- 07 May 2021
- 2 Minutes to read
Directory Login Administrators - 2.14.2+ Migration
The administrator Directory Login feature requires a migration if it was configured on a server prior to 2.14.2.
The 'Directory Login' feature allows Active Directory users to log in to the SecureCircle Administrator Portal.
- Login Action Description
An Active Directory user is eligible to log in if the user is a member of the administrative Active Directory group. To check this condition, the SecureCircle server performs an LDAP search request with the following logic (Spring LDAP query builder):

```java
import org.springframework.ldap.query.ContainerCriteria;
import static org.springframework.ldap.query.LdapQueryBuilder.query;

// objectclass=user AND userPrincipalName=<username> AND memberOf=<administrative group DN>
ContainerCriteria query = query()
        .where("objectclass").is("user")
        .and("userPrincipalName").is(username)
        .and("memberOf").is(administrativeGroupDn);
```

Here `username` is the userPrincipalName attribute of the Active Directory user, e.g. email@example.com, and `administrativeGroupDn` is the distinguished name of the administrative Active Directory group.
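To make the membership check concrete, the following is an added Python example (not SecureCircle's code; the page's server uses the Java/Spring LDAP builder above). It builds the equivalent RFC 4515 search filter with value escaping, then evaluates the same three conditions against a constructed directory entry, which shows why a pre-2.14.2 group CN never matches a memberOf value. The entry, the host-independent sample values and the simplified DN comparison are assumptions made for the example.

```python
from typing import Dict, List

# Escapes required by RFC 4515 for values embedded in an LDAP search filter.
# Escaping the user-supplied userPrincipalName keeps it from changing the
# filter's structure (the Spring LDAP builder on the page does this internally).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_admin_login_filter(username: str, administrative_group_dn: str) -> str:
    """String form of the page's query(): objectclass=user AND
    userPrincipalName=<username> AND memberOf=<administrative group DN>."""
    return (
        "(&(objectclass=user)"
        f"(userPrincipalName={escape_filter_value(username)})"
        f"(memberOf={escape_filter_value(administrative_group_dn)}))"
    )


def _normalize_dn(dn: str) -> str:
    # Simplified DN comparison: AD matches DNs case-insensitively and ignores
    # whitespace around RDN separators. Escaped commas inside values are not handled.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def is_eligible_administrator(entry: Dict[str, List[str]], username: str,
                              administrative_group_dn: str) -> bool:
    """Evaluate the three filter conditions against one directory entry."""
    classes = {v.lower() for v in entry.get("objectClass", [])}
    if "user" not in classes:
        return False
    upns = {v.lower() for v in entry.get("userPrincipalName", [])}
    if username.lower() not in upns:
        return False
    groups = {_normalize_dn(v) for v in entry.get("memberOf", [])}
    return _normalize_dn(administrative_group_dn) in groups


# Constructed sample entry, modelled on the names used on this page.
SAMPLE_USER = {
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "userPrincipalName": ["john.doe@scdev.local"],
    "memberOf": ["CN=SCAdministrativeGroup,OU=SecureCircleAdministrators,DC=scdev,DC=local"],
}
ADMIN_GROUP_DN = "CN=SCAdministrativeGroup,OU=SecureCircleAdministrators,DC=scdev,DC=local"

if __name__ == "__main__":
    print(build_admin_login_filter("john.doe@scdev.local", ADMIN_GROUP_DN))
    # The DN matches; the pre-2.14.2 CN-only value does not, which is why the migration is required.
    print(is_eligible_administrator(SAMPLE_USER, "john.doe@scdev.local", ADMIN_GROUP_DN))          # True
    print(is_eligible_administrator(SAMPLE_USER, "john.doe@scdev.local", "SCAdministrativeGroup"))  # False
```

The escaping step is the part worth keeping in mind when the username comes straight from a login form: without it, characters such as `*`, `(` and `)` in the supplied value would become part of the filter syntax rather than of the compared value.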
If the Directory Login integration was configured on a server prior to 2.14.2, this value was stored as the group's canonical name (CN), so it must be replaced with the group's distinguished name (DN) after deploying a 3.0 server.
- Administrative Directory Login Integration configuration
To execute the LDAP query above, the following configuration details must be provided:
- host - hostname (or IP address) of the Active Directory server. REQUIRED
- port - port of the Active Directory server. 389 is recommended for no security, 636 for 'ssl' or 'tls'. REQUIRED
- security - one of 'no', 'ssl' or 'tls'. If 'ssl' is provided, the 'ldaps' scheme will be used; if 'tls' or 'no', the 'ldap' scheme will be used. REQUIRED
- base - base for the LDAP search query. The Active Directory user MUST BE inside this base structure. E.g. if the base is 'DC=scdev,DC=local', the distinguished name of the user must be 'CN=John Doe,DC=scdev,DC=local'. If the Directory Login integration was configured on a server prior to 2.14, a separate 'Organizational Unit' may have been configured. REQUIRED
  The Organizational Unit setting is now obsolete and must be included in the base: e.g. 'OU=Test Organizational Unit' must be folded into the base as 'OU=Test Organizational Unit,DC=scdev,DC=local'. This must be addressed after deploying a 2.14.2 server.
- administrative group - distinguished name (DN) of the administrative Active Directory group. It must be a DN because the memberOf records of Active Directory users are stored as Active Directory group DN values. REQUIRED
To execute the LDAP query, the username (userPrincipalName attribute) and password of the Active Directory user who attempts to log in must be provided.
These changes are not backward compatible with servers up to and including 2.14!
- Replace the administrative AD group CN value with its DN, e.g. the value SCAdministrativeGroup should be replaced with CN=SCAdministrativeGroup,OU=SecureCircleAdministrators,DC=scdev,DC=local
- Make sure the port and security fields are set
- If you previously had a unit value, prepend it to your base value. E.g. if you had the base value DC=scdev,DC=local and the unit value OU=SecureCircleAdministrators, the resulting base value should be OU=SecureCircleAdministrators,DC=scdev,DC=local
- The username value that was used on 2.14 and earlier servers will no longer be stored
- The unit value that was used on 2.14 and earlier servers will no longer be stored
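As an added Python example (not SecureCircle's code; the field names, the two configuration shapes and the sample host are assumptions, since the page does not document how the server stores these values), the following performs the pre-migration checks and the conversion described by the migration notes and the configuration list above: it folds the old unit into base, requires the administrative group to be a DN rather than a CN, fills port per the recommendation above when the old record had none, selects the URL scheme from security, and drops the obsolete username and unit values.

```python
from dataclasses import dataclass
from typing import List, Optional

# Field names and the two configuration shapes below are assumptions made for
# this example; the page does not document how SecureCircle stores these values.

VALID_SECURITY = ("no", "ssl", "tls")


@dataclass
class LegacyDirectoryConfig:
    """Directory Login settings as created on a 2.14 or earlier server."""
    host: str
    base: str
    administrative_group: str           # pre-2.14.2: the group's CN, e.g. "SCAdministrativeGroup"
    port: Optional[int] = None
    security: Optional[str] = None
    unit: Optional[str] = None          # old separate "Organizational Unit" value
    username: Optional[str] = None      # stored account name, no longer kept after migration


@dataclass
class DirectoryConfig:
    """Settings as a 2.14.2+ server expects them: unit folded into base, group as a DN."""
    host: str
    port: int
    security: str
    base: str
    administrative_group: str


def is_distinguished_name(value: str) -> bool:
    # A DN is a comma-separated list of attribute=value RDNs; a bare CN such as
    # "SCAdministrativeGroup" has no "=" in its first component.
    first_rdn = value.split(",", 1)[0]
    attr, sep, _ = first_rdn.partition("=")
    return sep == "=" and attr.strip() != ""


def merge_unit_into_base(base: str, unit: Optional[str]) -> str:
    """Prepend the old unit to the base, as the migration notes require."""
    if not unit:
        return base
    if base.lower().startswith(unit.lower() + ","):
        return base                     # already migrated, do not prepend it twice
    return f"{unit},{base}"


def check_migration(legacy: LegacyDirectoryConfig) -> List[str]:
    """Return the problems that would stop a 2.14.2+ server from using this configuration."""
    problems = []
    if legacy.security not in VALID_SECURITY:
        problems.append("security must be one of 'no', 'ssl' or 'tls'")
    if legacy.port is None:
        problems.append("port is not set (389 for no security, 636 for ssl/tls)")
    if not is_distinguished_name(legacy.administrative_group):
        problems.append(f"administrative group '{legacy.administrative_group}' is a CN; "
                        "replace it with the group's distinguished name")
    return problems


def migrate(legacy: LegacyDirectoryConfig,
            administrative_group_dn: Optional[str] = None) -> DirectoryConfig:
    """Convert a legacy configuration; the group DN must be supplied when only a CN was stored."""
    if legacy.security not in VALID_SECURITY:
        raise ValueError("security must be set to 'no', 'ssl' or 'tls'")
    group = administrative_group_dn or legacy.administrative_group
    if not is_distinguished_name(group):
        raise ValueError(f"administrative group '{group}' is not a DN")
    # Default port follows the recommendation in the configuration list when the old record had none.
    port = legacy.port if legacy.port is not None else (389 if legacy.security == "no" else 636)
    return DirectoryConfig(
        host=legacy.host,
        port=port,
        security=legacy.security,
        base=merge_unit_into_base(legacy.base, legacy.unit),
        administrative_group=group,
    )   # username and unit are intentionally not carried over


def ldap_url(cfg: DirectoryConfig) -> str:
    """Scheme selection as described for the security field: 'ssl' -> ldaps, otherwise ldap."""
    scheme = "ldaps" if cfg.security == "ssl" else "ldap"
    return f"{scheme}://{cfg.host}:{cfg.port}"


# Constructed example, mirroring the values used in the migration notes (host name is invented).
LEGACY_EXAMPLE = LegacyDirectoryConfig(
    host="ad.scdev.local", base="DC=scdev,DC=local", administrative_group="SCAdministrativeGroup",
    port=636, security="ssl", unit="OU=SecureCircleAdministrators", username="svc-securecircle",
)

if __name__ == "__main__":
    for problem in check_migration(LEGACY_EXAMPLE):
        print("pre-check:", problem)
    migrated = migrate(LEGACY_EXAMPLE,
                       "CN=SCAdministrativeGroup,OU=SecureCircleAdministrators,DC=scdev,DC=local")
    print(migrated)
    print(ldap_url(migrated))   # ldaps://ad.scdev.local:636
```

Running `check_migration` before the upgrade lists exactly the three things the notes ask you to fix (group DN, port, security); `migrate` then refuses to proceed while the group is still a CN, because the server cannot derive the DN from the CN on its own.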