Set Up LDAP Authentication
During login to ADONIS using LDAP authentication, ADONIS users are authenticated directly against a directory service (e.g. Active Directory or eDirectory).
Depending on the configuration, users that log in to ADONIS for the first time will be created "on-the-fly" in the ADONIS database. They will be assigned to preconfigured user groups and system roles. Optionally, specific repositories will be assigned to them as their working place and they will be shared with these repositories to make them available as objects in modelling.
The following steps have to be taken to configure this authentication mechanism:
In this chapter, we focus on the minimum essential parameters needed for LDAP authentication setup. For a comprehensive overview of all configurable parameters, please see Authentication in the Administration Help.
This authentication mechanism is based on the LDAPv3 standard. Therefore a general compatibility to LDAP v3-compliant directory services is given.
Adapt LDAP Settings
To set up this authentication mechanism, you need to configure general LDAP settings and domain-specific parameters:
- Open the ADONIS Administration and go to Authentication > LDAP.
The configuration parameters that have to be adapted are listed below.
General LDAP Settings
First, you need to configure general LDAP settings that apply to all domains:
- Edit the LDAP Settings in the right pane.
Adapt the following parameters:
Enabled
Select this option to enable the LDAP mechanism globally.
Properties
Define the LDAP properties that should be available for all users. For Active Directory, these typically include attributes such as
mail
,sAMAccountName
,displayName
,givenName
,distinguishedName
,cn
,memberOf
,sn
, anddepartment
. These attributes are used in user mapping to assign system roles, user groups, repositories, and more.Example
Name:
cn
, Recursive node lookup:no
Specifies the LDAP property "cn", which refers to the Active Directory attribute "Common Name".
Usually, it should not be necessary to change the other general LDAP parameters.
Domain-Specific LDAP Parameters
Next, you need to set domain-specific parameters:
- In the left pane, under LDAP Domains, click Create to add a new domain.
Once you have added the domain, you can start working on the configuration right away. Adapt the following parameters:
Precedence
Represents the order in which domains are tried during an authentication request. Ensure that the new domain is given the highest priority by setting its precedence value to "1".
Name
Represents the identifier of this domain. You can choose any name.
Provider URL
Specifies the URL for the LDAP directory server. This value takes the form
ldap://host:port
. Note that it is recommended to use IP addresses instead of domain names to avoid the DNS lookup.Security protocol
In case you are using LDAPS, you need to enable SSL and upload an SSL (X509) certificate here.
Principal
This property represents the login name of the principal user used to look up all other users. This user MUST have read access to all parts of the directory service that are used in ADONIS.
Principal domain
This property represents the domain of the principal user.
Principal format
This field defines how to compose the principal's username and domain to authenticate with the directory. Placeholders (
%principal%
,%principaldomain%
) are used to represent the login name and domain, and their arrangement depends on the directory service you're using. For example, in Microsoft Active Directory, the format is typically%principal%@%principaldomain%
, while for IBM Tivoli, it'scn=%principal%,%principaldomain%
(whereprincipaldomain
follows a specific structure, e.g., "o=domain.com"). For more information, please refer to the info text associated with this setting.
Password
This property represents the password of the principal user. Will be stored in encrypted form.
Unique identifier
Select a property to serve as a unique identifier for internal use. You can select multiple properties to handle cases where different users might use different properties:
Example
cn, distinguishedName
Specifies the LDAP properties "cn" and "distinguishedName" as unique identifiers.
The different unique identifiers will be tried sequentially and the first one which is found will be used.
Login base DN
Represents the starting point in your directory structure from which the LDAP server begins searching for user objects during the authentication process. Replace
company
with your actual company or domain name, andcom
with the appropriate top-level domain (TLD) for your organisation.Login filter
This mandatory filter option includes a placeholder for the username, used to precisely identify the relevant user object in the LDAP directory. The default configuration
(&(objectClass=user)(sAMAccountName=%username%))
is typically sufficient and usually does not require modification. When a user attempts to log in, ADONIS automatically replaces%username%
with the entered username. The filter then searches the LDAP directory for a user object with ansAMAccountName
attribute matching the provided username. If a corresponding entry is found, ADONIS confirms that the login credentials belong to a valid user in the directory. For more information on the allowed filter types and Boolean operators, please refer to the info text associated with this setting.Default connector
An optional property to specify the connector with LDAP coupling that should be used to determine the user mapping when LDAP is used outside of a specific connector context, e.g. when synchronising users via a scheduled task. Select the standard connector ("Standard Login").
Usually, it should not be necessary to change the other domain-specific parameters.
Adapt Connector-Specific LDAP Settings
Each authentication mechanism (= connector) can be configured to use LDAP coupling to fetch additional user data. However, authentication against the specified directory service will only take place if LDAP coupling is configured for a connector of the STANDARD type:
In the ADONIS Administration, go to Authentication > Connectors.
Hover over the Standard Login connector, click More, and then select Edit. Now you can configure the connector.
When this connector is applied, the standard login page will be displayed in which the user can enter their username and password. If no LDAP coupling is configured, these credentials are used to authenticate the user against the available data in the database. If LDAP coupling is configured, the provided credentials will be used to authenticate the user against the configured directory service.
You need to adapt parameters on the LDAP Coupling and User Mapping pages of the connector configuration.
LDAP Coupling
Adapt the following parameter on page 3 of the connector configuration, LDAP Coupling:
Enable/Disable LDAP coupling
Select this option to enable LDAP coupling for this connector.
Usually, it should not be necessary to change the other parameters on the LDAP Coupling page.
User Mapping
The following parameters on page 4 of the connector configuration, User Mapping, allow you to control how the authentication process handles users who log in. For example, you can specify whether a user should be created if it does not yet exist, or which LDAP properties should be processed to assign system roles, user groups, etc.
Only properties previously defined in the general LDAP Settings can be selected.
Properties
Map LDAP properties to user attributes in ADONIS.
Example
Name:
sn
, Attribute:Last name
The value of the LDAP property "sn" is assigned to the ADONIS attribute "Last name" .
Roles
Assign system roles to users in ADONIS.
Default roles: Define default system roles for users if no other role assignments apply.
Roles: Assign system roles based on LDAP properties:
Property: Select the property for assigning the system role.
Type: Choose a method to match values (see Possible Methods to Match Values).
Match: Define the value to match.
Target name: Select the ADONIS system role to assign.
Groups
Assign user groups to users in ADONIS.
Default groups: Define default user groups for users if no other group assignments apply.
Groups: Assign user groups based on LDAP properties:
Property: Select the property for assigning the user group.
Type: Choose a method to match values (see Possible Methods to Match Values).
Match: Define the value to match.
Target name: Select the user group in ADONIS to assign.
Example
User group: Modeller
, Property: department
, Type: contains
, Match: Designer
The value of the property "department" must contain "Designer", then the user is assigned to the ADONIS user group "Modeller".
Repository
Assign repositories to users in ADONIS as their working place. Simultaneously, the users will be made available as objects in modelling.
Baseline assignments: Define baseline repositories that will be automatically assigned to every user. While you can still configure conditional repository assignments, these repositories will serve as the baseline for all users. Choose "All repositories" or a specific repository. For specific repositories, you can also specify an object group in which the assigned user objects should be located.
Conditional assignments: Configure custom repository assignments using:
Property: Select the property for assigning the repository.
Type: Choose a method to match values (see Possible Methods to Match Values).
Match: Define the value to match.
Target name: Select the repository in ADONIS to assign. Choose to target either "All repositories" or a specific repository. For specific repositories, you can also specify an object group in which the assigned user objects should be located.
Named Use
Assign named access to scenarios to users in ADONIS.
Default scenarios: Define the scenarios to which users should have named use access by default if no other scenario assignments apply.
Scenarios: Configure custom scenario assignments using:
Property: Select the property for assigning the scenario.
Type: Choose a method to match values (see Possible Methods to Match Values).
Match: Define the value to match.
Target name: Select the scenario in ADONIS that should be assigned.
Mapped user handling
Can be used to specify cases where already authenticated users should be mapped to (= treated as) alias users. These alias users will represent the authenticated user when they log in to ADONIS. An example of this might be mapping a specific group of users to a user with access to the Organisation Portal.
Default mapped user: Define a default alias user that users should get assigned to if no other mapping applies (new users only).
Mapped users: Configure custom alias user assignments using:
Property: Select the property for assigning the alias user.
Type: Choose a method to match values (see Possible Methods to Match Values).
Match: Define the value to match.
Map existing users: Optionally, specify how existing users are handled. When enabled, the authenticated user will always be treated as the alias user if the mapping criteria are met. If disabled, this mapping only applies to new users who do not already exist in the ADONIS database and cannot be automatically created.
Target name: Select the alias user in ADONIS that should be assigned.
Synchronize users
Control user creation and synchronisation:
Create user automatically: Specify whether users that log in to ADONIS for the first time will be created "on-the-fly" in the ADONIS database.
Synchronize automatically: Specify whether user data should be updated according to the information retrieved from Active Directory every time the user logs in and/or every time a periodic synchronisation task is performed. Manual changes to the user by the ADONIS administrator are overwritten in this case.
What user data is synchronised can be defined in the child properties of this parameter:
Synchronize attributes (= Properties)
Synchronize roles
Synchronize groups
Synchronize repositories
Synchronize named use
Deletion handling
Specify what should happen with users which are not found during synchronisation.
Delete not found users: Specify whether not found users should be deleted.
Move undeletable users to group: Specify whether not found users which cannot be deleted during synchronisation should be moved to a specific user group. If enabled, you must select a specific group to move these undeletable users to Otherwise, the users will not be moved.
Which users are undeletable?
Users who are logged in.
Users that have been shared with a repository (= to make them available as objects in modelling) when they are being used in a model or have incoming references.
Usually, it should not be necessary to change the other parameters on the User Mapping page.
Start Authenticating Users
Save your changes in the ADONIS Administration. All users that can log in to the configured domain(s) should also be able to log in to ADONIS now. Furthermore, if a user does not yet exist in the database, it is created and also assigned to the corresponding user groups and system roles according to the mapping definition within the configuration.
(Optional) Tracking Errors
Logging output is written to the files "<Tomcat installation>/logs/ADONIS16_1.log" and "<ADONIS installation/*_aworker.log>".