3.2.2.1.4. User data sources
By defining multiple User Data Sources (UDS) on a system, different authorities can be used in the authorization process. Active Directory attributes are used to support this process.
By adding the ON Core to the domain and configuring UDS, it is possible to define different authorization policies.

The following are examples of User Data Sources that can be defined:
LocalDB: This is a local database based on MySQL.
Sample ldap: This is a local LDAP service that can be used for proofs of concept and is not recommended for production environments.
Active Directory (optional): This is the connection established with the Active Directory.
LDAP Server
External Database, and many others.
3.2.2.1.4.1. Creating a new UDS
To create a new UDS, click on the Create new button. It will display the following window.

Enter a name for the new UDS and select a type from the three options available:

By selecting the Database type, the following configuration properties will be displayed:

Connection data
Adapter: Select an adapter from MySQL, PostgreSQL, Oracle, or Microsoft SQL server.
Charset: Character encoding format.
Host: Hostname or IP address of the database server.
Write host: Hostname or IP address of the server for write operations.
Database name: Name of the database to connect to.
User name: Name of the user account.
Password: Password for the user account.
Table attributes
Table: Name of the table in the database.
Identity column: Column that represents the identity or unique identifier for records.
Credential column: Column that stores the credential information (if applicable).
User name column: Column that stores the usernames of users.
User e-mail column: Column that stores the email addresses of users.
User telephone column: Column that stores the telephone numbers of users.
Additional conditional query: An optional additional query with specific conditions or criteria for data retrieval.
By selecting Active Directory or LDAP, the following configuration properties will be displayed:

Name: The name used by the UDS. Because this UDS is of type LDAP/AD, a name such as AD Mycompany can be used.
Type: Defined as LDAP. The database connection could be used to get user attributes.
Enabled: The UDS can be enabled or disabled.
Read only: Whether queries are launched with a Read only flag. This will avoid any write action in the commands.
Host: The IP address of the LDAP/AD server where the queries are launched, for instance 172.16.11.5. Additional IPs can be added.
Port: The port used for the AD/LDAP search query. By default, it uses an unsecured connection on port 389; if AD/LDAP SSL is enabled, the port is 636.
Username: The user registered in the AD/LDAP server. This allows us to bind and use AD/LDAP information.
Password: The password for the AD/LDAP binding.
Base domain name: The BaseDN at the top of the domain name structure. Our domain is named mycompany.local and its BaseDN is DC=mycompany,DC=local.
Account domain name: The DNS name for the domain, in uppercase. In this case, MYCOMPANY.LOCAL.
Short account domain name: The short name for the domain, commonly called the NetBIOS name. For instance, MYCOMPANY.
Account filter format: The attribute used to select users. We have included two options, but only one must be used. In this example sAMAccountName=%s is defined for Active Directory, and uid=%s for LDAP Servers.
Bind requires domain name: It is basically the credential you are using to authenticate against an LDAP server. When using a bindDN, it usually comes with a password associated with it. Sometimes, anonymous binding doesn’t allow certain types of actions.
UID attribute name: The attribute used to identify users’ IDs. The filter changes depending on whether AD or LDAP is used.
E-mail attribute name: The filter is used to identify the email as an attribute of the user.
Telephone attribute name: The filter is used to identify the phone number as an attribute of the user.
Group attribute name: The filter is used to identify the groups as an attribute of the user.
Enable LDAPS: For authenticating and authorizing users where LDAP communication is transmitted over an SSL tunnel on TCP port 636.
Enable TLS: For securing communication between LDAP clients and LDAP servers.
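The Account filter format and the Port, Enable LDAPS and Enable TLS settings above, as an added Python example (not product code): it expands the filter format for one login name with RFC 4515 escaping, so the login is matched literally, and it flags inconsistent transport settings. The function names are hypothetical, the inputs are constructed, and it assumes Enable TLS means StartTLS on the plain LDAP port.

```python
# Added example, not product code. Function names are hypothetical.

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a login name so it is matched literally, never parsed as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_account_filter(filter_format, login):
    """Expand an account filter format such as 'sAMAccountName=%s' for one login."""
    if filter_format.count("%s") != 1:
        raise ValueError("account filter format must contain exactly one %s")
    expr = filter_format.replace("%s", escape_filter_value(login))
    return expr if expr.startswith("(") else "(" + expr + ")"


def review_transport(port, ldaps, tls):
    """Return findings for a Port / Enable LDAPS / Enable TLS combination.

    Assumption: 'Enable TLS' means StartTLS on the plain LDAP port.
    """
    findings = []
    if ldaps and tls:
        findings.append("LDAPS and TLS both enabled: StartTLS cannot run inside an SSL tunnel")
    if not ldaps and not tls:
        findings.append("no LDAPS or TLS: bind password and queries travel in cleartext")
    if ldaps and port == 389:
        findings.append("LDAPS enabled on port 389: LDAPS normally listens on 636")
    if not ldaps and port == 636:
        findings.append("port 636 without LDAPS: the server expects an SSL handshake")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs.
    print(build_account_filter("sAMAccountName=%s", "jdoe"))
    print(build_account_filter("uid=%s", "*)(uid=*"))  # wildcard login is neutralised
    print(review_transport(389, ldaps=False, tls=False))
```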
3.2.2.1.4.2. UDS table
The following fields are displayed in the UDS table:

You can check the UDS status, its connection details, and if it is enabled or disabled by clicking on the arrow located at the beginning of each UDS row.
The three-dot icon located at the end of each row can display the following options:

Edit: Edit UDS.
Check status: Check the status of this UDS.
View users: View a list of users registered in this UDS.

Manage group authorizations: By selecting this option, it will open the Authorized user groups table:

From this view you can edit user groups by selecting the edit option from the three-dot icon dropdown menu.
