This article covers configuring Quality Modeller for Active Directory / LDAP / LDAPs Authentication.
1 - Obtain Active Directory Details
You'll need to know the DOMAIN and URL of your Active Directory environment.
2 - Edit The Docker Environment Variables
The package folder comes with a file called docker-compose-ad.yml - we will want to copy that file into a new file called docker-compose-custom.yml and then edit this newly created file. If you already have a docker-compose-custom.yml file with some custom configuration elements, we will simply be editing that file instead.
cp docker-compose-ad.yml docker-compose-custom.ymlNext, we will edit the api section of the docker-compose-custom.yml file to include the correct values for the following environment variables, replacing the right-hand side of each line with the actual values:
api:
environment:
AUTH_METHOD: ActiveDirectory
AD_URL: [Active Directory URL e.g. ldap://hostName:389 – ldaps://[hostname]:[port] for ldaps]
AD_DOMAIN: [ActiveDirectory Domain e.g. curiosity.software]
AD_FILTER: [Optional LDAP filter for User Groups e.g. for members of a TechAdmins group (memberof=CN=TechAdmins,OU=Tech ,DC=curiosity,DC=com)]
AD_ADMIN_FILTER: [Optional LDAP filter for initial admin Groups e.g. Admins, TechAdmins]
AD_NEW_USER_STRATEGY: [One of RequiresInvitation|AddAsReader|AddAsEditor - defaults to RequiresInvitation if not specified]Note: for the AD_FIlter you can use full search filter syntax
https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax
AD_ADMIN_FIlter only supports lists of groups
3 - Use Correct docker-compose file to start the application
When starting the application using the run.sh script, the docker-compose-custom.yml file which we edited will be used instead of the default basic configuration.
./run.sh4 - LDAPS Support (Optional)
For an application server to trust your directory's certificate, the certificate must be imported.
The certificate must be imported into the Java runtime environment of the API docker container. The JDK stores trusted certificates in a file called a keystore. The default keystore file is called cacerts.
In the following examples, we use server-certificate.crt to represent the certificate file exported by your directory server. We will need to alter the instructions below to match the name of your certificate. See docker-compose-ldaps.yml for an example.
Firstly, we need to map a volume to your device which is where your certificate is stored.
To do that we edit the api service in the docker-compose-custom.yml file with the following volume.
volumes: |
We then need to update the initial runtime command to perform import of your certificate to the Java runtime using keytool.
https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html
command: [sh, -c, "keytool -keystore /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/cacerts -storepass changeit -noprompt -importcert -file /data/cert/server-certificate.crt && /user/utilities/wait-for-it.sh postgres_db:5432 -t 0 – java -jar graph_api-1.0-SNAPSHOT.jar"] |
5 - Start The Quality Modeller Services
Refer to section 3 in this article: Quality Modeller Core linux Installation
6 - Log Into Quality Modeller UI
Once the API starts up for the first time, log in with an Active Directory user.
The first user that logs in will be the owner of the workspace and by default an administrator.
Note: only users with Active Directory credentials under the LDAP filter for user groups will be able to log into Quality Modeller.
7 - LDAP Groups
LDAP groups are synchronised by default to Quality Modeller. You can specify the associated roles per group within the Quality Modeller administration panel.