Configuration changes for LDAP


The last step in LDAP authentication is to change the Console Management administrator configuration manually.

To do that, log in to Linux, change to the configuration directory, back up the current authentication configuration file, and then view it, as follows:

cd /usr/iocinst/config/tomcat
cp auth-methods.xml auth-methods.xml.file
cat auth-methods.xml

The current default setting for the authentication configuration file is:

<!-- This Realm uses the UserDatabase configured in the global JNDI
    resources under the key "UserDatabase".

    Template user files are supplied in /usr/tomcat/conf, each
    using a different encryption method for the stored passwords:

    SHA-256 tomcat-users.xml (default for new MVCM installs)
    MD5     tomcat-users-MD5.xml (legacy customers)
    SHA-512 tomcat-users-sha-512.xml
-->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase">
    <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                       algorithm="sha-256" />
</Realm>


To enable LDAP Authentication, copy and paste the following lines immediately above the UserDatabaseRealm line:

<Realm className="org.apache.catalina.realm.JNDIRealm"
        connectionURL="ldaps://vw-aus-msm-dv11.mvcm.local"
        alternateURL="ldaps://vw-aus-msm-dv12.mvcm.local"
        authentication="simple"
        adCompat="true"
        referrals="ignore"
        connectionName="CN=Ldap User,OU=AppIds,OU=Security,DC=mvcm,DC=local"
        connectionPassword="mvcm2Day"
        commonRole="IOCADMIN"
        userBase="OU=Domain Users,OU=Security,DC=mvcm,DC=local"
        userSearch="(sAMAccountName={0})"
        userSubtree="true"
/>

The entire file should now look as follows:

<!-- This Realm uses the UserDatabase configured in the global JNDI
    resources under the key "UserDatabase".

    Template user files are supplied in /usr/tomcat/conf, each
    using a different encryption method for the stored passwords:

    SHA-256 tomcat-users.xml (default for new MVCM installs)
    MD5     tomcat-users-MD5.xml (legacy customers)
    SHA-512 tomcat-users-sha-512.xml
-->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://vw-aus-msm-dv11.mvcm.local"
       alternateURL="ldaps://vw-aus-msm-dv12.mvcm.local"
       authentication="simple"
       adCompat="true"
       referrals="ignore"
       connectionName="CN=Ldap User,OU=AppIds,OU=Security,DC=mvcm,DC=local"
       connectionPassword="mvcm2Day"
       commonRole="IOCADMIN"
       userBase="OU=Domain Users,OU=Security,DC=mvcm,DC=local"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
/>
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase">
    <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                       algorithm="sha-256" />
</Realm>

Leaving both the file realm and the LDAP realm in the authentication configuration file is a valid setup for testing. If LDAP fails, in most cases Tomcat then tries the current administrators file, so you can continue logging in the same way you do now. After LDAP is working correctly, you can remove the UserDatabaseRealm entry.

You need to change the JNDIRealm options above to match your own Active Directory settings. Each setting is explained here. For more information, see the Apache Tomcat online documentation.

The settings are described as follows:

<Realm className="org.apache.catalina.realm.JNDIRealm"
     connectionURL="ldaps://vw-aus-msm-dv11.mvcm.local"
     alternateURL="ldaps://vw-aus-msm-dv12.mvcm.local"

These are your primary and backup Active Directory servers. The ldaps scheme indicates encrypted LDAP (LDAP over TLS) on port 636.

 authentication="simple"
 adCompat="true"
 referrals="ignore"

Do not change the lines above.

 connectionName="CN=Ldap User,OU=AppIds,OU=Security,DC=mvcm,DC=local"
 connectionPassword="mvcm2Day"

The service (bind) account and its password are written out in full, in clear text, because there is no option to encrypt the password in this file.

commonRole="IOCADMIN"

Make sure that username and password verification is working before you check for roles in Active Directory. This option assigns the IOCADMIN role, which grants access to everything, to any valid Windows user.

userBase="OU=Domain Users,OU=Security,DC=mvcm,DC=local"
userSearch="(sAMAccountName={0})"
userSubtree="true"

Set userBase to the OU under which the administrator Windows accounts can be found. In the userSearch filter, Tomcat substitutes the username entered by the administrator at the web login prompt for {0}.
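As an added example (not part of the product or of Tomcat), the following offline checker reads the realm configuration from auth-methods.xml and flags the points discussed above: a connectionURL or alternateURL that is not ldaps, a userSearch filter with no {0} placeholder, a commonRole that grants access to every account that binds, a clear-text connectionPassword, and a UserDatabaseRealm left in place. The sample input is constructed from the page's values, with alternateURL deliberately changed to plain ldap:// so that the check fires.

```python
# Added example: offline linter for the JNDIRealm settings in auth-methods.xml.
# Not the product's or Tomcat's own code. The file as shown has two sibling
# <Realm> elements and no single root, so it is wrapped in a synthetic root.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

JNDI_REALM = "org.apache.catalina.realm.JNDIRealm"
USERDB_REALM = "org.apache.catalina.realm.UserDatabaseRealm"

# Constructed sample mirroring the page's configuration; alternateURL is
# intentionally downgraded to ldap:// to demonstrate the scheme check.
SAMPLE = """
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://vw-aus-msm-dv11.mvcm.local"
       alternateURL="ldap://vw-aus-msm-dv12.mvcm.local"
       authentication="simple" adCompat="true" referrals="ignore"
       connectionName="CN=Ldap User,OU=AppIds,OU=Security,DC=mvcm,DC=local"
       connectionPassword="mvcm2Day"
       commonRole="IOCADMIN"
       userBase="OU=Domain Users,OU=Security,DC=mvcm,DC=local"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"/>
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase"/>
"""

def check_auth_methods(xml_text):
    """Return a list of findings (strings) for the realm configuration."""
    root = ET.fromstring("<root>" + xml_text + "</root>")  # XML comments are skipped
    realms = root.findall("Realm")
    jndi = [r for r in realms if r.get("className") == JNDI_REALM]
    if not jndi:
        return ["no JNDIRealm configured"]
    a = jndi[0].attrib
    findings = []
    for key in ("connectionURL", "alternateURL"):
        url = a.get(key)
        if url and urlsplit(url).scheme != "ldaps":
            findings.append(f"{key} is not ldaps; the bind would cross the network unencrypted")
    if "{0}" not in a.get("userSearch", ""):
        findings.append("userSearch has no {0} placeholder; the login name is never substituted")
    if a.get("commonRole"):
        findings.append(f"commonRole={a['commonRole']} is granted to every account that binds successfully")
    if a.get("connectionPassword"):
        findings.append("connectionPassword is stored in clear text; restrict the file's permissions")
    if any(r.get("className") == USERDB_REALM for r in realms):
        findings.append("UserDatabaseRealm still present; remove it once LDAP logins work")
    return findings

if __name__ == "__main__":
    for finding in check_auth_methods(SAMPLE):
        print("-", finding)
```

Run it against the real file with `check_auth_methods(open("/usr/iocinst/config/tomcat/auth-methods.xml").read())` before restarting Tomcat.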

After making the necessary changes, save the file and exit the editor. Before stopping and restarting Tomcat, increase the amount of logging in the primary Tomcat log. You can do this by editing the following file:

/usr/tomcat/conf/logging.properties

At the bottom add the following lines:

# uncomment to troubleshoot web admin LDAP authentication
org.apache.catalina.realm.level = ALL
org.apache.catalina.realm.useParentHandlers = true
org.apache.catalina.authenticator.level = ALL
org.apache.catalina.authenticator.useParentHandlers = true

Save the file, then stop and restart Tomcat.

systemctl stop tomcat
systemctl start tomcat

Access Console Management using a web browser to verify that Tomcat has started correctly. If you have any issues, examine the primary Tomcat log file, as follows:

/usr/tomcat/logs/catalina.out

Note

The diagnostic output in this file can be difficult to decipher. If you have an issue, you can open a BMC support case and attach a system snapshot generated from the admin home page.


BMC AMI Console Management for zEnterprise, BMC AMI Console Automation for zEnterprise, and BMC AMI SecureHMC 4.0