    <custom-realm class-name="com.datavirtuality.dv.core.teiid.users.DVLoginModule" module="com.datavirtuality.dv" name="DataVirtualityRealm"/>
and replace it with a snippet like this:
    <ldap-realm dir-context="ldap-connection" direct-verification="true" name="DataVirtualityRealm">
        <identity-mapping rdn-identifier="cn" search-base-dn="DC=mydomain,DC=local" use-recursive-search="true">
            <attribute-mapping>
                <attribute filter="(member={1})" filter-base-dn="OU=Users,DC=mydomain,DC=local" from="cn" to="Roles"/>
            </attribute-mapping>
        </identity-mapping>
    </ldap-realm>
Here the user entry is located by the attribute named in rdn-identifier (cn) below search-base-dn, and direct-verification="true" means the password is checked by binding to the directory as that user. Roles are loaded from the cn of every entry below filter-base-dn whose member attribute contains the user's DN ({1} is replaced with the DN of the matched user entry, {0} with the login name).
Filter-based authentication, which locates the user with an explicit LDAP filter instead of the rdn-identifier attribute, can be set up as follows:
    <ldap-realm dir-context="ldap-connection" direct-verification="true" name="DataVirtualityRealm">
        <identity-mapping filter-name="(userPrincipalName={0}@mydomain.local)" rdn-identifier="userPrincipalName" use-recursive-search="true" search-base-dn="DC=mydomain,DC=local">
            <attribute-mapping>
                <attribute filter="(member={1})" filter-base-dn="OU=Users,DC=mydomain,DC=local" from="cn" to="Roles"/>
            </attribute-mapping>
        </identity-mapping>
    </ldap-realm>
Adapt the values in the above fragments to the settings of your environment.
2. Find the </expression-resolver> closing tag and paste the following code after it, first replacing the principal, URL and password with your values:
    <dir-contexts>
        <dir-context name="ldap-connection" principal="CN=Administrator,CN=Users,DC=mydomain,DC=local" url="ldap://192.168.0.68/">
            <credential-reference clear-text="Password123"/>
        </dir-context>
    </dir-contexts>
The principal is the account the server binds with to search the directory. It only needs read access to the user and group entries, so prefer a dedicated read-only service account over a domain administrator. Store its password as the ${ENC::...} expression described under "Encrypting Credentials in the Configuration" rather than in clear text, and use an ldaps:// URL where the directory supports it: over plain ldap:// the simple bind sends the bind password, and with direct-verification each user's password, unencrypted.
3. Find the </policy-decider-module> closing tag and insert the following code after it:
    <ldap>
        <property name="defaultAdminGroup" value="super-group"/>
        <property name="displayUserName" value="cn"/>
        <property name="roleRecursion" value="5"/>
    </ldap>
Other properties supported by DVLdapExtContext and DVLdapContext can be added in this section.
For example, to set a conditional rule for displaying user names in the system, you can configure the following property:
    <property name="displayUserName" value="has('userPrincipalName') ? stripDomain(userPrincipalName) : distinguishedName"/>
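As an added example (not Data Virtuality or WildFly Elytron code), the following Python script models in memory how the identity-mapping and attribute-mapping settings shown above turn a login name into a user DN and a list of roles: the {0} (login name) and {1} (user DN) placeholders, subtree versus one-level search scope, the refusal to authenticate when the lookup matches more than one entry, and a bounded nested-group walk of the kind the roleRecursion property is assumed to control. The directory entries, the user and group names, and the treatment of defaultAdminGroup as the group that grants admin rights are constructed assumptions, and only single equality filters are modelled.

```python
# Added example (not Data Virtuality or WildFly Elytron code): an in-memory model of how
# the identity-mapping / attribute-mapping settings above resolve a login name to a user
# DN and a list of roles. The directory below is constructed for illustration.
import re

# Constructed directory: DN -> attributes (attribute names lower-cased, values as lists).
DIRECTORY = {
    "CN=alice,CN=Users,DC=mydomain,DC=local": {
        "cn": ["alice"], "userprincipalname": ["alice@mydomain.local"]},
    # Two entries share cn=bob: an rdn-identifier lookup on cn is ambiguous for him.
    "CN=bob,CN=Users,DC=mydomain,DC=local": {
        "cn": ["bob"], "userprincipalname": ["bob@mydomain.local"]},
    "CN=bob,OU=Contractors,DC=mydomain,DC=local": {
        "cn": ["bob"], "userprincipalname": ["bob.ext@mydomain.local"]},
    # Nested groups: alice -> dv-readers -> dv-analysts -> super-group
    "CN=dv-readers,OU=Users,DC=mydomain,DC=local": {
        "cn": ["dv-readers"], "member": ["CN=alice,CN=Users,DC=mydomain,DC=local"]},
    "CN=dv-analysts,OU=Users,DC=mydomain,DC=local": {
        "cn": ["dv-analysts"], "member": ["CN=dv-readers,OU=Users,DC=mydomain,DC=local"]},
    "CN=super-group,OU=Users,DC=mydomain,DC=local": {
        "cn": ["super-group"], "member": ["CN=dv-analysts,OU=Users,DC=mydomain,DC=local"]},
}

_EQUALITY = re.compile(r"^\(([A-Za-z0-9.-]+)=(.*)\)$")


def _in_scope(dn, base_dn, recursive):
    """use-recursive-search=true is subtree scope; false is one level below base_dn."""
    dn, base_dn = dn.lower(), base_dn.lower()
    if not dn.endswith("," + base_dn):
        return False
    return recursive or "," not in dn[: -len(base_dn) - 1]


def search(base_dn, ldap_filter, recursive=True):
    """Return the DNs under base_dn matching a single equality filter such as (cn=alice)."""
    m = _EQUALITY.match(ldap_filter)
    if not m:
        raise ValueError(f"only (attr=value) filters are modelled here: {ldap_filter}")
    attr, value = m.group(1).lower(), m.group(2).lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if _in_scope(dn, base_dn, recursive)
            and value in (v.lower() for v in attrs.get(attr, []))]


def resolve_user_dn(login, rdn_identifier, search_base_dn, filter_name=None, recursive=True):
    """identity-mapping: with filter-name, {0} is the login name; otherwise (rdn-identifier=login)."""
    ldap_filter = filter_name.replace("{0}", login) if filter_name else f"({rdn_identifier}={login})"
    hits = search(search_base_dn, ldap_filter, recursive)
    if len(hits) != 1:  # zero or several entries: refuse rather than guess which one to bind as
        raise LookupError(f"{len(hits)} entries match {ldap_filter}")
    return hits[0]


def resolve_roles(user_dn, login, attr_filter, filter_base_dn, from_attr="cn", role_recursion=0, recursive=True):
    """attribute-mapping: {0} is the login name, {1} the DN of the entry being expanded.
    role_recursion re-applies the filter to each group found (nested groups); this is assumed
    to be what the roleRecursion property bounds. Each group is visited at most once."""
    roles, seen, frontier = [], set(), [user_dn]
    for _ in range(role_recursion + 1):
        next_frontier = []
        for dn in frontier:
            ldap_filter = attr_filter.replace("{0}", login).replace("{1}", dn)
            for group_dn in search(filter_base_dn, ldap_filter, recursive):
                if group_dn not in seen:
                    seen.add(group_dn)
                    roles.extend(DIRECTORY[group_dn].get(from_attr, []))
                    next_frontier.append(group_dn)
        if not next_frontier:
            break
        frontier = next_frontier
    return roles


def login(name, filter_name=None, rdn_identifier="cn", role_recursion=5, admin_group="super-group"):
    """Full resolution with the page's settings; admin_group models defaultAdminGroup (assumed semantics)."""
    user_dn = resolve_user_dn(name, rdn_identifier, "DC=mydomain,DC=local", filter_name)
    roles = resolve_roles(user_dn, name, "(member={1})", "OU=Users,DC=mydomain,DC=local",
                          role_recursion=role_recursion)
    return user_dn, roles, admin_group in roles


if __name__ == "__main__":
    print(login("alice"))                   # all three nested groups, admin
    print(login("alice", role_recursion=0))  # direct membership only
    print(login("bob.ext", filter_name="(userPrincipalName={0}@mydomain.local)",
                rdn_identifier="userPrincipalName"))
```

Running login("bob") raises LookupError because two entries carry cn=bob, which is the case the filter-based variant with userPrincipalName resolves cleanly; lowering role_recursion shows how nested groups above the configured depth silently drop out of the role list.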
Version 4.11 and Above: Authorization and Authentication Realms Stacking
Authentication and authorization realms can be combined so that one realm authenticates users while another loads their roles. For example, you can authenticate against LDAP while managing roles and permissions internally. Follow these steps:
1. Start the server as usual and log in with admin/admin.
2. Create internal user accounts whose names match the LDAP usernames. Assign them roles and permissions; the passwords are placeholders, since the LDAP realm will verify the real ones:
    -- Create a user with admin role
    call SYSADMIN.addUser("name" => 'ad_user1', "pwd" => '123', "role_name" => 'admin-role') ;;
    -- Create a user with connect role
    call SYSADMIN.addUser("name" => 'ad_user2', "pwd" => '123', "role_name" => 'connect-dv-role') ;;
3. Stop the server and update the configuration as above, except for the authentication realm, which is configured as follows. In the example below, authentication is performed via DataVirtualityRealmLDAP while DataVirtualityRealmCustom is used for authorization:
    <aggregate-realm name="DataVirtualityRealm" authentication-realm="DataVirtualityRealmLDAP" authorization-realm="DataVirtualityRealmCustom"/>
    <custom-realm class-name="com.datavirtuality.dv.core.teiid.users.DVLoginModule" module="com.datavirtuality.dv" name="DataVirtualityRealmCustom"/>
    <ldap-realm dir-context="ldap-connection" direct-verification="true" name="DataVirtualityRealmLDAP">
        <identity-mapping rdn-identifier="cn" search-base-dn="DC=mydomain,DC=local" use-recursive-search="true"/>
    </ldap-realm>
Note that the LDAP realm here carries no attribute-mapping: roles come from the internal accounts only, so only LDAP users with a matching internal account receive roles.
4. Restart the server.
5. Log in using the usernames created in step 2 to access the system.
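The following Python checker is an added example, not part of Data Virtuality: it reads a dvserver-standalone.xml fragment and flags the mistakes that the realm stacking steps above and the 4.9 procedure earlier on this page make easy to introduce: a leftover custom-realm still carrying the DataVirtualityRealm name, an aggregate-realm whose authentication-realm or authorization-realm is not defined, an ldap-realm pointing at a missing dir-context or lacking search-base-dn/rdn-identifier, a bind password kept in clear text instead of an ${ENC::...} expression, and a plain ldap:// URL. The XML samples, the urn:example namespace, the service-account principal and the host names are constructed for the example.

```python
# Added example: a lint pass over the Elytron realm and dir-context settings in
# dvserver-standalone.xml. Not Data Virtuality code; the samples below are constructed.
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip an XML namespace prefix such as {urn:...} so tags compare by local name."""
    return tag.split("}", 1)[-1]


def _child(el, local_name):
    return next((c for c in el if _local(c.tag) == local_name), None)


def lint_ldap_config(xml_text, realm_name="DataVirtualityRealm"):
    """Return a list of findings for the LDAP realm wiring; an empty list means no problems found."""
    root = ET.fromstring(xml_text)
    findings = []
    realms = {}        # realm name -> (element kind, element)
    dir_contexts = {}  # dir-context name -> element
    for el in root.iter():
        kind = _local(el.tag)
        if kind in ("custom-realm", "ldap-realm", "aggregate-realm"):
            realms[el.get("name")] = (kind, el)
        elif kind == "dir-context":
            dir_contexts[el.get("name")] = el

    if realm_name not in realms:
        return [f"no security realm named {realm_name} is defined"]
    kind, realm = realms[realm_name]
    if kind == "custom-realm":
        findings.append(f"{realm_name} is still the custom-realm, so LDAP is not in use")
    if kind == "aggregate-realm":
        for attr in ("authentication-realm", "authorization-realm"):
            if realm.get(attr) not in realms:
                findings.append(f"{realm_name}: {attr}={realm.get(attr)!r} is not defined")

    for name, (k, r) in realms.items():
        if k != "ldap-realm":
            continue
        if r.get("dir-context") not in dir_contexts:
            findings.append(f"ldap-realm {name}: dir-context {r.get('dir-context')!r} is not defined")
        im = _child(r, "identity-mapping")
        if im is None or not im.get("search-base-dn") or not im.get("rdn-identifier"):
            findings.append(f"ldap-realm {name}: identity-mapping needs search-base-dn and rdn-identifier")

    for name, ctx in dir_contexts.items():
        url = ctx.get("url", "")
        if not url.startswith("ldaps://"):
            findings.append(f"dir-context {name}: url {url!r} is not ldaps://, so simple binds are sent unencrypted")
        cred = _child(ctx, "credential-reference")
        clear = cred.get("clear-text") if cred is not None else None
        if clear is not None and not clear.startswith("${ENC::"):
            findings.append(f"dir-context {name}: bind password is stored in clear text, not as an ${{ENC::...}} expression")
    return findings


# Constructed fragment mirroring the 4.9 steps exactly as written, with the weak defaults.
WEAK = """<subsystem xmlns="urn:example:elytron">
  <security-realms>
    <ldap-realm dir-context="ldap-connection" direct-verification="true" name="DataVirtualityRealm">
      <identity-mapping rdn-identifier="cn" search-base-dn="DC=mydomain,DC=local" use-recursive-search="true">
        <attribute-mapping>
          <attribute filter="(member={1})" filter-base-dn="OU=Users,DC=mydomain,DC=local" from="cn" to="Roles"/>
        </attribute-mapping>
      </identity-mapping>
    </ldap-realm>
  </security-realms>
  <dir-contexts>
    <dir-context name="ldap-connection" principal="CN=Administrator,CN=Users,DC=mydomain,DC=local" url="ldap://192.168.0.68/">
      <credential-reference clear-text="Password123"/>
    </dir-context>
  </dir-contexts>
</subsystem>"""

# Constructed fragment mirroring the 4.11 realm stacking, with ldaps and an encrypted bind password.
HARDENED = """<subsystem xmlns="urn:example:elytron">
  <security-realms>
    <aggregate-realm name="DataVirtualityRealm" authentication-realm="DataVirtualityRealmLDAP" authorization-realm="DataVirtualityRealmCustom"/>
    <custom-realm class-name="com.datavirtuality.dv.core.teiid.users.DVLoginModule" module="com.datavirtuality.dv" name="DataVirtualityRealmCustom"/>
    <ldap-realm dir-context="ldap-connection" direct-verification="true" name="DataVirtualityRealmLDAP">
      <identity-mapping rdn-identifier="cn" search-base-dn="DC=mydomain,DC=local" use-recursive-search="true"/>
    </ldap-realm>
  </security-realms>
  <dir-contexts>
    <dir-context name="ldap-connection" principal="CN=svc-dv-ldap,OU=Service Accounts,DC=mydomain,DC=local" url="ldaps://dc1.mydomain.local/">
      <credential-reference clear-text="${ENC::dv-encryption-resolver:RUxZAUMQ42XclErCI4BDa6nzzp/r/aqx31Cu/aNwUjvCgr5Tofw=}"/>
    </dir-context>
  </dir-contexts>
</subsystem>"""

# The same stacking with a typo in the authorization realm name.
BROKEN_STACK = HARDENED.replace('authorization-realm="DataVirtualityRealmCustom"',
                                'authorization-realm="DataVirtualityRealmCustm"')

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED), ("broken stack", BROKEN_STACK)):
        print(label, lint_ldap_config(cfg) or "OK")
```

Run it against the real file with lint_ldap_config(open("dvserver-standalone.xml").read()) after each edit; the namespace on the real subsystem element is ignored by _local, so the checks apply unchanged.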
Authorization and authentication realms stacking available since v4.11