When the server is installed on a Linux system, all users should be defined in the Settings/Access Control/Users window.
The first user is the Administrator user; additional users can be defined as needed.
It is also possible to configure the Tomcat application server on the Faddom appliance to authenticate users against Active Directory over LDAP.
To do this, perform the following configuration steps:
- In the Access Control screen under Settings, create a user whose name is identical to your user name in Active Directory and assign it the Administrator role.
This prevents you from being locked out after switching authentication methods: LDAP only authenticates the login, and Faddom still looks up the user's permissions by name.
- Log in to the Faddom Server appliance over SSH as the root user, with the password you set during installation.
- In the context.xml file in the /usr/local/tomcat9/conf folder, define a JNDI realm that authenticates against LDAP. The file contains a predefined example that you can uncomment and adapt (see the example below).
Make sure to comment out the PostgresJDBCRealm so that authentication is performed against LDAP only.
- After making changes to context.xml, restart the Tomcat service with the command:
systemctl restart tomcat
Following is a sample realm configuration.
The bold fields must be updated to match your environment, and some additional fields may need to be changed depending on your configuration. The LDAP user (the connectionName) must be an account defined in Active Directory that Tomcat can use to perform the LDAP queries.
An ordinary domain user account is sufficient; it does not need any special permissions.
You can view the full details on JNDI Realm configuration in the official Apache documentation here: https://tomcat.apache.org/tomcat-9.0-doc/realm-howto.html#JNDIRealm
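The following context.xml fragment is an added example of a JNDIRealm for Active Directory; it is not the stanza shipped in the Faddom appliance's context.xml, and the domain controller host names, the service account DN, the base DN and the search filters are assumptions that must be replaced with values from your own directory. It shows the database realm commented out and the LDAP realm in its place, with the user search keyed on sAMAccountName and the role search keyed on group membership.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example for /usr/local/tomcat9/conf/context.xml (not the appliance's own file).
     Assumed values: dc01/dc02.corp.example.com, the svc-faddom-ldap service account,
     and the DC=corp,DC=example,DC=com base DN. Replace them with your own. -->
<Context>

    <!-- The appliance's database realm is wrapped in a comment so that only
         LDAP is consulted. The exact attributes are whatever the shipped
         PostgresJDBCRealm element contains; they are elided here.
    <Realm className="PostgresJDBCRealm" ... />
    -->

    <!-- Port 3269 is the Global Catalog over SSL, as the LDAPS step requires.
         The JVM must trust the CA that issued the domain controllers'
         certificates (see the keytool import step), or the bind will fail
         with a PKIX path-building error in the localhost log. -->
    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionURL="ldaps://dc01.corp.example.com:3269"
           alternateURL="ldaps://dc02.corp.example.com:3269"

           <!-- Ordinary domain account used only to run the searches;
                the password is stored in clear text, so restrict read
                access to this file to root and the account Tomcat runs as. -->
           connectionName="CN=svc-faddom-ldap,OU=Service Accounts,DC=corp,DC=example,DC=com"
           connectionPassword="REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD"

           <!-- {0} is the name typed at the login screen. Matching on
                sAMAccountName is what makes the Faddom user created in
                step 1 line up with the Active Directory login name. -->
           userBase="DC=corp,DC=example,DC=com"
           userSearch="(&amp;(objectClass=user)(sAMAccountName={0}))"
           userSubtree="true"

           <!-- Roles are the CNs of the groups whose member attribute
                contains the authenticated user's DN ({0} here is the DN).
                Whether the appliance's web.xml needs any of these roles is
                not stated on this page; the attributes are an assumption. -->
           roleBase="DC=corp,DC=example,DC=com"
           roleName="cn"
           roleSearch="(member={0})"
           roleSubtree="true" />

</Context>
```

Note that XML comments cannot appear inside a start tag; the comments placed between the attributes above are there to explain each group and must be removed (or moved above the element) before the file is loaded, otherwise Tomcat will refuse to parse context.xml. After editing, restart Tomcat with systemctl restart tomcat and confirm the login against the localhost log rather than assuming success.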
Additional Step for LDAPS
For LDAPS integration, set the port to 3269 rather than 636. Port 3269 is the Global Catalog port over SSL: the Global Catalog answers forest-wide searches directly, whereas a subtree search against a single domain controller on 636 can return referrals that the realm would then have to chase.
Additionally, the CA certificate that issued your domain controllers' LDAPS certificate must be trusted by the Java runtime that runs Tomcat, which means importing it into the Java trust store (/etc/pki/java/cacerts on the appliance). To do this, use the procedure below.
- Upload the CA certificate (PEM or DER) to the Faddom server
- Run the command below. changeit is the default trust-store password; the alias only needs to be unique within the store. Restart Tomcat afterwards, because the JVM reads the trust store at startup.
keytool -importcert -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit -alias <alias> -file <filepath>
If you get an invalid username/password error, check the date-stamped localhost log file (localhost.YYYY-MM-DD.log) in the /usr/local/tomcat9/logs folder. The cause is usually a problem with the JNDI realm configuration, such as a wrong connectionName or password, a wrong userBase, or an LDAPS certificate that the JVM does not trust.
If you get a Permission Denied screen, the login itself succeeded but the user has no permissions in Faddom, most likely because step 1 above (creating a Faddom user with the same name as your Active Directory user) was skipped. Revert to the default authentication, give the user access, and then switch back to LDAP.
Setting up SSL access to the Faddom Server
The Faddom server comes pre-configured with SSL access, using a self-signed certificate on port 9443.
The certificate is located in a java keystore in /usr/local/tomcat9/conf/.keystore
It is possible to replace the certificate in that keystore, or to use a different keystore and reference it in the /usr/local/tomcat9/conf/server.xml file.
Detailed instructions on configuring SSL on Tomcat and importing certificates can be found in the official Apache Tomcat SSL/TLS how-to: https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
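The following server.xml fragment is an added example of the second option above, pointing the port 9443 connector at a separate keystore instead of the bundled .keystore; it is not the connector shipped on the appliance, and the keystore path, type, password and alias are assumptions.

```xml
<!-- Added example for the HTTPS connector in /usr/local/tomcat9/conf/server.xml
     (not the appliance's own connector). Assumed values: a PKCS12 file at
     /usr/local/tomcat9/conf/faddom.p12 holding a CA-issued certificate under
     the alias "faddom". The bundled self-signed certificate in
     /usr/local/tomcat9/conf/.keystore is left untouched. -->
<Connector port="9443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           maxThreads="150">

    <!-- Accept only TLS 1.2 and 1.3 and prefer the server's cipher order;
         older protocol versions are refused. -->
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3"
                   honorCipherOrder="true">

        <!-- The PKCS12 file must contain the private key, the server
             certificate and the intermediate CA chain under one alias,
             otherwise clients see an incomplete chain. -->
        <Certificate certificateKeystoreFile="/usr/local/tomcat9/conf/faddom.p12"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="REPLACE_WITH_KEYSTORE_PASSWORD"
                     certificateKeyAlias="faddom"
                     type="RSA" />

    </SSLHostConfig>
</Connector>
```

Restart Tomcat after the change, restrict read access to the keystore file to the account Tomcat runs as, and verify from a client (a browser, or openssl s_client against port 9443) that the presented chain is complete and matches the appliance's host name.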