Configure security

User and role maintenance

The users and roles are maintained through the Security module in DIH.

Authentication

By default, user logins are authenticated against the locally defined users in DIH. However, this configuration can be modified to authenticate against an LDAP server or to use Single Sign-On (SSO).

Local authentication

If the property com.ria.core.auth.store is set to local, logins are authenticated against the local DIH user definitions. By default, the installation includes the user ID ria with the password ria00. This user has administrator access and can be used to create additional users and manage their access through roles.

LDAP authentication

If the property com.ria.core.auth.store is set to ldap, you need to specify the following LDAP properties to point DIH to the LDAP server and to define the other details used for authentication and assertion.

com.ria.core.ldap.url
    URL of the LDAP server.

com.ria.core.ldap.userdn
    Distinguished name of the bind user. This user must have the privileges to authenticate other users and to search the directory to validate memberships if the property com.ria.core.ldap.verify specifies the filter option.

com.ria.core.ldap.password
    Password of the com.ria.core.ldap.userdn user. It can be stored encrypted or in clear text.

com.ria.core.ldap.user.base
    Root (base) distinguished name under which user IDs are located. For example, in an embedded WebLogic LDAP this would be something like ou=people, ou=myrealm, or dc=admin_domain.

com.ria.core.ldap.user.pattern
    Filter pattern used for authenticating a user. The {user} placeholder must be embedded in this text; it is substituted with the user ID at the time of authentication. For example, uid={user} or sAMAccountName={user}.

com.ria.core.ldap.verify
    Specifies how to further confirm that an authenticated user is authorized to log in. If this property is set to filter, an LDAP search filter must be specified in the com.ria.core.ldap.group.filter property to validate the user further.

com.ria.core.ldap.group.base
    Optional and only applicable if com.ria.core.ldap.verify is set to filter. This property defines the base distinguished name for the group filter. If not specified, it defaults to the com.ria.core.ldap.userdn value.

com.ria.core.ldap.group.filter
    Optional and only applicable if com.ria.core.ldap.verify is set to filter. This property defines an LDAP search string that verifies whether a user is authorized to log in. You can insert the placeholder {user} anywhere in the filter string; it is replaced with the user ID at the time of authentication. For more information, see Filter.

Filter

A common use case for the filter is to verify that a user is a member of a specific group, but any valid filter can be specified.

For example, in an embedded WebLogic LDAP, you can use the following to verify that a user belongs to the cisusers group.

(&(objectclass=person)(uid={user})(wlsMemberOf=cn=cisusers,ou=groups,ou=myrealm,dc=admin_domain))

Similarly, you can use the following to determine whether a user belongs to the scientist group on the LDAP server located at ldap://ldap.forumsys.com:389, using the base DN dc=example, dc=com.

(&(objectclass=groupOfUniqueNames)(cn=Scientists)(uniqueMember=uid={user},dc=example,dc=com))
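The following is an added example, not DIH's own code, showing how the property set described above can be checked for consistency and how the {user} placeholder in com.ria.core.ldap.user.pattern and com.ria.core.ldap.group.filter should be resolved: the user ID is escaped per RFC 4515 before substitution, so a login name containing filter metacharacters remains a literal value in the search filter. The properties file, the bind DN and the server URL are constructed sample values; how DIH itself performs the substitution internally is not documented on this page.

```python
# Added example (not DIH's own code): check the com.ria.core.ldap.* properties described
# above for consistency and resolve {user} with RFC 4515 escaping (\ * ( ) NUL -> \xx).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

LDAP_REQUIRED = ("com.ria.core.ldap.url", "com.ria.core.ldap.userdn",
                 "com.ria.core.ldap.user.base", "com.ria.core.ldap.user.pattern")

def escape_filter_value(value: str) -> str:
    """Escape a string so it is treated as a literal assertion value in a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def parse_properties(text: str) -> dict:
    """Parse key=value lines, ignoring blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")  # split on the first '=' only
            props[key.strip()] = value.strip()
    return props

def validate_ldap_properties(props: dict) -> list:
    """Return configuration problems; an empty list means the set is consistent."""
    if props.get("com.ria.core.auth.store") != "ldap":
        return []  # LDAP properties are not consulted for local or SSO authentication
    problems = [f"{k} is required when auth.store=ldap" for k in LDAP_REQUIRED if not props.get(k)]
    if "{user}" not in props.get("com.ria.core.ldap.user.pattern", ""):
        problems.append("com.ria.core.ldap.user.pattern must contain {user}")
    if props.get("com.ria.core.ldap.verify") == "filter" and not props.get("com.ria.core.ldap.group.filter"):
        problems.append("verify=filter requires com.ria.core.ldap.group.filter")
    return problems

def resolve_filter(template: str, user_id: str) -> str:
    """Substitute every {user} placeholder with the escaped user ID."""
    return template.replace("{user}", escape_filter_value(user_id))

# Constructed sample properties, based on the embedded WebLogic LDAP example above.
SAMPLE_PROPERTIES = """
com.ria.core.auth.store=ldap
com.ria.core.ldap.url=ldap://ldap.example.internal:389
com.ria.core.ldap.userdn=cn=dihbind,ou=people,ou=myrealm,dc=admin_domain
com.ria.core.ldap.user.base=ou=people,ou=myrealm,dc=admin_domain
com.ria.core.ldap.user.pattern=uid={user}
com.ria.core.ldap.verify=filter
com.ria.core.ldap.group.filter=(&(objectclass=person)(uid={user})(wlsMemberOf=cn=cisusers,ou=groups,ou=myrealm,dc=admin_domain))
"""

if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print(validate_ldap_properties(props), resolve_filter(props["com.ria.core.ldap.group.filter"], "jsmith"))
```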

SSO

For SSO configuration, refer to the ria-dih-sso-guide.docx document. Local or LDAP authentication is not used if SSO is configured, but note that the authorization of what a user is allowed to access in DIH is controlled within DIH in all cases.

Authorization

Access to DIH menus and objects is controlled by creating roles and linking them to user IDs. The roles are maintained in the Security module in DIH.

User IDs that are not tagged as Admin User are limited to the menus and objects accessible through their assigned roles. However, a user tagged as Admin User has access to all menus and objects.