Contributor
Posts: 29
Registered: ‎10-12-2015
Accepted Solution

LDAP Authentication with Apollo for users across multiple DNs

Hi,

I am trying to configure Apollo Tomcat Setup with LDAP Authentication.

The LDAP authentication works fine when the base DN is set to a particular OU or CN in AD. But for one of our projects the customer has set up its AD configuration in such a way that there are multiple OUs and each OU has a nested OU (child OU=Users), under which all the users are available. In other words, the users of AD are spread across multiple nested OUs.
When I try to put the baseDN as the server root (DC=domain, DC=com), and try with an appropriate userFilter attribute, it does not work. I have tried different search filter criteria but none of them work. The idea is to have a configuration in such a way that all the users across different OUs are authenticated by Apollo using LDAP.

This issue is more towards AD, as I can't even set the appropriate search filter on the server root in Apache AD Studio, to search for users across nested OUs.



Here is the sample LDAP config used in Apollo for a single OU or CN:

 

apollo-jaas {
  org.ldaptive.jaas.LdapLoginModule required
    storePass="true"
    ldapUrl="ldap://111.111.111.111:389"
    baseDn="CN=Users,dc=domain,dc=com"
    useStartTLS="false"
    bindDn="CN=testuser,CN=Users,DC=domain,DC=com"
    bindCredential="password"
    userFilter="(CN={user})";
  org.ldaptive.jaas.LdapRoleAuthorizationModule required
    useFirstPass="true"
    ldapUrl="ldap://111.111.111.111:389"
    baseDn="CN=Users,dc=domain,dc=com"
    bindDn="CN=testuser,CN=Users,DC=domain,DC=com"
    bindCredential="password"
    roleFilter="(member={dn})"
    roleAttribute="cn";
};


Has anybody faced a similar AD implementation while configuring Apollo with LDAP? Please suggest.

Rohit Sinha
Hexagon Geospatial
Technical Evangelist
Posts: 847
Registered: ‎07-30-2015

Re: LDAP Authentication with Apollo for users across multiple DNs

Hi Rohit,

 

Tomcat is the application server for Apollo 2016. I found the following article:
https://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html

 

I'm not an LDAP expert, but it looks like CombinedRealm has the ability to combine multiple Realms of the same or different types (e.g., JNDIRealm for LDAP).

 

Hope it helps & best
haiyan

Contributor
Posts: 29
Registered: ‎10-12-2015

Re: LDAP Authentication with Apollo for users across multiple DNs

Hi All,

 

I got it working by changing the jaas configuration as below. Adding the subtreeSearch parameter did the trick.

 

apollo-jaas {
  com.erdas.apollo.jaas.security.DBJaasLoginModule required debug=false;
};

apollo {
  org.ldaptive.jaas.LdapLoginModule required
    storePass="true"
    ldapUrl="ldap://111.111.111.111:389"
    baseDn="dc=domain,dc=com"
    useStartTLS="false"
    subtreeSearch="true"
    bindDn="CN=testuser,CN=Users,DC=domain,DC=com"
    bindCredential="password"
    userFilter="(CN={user})";
  org.ldaptive.jaas.LdapRoleAuthorizationModule required
    useFirstPass="true"
    ldapUrl="ldap://111.111.111.111:389"
    baseDn="CN=Users,dc=domain,dc=com"
    bindDn="CN=testuser,CN=Users,DC=domain,DC=com"
    bindCredential="password"
    roleFilter="(member={dn})"
    roleAttribute="cn";
};

 

 

Rohit Sinha
Hexagon Geospatial
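The search-scope behaviour behind the fix above, as an added example (not code from the thread, ERDAS APOLLO or ldaptive): it resolves a user DN for the `(CN={user})` filter over a constructed directory, first with a one-level search and then with a subtree search. It assumes that the search is one-level when `subtreeSearch` is not set, which matches what the posts report; the OU names, user names and function names are made up. It also covers the case where the CN filter matches more than one entry once the search spans every OU, which a resolver has to reject rather than pick one.

```python
# Constructed sample directory (not from the thread). In AD a CN only has
# to be unique inside its own container, so "jsmith" can exist twice.
ENTRIES = [
    "CN=testuser,CN=Users,DC=domain,DC=com",
    "CN=jsmith,OU=Users,OU=Sales,DC=domain,DC=com",
    "CN=adavis,OU=Users,OU=Sales,DC=domain,DC=com",
    "CN=jsmith,OU=Users,OU=Engineering,DC=domain,DC=com",
]


def rdns(dn):
    """Split a DN into lower-cased RDNs (sample DNs contain no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]


def in_scope(entry, base, subtree):
    """True if entry lies below base: any depth for subtree, one level otherwise."""
    e, b = rdns(entry), rdns(base)
    if len(e) <= len(b) or e[-len(b):] != b:
        return False
    return subtree or len(e) == len(b) + 1


def resolve_dn(user, base, subtree):
    """Return the single DN matching (CN={user}) under base, else raise."""
    want = "cn=" + user.lower()
    hits = [dn for dn in ENTRIES
            if in_scope(dn, base, subtree) and rdns(dn)[0] == want]
    if len(hits) != 1:
        # Zero hits: user not visible in this scope. Several hits: ambiguous,
        # so authentication must fail instead of binding as an arbitrary one.
        raise LookupError(f"{len(hits)} entries match CN={user} under {base}")
    return hits[0]


if __name__ == "__main__":
    root = "DC=domain,DC=com"
    for user, base, subtree in [
        ("testuser", "CN=Users,DC=domain,DC=com", False),  # original config
        ("adavis", root, False),   # root base, one level: nested OUs unseen
        ("adavis", root, True),    # root base, subtree: found
        ("jsmith", root, True),    # subtree: two OUs hold this CN
    ]:
        try:
            print(user, subtree, "->", resolve_dn(user, base, subtree))
        except LookupError as err:
            print(user, subtree, "-> rejected:", err)
```

In Active Directory, sAMAccountName is unique across the domain while CN is unique only within its container, so a filter on that attribute avoids the ambiguous case.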