This page (revision-32) was last changed on 26-Nov-2021 10:22 by Kevin Higgs

This page was created on 26-Nov-2021 10:22 by jmyers


Difference between version and

At line 16 added 10 lines
In order to use Active Directory authentication, records must exist in the following tables:
*P2K_HR_IDENTITIES
*P2K_HR_PERSONALS
*P2K_HR_EMPLOYMENTS
*P2K_HR_ASSIGNMENTS
*P2K_HR_ASSIGNMENT_DETAILS
*P2K_RE_CANDIDATES - If a candidate code is not found, the process will attempt to insert a new candidate record automatically when the user attempts to log in.
SSL over LDAP - LDAPS is now supported: the application can now authenticate users against servers using the LDAPS protocol.
At line 33 added 2 lines
*[LDAP FACTORY|LDAP FACTORY(System Preference)|LDAP FACTORY(System_Preference)] - Site Preference that can now be configured by the client.
*[LDAP_UNAME_LCASE|LDAP_UNAME_LCASE(System Preference)|LDAP_UNAME_LCASE(System_Preference)] - Used to determine whether user names must be converted to all lower case.
At line 45 added 4 lines
To enable the SSL over LDAP / LDAPS feature, open the IMLN screen, navigate to the 'X_LDAP_DOMAINS' record, and add the text 'ldaps://' to the start of the server URL (Lexicon Value 'Meaning') of any server that is configured to use LDAPS. For example, if the LDAP server at 'valasca.highlinecorp.com' is configured to use LDAPS, the Lexicon Value Meaning should be set to 'ldaps://valasca.highlinecorp.com'. If the LDAP server is not configured for SSL (i.e. it uses just the ldap protocol), then adding a prefix to the URL is not necessary and not recommended; in this example 'valasca.highlinecorp.com' is sufficient.
The site preference LDAP_UNAME_LCASE can be used to indicate whether a username should be converted to lowercase before the credentials are sent to the LDAP server for authentication. If this value is not added to Site Preferences, or its value is 'N', then usernames will be passed to the LDAP server exactly as they were entered by the user. The default value for this preference is 'No'.
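The two settings above, worked as an added Python example (not code from the original page or from the product): the lexicon 'Meaning' value is turned into a host, port and TLS flag, and LDAP_UNAME_LCASE is applied to the entered name. The 'Y' value meaning "yes" is an assumption; the page only documents 'N' and a missing preference as "no".

```python
# Added example (not part of the original wiki page): resolves the LDAP target
# from an X_LDAP_DOMAINS lexicon 'Meaning' value and applies LDAP_UNAME_LCASE
# as the page describes. The 'Y' value meaning "yes" is an assumption; the
# page only documents 'N' and a missing preference as "no".
from dataclasses import dataclass

LDAP_PORT = 389    # plain LDAP
LDAPS_PORT = 636   # LDAP over SSL/TLS

@dataclass(frozen=True)
class LdapTarget:
    host: str
    port: int
    use_tls: bool
    url: str

def resolve_target(lexicon_meaning: str) -> LdapTarget:
    """Turn a lexicon 'Meaning' into host, port, TLS flag and a full URL.

    Only an 'ldaps://' prefix is meaningful; a bare host means plain LDAP on
    389. Any other scheme is rejected, since the page says a prefix is neither
    necessary nor recommended for servers that speak plain LDAP.
    """
    value = lexicon_meaning.strip()
    use_tls = value.lower().startswith("ldaps://")
    if use_tls:
        value = value[len("ldaps://"):]
    elif "://" in value:
        raise ValueError(f"unexpected scheme in lexicon value: {lexicon_meaning!r}")
    host, _, explicit_port = value.partition(":")   # optional host:port form
    if not host or "/" in host or " " in host:
        raise ValueError(f"lexicon value must be a host name: {lexicon_meaning!r}")
    port = int(explicit_port) if explicit_port else (LDAPS_PORT if use_tls else LDAP_PORT)
    scheme = "ldaps" if use_tls else "ldap"
    return LdapTarget(host, port, use_tls, f"{scheme}://{host}:{port}")

def normalize_username(entered: str, site_prefs: dict) -> str:
    """Apply the LDAP_UNAME_LCASE site preference.

    Missing preference or 'N': pass the name through exactly as entered.
    'Y' (assumed spelling of "yes"): lower-case it before the LDAP bind.
    """
    if site_prefs.get("LDAP_UNAME_LCASE", "N").strip().upper() == "Y":
        return entered.lower()
    return entered
```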
At line 40 changed one line
**If Active Directory authentication fails, before displaying a failed login message, authenticate using standard [{$applicationname}] methods. IF the password is NULL in [{$applicationname}] the user is ONLY allowed to log in via the Active Directory authentication.
**If Active Directory authentication fails, before displaying a failed login message, authenticate using standard Personality methods. IF the password is NULL in Personality the user is ONLY allowed to log in via the Active Directory authentication.
At line 66 added 24 lines
!!Firewall Configuration
Since the LDAP authentication is performed by the WebLogic Server, it must be able to communicate with the LDAP server through the standard ports. Two ports are used for LDAP communication: port 389 for LDAP, and port 636 for LDAPS using SSL/TLS encryption.\\
\\
!!LDAP Troubleshooting
Since the LDAP authentication is handled by a limited number of Java classes, we're able to turn on tracing with the TraceModes.xml file. Adding the following lines, forcing a reload of the file from IMST and setting tracing to 'Finest' can help with troubleshooting:\\
*<traceRule className="com.highlinecorp.schema.UserContext"/>
*<traceRule className="com.highlinecorp.view.common.legacy.WebUserContext"/>
*<traceRule className="com.highlinecorp.business.am.Accessors"/>\\
\\
LDAPS presents additional difficulties with authentication. Since LDAPS connects to the remote server via an SSL connection, it must first successfully complete the SSL handshake with the server. If the server is using a self-signed certificate, that certificate will need to be added to Java's 'cacerts' trust store. Without this, the SSL handshake with the server will fail every time.\\
\\
If the server certificate is a domain-wide or wildcard certificate, the SSL options within the managed server will need to be altered. The default host name verification handler does not support wildcard certificates. Oracle provides an alternate handler that will need to be configured as outlined in the WebLogic Server documentation: [Configuring the Wildcarded Host Name Verifier|https://docs.oracle.com/middleware/1213/wls/SECMG/hostname_verifier.htm#SECMG574]\\
\\
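As an added example that is not part of the original page, the following Python preflight separates the two LDAPS handshake failures just described: a server certificate the trust store does not contain, and a server name the verifier cannot match. The CA bundle path is assumed to be a PEM export of the trust store, and hostname_matches implements the usual leftmost-label wildcard rule that a wildcard-aware verifier applies.

```python
# Added example (not part of the original wiki page): an LDAPS preflight that
# tells an untrusted (e.g. self-signed) server certificate apart from a host
# name mismatch, and shows how a wildcard-aware verifier matches names.
# ca_bundle is assumed to be a PEM export of the Java trust store.
import socket
import ssl

def hostname_matches(pattern: str, host: str) -> bool:
    """Leftmost-label wildcard matching (RFC 6125 style): '*' may only be the
    whole first label, matches exactly one label, and never a bare domain."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False            # no '*.com', no matching across dots
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""

def cert_names(cert: dict) -> list[str]:
    """DNS names from the subjectAltName of a getpeercert() dictionary."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def ldaps_preflight(host: str, ca_bundle: str, port: int = 636) -> str:
    """Return 'ok', 'untrusted-cert' or 'hostname-mismatch' for host:port.

    The chain is verified against ca_bundle (the cacerts equivalent); the
    host name is checked here with hostname_matches, so a wildcard cert is
    reported as a mismatch only when the name genuinely does not fit.
    Diagnostic use only: the application's own verifier stays in force.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = False              # name is checked below instead
    ctx.verify_mode = ssl.CERT_REQUIRED     # chain must still be trusted
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                names = cert_names(tls.getpeercert())
    except ssl.SSLCertVerificationError:
        return "untrusted-cert"             # self-signed or unknown issuer
    return "ok" if any(hostname_matches(n, host) for n in names) else "hostname-mismatch"
```

Certificates that carry the name only in the subject CN and have no subjectAltName are reported as a mismatch by this check.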
Java provides additional options for tracing SSL authentication issues. Add the following options to the Server Startup Arguments:\\
* -Djavax.net.debug=ssl
* -Dssl.debug=true
* -Dweblogic.StdoutDebugEnabled=true
* -Dweblogic.security.SSL.verbose=true