ACTIVE DIRECTORY WITH WEBADM - RCDEVS Online ...
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
ACTIVE DIRECTORY
WITH WEBADM
The specifications and information in this document are subject to change without notice. Companies, names, and data used
in examples herein are fictitious unless otherwise noted. This document may not be copied or distributed by any means, in
whole or in part, for any reason, without the express written permission of RCDevs.
Copyright (c) 2010-2017 RCDevs SA. All rights reserved.
http://www.rcdevs.com
WebADM and OpenOTP are trademarks of RCDevs. All further trademarks are the property of their respective owners.
Limited Warranty
No guarantee is given for the correctness of the information contained in this document. Please send any comments or
corrections to info@rcdevs.com. Active Directory with WebADM Active Directory Proxy User LDAP 1. Installation Packages Firstly, we have to install OpenOTP and WebADM packages available through RCDevs Repository or on RCDevs Website. In this how-to, we will install all required packages through the RCDevs repository. So, your servers should have internet access to download every package. 1.1 For Redhat/CentOS On a RedHat, Centos or Fedora system, you can use our repository, which simplifies updates. Add the repository on your server(s) who will host WebADM/OpenOTP: yum install https://www.rcdevs.com/repos/redhat/rcdevs_release-1.1.0-1.noarch.rpm Clean yum cache and install WebADM with OpenOTP: yum clean all Install WebADM and OpenOTP packages: yum install webadm openotp You can also install Self-Service Desk, Self-Registration or Secure Password Reset apps if needed (optional): yum install selfdesk selfreg pwreset Run the setup script: /opt/webadm/bin/setup It initializes the WebADM PKI, etc… The WebADM setup script will allow you to make a choice between 2 scenarios for Active Directory: schema extended or schema not extended. Have a look on the next part of this documentation for more information about these 2 setup.
1.2 For Debian/Ubuntu On a Debian system, you can use RCDevs repository too. Add the repository with the following command: wget https://www.rcdevs.com/repos/debian/rcdevs-release_1.1.0-1_all.deb apt-get install ./rcdevs-release_1.1.0-1_all.deb Update cache and install WebADM with all WebApps & Services: apt-get update Install WebADM and OpenOTP packages: apt-get install openotp webadm You can also install Self-Service Desk, Self-Registration or Secure Password Reset apps if needed (optional): apt-get install selfdesk selfreg pwreset Run the setup script: /opt/webadm/bin/setup It initializes the WebADM PKI, etc… The WebADM setup script will allow you to make a choice between 2 scenarios for Active Directory: schema extended or schema not extended. Have a look on the next part of this documentation for more information about these 2 setup. 2. Scenarios allowed by WebADM setup script You have two ways to setup WebADM LDAP schema for Active Directory: With the WebADM schema extension (preferred). Without any schema addition (re-uses existing object classes and attributes as a replacement). In both scenarios, we advise you to create a blank Organizational Unit on your AD to store the WebADM configurations. In this documentation, the OU will be ou=WebADM and the domain is dc=mydomain,dc=com Follow below, the scenario that you prefer and skip the other one.
/opt/webadm/bin/setup
Checking system architecture...Ok
Setup WebADM as master server or slave (secondary server in a cluster) (m/s)? m
WebADM proposes 3 default configuration templates:
1) Default configuration (Novell, eDirectory, Oracle, OpenLDAP)
2) Active Directory with schema extention (preferred with AD)
3) Active Directory without schema extention
Choose a template number or press enter for default:
Options 2 and 3 are dedicated to Active Directory.
3. AD Schema Extended Configuration
3.1 Prerequisite & Overview
This option is preferred and WebADM will use the RCDevs IANA-registered Active Directory attributes to store additional LDAP data
in users and groups. The WebADM schema addition is very minimal and is composed of 3 new object classes (webadmAccount,
webadmGroup, webadmConfig) and 3 new attributes (webadmSettings, webadmData, webadmType).
If you choose this installation option, then you must connect WebADM to the domain controller having the Schema Master Role in
Active Directory to let WebADM register its schema additions. If you connect WebADM to two or more domain controllers in the
servers.xml file, the first one should be the one with the Schema Master Role. Without it, the WebADM graphical setup (explained
later) will not be allowed to add the required object classes to your Active Directory./opt/webadm/bin/setup
Checking system architecture...Ok
Setup WebADM as master server or slave (secondary server in a cluster) (m/s)? m
WebADM proposes 3 default configuration templates:
1) Default configuration (Novell, eDirectory, Oracle, OpenLDAP)
2) Active Directory with schema extention (preferred with AD)
3) Active Directory without schema extention
Choose a template number or press enter for default: 2
Enter the server fully qualified host name (FQDN): webadm.mycompany.com
Enter your organization name: my compagny
Generating CA private key... Ok
Creating CA certificate... Ok
Generating SSL private key... Ok
Creating SSL certificate request... Ok
Signing SSL certificate with CA... Ok
Adding CA certificate to the local trust list... Ok
Setting file permissions... Ok
Adding system user to dialout group... Ok
Do you want WebADM to be automatically started at boot (y/n)? y
Adding systemd service... Ok
Do you want to register WebADM logrotate script (y/n)? y
Adding logrotate scripts... Ok
Do you want to generate a new secret key in webadm.conf (y/n)? y
Generating secret key string... Ok
WebADM has successfully been setup.
3.2 WebADM Configuration File
In this file, we will configure LDAP containers for WebADM. This file is:
vi /opt/webadm/conf/webadm.conf
The file is full here but please, edit the 2nd block code, this is the only part that interests us here.
#
# WebADM Server Configuration
#
# Administrator Portal's authentication method.
# - PKI: Requires client certificate and login password.
# - UID: Requires domain name, login name and password.
# - DN: Requires login DN and password.
# - OTP: Like UID with an OTP challenge.
# - U2F: Like UID with a FIDO-U2F challenge.
# - MFA: Like UID with both OTP and FIDO-U2F challenge.# - MFA: Like UID with both OTP and FIDO-U2F challenge.
# Using certificates is the most secure login method. To use certificate login,
# you must log in WebADM and create a login certificate for your administrators.
# The UID mode requires a WebADM domain to exist and have its User Search Base
# set to the subtree where are located the administrator users. When using UID
# and if there is no domain existing in WebADM, the login mode is automatically
# forced to DN. You will also need to log in with the full user DN and set up
# a WebADM domain to be able to use the UID login mode.admin_auth UID
admin_auth UID
# Show the registered domain list when admin_auth is set to UID, OTP or U2F.
# And set a default admin login domain when auth_mode is set to these methods.
list_domains Yes
#default_domain "Default"
# Manager API's authentication method. Only UID, PKI and DN are supported here.
# If you set the admin_auth with multi-factor (PKI, OTP or U2F), then you must
# either use manager_auth PKI or UID with a list of allowed client IPs.
#manager_auth UID
#manager_clients "192.168.0.10","192.168.0.11"
# User level changes the level of feature and configuration for all applications.
# WebADM proposes three levels: Beginner, Intermediate and Expert. The default
# level (Expert) is recommended as it provides access to all the RCDevs features.
#user_level Expert
# If your LDAP directory is setup with a base DN (ex. dc=mydomain,dc=com on AD),
# you can optionally set the base_treebase suffix and omit the suffix in other
# LDAP configurartions like proxy_user, super_admins and containers.
ldap_treebase "dc=mydomain,dc=com"
# The proxy user is used by WebADM for accessing LDAP objects over which the
# admin user does not have read permissions or out of an admin session.
# The proxy user should have read permissions on the whole LDAP tree,
# and write permissions on the users/groups used by the WebApps and WebSrvs.
# The use of a proxy user is required for WebApps and WebSrvs.
# With ActiveDirectory, you can use any Domain Administrator DN as a proxy user,
# which should look like cn=Administrator,cn=Users,dc=mydomain,dc=com.
proxy_user "cn=Administrator,cn=Users"
proxy_password "Password1234"
# Super administrators have extended WebADM privileges such as setup permissions,
# additional operations and unlimited access to any LDAP encrypted data. Access
# restriction configured in the WebADM OptionSets do not apply to super admins.
# You can set a list of individual LDAP users or LDAP groups here.
# With ActiveDirectory, your administrator account should be is something like
# cn=Administrator,cn=Users,dc=mydomain,dc=com. And you can replace the sample
# super_admins group on the second line with an existing security group.
super_admins "cn=Administrator,cn=Users", \
"cn=Domain Admins,cn=Users"
# LDAP objectclasses
container_oclasses "container", "organizationalUnit", "organization", "domain",container_oclasses "container", "organizationalUnit", "organization", "domain",
"locality", "country", \
"openldaprootdse", "treeroot"
# user_oclasses is used to build the LDAP search filter with 'Domain' auth_mode.
# If your super admin user user does not have one of the following objectclasses,
# add one of its objectclasses to the list.
user_oclasses "user", "account", "person", "inetOrgPerson", "posixAccount"
group_oclasses "group", "groupOfNames", "groupOfUniqueNames", "dynamicGroup",
"posixGroup"
# With ActiveDirectory 2003 only, you need to add the 'user' objectclass to the
# webadm_account_oclasses and the 'group' objectclass to the webadm_group_oclasses.
webadm_account_oclasses "webadmAccount"
webadm_group_oclasses "webadmGroup"
webadm_config_oclasses "webadmConfig"
# LDAP attributes
certificate_attrs "userCertificate"
password_attrs "userPassword", "unicodePwd", "sambaNTPassword"
uid_attrs "uid", "samAccountName", "userPrincipalName"
member_attrs "member", "uniqueMember"
memberof_attrs "memberOf", "groupMembership"
memberuid_attrs "memberUid"
language_attrs "preferredLanguage"
mobile_attrs "mobile", "otherMobile"
mail_attrs "mail", "otherMailbox"
webadm_data_attrs "webadmData"
webadm_settings_attrs "webadmSettings"
webadm_type_attrs "webadmType"
# Find below the LDAP containers required by WebADM.
# Change the container's DN to fit your ldap tree base.
# WebADM AdminRoles container
adminroles_container "cn=AdminRoles,cn=WebADM"
# WebADM Optionsets container
optionsets_container "cn=OptionSets,cn=WebADM"
# WebApp configurations container
webapps_container "cn=WebApps,cn=WebADM"
# WebSrv configurations container
websrvs_container "cn=WebSrvs,cn=WebADM"
# Mount points container
mountpoints_container "cn=Mountpoints,cn=WebADM"
# Domain and Trusts container
domains_container "cn=Domains,cn=WebADM"
# Clients container
clients_container "cn=Clients,cn=WebADM"
# You can set here the timeout (in seconds) of a WebADM session.
# Web sessions will be closed after this period of inactivity.
# The Manager Interface cookie-based sessions are disabled by default.
admin_session 900
manager_session 0
webapps_session 600# You can set here the WebADM internal cache timeout. A normal value is one hour. cache_timeout 3600 # Application languages languages "EN","FR","DE","ES","IT","FI" # WebADM encrypts LDAP user data, sensitive configurations and user sessions with # AES-256. The encryption key(s) must be 256bit base64-encoded random binary data. # Use the command 'openssl rand -base64 32' to generate a new encryption key. # Warning: If you change the encryption key, any encrypted data will become invalid! # You can set several encryption keys for key rollout. All the defined keys are used # for decrypting data. And the first defined key is used to (re-)encrypt data. # Two encryption modes are supported: # Standard: AES-256-CBC (default) # Advanced: AES-256-CBC with per-object encryption (stronger) encrypt_data Yes encrypt_mode Standard encrypt_hsm No encrypt_key "49SkOTmgAEDB8O+rxwbBoUWzg5m+z6vvtix76QoKD1A=" # Hardware Cryptography Module # Yubico YubiHSM and RCDevs HSMHub are currently supported for hardware encryption. # Up to 8 HSM modules can be concurrently attached to the server. #hsm_model YubiHSM #hsm_keyid 1 # The data store defines which back-end is used for storing user data and settings. # By default WebADM stores any user and group metadata in the LDAP objects. By setting # the data_store to SQL, these metadata are stored in a dedicated SQL table. # LDAP remains the preferred option because it maximizes the system consistency. # SQL should be used only if you need read-only LDAP access for the proxy_user. data_store LDAP # The record store defines which back-end is used to store SpanKey records. # Choose SQL to store records in the database and NAS to store on a shared NAS folder. # With NAS, the store_path must be configured and accessible from all cluster nodes. record_store SQL #record_path "/mnt/records" # The group mode defines how WebADM will handle LDAP groups. # - Direct mode: WebADM finds user groups using the memberof_attrs defined above. # In this case, the group membership is defined in the LDAP user objects. # - Indirect mode: WebADM finds user groups by searching group objects which contain # the user DN as part of the member_attrs. # - Auto: Both direct and indirect groups are used. # - Disabled: All LDAP group features are disabled in WebADM. # By default (when group_mode is not specified) WebADM handles both group modes. group_mode Auto # LDAP cache increases a lot of performances under high server loads. The cache limits # the number of LDAP requests by storing resolved user DN and group settings. When # enabled, results are cached for 300 secs.
# enabled, results are cached for 300 secs. ldap_cache Yes # LDAP routing enables LDAP request load-balancing when multiple LDAP servers are # configured in servers.xml. You should enable this feature only if the LDAP server # load becomes a bottleneck due to a big amount of users (ex. more than 10000 users). #ldap_routing No # You can optionally disable some features if you run multiple WebADM servers with # different purposes. For example, if you don't want to provide admin portal on an # Internet-exposed WebApps and WebSrvs server. # By default, all the functionalities are enabled. enable_admin Yes enable_manager Yes enable_webapps Yes enable_websrvs Yes # Enable syslog reporting (disabled by default). When enable, system logs are sent # to both the WebADM log files and syslog. #log_debug No #log_format Default #log_mixsql No #log_syslog No #syslog_facility LOG_USER #syslog_format CEF # Alerts are always recorded to the SQL Alert log. Additionally, when alert_email # or alert_mobile is defined, the alerts are also sent by email/SMS. #alert_email "me@mydomain.com" #alert_mobile "+33 12345678" # Alert users via email when a login certificate or ActiveDirectory domain password # is near expiration. The templates are defined in ldap_expire_xxx and cert_expire_xxx. user_warning Yes # If your WebADM server is used behind a reverse-proxy or load-balancer, you need to # set the IP address(es) of your reverse-proxy server(s). Your proxy MUST create the # HTTP_X_FORWARDED_FOR and HTTP_X_FORWARDED_HOST headers. #reverse_proxies "192.168.0.100", "192.168.0.101" # If you use WebADM Publishing Proxy (WAProxy) for publishing applications on public # networks, then you must set the IP address(es) of the WAProxy server(s). # Enable this setting ONLY if you are using RCDevs WAProxy as reverse-proxy! #waproxy_proxies "192.168.0.102" # The public DNS name of your WAProxy server #waproxy_pubaddr "www.myproxy.com" # Check for new product versions and license updates on RCDevs' website. # These features require outbound Internet access from the server. check_versions Yes check_licenses Yes # WebApps theme (default or flat) # Comment the following line to disable the default theme.
# Comment the following line to disable the default theme. webapps_theme "default" # End-user message templates # The following variables are available: %USERNAME%, %USERDN%, %USERID%, %DOMAIN%, %APPNAME% # Additional variables are available depending on the context: %APPNAME%, %APPID%, %TIMEOUT%, %EXPIRES% app_unlock_subject "Unlocked access to %APPNAME%" app_unlock_message "Hello %USERNAME%,\r\n\r\nYou have a one-time access to the %APPNAME%.\r\nYour access will automatically expire %EXPIRES%." ldap_expire_subject "Login password near expiration" ldap_expire_message "Hello %USERNAME%,\r\n\r\nYour login password will expire %EXPIRES%.\r\nPlease reset your password before expiration!\r\n\r\nRegards" cert_expire_subject "Login certificate near expiration" cert_expire_message "Hello %USERNAME%,\r\n\r\nYour login certificate will expire %EXPIRES%.\r\nPlease renew your certificate before expiration!\r\n\r\nRegards" # Personalization options # You can customize your organization name, logo file and website URL. # The logo file must be PNG image with size 100x50 pixels. #org_name "RCDevs SA" #org_logo "rcdevs.png" #org_site "http://www.rcdevs.com/" # Misc options #treeview_width 300 #treeview_items 1500 #default_portal Admin #ldap_uidcase No #ntp_server "myserver.local" Adjust the LDAP containers with your configuration. Note You don’t have to change the first part of each container DN. You have to edit LDAP containers DN according to your domain and your OU. My Organizational Unit DN is ou=WebADM,dc=mydomain,dc=com . The ldap treebase (dc=mydomain,dc=com) is not required for LDAP containers, proxy_user and super_admin because of the setting ldap_treebase just above.
# Find below the LDAP containers required by WebADM.
# Change the container's DN to fit your ldap tree base.
# WebADM AdminRoles container
adminroles_container "cn=AdminRoles,ou=WebADM"
# WebADM Optionsets container
optionsets_container "cn=OptionSets,ou=WebADM"
# WebApp configurations container
webapps_container "cn=WebApps,ou=WebADM"
# WebSrv configurations container
websrvs_container "cn=WebSrvs,ou=WebADM"
# Mount points container
mountpoints_container "cn=Mountpoints,ou=WebADM"
# Domain and Trusts container
domains_container "cn=Domains,ou=WebADM"
# Clients container
clients_container "cn=Clients,ou=WebADM"
3.3 Proxy User
A proxy user needs to perform a wide LDAP search and reads. It also requires read-only permissions to the WebADM LDAP
configurations (ie. configured containers) and to the user Domains subtrees. A proxy user needs to do some write operations to a
few LDAP attributes because it needs to store dynamic application user data into the users. Have a look on the following
documetation to have more information about proxy_user rights : AD Proxy User.
proxy_user "cn=proxy_user,cn=Users"
proxy_password "Password1234"
WebADM OU Rights
Your proxy_user account should have the read right on your WebADM Organizational Unit previously created!
3.4 WebADM Administrator(s)
To allow an administrator or an admin group to log on to the WebADM interface, you have to edit the super_admin setting in
webadm.conf:
super_admins "cn=Administrator,cn=Users", \
"cn=Domain Admins,cn=Users"
Have a look on the following documentation to have more information about the super_admin rights. Note
To extend the schema, you need also to configure a schema administrator as a super admin. This schema admin user will be used
for the first login to extend the schema through the WebADM GUI.
WebADM OU Rights
Your super_admin administrator(s) should have the read/write rights on your WebADM Organizational Unit previously created!
4. Schema Not Extended Configuration
4.1 Prerequisite & Overview
With this option, WebADM does not make any addition to the Active Directory schema. Instead, the configuration WebADM is
customized to re-use some existing object classes and attributes.
/opt/webadm/bin/setup
Checking system architecture...Ok
Setup WebADM as master server or slave (secondary server in a cluster) (m/s)? m
WebADM proposes 3 default configuration templates:
1) Default configuration (Novell, eDirectory, Oracle, OpenLDAP)
2) Active Directory with schema extention (preferred with AD)
3) Active Directory without schema extention
Choose a template number or press enter for default: 3
Enter the server fully qualified host name (FQDN): webadm.mycompany.com
Enter your organization name: my compagny
Generating CA private key... Ok
Creating CA certificate... Ok
Generating SSL private key... Ok
Creating SSL certificate request... Ok
Signing SSL certificate with CA... Ok
Adding CA certificate to the local trust list... Ok
Setting file permissions... Ok
Adding system user to dialout group... Ok
Do you want WebADM to be automatically started at boot (y/n)? y
Adding systemd service... Ok
Do you want to register WebADM logrotate script (y/n)? y
Adding logrotate scripts... Ok
Do you want to generate a new secret key in webadm.conf (y/n)? y
Generating secret key string... Ok
WebADM has successfully been setup.WebADM will also use the AD object class bootabledevice as user/group activation class and the object class device for the LDAP configuration objects’ storage. It will also store user settings and metadata in the bootFile and bootParameter attributes in the class bootabledevice. In “conf/objects.xml”, the LDAP object specifications are configured to use the replacement object classes and attributes. 4.2 WebADM Configuration File In this file, we will configure LDAP containers for WebADM. This file is: /opt/webadm/conf/webadm.conf The file is full here but please, edit the 2nd block code, this is the only part that interests us here. # # WebADM Server Configuration # # Administrator Portal's authentication method. # - PKI: Requires client certificate and login password. # - UID: Requires domain name, login name and password. # - DN: Requires login DN and password. # - OTP: Like UID with an OTP challenge. # - U2F: Like UID with a FIDO-U2F challenge. # - MFA: Like UID with both OTP and FIDO-U2F challenge. # Using certificates is the most secure login method. To use certificate login, # you must log in WebADM and create a login certificate for your administrators. # The UID mode requires a WebADM domain to exist and have its User Search Base # set to the subtree where are located the administrator users. When using UID # and if there is no domain existing in WebADM, the login mode is automatically # forced to DN. You will also need to log in with the full user DN and set up # a WebADM domain to be able to use the UID login mode.admin_auth UID admin_auth UID # Show the registered domain list when admin_auth is set to UID, OTP or U2F. # And set a default admin login domain when auth_mode is set to these methods. list_domains Yes #default_domain "Default" # Manager API's authentication method. Only UID, PKI and DN are supported here. # If you set the admin_auth with multi-factor (PKI, OTP or U2F), then you must # either use manager_auth PKI or UID with a list of allowed client IPs. #manager_auth UID #manager_clients "192.168.0.10","192.168.0.11" # User level changes the level of feature and configuration for all applications. # WebADM proposes three levels: Beginner, Intermediate and Expert. The default # level (Expert) is recommended as it provides access to all the RCDevs features.
# level (Expert) is recommended as it provides access to all the RCDevs features.
#user_level Expert
# If your LDAP directory is setup with a base DN (ex. dc=mydomain,dc=com on AD),
# you can optionally set the base_treebase suffix and omit the suffix in other
# LDAP configurartions like proxy_user, super_admins and containers.
ldap_treebase "dc=mydomain,dc=com"
# The proxy user is used by WebADM for accessing LDAP objects over which the
# admin user does not have read permissions or out of an admin session.
# The proxy user should have read permissions on the whole LDAP tree,
# and write permissions on the users/groups used by the WebApps and WebSrvs.
# The use of a proxy user is required for WebApps and WebSrvs.
# With ActiveDirectory, you can use any Domain Administrator DN as a proxy user,
# which should look like cn=Administrator,cn=Users,dc=mydomain,dc=com.
proxy_user "cn=Administrator,cn=Users"
proxy_password "Password1234"
# Super administrators have extended WebADM privileges such as setup permissions,
# additional operations and unlimited access to any LDAP encrypted data. Access
# restriction configured in the WebADM OptionSets do not apply to super admins.
# You can set a list of individual LDAP users or LDAP groups here.
# With ActiveDirectory, your administrator account should be is something like
# cn=Administrator,cn=Users. And you can replace the sample
# super_admins group on the second line with an existing security group.
super_admins "cn=Administrator,cn=Users", \
"cn=Domain Admins,cn=Users"
# LDAP objectclasses
container_oclasses "container", "organizationalUnit", "organization", "domain",
"locality", "country", \
"openldaprootdse", "treeroot"
# user_oclasses is used to build the LDAP search filter with 'Domain' auth_mode.
# If your super admin user user does not have one of the following objectclasses,
# add one of its objectclasses to the list.
user_oclasses "user", "account", "person", "inetOrgPerson", "posixAccount"
group_oclasses "group", "groupOfNames", "groupOfUniqueNames", "dynamicGroup",
"posixGroup"
# With ActiveDirectory 2003 only, you need to add the 'user' objectclass to the
# webadm_account_oclasses and the 'group' objectclass to the webadm_group_oclasses.
webadm_account_oclasses "bootabledevice"
webadm_group_oclasses "bootabledevice"
webadm_config_oclasses "device"
# LDAP attributes
certificate_attrs "userCertificate"
password_attrs "userPassword", "unicodePwd", "sambaNTPassword"
uid_attrs "uid", "samAccountName", "userPrincipalName"
member_attrs "member", "uniqueMember"
memberof_attrs "memberOf", "groupMembership"
memberuid_attrs "memberUid"
language_attrs "preferredLanguage"
mobile_attrs "mobile", "otherMobile"mobile_attrs "mobile", "otherMobile" mail_attrs "mail", "otherMailbox" webadm_data_attrs "bootFile" webadm_settings_attrs "bootParameter" webadm_type_attrs "serialNumber" # Find below the LDAP containers required by WebADM. # Change the container's DN to fit your ldap tree base. # WebADM AdminRoles container adminroles_container "cn=AdminRoles,cn=WebADM" # WebADM Optionsets container optionsets_container "cn=OptionSets,cn=WebADM" # WebApp configurations container webapps_container "cn=WebApps,cn=WebADM" # WebSrv configurations container websrvs_container "cn=WebSrvs,cn=WebADM" # Mount points container mountpoints_container "cn=Mountpoints,cn=WebADM" # Domain and Trusts container domains_container "cn=Domains,cn=WebADM" # Clients container clients_container "cn=Clients,cn=WebADM" # You can set here the timeout (in seconds) of a WebADM session. # Web sessions will be closed after this period of inactivity. # The Manager Interface cookie-based sessions are disabled by default. admin_session 900 manager_session 0 webapps_session 600 # You can set here the WebADM internal cache timeout. A normal value is one hour. cache_timeout 3600 # Application languages languages "EN","FR","DE","ES","IT","FI" # WebADM encrypts LDAP user data, sensitive configurations and user sessions with # AES-256. The encryption key(s) must be 256bit base64-encoded random binary data. # Use the command 'openssl rand -base64 32' to generate a new encryption key. # Warning: If you change the encryption key, any encrypted data will become invalid! # You can set several encryption keys for key rollout. All the defined keys are used # for decrypting data. And the first defined key is used to (re-)encrypt data. # Two encryption modes are supported: # Standard: AES-256-CBC (default) # Advanced: AES-256-CBC with per-object encryption (stronger) encrypt_data Yes encrypt_mode Standard encrypt_hsm No encrypt_key "10FiU5OKkO8FjthFHfRr5ZbsTr5XCPFUnk6iCDxZqHE=" # Hardware Cryptography Module # Yubico YubiHSM and RCDevs HSMHub are currently supported for hardware encryption. # Up to 8 HSM modules can be concurrently attached to the server.
#hsm_model YubiHSM #hsm_keyid 1 # The data store defines which back-end is used for storing user data and settings. # By default WebADM stores any user and group metadata in the LDAP objects. By setting # the data_store to SQL, these metadata are stored in a dedicated SQL table. # LDAP remains the preferred option because it maximizes the system consistency. # SQL should be used only if you need read-only LDAP access for the proxy_user. data_store LDAP # The record store defines which back-end is used to store SpanKey records. # Choose SQL to store records in the database and NAS to store on a shared NAS folder. # With NAS, the store_path must be configured and accessible from all cluster nodes. record_store SQL #record_path "/mnt/records" # The group mode defines how WebADM will handle LDAP groups. # - Direct mode: WebADM finds user groups using the memberof_attrs defined above. # In this case, the group membership is defined in the LDAP user objects. # - Indirect mode: WebADM finds user groups by searching group objects which contain # the user DN as part of the member_attrs. # - Auto: Both direct and indirect groups are used. # - Disabled: All LDAP group features are disabled in WebADM. # By default (when group_mode is not specified) WebADM handles both group modes. group_mode Auto # LDAP cache increases a lot of performances under high server loads. The cache limits # the number of LDAP requests by storing resolved user DN and group settings. When # enabled, results are cached for 300 secs. ldap_cache Yes # LDAP routing enables LDAP request load-balancing when multiple LDAP servers are # configured in servers.xml. You should enable this feature only if the LDAP server # load becomes a bottleneck due to a big amount of users (ex. more than 10000 users). #ldap_routing No # You can optionally disable some features if you run multiple WebADM servers with # different purposes. For example, if you don't want to provide admin portal on an # Internet-exposed WebApps and WebSrvs server. # By default, all the functionalities are enabled. enable_admin Yes enable_manager Yes enable_webapps Yes enable_websrvs Yes # Enable syslog reporting (disabled by default). When enable, system logs are sent # to both the WebADM log files and syslog. #log_debug No #log_format Default #log_mixsql No #log_syslog No #syslog_facility LOG_USER #syslog_format CEF
#syslog_format CEF # Alerts are always recorded to the SQL Alert log. Additionally, when alert_email # or alert_mobile is defined, the alerts are also sent by email/SMS. #alert_email "me@mydomain.com" #alert_mobile "+33 12345678" # Alert users via email when a login certificate or ActiveDirectory domain password # is near expiration. The templates are defined in ldap_expire_xxx and cert_expire_xxx. user_warning Yes # If your WebADM server is used behind a reverse-proxy or load-balancer, you need to # set the IP address(es) of your reverse-proxy server(s). Your proxy MUST create the # HTTP_X_FORWARDED_FOR and HTTP_X_FORWARDED_HOST headers. #reverse_proxies "192.168.0.100", "192.168.0.101" # If you use WebADM Publishing Proxy (WAProxy) for publishing applications on public # networks, then you must set the IP address(es) of the WAProxy server(s). # Enable this setting ONLY if you are using RCDevs WAProxy as reverse-proxy! #waproxy_proxies "192.168.0.102" # The public DNS name of your WAProxy server #waproxy_pubaddr "www.myproxy.com" # Check for new product versions and license updates on RCDevs' website. # These features require outbound Internet access from the server. check_versions Yes check_licenses Yes # WebApps theme (default or flat) # Comment the following line to disable the default theme. webapps_theme "default" # End-user message templates # The following variables are available: %USERNAME%, %USERDN%, %USERID%, %DOMAIN%, %APPNAME% # Additional variables are available depending on the context: %APPNAME%, %APPID%, %TIMEOUT%, %EXPIRES% app_unlock_subject "Unlocked access to %APPNAME%" app_unlock_message "Hello %USERNAME%,\r\n\r\nYou have a one-time access to the %APPNAME%.\r\nYour access will automatically expire %EXPIRES%." ldap_expire_subject "Login password near expiration" ldap_expire_message "Hello %USERNAME%,\r\n\r\nYour login password will expire %EXPIRES%.\r\nPlease reset your password before expiration!\r\n\r\nRegards" cert_expire_subject "Login certificate near expiration" cert_expire_message "Hello %USERNAME%,\r\n\r\nYour login certificate will expire %EXPIRES%.\r\nPlease renew your certificate before expiration!\r\n\r\nRegards" # Personalization options # You can customize your organization name, logo file and website URL. # The logo file must be PNG image with size 100x50 pixels. #org_name "RCDevs SA" #org_logo "rcdevs.png" #org_site "http://www.rcdevs.com/"
# Misc options #treeview_width 300 #treeview_items 1500 #default_portal Admin #ldap_uidcase No #ntp_server "myserver.local" Adjust the LDAP containers with your configuration : Note You don’t have to change the first part of each container DN. You have to edit LDAP containers DN according to your domain and your OU. My Organizational Unit DN is ou=WebADM,dc=mydomain,dc=com . The ldap treebase (dc=mydomain,dc=com) is not required for LDAP containers, proxy_user and super_admin because of the setting ldap_treebase just above. # Find below the LDAP containers required by WebADM. # Change the container's DN to fit your ldap tree base. # WebADM AdminRoles container adminroles_container "cn=AdminRoles,ou=WebADM" # WebADM Optionsets container optionsets_container "cn=OptionSets,ou=WebADM" # WebApp configurations container webapps_container "cn=WebApps,ou=WebADM" # WebSrv configurations container websrvs_container "cn=WebSrvs,ou=WebADM" # Mount points container mountpoints_container "cn=Mountpoints,ou=WebADM" # Domain and Trusts container domains_container "cn=Domains,ou=WebADM" # Clients container clients_container "cn=Clients,ou=WebADM" 4.3 Proxy User A proxy user needs to perform a wide LDAP search and reads. It also requires read-only permissions to the WebADM LDAP configurations (ie. configured containers) and to the user Domains subtrees. A proxy user needs to do some write operations to a few LDAP attributes because it needs to store dynamic application user data into the users. Have a look on the following documetation to have more information about proxy_user rights : AD Proxy User. proxy_user "cn=proxy_user,cn=Users" proxy_password "Password1234"
WebADM OU Rights
Your proxy_user account should have the read right on your WebADM Organizational Unit previously created!
4.4 WebADM Administrator(s)
To allow an administrator or an admin group to log on to the WebADM interface, you have to edit the super_admin setting in
webadm.conf:
super_admins "cn=Administrator,cn=Users", \
"cn=Domain Admins,cn=Users"
WebADM OU Rights
Your super_admin administrator(s) should have the read/write rights on your WebADM Organizational Unit previously created!
Have a look on the following documentation to have more information about the super_admin rights.
5. Servers Configuration
5.1 LDAP Server
LDAP server(s) have to be set in /opt/webadm/conf/servers.xml file. Edit this file and configure the LDAP section
like below:
Note
Note : For the extended schema scenario, you have to set the schema master server. And if you provide more than 1 LDAP server
in servers.xml, the schema master will be the first. To provide more than 1 LDAP server you should have an enterprise license.
5.2 SQL ServerWebADM uses a database to store audit logs and localized messages. Application configurations, users and their metadata are directly stored in LDAP rather than in the databases. WebADM supports both MySQL and PostgreSQL databases. Other databases are not currently fully tested. You must create a webadm database on your SQL server and a webadm user with password webadm, having full permissions on that database. Edit the /opt/webadm/conf/servers.xml file and adjust the SQL Server parameters such as the database username and password. Install with Debian repository: apt-get install mariadb-server systemctl enable mariadb systemctl start mariadb mysql_secure_installation /opt/webadm/doc/scripts/create_mysqldb Installation with yum repository: yum install mariadb-server systemctl enable mariadb systemctl start mariadb mysql_secure_installation /opt/webadm/doc/scripts/create_mysqldb SQL configuration in servers.xml file : Configure the SQL information according to your setup. 6. WebADM Services After editing webadm.conf & servers.xml files, you have to restart or start the WebADM services. Type the following command to do it: /opt/webadm/bin/webadm restart WebADM configuration through the command line interface is done. We can finish the setup through the Web interface.
7. WebADM Setup Wizard Please, go to the Web interface, type the IP address or DNS name of your WebADM server in the URL field of your web browser. For the first login, you have to use the FULL DN of your super_admin user defined in webadm.conf. Once logged on WebADM interface, you will have a message on the first page saying: Your WebADM installation is not completely configured! Note If you have chosen the extended schema scenario, you have to log in with the schema admin account defined in webadm.conf file. Scroll down at the end of this page and click on the blue button to finish the setup. Installation and configuration are done. You can log out and log in again now not with the DN but with the username. 8. WebADM Domain Configuration and OpenOTP Registration To finish, go on WebADM GUI, click on Admin on the top and click on Local Domains option. You can show “Default” in Registered Local Domains. This object was created during the graphical setup. Click on CONFIGURE and check the box Domain Name Aliases . In this field, put your Domain name and NetBIOS domain name. Example If my domain is rcdevs.com and my netbios name is netbiosrcdevs, I will set in the field rcdevs.com, rcdevs, netbiosrcdevs. You can also configure your User Search Base here. You have now to register the OpenOTP application to enable the service. To do it, go on Applications tab, in Categories box, select Authentication . Under Web Services, you will find
MFA Authentication Server (OpenOTP) . Click on Register button. Configuration is done! You can use your Active Directory with WebADM & OpenOTP. 9. Video Tutorial Without Schema Extension Play Video on Youtube This manual was prepared with great care. However, RCDevs S.A. and the author cannot assume any legal or other liability for possible errors and their consequences. No responsibility is taken for the details contained in this manual. Subject to alternation without notice. RCDevs S.A. does not enter into any responsibility in this respect. The hardware and software described in this manual is provided on the basis of a license agreement. This manual is protected by copyright law. RCDevs S.A. reserves all rights, especially for translation into foreign languages. No part of this manual may be reproduced in any way (photocopies, microfilm or other methods) or transformed into machine-readable language without the prior written permission of RCDevs S.A. The latter especially applies for data processing systems. RCDevs S.A. also reserves all communication rights (lectures, radio and television). The hardware and software names mentioned in this manual are most often the registered trademarks of the respective manufacturers and as such are subject to the statutory regulations. Product and brand names are the property of RCDevs S.A. © 2021 RCDevs SA, All Rights Reserved
You can also read
