LDAPS configuration
In order to use LDAPS authentication, you must configure the LDAPS settings in the standalone-full.xml to match the LDAPS configuration to be used by the installation customer.
 | For security reasons Planon recommends to use LDAPS; e.g. LDAP via SSL. |
You can choose the LDAPS solution that suits your requirement. The following section only serves as an example.
Ensure your LDAPS server is configured.
| | The following screenshot an LDAPS server configuration example that is used as a model in the following configuration. |
Login configuration with an encrypted password
For LDAPS, use only the login module described below.
Procedure
1. Add the LDAP realm:
/subsystem=elytron/security-domain=PlanonSecurityDomain:write-attribute(name=default-realm,value=LdapRealm)
2. Add the credentials store:
/subsystem=elytron/credential-store=EncryptDBCredentialStore:generate-secret-key(alias=EncryptionKey, key-size=256)
3. For extra security, disable the CLI history before you add the passwords - run:
history --disable
4. Add your LDAP Passwords to the credential store.
a. Replace the LDAPADMINPASSWORD.
b. Run the following command:
/subsystem=elytron/expression=encryption:create-expression(resolver=PnExpressionResolver, clear-text=LDAPADMINPASSWORD)
c. Keep the result, you need it in the next steps.
It looks as follows:
"${ENC::PnExpressionResolver:RUxZAUMQM14WYQysqFPR6tV2r6jj7uHMoeP5
VHg1EcZJa3DI2Qi+gRq9CEr814uQ8EzEcog}"
VHg1EcZJa3DI2Qi+gRq9CEr814uQ8EzEcog}"
5. Add the Trust store password to the credential store:
a. Replace the TRUSTSTOREPASSWORD password.
b. Run the following command:
/subsystem=elytron/expression=encryption:create-expression(resolver=PnExpressionResolver, clear-text=TRUSTSTOREPASSWORD)
c. Keep the result, you need it in the next steps.
6. Enable the CLI history before you continue - run:
history --enable
7. Add your LDAP server's hierarchical organizational structure, LDAPADMINPASSWORD with the encrypted value, the keystore (YOURldap-truststore.jks) and the TRUSTSTOREPASSWORD with the encrypted value. Also update throwValidateError to False if you don't want detailed messages:
/subsystem=elytron/custom-realm=LdapRealm:write-attribute(name=configuration, value={ldapUrl="ldaps://HOST:PORT", bindDN="development\Administrator", bindCredential="LDAPADMINPASSWORD", baseCtxDN="dc=development, dc=planon, dc=nl", baseFilter="(sAMAccountName={0})", roleAttributeID="memberOf", rolesCtxDN="CN=Users,DC=development,DC=planon,DC=nl", roleFilter="(sAMAccountName={0})", roleAttributeIsDN="true", roleNameAttributeID="cn", searchScope="SUBTREE_SCOPE", allowEmptyPasswords="false", truststorePath="${jboss.server.config.dir}/YOURldap-truststore.jks",truststorePassword="TRUSTSTOREPASSWORD", throwValidateError="true" })
exit
exit
8. Add your certificate to the client cacerts keystore if needed (for example self-signed certificate). To do so use the following keytool command:
keytool -cacerts -import -trustcacerts -noprompt -file path\to\your\certificate.crt -alias yourAlias -storepass changeit
You can find the keytool in the following location: ...\Server\jdk-*\bin
9. Restart your service for the changes to take effect.
10. When a user logs on to Planon Software Suite, the user credentials are first authenticated against LDAPS and subsequently it is verified whether the user name exists in Planon Software Suite. If both tests succeed, the user is logged on. If either test fails, the user is not granted access.
| | The user name must be the same in LDAPS and in Planon. |