Version: 16.0

Migrate System Users

In ADONIS 15.0 and earlier, Windows users could be manually imported from the Microsoft Active Directory directory service via the desktop application Administration Toolkit. These so-called "system users" were authenticated directly against Active Directory and could be used for secure authentication with ADONIS and the Administration Toolkit.

With the release of ADONIS 16.0, support for logging in with "system users" was phased out. To continue authenticating users against Active Directory in ADONIS 16.0 with relatively little configuration effort, LDAP authentication can be configured. Alternatively, the authentication mechanisms IDM, SAML, or OIDC can be used.

Set Up LDAP Authentication for "System Users"

To configure LDAP authentication so that "system users" can authenticate against Active Directory, you need to complete the following steps:

  1. Adapt Global LDAP Settings

  2. Adapt Connector-Specific Settings

  3. Start Authenticating Users

note

This guide covers only the essential parameters needed to enable authentication for former "system users" in ADONIS 16.0. For information on additional parameters, check the template which you can download from the General Settings and the Set Up Login with LDAP Coupling section.

caution

To configure this authentication mechanism, you need experience with JSON. If you need help, reach out to your ADONIS consultant.

Adapt Global LDAP Settings

To migrate "system users", you need to configure general LDAP parameters and domain-specific LDAP parameters. The configuration parameters that have to be adapted are listed below.

General LDAP Parameters

First, set the general parameters that apply to all domains:

  • Edit the LDAP Settings.

Adapt the following parameters:

  • enabled

    Specifies whether the LDAP mechanism is enabled globally. Set this parameter to "true".

  • default_domain

    Specify the domain used for authentication and querying user data.

  • properties (array; each entry carries a name property)

    Define the LDAP properties that should be available for all users. The property sAMAccountName must be included as it is used to uniquely identify users and serves as the login name within ADONIS. Other properties are optional.

    Example

    "properties": [ { "name": "sAMAccountName" }]

    Specifies the LDAP property "sAMAccountName", which corresponds to the Active Directory attribute "Security Account Manager (SAM) Account Name".

Minimum Configuration

For a minimum working configuration, replace the existing settings with the following JSON, and then replace the placeholder <domain name> with your domain name:

    {
        "allow_client_action": false,
        "default_domain": "<domain name>",
        "enabled": true,
        "environment": {},
        "properties": [
            {
                "name": "sAMAccountName",
                "recursiveNodeLookup": false
            }
        ]
    }

Domain-Specific LDAP Parameters

Now set the domain-specific parameters:

  • Under Domains, click the New connector button to add a new domain.

  • Click the Edit connector button to edit your new domain.

The new domain will already include a number of properties. Adapt the following parameters:

  • defaultConnector

    The value of the property defaultConnector must be the ID of the Standard connector (by default "Standard Login").

  • login_base_dn

    The base domain specification where the user objects are located.

  • login_filter

    This mandatory filter option includes a placeholder for the username, used to precisely identify the relevant user object in the LDAP directory. The default configuration "login_filter": "(&(objectClass=user)(sAMAccountName=%username%))" is typically sufficient and usually does not require modification. When a user attempts to log in, ADONIS automatically replaces %username% with the entered username. The filter then searches the LDAP directory for a user object with an sAMAccountName attribute matching the provided username. If a corresponding entry is found, ADONIS confirms that the login credentials belong to a valid user in the directory.

  • name

    name represents the identifier of this domain.

  • password

    password represents the password of the principal user used to look up all other users in encrypted form. The password must be encrypted with an encryption tool which can be found in the directory "03 Web Application\02 Tools\02 Password Encryption Tool" in the installation package.

  • principal

    principal represents the login name of the principal user used to look up all other users. This user MUST have read access to all parts of the directory service that are used in ADONIS.

  • principal_domain

    principal_domain represents the domain of the principal user.

  • provider_url

    Specifies the URL of the LDAP directory server. This value takes the form "ldap://host:port". Using an IP address instead of a host name is recommended, as it avoids the DNS lookup.

Minimum Configuration

For a minimum working configuration, you can replace the existing settings with the following JSON, and then replace the placeholders with your actual values:

    {
        "defaultConnector": "Standard Login",
        "ignore_missing_objectSid": false,
        "login_base_dn": "<base domain specification>",
        "login_filter": "(&(objectClass=user)(sAMAccountName=%username%))",
        "name": "<domain name>",
        "page_size": 0,
        "password": "<principal user encrypted password>",
        "principal": "<principal username>",
        "principal_domain": "<domain of principal user>",
        "principal_format": "%principal%@%principaldomain%",
        "provider_url": "<LDAP directory server URL>",
        "sync_filter": "(objectClass=user)"
    }
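As an added illustration (not ADONIS code, and independent of how the product itself performs the substitution), the following Python checks a domain fragment like the one above for unreplaced placeholders, a JSON syntax error such as a missing comma, a login_filter without its %username% placeholder, and a malformed provider_url. It also shows how a login name should be escaped per RFC 4515 before it is inserted into that filter, so that the entered name can only ever match as a literal value. The sample fragment, the service-account name and the server address are constructed; the function names are this example's own.

```python
"""Sanity checks for an ADONIS 16.0 LDAP domain fragment (added example).

Assumes the JSON keys shown in "Domain-Specific LDAP Parameters" and treats
any string still wrapped in <angle brackets> as an unreplaced placeholder.
"""
import json
import re

PLACEHOLDER = re.compile(r"^<.*>$")
REQUIRED_KEYS = (
    "defaultConnector", "login_base_dn", "login_filter", "name",
    "password", "principal", "principal_domain", "provider_url",
)
# The page documents "ldap://host:port"; ldaps:// is accepted here as well
# (an assumption of this example). IPv6 literals are not handled.
PROVIDER_URL = re.compile(r"^ldaps?://[^/:\s]+:\d{1,5}$")

# Constructed sample: every value except the password has been filled in.
SAMPLE_DOMAIN_JSON = """{
  "defaultConnector": "Standard Login",
  "ignore_missing_objectSid": false,
  "login_base_dn": "OU=Staff,DC=corp,DC=example",
  "login_filter": "(&(objectClass=user)(sAMAccountName=%username%))",
  "name": "corp",
  "page_size": 0,
  "password": "<principal user encrypted password>",
  "principal": "svc-adonis-ldap",
  "principal_domain": "corp.example",
  "principal_format": "%principal%@%principaldomain%",
  "provider_url": "ldap://192.0.2.10:389",
  "sync_filter": "(objectClass=user)"
}"""


def parse_config(text):
    """Return (config, None) or (None, message) for a JSON fragment.

    A missing comma in a hand-edited fragment surfaces here, with its
    position, rather than as a failed start-up of the web application.
    """
    try:
        return json.loads(text), None
    except json.JSONDecodeError as exc:
        return None, f"line {exc.lineno}, column {exc.colno}: {exc.msg}"


def check_domain_config(cfg):
    """Return a list of findings; an empty list means the fragment looks usable."""
    findings = []
    for key in REQUIRED_KEYS:
        if key not in cfg:
            findings.append(f"missing key: {key}")
        elif isinstance(cfg[key], str) and PLACEHOLDER.match(cfg[key]):
            findings.append(f"placeholder not replaced: {key}")
    flt = cfg.get("login_filter", "")
    if "%username%" not in flt:
        findings.append("login_filter lacks the %username% placeholder")
    if flt.count("(") != flt.count(")"):
        findings.append("login_filter has unbalanced parentheses")
    url = cfg.get("provider_url", "")
    if not PLACEHOLDER.match(url) and not PROVIDER_URL.match(url):
        findings.append("provider_url is not of the form ldap://host:port")
    return findings


# RFC 4515 reserves these characters inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so it is matched literally inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(login_filter, username):
    """Substitute %username% with the escaped login name (illustrative only)."""
    return login_filter.replace("%username%", escape_filter_value(username))


if __name__ == "__main__":
    cfg, err = parse_config(SAMPLE_DOMAIN_JSON)
    print(err or check_domain_config(cfg))
    print(build_login_filter(cfg["login_filter"], "j.doe"))
```

Run against the constructed sample, the checker reports only that the encrypted principal password is still a placeholder; a fragment with a missing comma is rejected with the line and column of the error before it ever reaches the server.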

Adapt Connector-Specific LDAP Settings

Next, you need to configure LDAP coupling for the Standard connector ("Standard Login") to fetch additional user data and allow authenticating users against Active Directory.

  • In the ADONIS Administration, go to Home > More options, and then click General Settings.

  • On the right side of the Standard Login connector, click the Edit connector button.

This configuration represents the Standard connector. When this connector is applied, the standard login page is displayed, in which the user enters their user name and password. If no LDAP coupling is configured, these credentials are used to authenticate the user against the data available in the database. If LDAP coupling is configured, the provided credentials are used to authenticate the user against the configured directory service.

The configuration parameters that have to be adapted are listed below:

  • ldap (property: enabled)

    Specifies whether LDAP coupling for this connector is enabled or not. Set this parameter to "true".

  • user-mapping (property: autoCreateUser)

    Specifies whether users that log in to ADONIS for the first time will be created "on-the-fly" in the ADONIS database. Set this parameter to "true".

  • user-mapping (property: auto_sync_user)

    This object contains several properties that control which user data is updated from the information retrieved from the directory service every time the user data is synchronised (i.e. when the user logs in). Manual changes made to the user by the ADONIS administrator are overwritten in this case. These properties are:

      • auto_sync_attributes: Specifies whether user attributes should be automatically synchronised between LDAP and ADONIS. Set this parameter to "true".

      • auto_sync_groups: Specifies whether the assignment of user groups should be updated every time the user data is synchronised. Set this parameter to "false" so existing group assignments are not overwritten.

      • auto_sync_nameduse: Specifies whether the assignment of named users for scenarios should be updated every time the user data is synchronised. Set this parameter to "false" so existing scenario assignments are not overwritten.

      • auto_sync_repos: Specifies whether the assignment of repositories should be updated every time the user data is synchronised. Set this parameter to "false" so existing repository assignments are not overwritten.

      • auto_sync_roles: Specifies whether the assignment of system roles should be updated every time the user data is synchronised. Set this parameter to "false" so existing system role assignments are not overwritten.

      • enabled: Specifies whether the automatic synchronisation feature is enabled. Set this parameter to "true".

Minimum Configuration

For a minimum working configuration, you can replace the existing settings with the following JSON:

    {
        "enabled": true,
        "id": "Standard Login",
        "index": 0,
        "ldap": {
            "domains": [],
            "enabled": true,
            "properties": []
        },
        "properties": {},
        "type": "STANDARD",
        "user-mapping": {
            "autoCreateUser": true,
            "auto_sync_user": {
                "auto_sync_attributes": true,
                "auto_sync_groups": false,
                "auto_sync_nameduse": false,
                "auto_sync_repos": false,
                "auto_sync_roles": false,
                "enabled": true
            }
        }
    }
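The effect of the auto_sync_user switches is easier to see on a concrete record. The following Python is an added example, not ADONIS code: it checks a Standard Login connector fragment like the one above for the settings this section asks for, flags any switch that would overwrite assignments an administrator made by hand, and models one login-time synchronisation of a user record. The user record layout, the mapping of each switch to a part of that record, and the sample user and directory entry are this example's own assumptions, constructed for illustration.

```python
"""Model of the auto_sync_user switches of the Standard Login connector.

Added example, not ADONIS code. Assumes the connector JSON keys shown in
"Adapt Connector-Specific LDAP Settings"; the user record fields and the
switch-to-field mapping below are assumptions made for illustration.
"""
import copy

# Assumed mapping: which part of a user record each switch governs.
SYNC_SCOPES = {
    "auto_sync_attributes": "attributes",
    "auto_sync_groups": "groups",
    "auto_sync_nameduse": "named_use",
    "auto_sync_repos": "repositories",
    "auto_sync_roles": "roles",
}

# Constructed connector fragment with the settings recommended on this page.
CONNECTOR = {
    "enabled": True,
    "id": "Standard Login",
    "index": 0,
    "ldap": {"domains": [], "enabled": True, "properties": []},
    "properties": {},
    "type": "STANDARD",
    "user-mapping": {
        "autoCreateUser": True,
        "auto_sync_user": {
            "auto_sync_attributes": True,
            "auto_sync_groups": False,
            "auto_sync_nameduse": False,
            "auto_sync_repos": False,
            "auto_sync_roles": False,
            "enabled": True,
        },
    },
}

# Constructed records: the ADONIS user as an administrator left it, and the
# directory entry returned for the same person at the next login.
EXISTING_USER = {
    "login": "j.doe",
    "attributes": {"mail": "old@corp.example"},
    "groups": ["Modellers"],
    "roles": ["User"],
    "repositories": ["Main"],
    "named_use": ["Design"],
}
LDAP_RECORD = {
    "attributes": {"mail": "jane.doe@corp.example"},
    "groups": [], "roles": [], "repositories": [], "named_use": [],
}


def check_connector(connector):
    """Return findings for the settings this page asks for; [] means as recommended."""
    findings = []
    if not connector.get("ldap", {}).get("enabled"):
        findings.append("ldap.enabled is not true: LDAP coupling is inactive")
    mapping = connector.get("user-mapping", {})
    if not mapping.get("autoCreateUser"):
        findings.append("autoCreateUser is not true: users are not created on first login")
    sync = mapping.get("auto_sync_user", {})
    if not sync.get("enabled"):
        findings.append("auto_sync_user.enabled is not true")
    for switch, scope in SYNC_SCOPES.items():
        if switch != "auto_sync_attributes" and sync.get(switch):
            findings.append(f"{switch} is true: manual {scope} assignments are overwritten at each login")
    return findings


def apply_sync(existing, ldap_record, sync):
    """Return the user record after one login-time synchronisation.

    A scope is replaced wholesale from the directory when its switch is true
    and left untouched otherwise; with enabled=false nothing changes.
    """
    result = copy.deepcopy(existing)
    if not sync.get("enabled"):
        return result
    for switch, scope in SYNC_SCOPES.items():
        if sync.get(switch) and scope in ldap_record:
            result[scope] = copy.deepcopy(ldap_record[scope])
    return result


if __name__ == "__main__":
    print(check_connector(CONNECTOR))
    print(apply_sync(EXISTING_USER, LDAP_RECORD, CONNECTOR["user-mapping"]["auto_sync_user"]))
```

With the recommended switches, a login refreshes the mail attribute but leaves the group, role, repository and scenario assignments as the administrator set them; flipping auto_sync_groups to true in the same model empties the group list, which is exactly the overwrite the page warns about.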

Start Authenticating Users

Save your changes in the ADONIS Administration. In order to start authenticating users, the Apache Tomcat web server has to be restarted for the configuration changes to become effective.

All users that can log in to the configured domain should also be able to log in to ADONIS. Furthermore, if users do not yet exist in the database, they are created automatically when they log in to ADONIS for the first time. However, such new users will still need to be manually assigned user groups, system roles, repositories, etc. – additional configuration steps are necessary to enable an automatic assignment of these elements based on LDAP data (see User Mapping for more details).

(Optional) Tracking Errors

Logging output is written to the files "<Tomcat installation>/logs/ADONIS16_0.log" and "<ADONIS installation>/*_aworker.log".