
507. Integrate with LDAP

Foretify Manager supports LDAP (Lightweight Directory Access Protocol) and can be integrated with directory services such as OpenLDAP or Microsoft Active Directory for authenticating and authorizing users.

Foretify Manager's configuration uses LDAP terms and query syntax for retrieving information about users. For more information, see the Glossary of LDAP terms.

Once integrated, users can log in to Foretify Manager using their existing directory service credentials.

507.1 Basic configuration

  1. Assign each user to at least one of the two user groups:

    • fmanager_user
    • fmanager_admin

    This setup should be done by the administrator responsible for the LDAP server configuration.

  2. Edit the application.properties file to include the following parameters and values:

    application.properties LDAP configuration keys
    ldap.url=ldap://<IP>:<port>
    ldap.baseDn=<...>
    ldap.managerDn=<...>
    ldap.managerPassword=<...>
    ldap.userDnPattern=<...>
    ldap.groupDn=ou=<...>
    ldap.displayNamePattern=<...>
    ldap.emailPattern=<...>
    

    For example:

    application.properties LDAP configuration example
    ldap.url=ldap://123.45.67.89:389/
    ldap.baseDn=DC=myOrg,DC=com
    ldap.managerDn=CN=admin,DC=myOrg,DC=com
    ldap.managerPassword=mypassword
    ldap.userDnPattern=CN={0},CN=Users,OU=Groups
    ldap.userSearchFilter=(&(objectClass=user)(CN={0}))
    ldap.groupDn=OU=Groups
    ldap.displayNamePattern={givenName} {SN}
    ldap.emailPattern={mail}
    

    If Microsoft Active Directory (AD) is the LDAP server, also add this setting:

    application.properties LDAP configuration example
    ldap.serverType=active_directory
    
    Option name               Description
    ldap.url                  URL of the LDAP server (e.g. "ldap://myldapserver.org:389")
    ldap.managerPassword      Password for the LDAP manager
    ldap.baseDn               Distinguished Name used as the base of the user/organization search
    ldap.managerDn            Distinguished Name of the LDAP manager (used for accessing the LDAP server)
    ldap.userDnPattern        Distinguished Name pattern for the user search (e.g. to search users by CN: ldap.userDnPattern=CN={0},CN=Users,OU=Groups)
    ldap.userSearchFilter     User search filter (e.g. to search users by sAMAccountName: ldap.userSearchFilter=(&(objectClass=user)(sAMAccountName={0})))
    ldap.groupDn              Distinguished Name of the organizational unit that contains the groups
    ldap.displayNamePattern   Pattern of attributes composing a user's display name, each enclosed in curly braces, e.g. "{givenName} {sn}"
    ldap.emailPattern         Pattern of attributes composing a user's email address, each enclosed in curly braces, e.g. "{mail}"
  3. Launch (or restart) the Foretify Manager server.

    Shell command: launch server
    $ {RELEASE_DIRECTORY}/server/bin/fmanager_server
    
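The following script is an added example, not Foretify's own code. It reads the ldap.* keys documented in the steps above from an application.properties file, substitutes a login name into ldap.userDnPattern and ldap.userSearchFilter with the escaping LDAP requires for DN values and filter values, composes the display name and e-mail from the attribute patterns, and reports settings a reviewer would flag before restarting the server. The sample properties text, the sample directory entry and the check rules are constructed for this example; the key names are the documented ones.

```python
"""Check Foretify Manager's LDAP keys in application.properties (added example)."""
import re

# Constructed application.properties excerpt, mirroring the documented example.
SAMPLE_PROPERTIES = """\
# LDAP settings (constructed sample)
ldap.url=ldap://123.45.67.89:389/
ldap.baseDn=DC=myOrg,DC=com
ldap.managerDn=CN=admin,DC=myOrg,DC=com
ldap.managerPassword=mypassword
ldap.userDnPattern=CN={0},CN=Users,OU=Groups
ldap.userSearchFilter=(&(objectClass=user)(CN={0}))
ldap.groupDn=OU=Groups
ldap.displayNamePattern={givenName} {SN}
ldap.emailPattern={mail}
ldap.serverType=active_directory
"""

# Constructed directory entry for one user, attribute names as a server returns them.
SAMPLE_ENTRY = {"givenName": "Ada", "sn": "Lovelace", "mail": "ada@myorg.example"}

REQUIRED_KEYS = ("ldap.url", "ldap.baseDn", "ldap.managerDn", "ldap.managerPassword",
                 "ldap.userDnPattern", "ldap.groupDn",
                 "ldap.displayNamePattern", "ldap.emailPattern")


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines; '#' and '!' start comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value placed inside a DN."""
    out = "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)
    if out.startswith((" ", "#")):
        out = "\\" + out
    if len(value) > 1 and value.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def render_user_dn(props, username):
    """The DN built from ldap.userDnPattern for this login name ({0} is the login)."""
    return props["ldap.userDnPattern"].replace("{0}", escape_dn_value(username))


def render_search_filter(props, username):
    """The search filter for this login name, with filter metacharacters escaped."""
    return props["ldap.userSearchFilter"].replace("{0}", escape_filter_value(username))


def render_attribute_pattern(pattern, entry):
    """Expand {attr} tokens. LDAP attribute names are case-insensitive, so the
    documented {SN} and {sn} both resolve to the entry's sn attribute."""
    lowered = {k.lower(): v for k, v in entry.items()}
    return re.sub(r"\{(\w+)\}", lambda m: lowered.get(m.group(1).lower(), ""), pattern)


def check_config(props):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = ["missing key: " + k for k in REQUIRED_KEYS if k not in props]
    url = props.get("ldap.url", "")
    if not re.match(r"^ldaps?://[^/:]+(:\d+)?/?$", url):
        findings.append("ldap.url is not of the form ldap(s)://host[:port]: %r" % url)
    elif url.startswith("ldap://"):
        # Simple binds over plain ldap:// carry the manager password and every
        # user's password unencrypted; section 507.2 covers switching to ldaps://.
        findings.append("ldap.url uses plain ldap://; use ldaps:// (see 507.2)")
    for key in ("ldap.userDnPattern", "ldap.userSearchFilter"):
        if key in props and "{0}" not in props[key]:
            findings.append(key + " has no {0} placeholder for the login name")
    flt = props.get("ldap.userSearchFilter", "")
    if flt.count("(") != flt.count(")"):
        findings.append("ldap.userSearchFilter has unbalanced parentheses")
    if "sAMAccountName" in flt and props.get("ldap.serverType") != "active_directory":
        # sAMAccountName exists only in Active Directory, which needs ldap.serverType.
        findings.append("filter uses sAMAccountName but ldap.serverType is not active_directory")
    if "fmanager.ssl.trustStore" in props and not url.startswith("ldaps://"):
        findings.append("fmanager.ssl.trustStore is set but ldap.url is not ldaps://")
    return findings


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print("bind DN: ", render_user_dn(props, "Lovelace, Ada"))
    print("filter:  ", render_search_filter(props, "ada*"))
    print("display: ", render_attribute_pattern(props["ldap.displayNamePattern"], SAMPLE_ENTRY))
    print("e-mail:  ", render_attribute_pattern(props["ldap.emailPattern"], SAMPLE_ENTRY))
    for finding in check_config(props):
        print("finding: ", finding)
```

Run it against a copy of the real application.properties by replacing SAMPLE_PROPERTIES with the file's contents. The escaping functions matter because the login name the user types is what replaces {0}: a comma in a DN value or a parenthesis in a filter value changes the query's structure unless it is escaped, so a configuration review should confirm the server does the same before the name reaches the directory.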

507.2 Additional configuration for Secured LDAP (LDAPS)

  1. Acquire the LDAP server's public SSL certificate.

    Preferably, the certificate is provided as a file by the hosting domain administrators, but it can also be downloaded from the server:

    Shell command
    openssl s_client -showcerts -connect <LDAPS_HOSTNAME>:<PORT> </dev/null \
       | sed -n -e '/-.BEGIN/,/-.END/ p' > <CERTIFICATE_FILENAME>
    
  2. Create a keystore file from the certificate:

    Shell command
    keytool -import -file <CERTIFICATE_FILENAME> -alias ldap_cert -keystore <KEYSTORE_FILENAME>
    

    keytool prompts for a keystore password, which is configured in Foretify Manager in the next step.

    It also asks whether to trust the certificate. Type "yes".

  3. Edit application.properties to include the keystore filename and password:

    application.properties file syntax
    fmanager.ssl.trustStore=<KEYSTORE_PATH_AND_FILENAME>
    fmanager.ssl.trustStorePassword=<KEYSTORE_PASSWORD>
    
  4. Verify that application.properties points to the correct LDAP server and port number.

    The protocol should be ldaps and the port number is typically 636.
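The script below is an added example, not Foretify's own code, covering steps 1 to 4 above. The openssl command of step 1 returns whatever certificate chain the network presents, so the script computes the SHA-256 fingerprint of each certificate in the downloaded PEM file and compares it with a value obtained out of band from the directory administrators before running the keytool import of step 2; it then produces the two application.properties lines of step 3 and rewrites the documented ldap:// URL to ldaps:// on port 636 for step 4. SAMPLE_PEM is a constructed stand-in (the base64 of the bytes "abc"), not a real certificate; the keytool flags are the documented ones plus -noprompt; file names and the keystore password are placeholders.

```python
"""Pin the LDAPS certificate before trusting it, then wire it into
application.properties (added example)."""
import hashlib
import re
import ssl
import subprocess

# Constructed PEM block; a real file from step 1 holds the server's chain.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def pem_fingerprints(pem_text):
    """SHA-256 fingerprint (openssl-style colon-separated hex) of every
    certificate block in the text, in file order."""
    result = []
    for block in PEM_BLOCK.findall(pem_text):
        der = ssl.PEM_cert_to_DER_cert(block)  # base64 body -> DER bytes
        digest = hashlib.sha256(der).hexdigest().upper()
        result.append(":".join(digest[i:i + 2] for i in range(0, len(digest), 2)))
    return result


def _normalize(fingerprint):
    """Drop colons and letter case so a value copied from any tool compares cleanly."""
    return fingerprint.replace(":", "").lower()


def fingerprint_matches(pem_text, expected):
    """True if any certificate in the file has the expected fingerprint."""
    return _normalize(expected) in (_normalize(fp) for fp in pem_fingerprints(pem_text))


def keytool_import_argv(cert_file, keystore_file, alias="ldap_cert"):
    """argv for step 2. -noprompt replaces the interactive 'yes' because the
    fingerprint check already established trust; keytool still asks for the
    keystore password, which step 3 places in application.properties."""
    return ["keytool", "-import", "-noprompt", "-file", cert_file,
            "-alias", alias, "-keystore", keystore_file]


def ldaps_url(ldap_url, port=636):
    """Rewrite a documented ldap://host[:port]/ URL to ldaps:// on the LDAPS
    port (636 unless the server uses another one)."""
    m = re.match(r"^ldaps?://([^/:]+)(?::\d+)?(/.*)?$", ldap_url)
    if not m:
        raise ValueError("not an ldap(s) URL: %r" % ldap_url)
    return "ldaps://%s:%d%s" % (m.group(1), port, m.group(2) or "")


def truststore_properties(keystore_path, keystore_password):
    """The two lines step 3 adds to application.properties."""
    return ("fmanager.ssl.trustStore=%s\n"
            "fmanager.ssl.trustStorePassword=%s\n" % (keystore_path, keystore_password))


def import_if_pinned(cert_file, keystore_file, expected_fingerprint):
    """Run the keytool import only when the downloaded certificate matches the
    out-of-band fingerprint; otherwise report what was actually downloaded."""
    with open(cert_file) as fh:
        pem_text = fh.read()
    if not fingerprint_matches(pem_text, expected_fingerprint):
        raise RuntimeError("fingerprint mismatch, downloaded: %s" % pem_fingerprints(pem_text))
    subprocess.run(keytool_import_argv(cert_file, keystore_file), check=True)
    return True


if __name__ == "__main__":
    # Stand-alone demonstration on the constructed PEM (no keytool needed).
    print("fingerprints:", pem_fingerprints(SAMPLE_PEM))
    print("ldaps url:   ", ldaps_url("ldap://123.45.67.89:389/"))
    print(truststore_properties("/opt/fmanager/<KEYSTORE_FILENAME>", "<KEYSTORE_PASSWORD>"), end="")
```

For a real certificate file, call import_if_pinned("<CERTIFICATE_FILENAME>", "<KEYSTORE_FILENAME>", "<FINGERPRINT_FROM_ADMINISTRATORS>"); the fingerprint to compare against is the one the directory administrators report for their server certificate or issuing CA, not one read from the same download.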