LDAP authentication

By configuring the LDAP (Lightweight Directory Access Protocol) authentication, the password is validated first by an LDAP server and then, if it fails, on the local authentication database.

Important: For SaaS offerings, the LDAP configuration varies per the environment set up. Therefore, the LDAP configuration must be evaluated through a support ticket.

To enable the LDAP authentication, edit the authentication section in <PM_HOME>/etc/processmining.conf as in the following example:

Warning: When you introduce changes to the processmining.conf file, make sure that you do it correctly. For more information, see Configuration file editing guidelines.
authentication: {
        mode: "**ldap**",       # ldap | basic | saml
        
        limiting: {
                enabled: false,
                maxFailures: 3,
                timeFrame: 600000
        }
        
        ldap: {
          url: "ldap://<server>:<port>",
    type: "standard" # basic | query
    searchBase : "" # ou=quality,o=mycompany.com
    filter:"", # the attribute that represents the username, i.e. mail
    domain: "", # valid for Active Directory integration
    backupurl: "",# valid for Active Directory integration
    domainexclude: [],# valid for Active Directory integration
    domainRemove: false, # true if the username is stored with no domain

        }
  bcrypt : true,
  maxInactiveIntervalInMinutes: 30,
},

The following table contains the descriptions of the different properties.

Property Description Values
url Sets the URL of the server in either LDAP or LDAPS protocol. If the protocol is LDAP, it is required to add the certificate to the Java certificate store <IP Address Format> For example: ldap://172.16.1.19:389
Type Sets the server to run as either a basic function or a query function.
  • basic (Default): typically used with LDAP systems like Microsoft Active Directory, authenticating to LDAP by user and password.
  • query: More complex option that uses a query string that is defined by searchBase into the directory by using an attribute as username that can be defined by the filter parameter (that is, the email)
searchBase Sets the server to use the given URLS depending on whether the type is basic or query. If the type is query, the system carries out this query to retrieve the account object. If the type is basic, it is used to manage particular LDAP server requirements that need a query string as the username. <Search-base keys>For example: ou=users,o=mycompany.com
  • "empty" (Default)
filter Required if the type is query. Identifies the attribute that is used as username. <Username> For example: mail
  • "empty" (Default)
domain Sets the Windows domain name that is used for web interface authentication. Typically used when the LDAP server is implemented by systems such as MS Active Directory. <URL Format> For example: mydomain.com When concatenated with the given username "user1", the web interface authentication is run with "user1@mydomain.com"
  • "empty" (Default)
Backupurl Sets the second domain controller URL for backup purposes. Typically used when the LDAP server is implemented by systems such as MS Active Directory. <IP-Address Format> For example: ldap://172.16.1.20,390
  • "empty" (Default)
domainRemove Used when the LDAP server is implemented by systems like MS Active Directory. Must be true if the user who is registered in LDAP contains the domain (for example, user1@mydomain.com) but the user who is registered in Process Mining is not (for example, "user1")
  • false (Default)
  • true
domainexclude Sets the Windows domain name to be excluded for a list of usernames. Typically used when the LDAP server is implemented by systems such as MS Active Directory. <URL Format> For example: mydomain.com
  • "empty" (Default)
maxInactiveIntervalInMinutes The maximum interval of inactivity in minutes for the web session timeout. If you change this attribute value, the web session times out after the time you set in minutes. <Time in minutes>
  • "empty" (Default)

The users must be manually added to the system in the Admin Console.

The following example shows an LDAP Authentication configuration scenario:

  1. Set up the application without LDAP.
  2. Add a user and assign administrator privileges to that user.
  3. Configure and enable the LDAP configurations.
  4. Manage more users with the created admin account.

Import certificate for Secured LDAP

If you use LDAP, you must import the server certificate that is published by your LDAP provider into the Java Virtual Machine (JVM). If you do not provide the certificate, the following error is displayed in the logs: javax.naming.CommunicationException: simple bind failed

To import your LDAP provider server certificate into JVM:

  1. Use the following keytool command of the embedded Java Development Kit (JDK) to trust the certificate in JVM:
    cd /opt/processmining/jdk/linux/ibm-openjdk-semeru/bin
    ./keytool -import -keystore ../lib/security/cacerts -trustcacerts -alias "LdapCert" -file <PATH TO YOUR FILE>.pem
    
  2. Restart the PMWeb module.

User provisioning for LDAP

By default, the auto-provisioning is enabled. The account is automatically created if a user does not exist in the IBM Process Mining database.

You can also make mappings between your organization user groups and groups in IBM Process Mining in the Administration page inside the IBM Process Mining application. For more information, see Managing groups - Details. If there are no changes made in the Administration page, then group mappings from this configuration file are used.

The following table contains descriptions of properties that are used in user provisioning:

Property Description Values
bindON Optional - use only if the server requires authentication. Default value: empty Example: uid=admin,ou=system
bindPassword Optional - must be stored encrypted. Use only if the server requires authentication. Default value: empty Example: SUD+qxiBriyRrChmw/Aykw=
userFilter Required - search query for the user. Default value: (&(emailAddress=%s)(objectclass=person)) Example: (&(mail=tester1@tester1.com)(objectclass=inetOrgPerson))
groupFilter Optional - if defined, obtain user groups from groupOfUniqueNames object. Otherwise, obtain the user's group from a different attribute. Default value: empty Example: (&(cn=%s)(objectclass=groupOfUniqueNames))
groupMemberIDmap Optional - the attribute of the group object that stores the user DN. Default value: empty Example: uniqueMember

IBM Process Mining obtains the following user properties from the LDAP server:

  • Email
  • First name
  • Last name

Configure the mapping and the corresponding property in the directory after each of the user properties.


 provisioning : {
        attributes : {
                username: "emailAddress" # sAMAccountName for ADFS, emailAddress for Ibm
                email : "EmailAddress",
                firstName : "givenname"
                lastName : "sn", 
                groups : "memberOf"
        },
        groupMapping: {
                owner : "",
                administrator : "myCompanyGroup"
        }
  }

Tip: You can obtain the user groups from LDAP and map it to IBM Process Mining groups.

You can add one user each to the Administration group and the Owner group (Analytics user). However, if a user does not belong to a group, then IBM Process Mining can only grant the basic user permission with the read-only access (Business User).

The group can be obtained in two ways:

  • From a Person object attribute (that is, memberOf) - The property groupFilter must be empty
  • From a link relationship between a "group" object (that is, the attribute uniqueMember of an groupOfUniqueNames object) - The property groupFilter must be populated - The uniqueMember attribute must be the user's DN

Examples

Microsoft Active Directory

The following example shows how to configure a connection to a secure LDAP server exposed by Microsoft Active Directory:

ldap: {
    url: "ldaps://ldapsrv.mycompany.com:636", 
    type: "basic" 
    searchBase : "" 
    filter:"",  
    domain: "MYDOMAIN", 
    backupurl: "",
    domainexclude: [],
  },

Generic LDAP server case 1

The following example shows a generic LDAP server case:

ldap: {
    url: "ldaps://ldap.intranet.group.eu:636", 
    type: "standard" 
    searchBase : "uid={USERNAME},ou=people,dc=group,dc=eu" 
    filter:"uid", 
    domain: "", 
    backupurl: "",
    domainexclude: [],
  },

Generic LDAP server case 2

The following example shows another generic LDAP server case:

 ldap: {
    url: "ldaps://myserver.company.com:636" 
    type: "query" 
    searchBase: "ou=myorganization,o=company.com"
    filter: "mail", 
    domain: "", 
    backupurl: "",
    domainexclude: [],
  },