
(Optional) Configuring Authentication Server (DEX)

About this task

The current implementation of the Authentication and Authorization feature is based on the OAuth2 authorization framework and requires an available Authentication Server (DEX). The following configurations are made in the context of using the Authentication Server (DEX) that is provided in the IBM ADDI installer.

Note: These configurations are only needed if authentication of the users who have access to the resources is used.

The provided Authentication Server is based on DEX and provides an authentication solution, which connects through LDAP to Secure Storage. For more information about DEX, see https://github.com/dexidp/dex/blob/master/Documentation/connectors/ldap.md.

Note: DEX can be replaced by any other Authentication Server that supports the OAuth2 protocol.

On the machine where Authentication Server is installed, go to <IBM ADDI Installation Folder>/Authentication Server (DEX)/sample-conf/ and copy the dex.yaml file to <IBM ADDI Installation Folder>/Authentication Server (DEX)/conf/. Open the dex.yaml file by using a text editor and enter the desired values for the properties that are detailed below.

Procedure

1. Set the issuer parameter as follows.

a. If the communication to and from DEX is done through https, the issuer parameter has the following format:

https://<machine name where DEX is installed>.<machine domain>:<port>/dex

Example:

issuer: https://WIN-ASK7V692EKB.ferdinand2.com:7600/dex

b. If the communication to and from DEX is done through http, the issuer parameter has the following format:

http://<machine name where DEX is installed>.<machine domain>:<port>/dex

Example:

issuer: http://WIN-ASK7V692EKB.ferdinand2.com:7600/dex

2. The next section can be configured as follows:

a) If the communication to and from DEX is done through https, generate the TLS certificates for Authentication Server and add the paths for the certificate (.crt) and the key (.key) files in the TLSCert and TLSKey fields of the web section. The default port is 7600.

web:
  https: 0.0.0.0:7600
  TLSCert: C:\certs\dex.cert
  TLSKey: C:\certs\dex.key

b) If the communication to and from DEX is done through http, remove the TLSCert and TLSKey fields.

web:
  http: 0.0.0.0:7600

3. The skipApprovalScreen parameter can be set to true or false. The true value skips the "Grant access" screen after the user logs in, regardless of whether the connection is secured through http or https.

oauth2:
  skipApprovalScreen: true

4. The connectors section can be configured as follows:

a) Set the host parameter, including the port used by LDAP (389) or LDAPS (636).

The host parameter has the following format:

host: << IP:PORT >> or << MACHINE NAME:PORT >>

Example:

config:
  host: WIN-NSSMI7A1KJQ.ferdinand2.com:636

b) The insecureNoSSL parameter can be set to true or false. The true value sets the communication through TLS, while false sets the communication through SSL.

  # No TLS for this setup.
  insecureNoSSL: false

c) Set the bindDN parameter by adding the account that has the rights for the LDAP bind action.

  # This would normally be a read-only user.
  bindDN: CN=Administrator,CN=Users,DC=ferdinand2,DC=com

d) Set the bindPW parameter by adding the password of the account that has the rights for the LDAP bind action.

  bindPW: password

e) Do not modify the value of the usernamePrompt parameter.

  usernamePrompt: email address

5. Under the userSearch section, only modify the value of the baseDN parameter:

Note: The baseDN parameter contains the base location of all User Accounts.

userSearch:
  baseDN: dc=ferdinand2,dc=com
  filter: "(objectClass=person)"
  username: userPrincipalName
  # "DN" (case sensitive) is a special attribute name. It indicates that
  # this value should be taken from the entity's DN not an attribute on
  # the entity.
  idAttr: DN
  emailAttr: userPrincipalName
  nameAttr: cn

6. Under the groupSearch section, only modify the value of the baseDN parameter:

Note: The baseDN parameter contains the base location of all User Accounts.

groupSearch:
  baseDN: cn=Users,dc=alpaca,dc=com
  filter: "(objectClass=group)"
  # A user is a member of a group when their DN matches

7. The staticClients section can be configured as follows:

staticClients:

• id is the generic name that is given for the IBM AD Analyze Client.

• redirectURIs takes as value the localhost IP and a generic port that is used for the callback to Authentication Server (DEX).

• name takes as value 'AD Client'.

• secret is a secret that is shared among the applications.

Example

• When the communication to and from DEX is done through https, the dex.yaml file is configured as follows:

    host: WIN-NSSMI7A1KJQ.ferdinand2.com:636
    # No TLS for this setup.
    insecureNoSSL: false
    # This would normally be a read-only user.
    bindDN: CN=Administrator,CN=Users,DC=ferdinand2,DC=com
    bindPW: Admin15_
    usernamePrompt: email address
    userSearch:
      baseDN: dc=ferdinand2,dc=com
      filter: "(objectClass=person)"
      username: userPrincipalName
      scope: sub
      # "DN" (case sensitive) is a special attribute name. It indicates that
      # this value should be taken from the entity's DN not an attribute on
      # the entity.
      idAttr: DN
      emailAttr: userPrincipalName
      nameAttr: cn
    groupSearch:
      baseDN: dc=ferdinand2,dc=com
      filter: "(objectClass=group)"
      scope: sub

• When the communication to and from DEX is done through http, the dex.yaml file is configured as follows:

    host: WIN-NSSMI7A1KJQ.ferdinand2.com:636
    # No TLS for this setup.
    insecureNoSSL: true
    # This would normally be a read-only user.
    bindDN: CN=Administrator,CN=Users,DC=ferdinand2,DC=com
    bindPW: Admin15_
    usernamePrompt: email address
    userSearch:
      baseDN: dc=ferdinand2,dc=com
      filter: "(objectClass=person)"
      username: userPrincipalName
      scope: sub
      # "DN" (case sensitive) is a special attribute name. It indicates that
      # this value should be taken from the entity's DN not an attribute on
      # the entity.
      idAttr: DN
      emailAttr: userPrincipalName
      nameAttr: cn
    groupSearch:
      baseDN: dc=ferdinand2,dc=com
      filter: "(objectClass=group)"
      scope: sub
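As an added check, not part of the IBM documentation or of dex itself, the script below reads a dex.yaml written to the rules of steps 1 to 4 and reports the choices that weaken the setup: an http issuer, TLSCert/TLSKey left in place after switching to http, a bindPW still at the sample value, an administrator account used for the bind, and insecureNoSSL set to true, which in dex turns off TLS on the LDAP connection (the examples above pair false with port 636 for the https case). The sample file, its host names, the svc-dex-bind account and the port-389 variant are constructed placeholders. The YAML parser handles only the subset dex.yaml uses (nested mappings, scalar lists, lists of mappings and '#' comments); yaml.safe_load() from PyYAML is the right tool for real files.

```python
"""Lint a dex.yaml against steps 1-4.  Added example, not IBM's or dex's code."""
import re
from urllib.parse import urlparse

# Constructed sample; host names, paths and the bind account are placeholders.
SAMPLE_DEX_YAML = r"""
issuer: https://WIN-ASK7V692EKB.ferdinand2.com:7600/dex
web:
  https: 0.0.0.0:7600
  TLSCert: C:\certs\dex.cert
  TLSKey: C:\certs\dex.key
oauth2:
  skipApprovalScreen: true
connectors:
- type: ldap
  config:
    host: WIN-NSSMI7A1KJQ.ferdinand2.com:636
    insecureNoSSL: false   # false = TLS (LDAPS on 636)
    bindDN: CN=svc-dex-bind,CN=Users,DC=ferdinand2,DC=com   # read-only account
    bindPW: password
    userSearch:
      baseDN: dc=ferdinand2,dc=com
      filter: "(objectClass=person)"
    groupSearch:
      baseDN: dc=ferdinand2,dc=com
      filter: "(objectClass=group)"
"""
# The same file with the http choices of steps 1b, 2b and 4b applied (constructed).
WEAK_DEX_YAML = (SAMPLE_DEX_YAML.replace("issuer: https://", "issuer: http://")
                 .replace("https: 0.0.0.0", "http: 0.0.0.0").replace(":636", ":389")
                 .replace("insecureNoSSL: false", "insecureNoSSL: true"))


def _scalar(v):
    v = v.strip()
    if len(v) > 1 and v[0] == v[-1] and v[0] in "\"'":
        return v[1:-1]                       # quoted string
    return {"true": True, "false": False}.get(v.lower(), v)


def _parse(lines, pos, indent):              # lines are (indent, text) pairs
    if lines[pos][1].startswith("- "):       # list block
        items = []
        while pos < len(lines) and lines[pos][0] == indent and lines[pos][1].startswith("- "):
            body = lines[pos][1][2:].strip()
            if re.match(r"^[A-Za-z_][\w-]*:(\s|$)", body):   # "- key: value" opens a mapping
                lines[pos] = (indent + 2, body)
                item, pos = _parse(lines, pos, indent + 2)
            else:
                item, pos = _scalar(body), pos + 1
            items.append(item)
        return items, pos
    node = {}                                # mapping block
    while pos < len(lines) and lines[pos][0] == indent and not lines[pos][1].startswith("- "):
        key, _, rest = lines[pos][1].partition(":")
        pos += 1
        nxt = lines[pos] if pos < len(lines) else (-1, "")
        if rest.strip():
            node[key.strip()] = _scalar(rest)
        elif nxt[0] > indent or (nxt[0] == indent and nxt[1].startswith("- ")):
            node[key.strip()], pos = _parse(lines, pos, nxt[0])
    return node, pos


def parse_dex_yaml(text):
    lines = []
    for raw in text.splitlines():
        body = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].strip()   # drop '#' comments
        if body:
            lines.append((len(raw) - len(raw.lstrip(" ")), body))
    return _parse(lines, 0, 0)[0]


def check_dex_config(cfg):
    """Return findings as strings; an empty list means the file follows the procedure."""
    f, issuer = [], urlparse(str(cfg.get("issuer", "")))
    web = {k.lower(): v for k, v in (cfg.get("web") or {}).items()}
    if issuer.scheme == "https":
        if "https" not in web or not (web.get("tlscert") and web.get("tlskey")):
            f.append("step 2a: an https issuer needs web.https plus TLSCert and TLSKey")
    elif issuer.scheme == "http":
        if "tlscert" in web or "tlskey" in web:
            f.append("step 2b: http issuer, but TLSCert/TLSKey are still set")
        f.append("plain http issuer: tokens and passwords cross the network unencrypted")
    for conn in cfg.get("connectors") or []:
        c = conn.get("config") or {}
        port = str(c.get("host", "")).rsplit(":", 1)[-1]
        if c.get("insecureNoSSL") is True:
            f.append("insecureNoSSL: true disables TLS; the bind password crosses the wire in clear text")
        elif port == "389":
            f.append("insecureNoSSL: false on port 389: dex dials TLS to the plain LDAP port")
        if c.get("bindPW") in (None, "", "password"):
            f.append("step 4d: bindPW is empty or still the sample placeholder")
        if "administrator" in str(c.get("bindDN", "")).lower():
            f.append("step 4c: bindDN is an administrator account; bind with a read-only user")
    return f


def check_text(text):
    return check_dex_config(parse_dex_yaml(text))


if __name__ == "__main__":
    print("https sample:", check_text(SAMPLE_DEX_YAML))
    print("http variant:", check_text(WEAK_DEX_YAML))
```

Against a real file, call check_text(open(path).read()); an empty list means no finding. The https sample above yields a single finding (the placeholder bindPW), while the http variant also reports the leftover TLS fields, the unencrypted issuer and the clear-text LDAP bind.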

Make sure that Authentication Server (DEX) is correctly configured in IBM AD Configuration Server. For more information, see Configuring Authentication and Configuring AD OAuth2 Client.

After Authentication Server (DEX) is configured, start the service:

1. Click Start, select Run, type services.msc and start Authentication Server (DEX).

2. If the service does not start, check the dex.log file under the <IBM ADDI Installation Folder>/Authentication Server/.log/ folder.