Configuring LDAP to Use Active Directory (AD) for User Group Privileges
This attribute enables administrators to control access to APTARE IT Analytics privileges through user creation and group membership assignments in their enterprise LDAP. Create user groups with the same names in AD and in the Portal, then add the following parameters. When new users are added to AD, they are automatically added to the corresponding portal-based user groups and inherit the group privileges.
Prerequisites and Assumptions
• Either OpenLDAP or external LDAP may be used. Both cannot be used.
• User groups with the same names must exist in both Active Directory and the APTARE IT Analytics portal.
• If a user is assigned to a User Group, they acquire all associated privileges of that User Group.
LDAP authorization is enabled by adding two lines to the portal.properties file:
• portal.ldap.authorization - Indicates if Active Directory user groups should be used for authorization. When set to true, the user permissions from a group perspective are derived solely from the AD groups they belong to that have a corresponding group defined within APTARE IT Analytics. If set to false (the default), user permissions are derived from APTARE IT Analytics.
• portal.newUser.domain - Must be a domain that exists in the APTARE IT Analytics portal. This is assigned during user creation and is based on the domain of the user's home group.
Note: When portal.ldap.external=true and portal.ldap.authorization=false, AD users must be manually created in the portal so that they can log in successfully using AD credentials. When portal.ldap.external=true and portal.ldap.authorization=true, AD users are automatically created in the portal.
1. Enable LDAP authorization using the portal.properties file:
Linux:
/opt/aptare/portalconf/portal.properties
Windows:
C:\opt\aptare\portalconf\portal.properties
2. Add the following lines:
portal.ldap.authorization=true
portal.newUser.domain=<string>
3. Restart the Tomcat Portal services.
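Before restarting, the edited file can be checked for the combination of settings described in the Note. The script below is an added example, not APTARE code: the function name audit and the sample file content are constructed for illustration, and it reads only simple key=value lines.

```python
# Added example, not vendor code: checks the portal.properties keys named above.
AUTHZ = "portal.ldap.authorization"
EXTERNAL = "portal.ldap.external"
DOMAIN = "portal.newUser.domain"

# Constructed sample: the two lines were added, but the placeholder was left in
# and an older authorization line was never removed.
SAMPLE = """\
# constructed portal.properties fragment
portal.ldap.external=true
portal.ldap.authorization=false
portal.ldap.authorization=true
portal.newUser.domain=<string>
"""


def audit(text):
    """Return (effective settings, findings) for a portal.properties text."""
    props, findings = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue  # blank line, comment, or not a key=value line
        key, value = (part.strip() for part in line.split("=", 1))
        if key in (AUTHZ, EXTERNAL, DOMAIN):
            if key in props:
                findings.append(f"line {n}: {key} is set more than once")
            if key != DOMAIN and value not in ("true", "false"):
                findings.append(f"line {n}: {key} should be true or false")
        props[key] = value
    # The page gives false as the default for authorization; treating an
    # absent portal.ldap.external as not enabled is an assumption.
    authz = props.get(AUTHZ, "false") == "true"
    external = props.get(EXTERNAL, "false") == "true"
    domain = props.get(DOMAIN, "")
    if authz and (not domain or "<" in domain):
        findings.append(f"{DOMAIN} is missing or still a placeholder")
    # The Note above only describes user creation for external LDAP.
    creation = ("automatic" if authz else "manual") if external else None
    source = "AD groups" if authz else "portal"
    return {"privileges_from": source, "user_creation": creation}, findings


if __name__ == "__main__":
    settings, findings = audit(SAMPLE)
    print(settings)
    for finding in findings:
        print("FINDING:", finding)
```

A result of privileges_from "AD groups" means every AD group that shares a name with a portal user group grants that group's privileges, so membership of those AD groups should be reviewed before the restart.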