LDAP authentication
When LDAP (Lightweight Directory Access Protocol) authentication is configured, the password is validated first by the LDAP server and then, if that fails, against the local authentication database.
To enable LDAP authentication, edit the authentication section in <PM_HOME>/etc/processmining.conf as in the following example:
```
authentication: {
  mode: "ldap", # ldap | basic | saml
  limiting: {
    enabled: false,
    maxFailures: 3,
    timeFrame: 600000
  },
  ldap: {
    url: "ldap://<server>:<port>",
    type: "standard", # basic | query
    searchBase: "", # ou=quality,o=mycompany.com
    filter: "", # the attribute that represents the username, i.e. mail
    domain: "", # valid for Active Directory integration
    backupurl: "", # valid for Active Directory integration
    domainexclude: [], # valid for Active Directory integration
    domainRemove: false, # true if the username is stored with no domain
  },
  bcrypt: true,
  maxInactiveIntervalInMinutes: 30,
},
```
The following table contains the descriptions of the different properties.
| Property | Description | Values |
|---|---|---|
| url | Sets the URL of the server, using either the LDAP or the LDAPS protocol. If the protocol is LDAPS, the server certificate must be added to the Java certificate store. | <IP address format>. For example: ldap://172.16.1.19:389 |
| type | Sets whether the server is used with the basic function or the query function. | |
| searchBase | Sets the search base that the server uses, depending on whether the type is basic or query. If the type is query, the system runs this query to retrieve the account object. If the type is basic, it is used to satisfy particular LDAP server requirements that need a query string as the username. | <Search-base keys>. For example: ou=users,o=mycompany.com |
| filter | Required if the type is query. Identifies the attribute that is used as the username. | <Username attribute>. For example: mail |
| domain | Sets the Windows domain name that is used for web interface authentication. Typically used when the LDAP server is implemented by systems such as MS Active Directory. | <URL format>. For example: mydomain.com. When concatenated with the given username "user1", the web interface authentication runs with "user1@mydomain.com" |
| backupurl | Sets the URL of a second domain controller, used as a backup. Typically used when the LDAP server is implemented by systems such as MS Active Directory. | <IP address format>. For example: ldap://172.16.1.20:390 |
| domainRemove | Used when the LDAP server is implemented by systems such as MS Active Directory. Must be true if the user registered in LDAP contains the domain (for example, user1@mydomain.com) but the user registered in Process Mining does not (for example, "user1"). | true or false |
| domainexclude | Sets the Windows domain name to be excluded for a list of usernames. Typically used when the LDAP server is implemented by systems such as MS Active Directory. | <URL format>. For example: mydomain.com |
| maxInactiveIntervalInMinutes | The maximum interval of inactivity, in minutes, before the web session times out. If you change this value, the web session times out after the number of minutes you set. | <Time in minutes> |
The users must be manually added to the system in the Admin Console.
The following example shows an LDAP Authentication configuration scenario:
- Set up the application without LDAP.
- Add a user and assign administrator privileges to that user.
- Configure and enable the LDAP configurations.
- Manage more users with the created admin account.
Import certificate for Secured LDAP
If you use secured LDAP (LDAPS), you must import the server certificate published by your LDAP provider into the Java Virtual Machine (JVM). If you do not provide the certificate, the following error is displayed in the logs: javax.naming.CommunicationException: simple bind failed
To import your LDAP provider server certificate into JVM:
- Use the following keytool command of the embedded Java Development Kit (JDK) to trust the certificate in the JVM:
```
cd /opt/processmining/jdk/linux/ibm-openjdk-semeru/bin
./keytool -import -keystore ../lib/security/cacerts -trustcacerts -alias "LdapCert" -file <PATH TO YOUR FILE>.pem
```
- Restart the PMWeb module.
User provisioning for LDAP
By default, auto-provisioning is enabled: if a user does not exist in the IBM Process Mining database, the account is created automatically.
You can also map your organization's user groups to groups in IBM Process Mining in the Administration page of the IBM Process Mining application. For more information, see Managing groups - Details. If no changes are made in the Administration page, the group mappings from this configuration file are used.
The following table contains descriptions of properties that are used in user provisioning:
| Property | Description | Values |
|---|---|---|
| bindON | Optional. Use only if the server requires authentication. | Default value: empty. Example: uid=admin,ou=system |
| bindPassword | Optional. Must be stored encrypted. Use only if the server requires authentication. | Default value: empty. Example: SUD+qxiBriyRrChmw/Aykw= |
| userFilter | Required. Search query for the user. | Default value: (&(emailAddress=%s)(objectclass=person)). Example: (&(mail=tester1@tester1.com)(objectclass=inetOrgPerson)) |
| groupFilter | Optional. If defined, the user's groups are obtained from the groupOfUniqueNames object. Otherwise, the user's groups are obtained from a different attribute. | Default value: empty. Example: (&(cn=%s)(objectclass=groupOfUniqueNames)) |
| groupMemberIDmap | Optional. The attribute of the group object that stores the user DN. | Default value: empty. Example: uniqueMember |
IBM Process Mining obtains the following user properties from the LDAP server:
- First name
- Last name
For each user property, configure the mapping to the corresponding attribute in the directory:
```
provisioning: {
  attributes: {
    username: "emailAddress", # sAMAccountName for ADFS, emailAddress for Ibm
    email: "EmailAddress",
    firstName: "givenname",
    lastName: "sn",
    groups: "memberOf"
  },
  groupMapping: {
    owner: "",
    administrator: "myCompanyGroup"
  }
}
```
You can add one user each to the Administration group and the Owner group (Analytics user). However, if a user does not belong to a group, IBM Process Mining can only grant the basic user permission with read-only access (Business User).
The group can be obtained in two ways:
- From a Person object attribute (that is, memberOf). In this case the property groupFilter must be empty.
- From a link relationship between a "group" object (that is, the attribute uniqueMember of a groupOfUniqueNames object) and the user. In this case the property groupFilter must be populated, and the uniqueMember attribute must be the user's DN.
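The placeholder handling described in the two property tables above (the domain concatenation and domainRemove rules, and the %s placeholder of userFilter and groupFilter), as an added Python example that is not IBM Process Mining's own code: it also resolves the {USERNAME} placeholder used in the generic case 1 searchBase below, and applies RFC 4515 (filter) and RFC 4514 (DN) escaping to the supplied username, which is an assumption about good practice rather than a documented behaviour of the product.

```python
# Added example, not IBM Process Mining's code: resolves the configuration
# placeholders for a login name. The escaping applied before substitution is
# an assumption (RFC 4515 for filters, RFC 4514 for DNs), not product behaviour.

_FILTER_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_DN_SPECIAL = set(',+"\\<>;')

def escape_filter_value(value: str) -> str:
    """RFC 4515: filter metacharacters become \\XX hex escapes."""
    return "".join(_FILTER_ESC.get(ch, ch) for ch in value)

def escape_dn_value(value: str) -> str:
    """RFC 4514: backslash-escape separators, a leading '#' or ' ', and a trailing ' '."""
    out = "".join("\\" + ch if ch in _DN_SPECIAL else ch for ch in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def render_filter(template: str, username: str) -> str:
    """Resolve the %s placeholder of userFilter / groupFilter."""
    return template.replace("%s", escape_filter_value(username))

def render_bind_dn(search_base: str, username: str) -> str:
    """Resolve {USERNAME} in a searchBase such as uid={USERNAME},ou=people,dc=group,dc=eu."""
    return search_base.replace("{USERNAME}", escape_dn_value(username))

def ldap_login_name(username: str, domain: str) -> str:
    """domain set (Active Directory case): authenticate as user@domain."""
    if domain and "@" not in username:
        return f"{username}@{domain}"
    return username

def local_username(ldap_name: str, domain_remove: bool) -> str:
    """domainRemove: true means the Process Mining account has no domain part."""
    if domain_remove and "@" in ldap_name:
        return ldap_name.split("@", 1)[0]
    return ldap_name

if __name__ == "__main__":
    user_filter = "(&(emailAddress=%s)(objectclass=person))"  # the page's default
    print(render_filter(user_filter, "tester1@tester1.com"))
    print(render_filter(user_filter, "o'neil*(test)"))  # metacharacters neutralised
    print(render_bind_dn("uid={USERNAME},ou=people,dc=group,dc=eu", "smith, j"))
    print(local_username(ldap_login_name("user1", "mydomain.com"), True))
```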
Examples
Microsoft Active Directory
The following example shows how to configure a connection to a secure LDAP server exposed by Microsoft Active Directory:
```
ldap: {
  url: "ldaps://ldapsrv.mycompany.com:636",
  type: "basic",
  searchBase: "",
  filter: "",
  domain: "MYDOMAIN",
  backupurl: "",
  domainexclude: [],
},
```
Generic LDAP server case 1
The following example shows a generic LDAP server case:
```
ldap: {
  url: "ldaps://ldap.intranet.group.eu:636",
  type: "standard",
  searchBase: "uid={USERNAME},ou=people,dc=group,dc=eu",
  filter: "uid",
  domain: "",
  backupurl: "",
  domainexclude: [],
},
```
Generic LDAP server case 2
The following example shows another generic LDAP server case:
```
ldap: {
  url: "ldaps://myserver.company.com:636",
  type: "query",
  searchBase: "ou=myorganization,o=company.com",
  filter: "mail",
  domain: "",
  backupurl: "",
  domainexclude: [],
},
```