Release Automation


LDAP authentication of CA Release Automation is not working properly.

  • 1.  LDAP authentication of CA Release Automation is not working properly.

    Posted 07-07-2015 12:22 AM

    To start with, I would like to mention that this post is related to the following post:

    https://communities.ca.com/message/241805210

     

    For LDAP authentication to work, I gave the following entries in the distributed.properties file:

    use.general.ldap.authentication=true
    use.general.ldap.url=ldap://ipaddress:389
    use.general.ldap.user.fqdn=uid=admin,o=techmahindra
    use.general.ldap.user.password=xxxxx

    Also, I gave the following in the applicationContext-acegi-security.xml file:

       <b:bean id="ldapAuthProvider"
              class="com.nolio.platform.server.dataservices.services.auth.providers.NolioLdapAuthenticationProvider">
            <b:constructor-arg>
                <b:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
                    <b:constructor-arg ref="ldapSecurityContextSource"/>
                    <b:property name="userDnPatterns">
                        <b:list>
                            <b:value>uid={0},ou=devops,o=techmahindra</b:value>
                            <b:value>memberOf=cn=cara-users,ou=groups,ou=devops,o=techmahindra</b:value>
                        </b:list>
                    </b:property>
                </b:bean>
            </b:constructor-arg>

    The above piece of code is not working as expected - that is, all the users registered in the LDAP are able to log in to the CA Release Automation web application irrespective of whether the user is part of the aforementioned "cara-users" group or not. (It means that the above-mentioned entry memberOf=cn=cara-users,ou=groups,ou=devops,o=techmahindra is not taking effect.) I would like to change the settings such that only members of the "cara-users" group are able to log in to the CA Release Automation web application.

    Not sure how to do that even after trying out various options. Your inputs are really appreciated.
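
Added example, not part of the original post and not CA Release Automation code: a small Python model of how Spring Security's BindAuthenticator treats each userDnPatterns entry as a DN template to bind with, which is why the memberOf entry in the configuration above filters nobody. The directory contents, the users alice and bob, and the group_restricted_authenticate check are constructed assumptions; the vendor's NolioLdapAuthenticationProvider is not modelled.

```python
# Model of BindAuthenticator's userDnPatterns handling (illustration only).
# The directory below is constructed sample data, not taken from the thread.
PATTERNS = [
    "uid={0},ou=devops,o=techmahindra",
    "memberOf=cn=cara-users,ou=groups,ou=devops,o=techmahindra",
]
GROUP_DN = "cn=cara-users,ou=groups,ou=devops,o=techmahindra"

# Constructed entries: user DN -> password, and group DN -> member DNs.
PASSWORDS = {
    "uid=alice,ou=devops,o=techmahindra": "alice-pw",
    "uid=bob,ou=devops,o=techmahindra": "bob-pw",
}
GROUP_MEMBERS = {GROUP_DN: {"uid=alice,ou=devops,o=techmahindra"}}


def candidate_dns(patterns, username):
    """Each pattern is a DN template; {0} is replaced by the login name."""
    return [p.replace("{0}", username) for p in patterns]


def simple_bind(dn, password):
    """Stand-in for an LDAP simple bind; empty passwords are rejected."""
    return password != "" and PASSWORDS.get(dn) == password


def bind_authenticate(patterns, username, password):
    """Return the first candidate DN that binds, or None. No group check."""
    for dn in candidate_dns(patterns, username):
        if simple_bind(dn, password):
            return dn
    return None


def group_restricted_authenticate(patterns, username, password, group_dn):
    """Hypothetical check: bind, then require membership of group_dn."""
    dn = bind_authenticate(patterns, username, password)
    if dn is not None and dn in GROUP_MEMBERS.get(group_dn, set()):
        return dn
    return None


if __name__ == "__main__":
    for user, pw in [("alice", "alice-pw"), ("bob", "bob-pw")]:
        print(user, "bind only:", bind_authenticate(PATTERNS, user, pw))
        print(user, "bind + group:",
              group_restricted_authenticate(PATTERNS, user, pw, GROUP_DN))
```

The second pattern contains no {0}, so it expands to one fixed DN that no user can bind as; the first pattern still succeeds for every uid under ou=devops, including bob, who is outside cara-users.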



  • 2.  Re: LDAP authentication of CA Release Automation is not working properly.

    Broadcom Employee
    Posted 07-09-2015 06:18 PM

    Hi Mahesh,

     

    I'll look into this further, but in the meantime, just to verify, I assume you're using something other than Active Directory for LDAP, hence usage of the use.general.ldap settings.  Is that correct?



  • 3.  Re: LDAP authentication of CA Release Automation is not working properly.

    Posted 07-13-2015 12:40 AM

    Yes, correct.



  • 4.  Re: LDAP authentication of CA Release Automation is not working properly.

    Broadcom Employee
    Posted 07-09-2015 07:28 PM

    Hi Mahesh,

    In addition to what James pointed out (that the config settings you are using are only for non-Active Directory) I thought I would mention the following:

    1. The integration is only for authorizing users when logging into the system. The integration has no impact on any of the imports (users and/or groups). That is handled purely by the connection details they specify during the import. After users are imported, the AD/LDAP integration is not needed for those users to log in. After groups are imported, the AD/LDAP integration IS REQUIRED for users to log in. The integration is used to validate that the user trying to log in is a member of that LDAP/AD group.

    2. Shortly after starting the nolio management service you can confirm that the ldap integration is set up correctly (or not) by searching the nolio_dm_all.log for "system user".

    3. I've only seen one case where updating the other file (where you put the ca-users group) is necessary. Usually all you need to do is configure the settings in the distributed.properties file and then log in with a user that was added via the import ldap group feature (via asap user administration ui).

     

    Cheers,

    Gregg



  • 5.  Re: LDAP authentication of CA Release Automation is not working properly.

    Posted 07-13-2015 02:16 AM

    In addition, I would like to mention the following:

    • There are 2 portions of the CA Release Automation application - one is the Automation Studio and the other is the web application.
    • Import of user(s) / group(s) is done in the Automation Studio.
    • The web application directly authenticates with LDAP after LDAP integration (by means of the update of distributed.properties file et cetera).

     

    Your reply is really helpful. However, my question still remains unanswered. Appreciate if you could elaborate (regarding your point number 3) on the scenario where update of the applicationContext-acegi-security.xml file was done. That is where I am facing some issues now.

     

    Best Regards.



  • 6.  Re: LDAP authentication of CA Release Automation is not working properly.

    Broadcom Employee
    Posted 07-14-2015 09:14 AM

    Honestly, the details behind when changing that .xml file was necessary are unclear to me. The only solid detail I know for sure is that it was when they were using a non-Active Directory LDAP. Can you confirm the type of LDAP Server you are using?

    One note regarding your bullet point:

    • The web application directly authenticates with LDAP after LDAP integration (by means of the update of distributed.properties file et cetera).

    Note: After the ldap integration, the web and asap can use ldap authentication. But it is purely based on the "Groups" (not users) imported via Automation Studio.

     

    Kind regards,

    Gregg



  • 7.  Re: LDAP authentication of CA Release Automation is not working properly.

    Posted 07-15-2015 05:09 AM

    The LDAP server that I am using is OpenLDAP.

     

    Best Regards.