If you’re having trouble at any stage please contact us at support@skyformation.com
Compatible with SkyFormation App Version
This guide is compatible with SkyFormation App version 2.1.21 (see Get Your SkyFormation App Version). If you are using an older version of SkyFormation we highly recommend to update to the latest one.
Preface
SkyFormation platform is using an authentication mechanism based on local file with the relevant user:role:credentials information.
It is highly recommended to replace the default authentication mechanism with AD/LDAP based one.
This would allow an easy way to add/remove users allowed access to SkyFormation, and improve the user’s information and credentials security.
This post explains how to use AD server as the SkyFormation authentication service provider.
SkyFormation application will ask the user for his or her userPrincipalName and password and validate these with the configured AD server.
SkyFormation application will not save the user’s credentials sent to the AD.
Prerequisites
- Make sure the SkyFormation machine could communicate with the AD server
- If you plan to use LDAPS (rather than LDAP) please import the AD certificate to the SkyFormation’s trust store
- Have the AD server name and port number to use
- Make sure each user you would like to allow access to SkyFormation app is a member of the AD
group that would be used to allow access to the SkyFormation app
- Have an integration user in AD with read permission (system user). This user is being used to read all the groups the authenticated user is a member of
Step
- SSH to your SkyFormation machine
- Change user to root
sudo su - -
Locate your sk4_conf volume - run the first command of the two below, if the result is <no value> then run the second command of the two below to get the path.
-
Backup your existing <sk4_conf_location>/shiro/client-shiro.ini
cp <sk4_conf_location>/shiro/client-shiro.ini <sk4_conf_location>/shiro/client-shiro.ini.bak -
Delete the [users] section
-
If anonymous AD search is supported or for keeping the system user’s password in /shiro/client-shiro.ini file in clear text please add the following lines to the file
ldapRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm # ldap or ldaps ldapRealm.url = ldap://HOST_OR_IP:PORT # Optional - to allow dan@myorg.com to authenticate with dan as the username. ldapRealm.principalSuffix = @myorg.com # If white spaces exists int the AD group DN it must be put in double quotes ldapRealm.groupRolesMap = "REPLACE_WITH_AD_GROUP":"sk4-admin" ldapRealm.searchBase = REPLACE_WITH_AD_BASE_SEARCH # systemUsername and systemPassword are only required if anonymous AD search is not supported # Existance of principalSuffix also applies to systemUsername # So if sk4@myorg.com is the UPN for the system user and principalSuffix is @myorg.com then systemUsername should be sk4 ldapRealm.systemUsername = REPLACE_WITH_SYSTEM_USER_UPN ldapRealm.systemPassword = REPLACE_WITH_SYSTEM_USER_PASSWORD securityManager.realms = $ldapRealm -
For keeping the system user’s password in the client-shiro.ini file encrypted (if anonymous AD search is not supported) please do the following (supported from 2.4.206):
-
Encrypt the system user’s password (SK4 root directory is either /opt/sk4 or /opt/exabeam/data/sk4 by default)
- Copy the encrypted password printed to console
-
Please add the following lines to the file
ldapRealm = com.skyformation.shiro.realms.SK4ActiveDirectoryRealm # ldap or ldaps ldapRealm.url = ldap://HOST_OR_IP:PORT # Optional - to allow dan@myorg.com to authenticate with dan as the username. ldapRealm.principalSuffix = @myorg.com # If white spaces exists int the AD group DN it must be put in double quotes ldapRealm.groupRolesMap = "REPLACE_WITH_AD_GROUP":"sk4-admin" ldapRealm.searchBase = REPLACE_WITH_AD_BASE_SEARCH # Existance of principalSuffix also applies to the value you put here. # So if sk4@myorg.com is the UPN for the system user, and principalSuffix is @myorg.com, systemUsername should be sk4 ldapRealm.systemUsername = REPLACE_WITH_SYSTEM_USER_UPN ldapRealm.systemPassword = REPLACE_WITH_SYSTEM_USER_ENCRYPTED_PASSWORD ldapRealm.passwordEncrypted = true securityManager.realms = $ldapRealm
-
-
Restart SkyFormation’s tomcat microservice
docker container restart sk4tomcat
Done
Sample client-shiro-ini
[main]
sk4Authc = com.skyformation.shiro.filter.SK4FormAuthenticationFilter
sk4Authc.loginUrl = /login.html
sk4Authc.successUrl = /index.html
cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
cacheManager.cacheManagerConfigFile = classpath:ehcache.xml
securityManager.cacheManager = $cacheManager
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionManager.sessionDAO = $sessionDAO
securityManager.sessionMode = native
cookie = org.apache.shiro.web.servlet.SimpleCookie
cookie.name = SSOcookie
cookie.path = /
sessionManager.sessionIdCookie = $cookie
securityManager.sessionManager = $sessionManager
ldapRealm = com.skyformation.shiro.realms.SK4ActiveDirectoryRealm
ldapRealm.url = ldap://ad.exabeam:389
ldapRealm.principalSuffix = @exabeam.com
ldapRealm.groupRolesMap = "CN=SK4,DC=Groups,DC=exabeam,DC=com":"sk4-admin"
ldapRealm.searchBase = DC=exabeam,DC=com
ldapRealm.systemUsername = sk4
ldapRealm.systemPassword = gATNJ0RQzDzWPSHg/kJ1Jg==
ldapRealm.passwordEncrypted = true
securityManager.realms = $ldapRealm
[urls]
/login.html = sk4Authc
/index.html = sk4Authc, roles[sk4-admin]
/onboard.html = sk4Authc, roles[sk4-admin]
/logout = logout
/ = sk4Authc, roles[sk4-admin]
/** = anon
Comments
0 comments
Please sign in to leave a comment.