Configuration for Using LDAP Authentication

This manual is in pilot operation.

To enable LDAP authentication in fusion_place, you need to add entries to the Tomcat configuration file on which the fusion_place server runs. When configuring, please check and consider the following items:

  • Host name and port number of the LDAP server

  • Whether to use security mechanisms such as TLS/SSL, SASL (Simple Authentication and Security Layer)[1], or STARTTLS for connecting to the LDAP server

  • Format of the distinguished name (DN) used to bind to the LDAP server

Configuration Method

Modify Tomcat’s configuration file server.xml to support LDAP authentication. For the location of server.xml, refer to Location for Recording Installation Information.

The content of server.xml is in XML format. LDAP authentication is enabled by adding several Environment elements (JNDI environment properties) under the Context element. Below is an example configuration:

<Context docBase="fusionplace.war" path="/fusionplace">
  <Environment name="fusionplace/dbms" value="H2" type="java.lang.String"/>
  <Environment name="fusionplace/pivot_time_out" value="60000" type="java.lang.Integer"/>
  <!-- ... -->

  <!-- Configuration items for LDAP authentication start here -->
  <Environment name="fusionplace/authentication_scheme" type="java.lang.String" value="basic_authentication"/>
  <Environment name="fusionplace/identity_asserter" type="java.lang.String" value="ldap"/>
  <Environment name="fusionplace/identity_asserter_ldap/host" type="java.lang.String" value="directory.example.com"/>
  <Environment name="fusionplace/identity_asserter_ldap/username_format" type="java.lang.String" value="uid=${USERNAME},dc=example,dc=com"/>
  <!-- Configuration items for LDAP authentication end here -->
  <!-- ... -->
</Context>

List of Configuration Items

The configuration items for LDAP authentication (i.e., Environment elements specified in server.xml) are as follows:

Each item is listed with its name (JNDI environment property name), its type (JNDI environment property type), the meaning of the value, the permissible values with their default, and an example value.

Name: fusionplace/authentication_scheme (required when using LDAP authentication)
Type: java.lang.String
Meaning: HTTP authentication scheme applied to communication between the fusion_place client and the fusion_place server. When using LDAP authentication, this must be basic_authentication (Basic authentication).
Permissible values:
  • basic_authentication: Basic authentication
  • digest_authentication: Digest authentication
  • Default: digest_authentication
Example: basic_authentication

Name: fusionplace/identity_asserter (required when using LDAP authentication)
Type: java.lang.String
Meaning: Authentication method the fusion_place server applies for backend authentication. When using LDAP authentication, this must be ldap (LDAP authentication). If LDAP authentication is not used, this item may be omitted; the backend authentication method is then the same as the HTTP authentication method.
Permissible values:
  • ldap: LDAP authentication
Example: ldap

Name: fusionplace/use_ldap (fusion_place >= 14.0)
Type: java.lang.Boolean
Meaning: Set when the fusion_place server uses LDAP authentication. Setting it allows the fusionplace/authentication_scheme and fusionplace/identity_asserter items to be omitted.
Permissible values:
  • true: Use
  • false: Do not use
  • Default: false
Example: true

Name: fusionplace/identity_asserter_ldap/host (required when using LDAP authentication)
Type: java.lang.String
Meaning: Host name or IP address of the LDAP server to which authentication requests are sent.
Permissible values: any valid host name or IP address
Example: directory.example.com

Name: fusionplace/identity_asserter_ldap/port (required when not using the default port)
Type: java.lang.Integer
Meaning: Port number of the LDAP server.
Permissible values: any valid port number
  • Default: 389, or 636 when TLS/SSL is enabled
Example: 8389

Name: fusionplace/identity_asserter_ldap/ssl
Type: java.lang.Boolean
Meaning: Specifies whether to use LDAP over TLS/SSL (LDAPS). When using TLS/SSL or STARTTLS, the certificate of the CA that issued the LDAP server’s certificate must be added to the keystore of the Java runtime environment running the fusion_place server.
Permissible values:
  • true: Use
  • false: Do not use
  • Default: false
Example: true

Name: fusionplace/identity_asserter_ldap/username_format (required when using LDAP authentication)
Type: java.lang.String
Meaning: Format of the user name used for the LDAP bind. Write the fusion_place user account part of the format string as ${USERNAME}; it is replaced with the user account name at runtime.
Permissible values: string
Example: uid=${USERNAME},dc=example,dc=com

Name: fusionplace/authentication/system_identity_assertion_enforcement_user_account_names
Type: java.lang.String
Meaning: Comma-separated user account names for which the authentication method matching the HTTP authentication scheme is enforced. The user accounts listed here are authenticated with the passwords registered in fusion_place, not by an LDAP bind.
Permissible values: string
Example: admin,sysadmin

Name: fusionplace/identity_asserter_ldap_sasl
Type: java.lang.Boolean
Meaning: Specifies whether to use SASL.
Permissible values:
  • true: Use
  • false: Do not use
  • Default: false
Example: false

Name: fusionplace/identity_asserter_ldap/sasl/mechanism
Type: java.lang.String
Meaning: Specifies the SASL mechanism to use.
Permissible values:
  • digest_md5: Use Digest-MD5
  • Default: digest_md5
Example: digest_md5

Name: fusionplace/identity_asserter_ldap/starttls
Type: java.lang.Boolean
Meaning: Specifies whether to use STARTTLS.
Permissible values:
  • true: Use
  • false: Do not use
  • Default: false
Example: true

You can encrypt all or part of the communication between the fusion_place server and the LDAP server to protect authentication information. The available security mechanisms and their combinations in fusion_place are as follows:

Security mechanism usage patterns and the security each provides ("-" means the mechanism is not used):

Case  TLS/SSL (LDAPS)[2]  SASL (SASL mechanism)  STARTTLS[2]  Scope of encryption                      Required LDAP version[3]
(1)   -                   -                      -            None                                     >= LDAPv2
(2)   Used                -                      -            All communication                        >= LDAPv2
(3)   -                   Used (Digest-MD5)      -            Authentication information               >= LDAPv3
(4)   Used                Used (Digest-MD5)      -            All communication                        >= LDAPv3
(5)   -                   -                      Used         Communication after TLS session starts   >= LDAPv3

Example Configurations

Examples for each case in the table above.

(1) No encryption

<Environment name="fusionplace/authentication_scheme" type="java.lang.String" value="basic_authentication"/>
<Environment name="fusionplace/identity_asserter" type="java.lang.String" value="ldap"/>
<Environment name="fusionplace/identity_asserter_ldap/host" type="java.lang.String" value="directory.example.com"/>
<Environment name="fusionplace/identity_asserter_ldap/username_format" type="java.lang.String" value="uid=${USERNAME},dc=example,dc=com"/>

(2) TLS/SSL (LDAPS)

<Environment name="fusionplace/authentication_scheme" type="java.lang.String" value="basic_authentication"/>
<Environment name="fusionplace/identity_asserter" type="java.lang.String" value="ldap"/>
<Environment name="fusionplace/identity_asserter_ldap/host" type="java.lang.String" value="directory.example.com"/>
<Environment name="fusionplace/identity_asserter_ldap/ssl" type="java.lang.Boolean" value="true"/>
<Environment name="fusionplace/identity_asserter_ldap/username_format" type="java.lang.String" value="uid=${USERNAME},dc=example,dc=com"/>

(3) SASL + Digest-MD5

<Environment name="fusionplace/authentication_scheme" type="java.lang.String" value="basic_authentication"/>
<Environment name="fusionplace/identity_asserter" type="java.lang.String" value="ldap"/>
<Environment name="fusionplace/identity_asserter_ldap/host" type="java.lang.String" value="directory.example.com"/>
<Environment name="fusionplace/identity_asserter_ldap/username_format" type="java.lang.String" value="${USERNAME}"/>
<Environment name="fusionplace/identity_asserter_ldap_sasl" type="java.lang.Boolean" value="true"/>

(4) SASL + Digest-MD5 + TLS/SSL (LDAPS)

<Environment name="fusionplace/authentication_scheme" type="java.lang.String" value="basic_authentication"/>
<Environment name="fusionplace/identity_asserter" type="java.lang.String" value="ldap"/>
<Environment name="fusionplace/identity_asserter_ldap/host" type="java.lang.String" value="directory.example.com"/>
<Environment name="fusionplace/identity_asserter_ldap/ssl" type="java.lang.Boolean" value="true"/>
<Environment name="fusionplace/identity_asserter_ldap/username_format" type="java.lang.String" value="${USERNAME}"/>
<Environment name="fusionplace/identity_asserter_ldap_sasl" type="java.lang.Boolean" value="true"/>

(5) STARTTLS

<Environment name="fusionplace/authentication_scheme" type="java.lang.String" value="basic_authentication"/>
<Environment name="fusionplace/identity_asserter" type="java.lang.String" value="ldap"/>
<Environment name="fusionplace/identity_asserter_ldap/host" type="java.lang.String" value="directory.example.com"/>
<Environment name="fusionplace/identity_asserter_ldap/username_format" type="java.lang.String" value="uid=${USERNAME},dc=example,dc=com"/>
<Environment name="fusionplace/identity_asserter_ldap/starttls" type="java.lang.Boolean" value="true"/>
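As an added example (not part of this manual or of fusion_place), the following Python script reads the Environment elements of a Context block, checks the LDAP items against the list of configuration items above, maps the ssl/sasl/starttls flags to cases (1) to (5) of the security-mechanism table, and works out the effective port and the bind name that username_format produces. The two server.xml fragments inside it are constructed for the example; the property names, types and permissible values are the ones this manual documents. It assumes the three flags are independent, so a combination the table does not list (STARTTLS together with ssl or SASL) is reported as undocumented rather than classified.

```python
"""Sanity-check the LDAP <Environment> items of a fusion_place server.xml.
Added example, not part of fusion_place: it only knows the property names and
permissible values documented in the manual."""
import xml.etree.ElementTree as ET

P = "fusionplace/"  # prefix shared by every property name in the manual

# Expected JNDI types, taken from the manual's list of configuration items.
EXPECTED_TYPES = {
    P + "authentication_scheme": "java.lang.String",
    P + "identity_asserter": "java.lang.String",
    P + "use_ldap": "java.lang.Boolean",
    P + "identity_asserter_ldap/host": "java.lang.String",
    P + "identity_asserter_ldap/port": "java.lang.Integer",
    P + "identity_asserter_ldap/ssl": "java.lang.Boolean",
    P + "identity_asserter_ldap/username_format": "java.lang.String",
    P + "identity_asserter_ldap_sasl": "java.lang.Boolean",
    P + "identity_asserter_ldap/sasl/mechanism": "java.lang.String",
    P + "identity_asserter_ldap/starttls": "java.lang.Boolean",
}

# Constructed sample: the manual's Context block with STARTTLS enabled (case 5).
STARTTLS_SERVER_XML = """<Context docBase="fusionplace.war" path="/fusionplace">
  <Environment name="fusionplace/dbms" value="H2" type="java.lang.String"/>
  <Environment name="fusionplace/authentication_scheme" type="java.lang.String" value="basic_authentication"/>
  <Environment name="fusionplace/identity_asserter" type="java.lang.String" value="ldap"/>
  <Environment name="fusionplace/identity_asserter_ldap/host" type="java.lang.String" value="directory.example.com"/>
  <Environment name="fusionplace/identity_asserter_ldap/username_format" type="java.lang.String" value="uid=${USERNAME},dc=example,dc=com"/>
  <Environment name="fusionplace/identity_asserter_ldap/starttls" type="java.lang.Boolean" value="true"/>
</Context>"""

# Constructed sample: the same block with STARTTLS switched off, i.e. no security mechanism (case 1).
PLAINTEXT_SERVER_XML = STARTTLS_SERVER_XML.replace(
    'starttls" type="java.lang.Boolean" value="true"', 'starttls" type="java.lang.Boolean" value="false"')

def load_environment(xml_text):
    """Return {name: (type, value)} for every <Environment> under the Context."""
    root = ET.fromstring(xml_text)
    return {e.get("name"): (e.get("type"), e.get("value")) for e in root.iter("Environment")}

def value_of(env, name):
    return env[name][1] if name in env else None

def flag(env, name):
    """Boolean items: only the literal string "true" counts as set."""
    return (value_of(env, name) or "").strip().lower() == "true"

def ldap_enabled(env):
    """LDAP is on via use_ldap (>= 14.0) or via the scheme/asserter pair."""
    return flag(env, P + "use_ldap") or (
        value_of(env, P + "authentication_scheme") == "basic_authentication"
        and value_of(env, P + "identity_asserter") == "ldap")

def security_case(env):
    """Map ssl/sasl/starttls to (case, scope of encryption); case None = not in the table."""
    ssl = flag(env, P + "identity_asserter_ldap/ssl")
    sasl = flag(env, P + "identity_asserter_ldap_sasl")
    starttls = flag(env, P + "identity_asserter_ldap/starttls")
    if starttls:
        if ssl or sasl:
            return None, "STARTTLS combined with ssl or SASL is not a documented pattern"
        return 5, "communication after TLS session starts"
    if ssl and sasl:
        return 4, "all communication"
    if sasl:
        return 3, "authentication information only"
    if ssl:
        return 2, "all communication"
    return 1, "none"

def effective_port(env):
    """Explicit port, else the manual's default: 636 with TLS/SSL, 389 otherwise."""
    port = value_of(env, P + "identity_asserter_ldap/port")
    return int(port) if port is not None else (636 if flag(env, P + "identity_asserter_ldap/ssl") else 389)

def bind_name(env, username):
    """Apply username_format: ${USERNAME} is replaced by the account name at bind time."""
    return (value_of(env, P + "identity_asserter_ldap/username_format") or "").replace("${USERNAME}", username)

def check(env):
    """Return findings as strings; an empty list means the LDAP block is consistent."""
    findings = []
    for name, (typ, _) in env.items():
        expected = EXPECTED_TYPES.get(name)
        if expected and typ != expected:
            findings.append(f"{name}: type is {typ}, the manual specifies {expected}")
    if not ldap_enabled(env):
        findings.append("LDAP not enabled: need use_ldap=true, or authentication_scheme=basic_authentication with identity_asserter=ldap")
    if not value_of(env, P + "identity_asserter_ldap/host"):
        findings.append("identity_asserter_ldap/host is required")
    fmt = value_of(env, P + "identity_asserter_ldap/username_format")
    if not fmt:
        findings.append("identity_asserter_ldap/username_format is required")
    elif "${USERNAME}" not in fmt:
        findings.append("username_format has no ${USERNAME}: every user would bind with the same name")
    port = value_of(env, P + "identity_asserter_ldap/port")
    if port is not None and not port.strip().isdigit():
        findings.append(f"identity_asserter_ldap/port '{port}' is not an integer")
    mech = value_of(env, P + "identity_asserter_ldap/sasl/mechanism")
    if mech is not None and mech != "digest_md5":
        findings.append(f"SASL mechanism '{mech}' is not supported; only digest_md5 is")
    case, scope = security_case(env)
    if case is None:
        findings.append(scope)
    elif case == 1:
        findings.append("case (1): no TLS/SSL, SASL or STARTTLS, so the bind password crosses the network in clear text")
    elif case == 3:
        findings.append("case (3): only the authentication exchange is protected; other directory traffic is not encrypted")
    return findings

if __name__ == "__main__":
    for label, xml_text in (("starttls", STARTTLS_SERVER_XML), ("plaintext", PLAINTEXT_SERVER_XML)):
        env = load_environment(xml_text)
        case, scope = security_case(env)
        print(f"{label}: case {case}, encrypts {scope}, port {effective_port(env)}, "
              f"bind name for 'alice' = {bind_name(env, 'alice')}")
        for finding in check(env):
            print("  -", finding)
```

Run against an exported Context block before restarting Tomcat; the script reports the plaintext variant as case (1) and the STARTTLS variant as clean, and prints the bind name so a mistyped username_format is visible before the first user tries to log in.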

Example Setting for use_ldap (fusion_place >= 14.0)

From v14.0 onward, fusionplace/use_ldap is available. With this setting you can omit the fusionplace/authentication_scheme and fusionplace/identity_asserter settings. The previous settings still work, but the new setting is recommended.

The following two settings:

<Environment name="fusionplace/authentication_scheme" type="java.lang.String" value="basic_authentication"/>
<Environment name="fusionplace/identity_asserter" type="java.lang.String" value="ldap"/>

can be replaced by this single setting:

<Environment name="fusionplace/use_ldap" type="java.lang.Boolean" value="true"/>

1. Currently, the only available SASL mechanism is Digest-MD5 (setting value: digest_md5). Other SASL mechanisms, such as GSSAPI (Kerberos v5), are not supported at this time.
2. When using TLS/SSL or STARTTLS, the certificate of the CA that issued the LDAP server’s certificate must be present in the keystore of the Java runtime environment running the fusion_place server. If you are using fusion_place cloud, your LDAP server must be configured to allow communication via LDAPS for access from our cloud. Please provide a public host name that can be resolved via external DNS, and prepare a certificate linked to a trusted root CA for the host name.
3. The LDAP version of the LDAP server.