Kinetic Community

LDAP Identity Store

The LDAP Identity Store allows Kinetic Task v4 to use external user and group information without adding the user and group data into Kinetic Task.  This has the following benefits:
  • The same login credentials can be shared with other applications.
  • There is a single place to manage users and groups.
  • No need to keep the internal users database synced with the LDAP directory.
  • Uses the existing (often complex) password policy rules that are built into LDAP.

Installation

The LDAP Identity Store is contained in a Jar file that can be added to Kinetic Task v4.  Installation is very simple and can be accomplished with only a few steps.

Note: The following steps must be performed for each Kinetic Task web application instance in your environment.

  1. Stop the web server service (Tomcat, Websphere, etc…).
  2. Copy the LDAP Identity Store jar file into the deployed Kinetic Task web application.  The jar file needs to be copied into the /kinetic-task/WEB-INF/lib/ directory.
  3. Start the web server service.
  4. Repeat steps 1-3 for each Kinetic Task web application instance in your environment.

Setup

The LDAP Identity Store must be configured to connect to your LDAP server, so it knows how to find the User information within your organization’s LDAP directory.

Requirements before starting

  • Kinetic Task configuration user credentials
    • By default, these values are admin/admin
    • May have been changed in your environment
  • LDAP user account that can be used as a Proxy User for Kinetic Task.
    • Kinetic Task will connect to the LDAP server using a proxy account in order to search the directory based on your configuration.
    • The proxy account only needs read access to the user and group entries it searches; do not use a privileged administrative account for this purpose.
    • Ideally this account is set up with a password policy that doesn’t require the password to be changed.  If that is not possible, the credentials in Kinetic Task must be updated whenever the password changes.

Configuration

The default values used in the example configuration below work with a standard Active Directory implementation of LDAP.  If you are using a different LDAP application, the configuration values may be slightly different.

  1. The first step is to log in to the Kinetic Task administration console using the built-in configuration user.  By default these user credentials are admin/admin, but they were probably changed during the installation.  Use the values for your environment.  The administration console is located at the following URL: http://your-web-server/kinetic-task/

  2. Once logged in to the administration console, click the ‘Admin’ tab, then the ‘Setup’ tab, then the ‘Authentication’ tab.

    01-setup.png

  3. Change the Identity Store selection to LDAP Identity Store.  The identity store is the place the application looks for User and Group information.  By default the application looks to its own internal Users and Groups tables.  By changing the value to LDAP Identity Store, the system will look to an external LDAP directory instead.

    02-identity-store.png

  4. After changing the Identity Store selection to LDAP Identity Store, the configurable properties for the identity store become active.  This is where you will need to enter the information specific to your environment.

    1. Server - The LDAP server to connect with.  This can either be the IP address of the server, or the fully qualified DNS name of the LDAP server.  When Use SSL is enabled, prefer the fully qualified DNS name so that it can be matched against the name in the server’s certificate.

    2. Port - The TCP port the LDAP server is listening on.  Active Directory listens for plain LDAP on 389 and for LDAPS on 636 (default 389).

    3. Use SSL - Indicates whether the Kinetic Task server communicates with the LDAP server using the ldap: protocol or the ldaps: protocol.  SSL adds a layer of security by encrypting all traffic over the network; without it, the proxy account’s credentials and every directory search cross the network in clear text.  It may require extra configuration on the LDAP server (a server certificate that Kinetic Task trusts) and slightly degrades performance.  Note that changing this value normally requires the Port property to be adjusted as well: the default Active Directory SSL port is 636 (default No).

    4. User Login Attribute - The LDAP attribute that contains the value that users will login with (default sAMAccountName).

    5. User Display Name Attribute - The LDAP attribute that contains the User property that you want to display as the user’s name (default displayName).

    6. User Search DN - The distinguished name of the directory container from which the search for User objects starts.  This setting will require you to at least change the ‘DOMAIN’ part in the default value to your corporate domain name.  It may require other changes to match your environment, for example if your users live in an organizational unit other than the built-in Users container (default CN=Users,DC=DOMAIN,DC=com).

    7. User Search Filter - The filter narrows the matches returned by the search, so you can restrict which User objects are found (for example to members of one group or one object class).  The default filter doesn’t exclude any users (default (CN=*)).

    8. Proxy Security Principal - The login for the proxy LDAP user account mentioned in the requirements section.

    9. Proxy Security Credentials - The password for the proxy user account.

  5. Repeat steps 1-4 for each Kinetic Task web application instance in your environment.
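The properties above describe one LDAP search: a proxy bind to Server/Port over ldap: or ldaps:, then a search from User Search DN for the entry whose User Login Attribute equals the name the user typed, narrowed by User Search Filter.  The following script is an added example (it is not Kinetic Task code) that composes that search from the same property names, escapes the login name as RFC 4515 requires so that a crafted login cannot rewrite the filter, flags the mistakes most often made on this screen, and prints the equivalent OpenLDAP ldapsearch command so the values can be checked from a shell before saving them.  The way the two filter pieces are combined (an AND of the login-attribute match and User Search Filter) and the server, account and group names in the sample configuration are assumptions made for the example.

```python
"""Compose, escape and sanity-check the LDAP search implied by an identity
store configuration.  Added example, not Kinetic Task code.  Assumption: the
user lookup is an AND of (User Login Attribute=<login>) with the User Search
Filter, scoped to the User Search DN.  Field names mirror the setup screen.
"""
import shlex
from dataclasses import dataclass


@dataclass
class LdapIdentityStoreConfig:
    """One field per property on the Authentication setup screen."""
    server: str
    port: int = 389
    use_ssl: bool = False
    user_login_attribute: str = "sAMAccountName"
    user_display_name_attribute: str = "displayName"
    user_search_dn: str = "CN=Users,DC=DOMAIN,DC=com"
    user_search_filter: str = "(CN=*)"
    proxy_security_principal: str = ""
    proxy_security_credentials: str = ""


# RFC 4515 filter meta-characters and their hex escapes.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a login name before it is placed inside a search filter.
    Unescaped, a login like "*)(objectClass=*" would rewrite the query."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(cfg: LdapIdentityStoreConfig, login: str) -> str:
    """AND the login-attribute match with the configured User Search Filter."""
    return "(&(%s=%s)%s)" % (
        cfg.user_login_attribute,
        escape_filter_value(login),
        cfg.user_search_filter,
    )


def ldap_url(cfg: LdapIdentityStoreConfig) -> str:
    """ldap:// or ldaps:// URL matching the Use SSL and Port settings."""
    scheme = "ldaps" if cfg.use_ssl else "ldap"
    return "%s://%s:%d" % (scheme, cfg.server, cfg.port)


def config_warnings(cfg: LdapIdentityStoreConfig) -> list:
    """Mistakes a reviewer would flag before the configuration is saved."""
    warnings = []
    if not cfg.use_ssl:
        warnings.append("Use SSL is No: the proxy bind and all searches cross the network in clear text")
    if cfg.use_ssl and cfg.port == 389:
        warnings.append("Use SSL is Yes but Port is 389; Active Directory LDAPS listens on 636")
    if not cfg.use_ssl and cfg.port == 636:
        warnings.append("Port is 636 but Use SSL is No; plain ldap: will not work against an LDAPS port")
    if "DC=DOMAIN" in cfg.user_search_dn:
        warnings.append("User Search DN still contains the DOMAIN placeholder")
    if not cfg.proxy_security_principal or not cfg.proxy_security_credentials:
        warnings.append("Proxy Security Principal/Credentials are empty; the search bind will fail")
    return warnings


def ldapsearch_command(cfg: LdapIdentityStoreConfig, login: str) -> str:
    """Equivalent OpenLDAP ldapsearch invocation (simple bind; -W prompts for
    the proxy password so it never lands in shell history)."""
    argv = [
        "ldapsearch", "-x",
        "-H", ldap_url(cfg),
        "-D", cfg.proxy_security_principal, "-W",
        "-b", cfg.user_search_dn,
        build_user_filter(cfg, login),
        cfg.user_login_attribute, cfg.user_display_name_attribute,
    ]
    return " ".join(shlex.quote(a) for a in argv)


# Constructed sample configuration: dc01.example.com and svc-kinetic are made-up names.
EXAMPLE_CONFIG = LdapIdentityStoreConfig(
    server="dc01.example.com",
    port=636,
    use_ssl=True,
    user_search_dn="CN=Users,DC=example,DC=com",
    proxy_security_principal="svc-kinetic@example.com",
    proxy_security_credentials="prompted-at-runtime",
)

if __name__ == "__main__":
    # The screen's defaults, with only Server filled in, trip three warnings.
    for w in config_warnings(LdapIdentityStoreConfig(server="dc01.example.com")):
        print("WARNING:", w)
    print(ldapsearch_command(EXAMPLE_CONFIG, "jsmith"))
```

If the printed ldapsearch command returns exactly one entry for a known login, the proxy credentials, base DN, filter and attribute names are consistent and can be copied into the setup screen; zero entries usually means the User Search DN is wrong, and a bind error means the Proxy Security Principal format is not what the directory expects.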


Policy Rules

Now that the system is configured to use LDAP instead of the local identity store, any user matching your configuration can authenticate to Kinetic Task.  The instructions below illustrate how to setup the system to restrict access to the different areas of the application.

  1. The first step is to change the system default policy rule to Deny All users.  This instructs Kinetic Task to deny access to any area of the application unless a policy rule has been applied to that area.  If a policy rule does exist, it will be evaluated and access will either be granted or denied based on the rule.  This is in contrast to the default system policy of Allow All users, which would grant access to all authenticated users if a policy rule was not applied to the area.

    From within the administration console, click the ‘Permissions’ tab, then the ‘Policy Rules’ tab, then the ‘System Default’ tab.

    04-policy-rules-default.png

  2. Change the System Default Rule selection to Deny All, and save the system default rule.

  3. You will now need to create policy rules to define which users have access to the various parts of the application, which you can find in the documentation on Kinetic Community: http://community.kineticdata.com/20_Kinetic_Task/Documentation/Kinetic_Task_4.0/User_Guide/Consoles/40_Permissions

  4. Policy rules can be defined just like they were with the Local Identity Store, except the groups will now be bound to the LDAP group names.

    As an example, say you want to create a console policy rule that allows access to any user in the newly created LDAP group “Kinetic Task Administrator”.

    1. In LDAP, create the LDAP group named “Kinetic Task Administrator”.

    2. In LDAP, add the users who belong in the group to that group.

    3. In the Kinetic Task administrator console, click the ‘Permissions’ tab, then the ‘Policy Rules’ tab, then the ‘Console’ tab.

    4. Add a new rule with details as depicted in the image below.

05-console-policy-rule.png

  5. Create as many rules as you need to correspond with your LDAP groups.

  6. Assign the rules on the Console Access page to define which users have access to each area of the application: click the ‘Permissions’ tab, then the ‘Console Access’ tab.  Alternatively, you can assign a single rule to multiple consoles by clicking on the policy rule.

  7. Repeat for each console, or for each policy rule that you created.
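The reason step 1 insists on Deny All is the fallback: a console with no rule assigned takes the system default, so under Allow All every user the LDAP configuration can authenticate reaches it.  The following is an added example, a simplified model written for this page and not Kinetic Task’s own policy engine, that evaluates console access from a system default, a set of rules bound to LDAP group names, and the rule-to-console assignments, and lists the consoles that are exposed while the default is still Allow All.  The console, rule and group names other than “Kinetic Task Administrator” are constructed for the illustration.

```python
"""Model of how the system default rule interacts with console policy rules
bound to LDAP group names.  Added example; a simplified model for reasoning
about the configuration, not Kinetic Task's policy engine.  Console, rule and
group names (other than the page's "Kinetic Task Administrator") are made up.
"""

ALLOW_ALL = "Allow All"
DENY_ALL = "Deny All"


def console_access(system_default, policy_rules, console_rules, console, user_groups):
    """Return True if a user holding user_groups may open console.

    policy_rules maps a rule name to the set of LDAP group names it admits;
    console_rules maps a console name to the rule names assigned to it.
    A console with no assigned rule falls back to the system default.
    """
    assigned = console_rules.get(console, set())
    if not assigned:
        return system_default == ALLOW_ALL  # the fallback the page warns about
    held = set(user_groups)
    # Any assigned rule that admits one of the user's groups grants access.
    return any(policy_rules[rule] & held for rule in assigned)


def unprotected_consoles(system_default, console_rules, all_consoles):
    """Consoles every authenticated LDAP user can reach: no rule assigned and
    the system default left at Allow All."""
    if system_default != ALLOW_ALL:
        return []
    return sorted(c for c in all_consoles if not console_rules.get(c))


# Constructed data.  Rule names are bound to LDAP group names as on the page.
POLICY_RULES = {
    "Kinetic Task Administrators": {"Kinetic Task Administrator"},
    "Tree Builders": {"Kinetic Task Builder"},
}
CONSOLES = ["Admin", "Trees", "Runs", "Permissions"]
CONSOLE_RULES = {
    "Admin": {"Kinetic Task Administrators"},
    "Permissions": {"Kinetic Task Administrators"},
    "Trees": {"Kinetic Task Administrators", "Tree Builders"},
    # "Runs" has no rule assigned yet; an easy thing to forget.
}

if __name__ == "__main__":
    for default in (ALLOW_ALL, DENY_ALL):
        exposed = unprotected_consoles(default, CONSOLE_RULES, CONSOLES)
        print("System default %s: consoles open to every LDAP user: %s" % (default, exposed))
```

Run the audit function against your real console list after every change to the rules; an empty result under Allow All is the only state in which leaving the default unchanged would be safe, and Deny All removes the question entirely.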

Install File

Download the installation file.