Active Directory with WebADM

1. Installation Packages

First, install the OpenOTP and WebADM packages, which are available from the RCDevs repository or from the RCDevs website. This how-to installs every required package from the RCDevs repository, so the server(s) need outbound internet access to fetch them.

1.1 For Redhat/CentOS

On RedHat, CentOS or Fedora you can use the RCDevs repository, which also simplifies updates. Add it on each server that will host WebADM/OpenOTP (the repository file is fetched over plain HTTP, so open it afterwards and confirm that package signature checking, gpgcheck, is enabled before installing anything):

curl http://www.rcdevs.com/repos/redhat/rcdevs.repo -o /etc/yum.repos.d/rcdevs.repo

Clean the yum cache:

yum clean all

Install the WebADM and OpenOTP packages:

yum install webadm openotp

Optionally, install the Self-Service Desk, Self-Registration and Secure Password Reset web applications as well:

yum install selfdesk selfreg pwreset

Run the setup script:

/opt/webadm/bin/setup

The script initializes the WebADM PKI (the internal CA used for server and administrator login certificates) and the rest of the local setup.

1.2 For Debian/Ubuntu

On Debian or Ubuntu you can use the RCDevs repository too. Add the repository and its signing key with the following commands (apt-key is deprecated on current Debian and Ubuntu releases; there, store the fetched key under /etc/apt/keyrings and reference it with a signed-by option in the sources entry instead):

echo "deb http://rcdevs.com/repos/debian ./" > /etc/apt/sources.list.d/rcdevs.list
apt-key adv --fetch-key http://rcdevs.com/repos/debian/RPM-GPG-KEY-rcdevs.pub

Refresh the package index:

apt-get update

Install the WebADM and OpenOTP packages:

apt-get install openotp webadm

Optionally, install the Self-Service Desk, Self-Registration and Secure Password Reset web applications as well:

apt-get install selfdesk selfreg pwreset

Run the setup script:

/opt/webadm/bin/setup

The script initializes the WebADM PKI (the internal CA used for server and administrator login certificates) and the rest of the local setup.

2. Scenarios

There are two ways to set up the WebADM LDAP schema for Active Directory:

  • With the WebADM schema extension (preferred).
  • Without any schema addition (re-uses existing object classes and attributes as a replacement).

In both scenarios we advise creating an empty Organizational Unit in your AD to hold the WebADM configuration objects. In this documentation the OU is ou=WebADM and the domain is dc=mydomain,dc=com.

Follow the scenario you prefer and skip the other one.

3. AD Schema Extended Configuration

3.1 Prerequisite & Overview

This is the preferred option: WebADM uses the RCDevs IANA-registered Active Directory attributes to store its additional LDAP data on users and groups. The schema addition is minimal and consists of 3 new object classes (webadmAccount, webadmGroup, webadmConfig) and 3 new attributes (webadmSettings, webadmData, webadmType).

If you choose this option, WebADM must be connected to the domain controller holding the Schema Master FSMO role so that it can register its schema additions. If you list two domain controllers in servers.xml, the first one must be the Schema Master; otherwise the WebADM graphical setup (explained later) will not be allowed to add the required object classes to your Active Directory.

On the WebADM server, copy two files into /opt/webadm/conf/ with the following commands:

cd /opt/webadm/doc/ActiveDirectory/Schema_Extended/
cp webadm.conf objects.xml /opt/webadm/conf/

3.2 WebADM Configuration File

In this file we will configure LDAP containers for WebADM. This file is :

/opt/webadm/conf/webadm.conf

The complete file is reproduced here, but only the second block (the LDAP containers) needs editing for this how-to. Two values in the sample must not be kept as they are: proxy_password and encrypt_key are documentation samples, so set your own password and generate a fresh key with openssl rand -base64 32, as the comment in the file says. Since webadm.conf holds both in clear text, restrict read access to the file on the server.

#
# WebADM Server Configuration
#

# Administrator Portal's authentication method.
# - PKI: Requires client certificate and login password.
# - UID: Requires domain name, login name, password.
# - DN: Requires login DN and password.
# - OTP: Like UID with an OTP challenge.
# - U2F: Like UID with a FIDO-U2F challenge.
# - MFA: Like UID with both OTP and FIDO-U2F challenge.
# Using certificates is the most secure login method. To use certificate login,
# you must log in WebADM and create a login certificate for your administrators.
# The UID mode requires a WebADM domain to exist and have its User Search Base
# set to the subtree where are located the administrator users. When using UID
# and if there is no domain existing in WebADM, the login mode is automatically
# forced to DN. You will also need to log in with the full user DN and set up
# a WebADM domain to be able to use the UID login mode.
admin_auth UID

# Show the registered domain list when admin_auth is set to UID, OTP or U2F.
# And set a default admin login domain when auth_mode is set to these methods.
list_domains Yes
#default_domain "Default"

# Manager API's authentication method. Only UID, PKI and DN are supported here.
# If you set the admin_auth with multi-factor (PKI, OTP or U2F), then you must
# either use manager_auth PKI or UID with a list of allowed client IPs.
#manager_auth UID
#manager_clients "192.168.0.10","192.168.0.11"

# User level changes the level of feature and configuration for all applications.
# WebADM proposes three levels: Beginner, Intermediate and Expert. The default
# level (Expert) is recommended as it provides access to all the RCDevs features.
user_level Expert

# The proxy user is used by WebADM for accessing LDAP objects over which the
# admin user does not have read permissions or out of an admin session.
# The proxy user should have read permissions on the whole LDAP tree,
# and write permissions on the users/groups used by the WebApps and WebSrvs.
# The use of a proxy user is required for WebApps and WebSrvs.
# With ActiveDirectory, you can use any Domain Administrator DN as a proxy user,
# which should look like cn=Administrator,cn=Users,dc=mydomain,dc=com.
proxy_user     "cn=Administrator,cn=Users,dc=mydomain,dc=com"
proxy_password "Password1234"

# Super administrators have extended WebADM privileges such as setup permissions,
# additional operations and unlimited access to any LDAP encrypted data. Access
# restriction configured in the WebADM OptionSets do not apply to super admins.
# You can set a list of individual LDAP users or LDAP groups here.
# With ActiveDirectory, your administrator account should be something like
# cn=Administrator,cn=Users,dc=mydomain,dc=com. And you can replace the sample
# super_admins group on the second line with an existing security group.
super_admins "cn=Administrator,cn=Users,dc=mydomain,dc=com", \
	     "cn=Domain Admins,cn=Users,dc=mydomain,dc=com"

# LDAP objectclasses
container_oclasses      "container", "organizationalUnit", "organization", "domain", "locality", "country", \
                        "openldaprootdse", "treeroot"
# user_oclasses is used to build the LDAP search filter with 'Domain' auth_mode.
# If your super admin user does not have one of the following objectclasses,
# add one of its objectclasses to the list.
user_oclasses           "user", "account", "person", "inetOrgPerson", "posixAccount"
group_oclasses          "group", "groupOfNames", "groupOfUniqueNames", "dynamicGroup", "posixGroup"
# With ActiveDirectory 2003 only, you need to add the 'user' objectclass to the
# webadm_account_oclasses and the 'group' objectclass to the webadm_group_oclasses.
webadm_account_oclasses "webadmAccount"
webadm_group_oclasses   "webadmGroup"
webadm_config_oclasses  "webadmConfig"

# LDAP attributes
certificate_attrs       "userCertificate"
password_attrs          "userPassword", "unicodePwd", "sambaNTPassword"
uid_attrs               "uid", "samAccountName", "userPrincipalName"
member_attrs            "member", "uniqueMember"
memberof_attrs          "memberOf", "groupMembership"
memberuid_attrs         "memberUid"
language_attrs          "preferredLanguage"
mobile_attrs            "mobile", "otherMobile"
mail_attrs              "mail", "otherMailbox"
webadm_data_attrs       "webadmData"
webadm_settings_attrs   "webadmSettings"
webadm_type_attrs       "webadmType"

# ignore some AD attributes
ignored_attrs "ntsecuritydescriptor", "objectcategory", "objectsid", "badpasswordtime", \
              "badpwdcount", "lastlogoff", "lastlogon", "logoncount", "lastlogontimestamp", \
              "pwdlastset", "primarygroupid", "samaccounttype"

Adjust the LDAP container DNs to your directory.

Note

You do not have to change the first RDN of each DN (cn=AdminRoles, cn=OptionSets and so on). Edit the ou=WebADM,dc=mydomain,dc=com part of each container, where ou=WebADM is the empty Organizational Unit created earlier and dc=mydomain,dc=com is your domain.

# Find below the LDAP containers required by WebADM.
# Change the container's DN to fit your ldap tree base.
# WebADM AdminRoles container
adminroles_container "cn=AdminRoles,ou=WebADM,dc=mydomain,dc=com"
# WebADM Optionsets container
optionsets_container "cn=OptionSets,ou=WebADM,dc=mydomain,dc=com"
# WebApp configurations container
webapps_container "cn=WebApps,ou=WebADM,dc=mydomain,dc=com"
# WebSrv configurations container
websrvs_container "cn=WebSrvs,ou=WebADM,dc=mydomain,dc=com"
# Mount points container
mountpoints_container "cn=Mountpoints,ou=WebADM,dc=mydomain,dc=com"
# Domain and Trusts container
domains_container "cn=Domains,ou=WebADM,dc=mydomain,dc=com"
# Clients container
clients_container "cn=Clients,ou=WebADM,dc=mydomain,dc=com"
# You can set here the timeout (in seconds) of a WebADM session.
# Web sessions will be closed after this period of inactivity.
# The Manager Interface cookie-based sessions are disabled by default.
admin_session 900
manager_session 0
webapps_session 600

# You can set here the WebADM internal cache timeout. A normal value is one hour.
cache_timeout 3600

# Application languages
languages "EN","FR","DE","ES","IT","FI"

# WebADM encrypts LDAP user data, sensitive configurations and user sessions with
# AES-256. The encryption key(s) must be 256bit base64-encoded random binary data.
# Use the command 'openssl rand -base64 32' to generate a new encryption key.
# Warning: If you change the encryption key, any encrypted data will become invalid!
# You can set several encryption keys for key rollout. All the defined keys are used
# for decrypting data. And the first defined key is used to (re-)encrypt data.
# Two encryption modes are supported:
# Standard: AES-256-CBC (default)
# Advanced: AES-256-CBC with per-object encryption (stronger)
encrypt_data Yes
encrypt_mode Standard
encrypt_hsm  No
encrypt_key  "cq19TEHgHLQuO09DXzjOw30rrQDLsPkT3NiL6l3BH2w="

# Hardware Cryptography Module
# Yubico YubiHSM and RCDevs HSMHub are currently supported for hardware encryption.
# Up to 8 HSM modules can be concurrently attached to the server.
#hsm_model YubiHSM
#hsm_keyid 1

# Data store defines which back-end is used for storing user data and settings.
# By default WebADM stores the user and group metadata in the LDAP. By setting the
# data_store to SQL, these metadata are stored in a dedicated SQL table.
# LDAP is generally the preferred option because it maximizes the system consistency.
# SQL is preferred if you absolutely need read-only LDAP access for the proxy_user.
data_store LDAP

# The group mode defines how WebADM will handle LDAP groups.
# - Direct mode: WebADM finds user groups using the memberof_attrs defined above.
#   In this case, the group membership is defined in the LDAP user objects.
# - Indirect mode: WebADM finds user groups by searching group objects which contain
#   the user DN as part of the member_attrs.
# - Auto: Both direct and indirect groups are used.
# - Disabled: All LDAP group features are disabled in WebADM.
# By default (when group_mode is not specified) WebADM handles both group modes.
group_mode Auto

# LDAP cache greatly improves performance under high server loads. The cache limits
# the number of LDAP requests by storing resolved user DN and group settings. When
# enabled, results are cached for 300 secs.
ldap_cache Yes

# LDAP routing enables LDAP request load-balancing when multiple LDAP servers are
# configured in servers.xml. You should enable this feature if LDAP server load
# becomes a bottleneck due to a big amount of users (ex. more than 10000 users).
#ldap_routing No

# You can optionally disable some features if you run multiple WebADM servers with
# different purposes. For example, if you don't want to provide admin portal on an 
# Internet-exposed WebApps and WebSrvs server.
# By default, all the functionalities are enabled.
enable_admin Yes
enable_manager Yes
enable_webapps Yes
enable_websrvs Yes

# Enable extended logging to the webadm.log file (enabled by default).
# Records all WebApps and Web Service events to the webadm.log file.
log_webapps Yes
log_websrvs Yes

# Enable syslog reporting (disabled by default). When enabled, system logs are sent
# to both the WebADM log files and syslog.
#log_debug No
#log_format Default
#log_syslog No
#syslog_facility LOG_USER
#syslog_format CEF

# Alerts are always recorded to the SQL Alert log. Additionally, when alert_email
# is defined, the alerts are also sent by email to the configured recipient(s).
#alert_email "me@mydomain.com"

# If your WebADM server is used behind a reverse-proxy or load-balancer, you need to
# set the IP address(es) of your reverse-proxy server(s). Your proxy MUST create the
# HTTP_X_FORWARDED_FOR and HTTP_X_FORWARDED_HOST headers.
#reverse_proxies "192.168.0.100", "192.168.0.101"
# If you use WebADM Publishing Proxy (WAProxy) for publishing applications on public
# networks, then you must set the IP address(es) of the WAProxy server(s).
# Enable this setting ONLY if you are using RCDevs WAProxy as reverse-proxy!
#waproxy_proxies "192.168.0.102"
# The public DNS name of your WAProxy server
#waproxy_pubaddr "www.myproxy.com"

# Check for new product versions and license updates on RCDevs' website.
# These features require outbound Internet access from the server.
check_versions Yes
check_licenses Yes

# WebApps theme
# Comment the following line to disable the default theme.
webapps_theme "default"

# End-user messages
# The following variables are available: %USERNAME%, %USERDN%, %USERID%, %DOMAIN%, %APPNAME%
# Additional variables are available depending on the context: %APPID%, %TIMEOUT%, %EXPIRES%
unlock_subject "Unlocked access to %APPNAME%"
unlock_message "Hello %USERNAME%,\r\n\r\nYou have a one-time access to the %APPNAME%.\r\nYour access will automatically expire %EXPIRES%."

# Personalization options
# You can customize your organization name, logo file and website URL.
# The logo file must be PNG image with size 100x50 pixels.
#org_name "RCDevs SA"
#org_logo "rcdevs.png"
#org_site "http://www.rcdevs.com/"

# Misc options
#treeview_width 300
#treeview_items 1500
#default_portal Admin
#ldap_uidcase No

3.3 Proxy User Rights

The proxy user performs wide LDAP searches and reads. It needs read permissions on the WebADM LDAP configuration objects (the configured containers) and on the user Domain subtrees. It also needs to write a few LDAP attributes, because it stores dynamic application user data on the user objects.

In some circumstances the proxy user also needs to write application settings on users and groups. The following attributes are part of the WebADM LDAP schema and need proxy user write permissions:

  • webadmData : is the attribute where the applications store the user data (ex. OpenOTP enrolled Token states).

  • webadmSettings : is the attribute where WebADM stores user-specific settings (ex. per-user OTP policy).

If you use the WebADM self-service applications, then depending on what you allow users to do in them the proxy user may need additional permissions. For example, if users may reset their LDAP password or set their mobile number or email address, the proxy user needs write permissions on the corresponding LDAP attributes.

In general, it is recommended to grant the proxy user write access to the following attributes:

  • webadmData (dynamic and encrypted application data)

  • webadmSettings (only if Self-Services are used to configure account settings)

  • mail (only if Self-Services are used to set email addresses)

  • mobile (only if Self-Services are used to set mobile numbers)

  • preferredLanguage (only if Self-Services are used to set user language)

  • unicodePwd (only if Self-Services are used to set user password)

Create the proxy user in AD and configure the proxy_user and proxy_password settings in webadm.conf. The sample file uses the built-in Administrator account, which the config comment permits; for a production deployment prefer a dedicated service account holding only the rights listed above, because the proxy password is stored in clear text in webadm.conf and a compromise of the WebADM host would otherwise yield a Domain Admin credential.

If you have difficulties setting the proxy user rights in Active Directory, read the dedicated how-to: AD Proxy User.

3.4 WebADM Administrator(s)

To allow an administrator or an admin group to log on to the WebADM interface, edit the super_admins setting in webadm.conf (the continuation backslash must be the last character on its line, with nothing after it):

super_admins "cn=Administrator,cn=Users,dc=mydomain,dc=com", \
         "cn=Domain Admins,cn=Users,dc=mydomain,dc=com"

Note

To extend the schema, you also need to configure a schema administrator (an account allowed to modify the schema, such as a member of Schema Admins) as a super admin. This account is used for the first login, which extends the schema through the WebADM GUI.

WebADM OU Rights

Your super_admins administrator(s) and the proxy_user need read/write rights on the WebADM Organizational Unit created earlier.


4. Schema Not Extended Configuration

4.1 Prerequisite & Overview

With this option WebADM makes no addition to the Active Directory schema. Instead, the WebADM configuration is customized to re-use existing object classes and attributes. Go to the directory doc/ActiveDirectory/Schema_Not_Extended/ and copy the files webadm.conf and objects.xml to the WebADM directory /opt/webadm/conf/. The following changes are applied to the configuration. In conf/webadm.conf, the default settings:

webadm_account_oclasses "webadmAccount" 
webadm_group_oclasses "webadmGroup" 
webadm_config_oclasses "webadmConfig"

webadm_data_attrs "webadmData" 
webadm_settings_attrs "webadmSettings" 
webadm_type_attrs "webadmType"

are changed to:

webadm_account_oclasses "bootabledevice" 
webadm_group_oclasses "bootabledevice"
webadm_config_oclasses "device"

webadm_data_attrs "bootFile" 
webadm_settings_attrs "bootParameter" 
webadm_type_attrs "serialNumber"

WebADM uses the AD object class bootabledevice as the user/group activation class and the object class device for storing the LDAP configuration objects, and it keeps user settings and metadata in the bootFile and bootParameter attributes of bootabledevice (RFC 2307 NIS schema elements present in the AD schema). Before choosing this scenario, make sure nothing else in your directory already uses bootFile, bootParameter or serialNumber on the users, groups and containers concerned, because WebADM will overwrite them with its own data.

In “conf/objects.xml”, the LDAP object specifications are configured to use the replacement object classes and attributes.

4.2 WebADM Configuration File

In this file, we will configure LDAP containers for WebADM. This file is :

/opt/webadm/conf/webadm.conf

The complete file is reproduced here, but only the second block (the LDAP containers) needs editing for this how-to. Two values in the sample must not be kept as they are: proxy_password and encrypt_key are documentation samples, so set your own password and generate a fresh key with openssl rand -base64 32, as the comment in the file says. Since webadm.conf holds both in clear text, restrict read access to the file on the server.

#
# WebADM Server Configuration
#
# Administrator Portal's authentication method.
# - PKI: Requires client certificate and login password.
# - UID: Requires domain name, login name, password.
# - DN: Requires login DN and password.
# - OTP: Like UID with an OTP challenge.
# - U2F: Like UID with a FIDO-U2F challenge.
# - MFA: Like UID with both OTP and FIDO-U2F challenge.
# Using certificates is the most secure login method. To use certificate login,
# you must log in WebADM and create a login certificate for your administrators.
# The UID mode requires a WebADM domain to exist and have its User Search Base
# set to the subtree where are located the administrator users. When using UID
# and if there is no domain existing in WebADM, the login mode is automatically
# forced to DN. You will also need to log in with the full user DN and set up
# a WebADM domain to be able to use the UID login mode.
admin_auth UID

# Show the registered domain list when admin_auth is set to UID, OTP or U2F.
# And set a default admin login domain when auth_mode is set to these methods.
list_domains Yes
#default_domain "Default"

# Manager API's authentication method. Only UID, PKI and DN are supported here.
# If you set the admin_auth with multi-factor (PKI, OTP or U2F), then you must
# either use manager_auth PKI or UID with a list of allowed client IPs.
#manager_auth UID
#manager_clients "192.168.0.10","192.168.0.11"

# User level changes the level of feature and configuration for all applications.
# WebADM proposes three levels: Beginner, Intermediate and Expert. The default
# level (Expert) is recommended as it provides access to all the RCDevs features.
user_level Expert

# The proxy user is used by WebADM for accessing LDAP objects over which the
# admin user does not have read permissions or out of an admin session.
# The proxy user should have read permissions on the whole LDAP tree,
# and write permissions on the users/groups used by the WebApps and WebSrvs.
# The use of a proxy user is required for WebApps and WebSrvs.
# With ActiveDirectory, you can use any Domain Administrator DN as a proxy user,
# which should look like cn=Administrator,cn=Users,dc=mydomain,dc=com.
proxy_user     "cn=Administrator,cn=Users,dc=mydomain,dc=com"
proxy_password "Password1234"

# Super administrators have extended WebADM privileges such as setup permissions,
# additional operations and unlimited access to any LDAP encrypted data. Access
# restriction configured in the WebADM OptionSets do not apply to super admins.
# You can set a list of individual LDAP users or LDAP groups here.
# With ActiveDirectory, your administrator account should be something like
# cn=Administrator,cn=Users,dc=mydomain,dc=com. And you can replace the sample
# super_admins group on the second line with an existing security group.
super_admins "cn=Administrator,cn=Users,dc=mydomain,dc=com", \
	     "cn=Domain Admins,cn=Users,dc=mydomain,dc=com"

# LDAP objectclasses
container_oclasses      "container", "organizationalUnit", "organization", "domain", "locality", "country", \
                        "openldaprootdse", "treeroot"
# user_oclasses is used to build the LDAP search filter with 'Domain' auth_mode.
# If your super admin user does not have one of the following objectclasses,
# add one of its objectclasses to the list.
user_oclasses           "user", "account", "person", "inetOrgPerson", "posixAccount"
group_oclasses          "group", "groupOfNames", "groupOfUniqueNames", "dynamicGroup", "posixGroup"
# With ActiveDirectory 2003 only, you need to add the 'user' objectclass to the
# webadm_account_oclasses and the 'group' objectclass to the webadm_group_oclasses.
webadm_account_oclasses "bootabledevice"
webadm_group_oclasses   "bootabledevice"
webadm_config_oclasses  "device"

# LDAP attributes
certificate_attrs       "userCertificate"
password_attrs          "userPassword", "unicodePwd", "sambaNTPassword"
uid_attrs               "uid", "samAccountName", "userPrincipalName"
member_attrs            "member", "uniqueMember"
memberof_attrs          "memberOf", "groupMembership"
memberuid_attrs         "memberUid"
language_attrs          "preferredLanguage"
mobile_attrs            "mobile", "otherMobile"
mail_attrs              "mail", "otherMailbox"
webadm_data_attrs       "bootFile"
webadm_settings_attrs   "bootParameter"
webadm_type_attrs       "serialNumber"

# ignore some AD attributes
ignored_attrs "ntsecuritydescriptor", "objectcategory", "objectsid", "badpasswordtime", \
              "badpwdcount", "lastlogoff", "lastlogon", "logoncount", "lastlogontimestamp", \
              "pwdlastset", "primarygroupid", "samaccounttype"

Adjust the LDAP container DNs to your directory.

Note

You do not have to change the first RDN of each DN (cn=AdminRoles, cn=OptionSets and so on). Edit the ou=WebADM,dc=mydomain,dc=com part of each container, where ou=WebADM is the empty Organizational Unit created in section 2 and dc=mydomain,dc=com is your domain. If you created a plain container object rather than an OU, its RDN is cn=WebADM instead; whichever you chose, every container below must use the same parent.

# Find below the LDAP containers required by WebADM.
# Change the container's DN to fit your ldap tree base.
# WebADM AdminRoles container
adminroles_container "cn=AdminRoles,ou=WebADM,dc=mydomain,dc=com"
# WebADM Optionsets container
optionsets_container "cn=OptionSets,ou=WebADM,dc=mydomain,dc=com"
# WebApp configurations container
webapps_container "cn=WebApps,ou=WebADM,dc=mydomain,dc=com"
# WebSrv configurations container
websrvs_container "cn=WebSrvs,ou=WebADM,dc=mydomain,dc=com"
# Mount points container
mountpoints_container "cn=Mountpoints,ou=WebADM,dc=mydomain,dc=com"
# Domain and Trusts container
domains_container "cn=Domains,ou=WebADM,dc=mydomain,dc=com"
# Clients container
clients_container "cn=Clients,ou=WebADM,dc=mydomain,dc=com"
# You can set here the timeout (in seconds) of a WebADM session.
# Web sessions will be closed after this period of inactivity.
# The Manager Interface cookie-based sessions are disabled by default.
admin_session 900
manager_session 0
webapps_session 600

# You can set here the WebADM internal cache timeout. A normal value is one hour.
cache_timeout 3600

# Application languages
languages "EN","FR","DE","ES","IT","FI"

# WebADM encrypts LDAP user data, sensitive configurations and user sessions with
# AES-256. The encryption key(s) must be 256bit base64-encoded random binary data.
# Use the command 'openssl rand -base64 32' to generate a new encryption key.
# Warning: If you change the encryption key, any encrypted data will become invalid!
# You can set several encryption keys for key rollout. All the defined keys are used
# for decrypting data. And the first defined key is used to (re-)encrypt data.
# Two encryption modes are supported:
# Standard: AES-256-CBC (default)
# Advanced: AES-256-CBC with per-object encryption (stronger)
encrypt_data Yes
encrypt_mode Standard
encrypt_hsm  No
encrypt_key  "cq19TEHgHLQuO09DXzjOw30rrQDLsPkT3NiL6l3BH2w="

# Hardware Cryptography Module
# Yubico YubiHSM and RCDevs HSMHub are currently supported for hardware encryption.
# Up to 8 HSM modules can be concurrently attached to the server.
#hsm_model YubiHSM
#hsm_keyid 1

# Data store defines which back-end is used for storing user data and settings.
# By default WebADM stores the user and group metadata in the LDAP. By setting the
# data_store to SQL, these metadata are stored in a dedicated SQL table.
# LDAP is generally the preferred option because it maximizes the system consistency.
# SQL is preferred if you absolutely need read-only LDAP access for the proxy_user.
data_store LDAP

# The group mode defines how WebADM will handle LDAP groups.
# - Direct mode: WebADM finds user groups using the memberof_attrs defined above.
#   In this case, the group membership is defined in the LDAP user objects.
# - Indirect mode: WebADM finds user groups by searching group objects which contain
#   the user DN as part of the member_attrs.
# - Auto: Both direct and indirect groups are used.
# - Disabled: All LDAP group features are disabled in WebADM.
# By default (when group_mode is not specified) WebADM handles both group modes.
group_mode Auto

# LDAP cache greatly improves performance under high server loads. The cache limits
# the number of LDAP requests by storing resolved user DN and group settings. When
# enabled, results are cached for 300 secs.
ldap_cache Yes

# LDAP routing enables LDAP request load-balancing when multiple LDAP servers are
# configured in servers.xml. You should enable this feature if LDAP server load
# becomes a bottleneck due to a big amount of users (ex. more than 10000 users).
#ldap_routing No

# You can optionally disable some features if you run multiple WebADM servers with
# different purposes. For example, if you don't want to provide admin portal on an 
# Internet-exposed WebApps and WebSrvs server.
# By default, all the functionalities are enabled.
enable_admin Yes
enable_manager Yes
enable_webapps Yes
enable_websrvs Yes

# Enable extended logging to the webadm.log file (enabled by default).
# Records all WebApps and Web Service events to the webadm.log file.
log_webapps Yes
log_websrvs Yes

# Enable syslog reporting (disabled by default). When enabled, system logs are sent
# to both the WebADM log files and syslog.
#log_debug No
#log_format Default
#log_syslog No
#syslog_facility LOG_USER
#syslog_format CEF

# Alerts are always recorded to the SQL Alert log. Additionally, when alert_email
# is defined, the alerts are also sent by email to the configured recipient(s).
#alert_email "me@mydomain.com"

# If your WebADM server is used behind a reverse-proxy or load-balancer, you need to
# set the IP address(es) of your reverse-proxy server(s). Your proxy MUST create the
# HTTP_X_FORWARDED_FOR and HTTP_X_FORWARDED_HOST headers.
#reverse_proxies "192.168.0.100", "192.168.0.101"
# If you use WebADM Publishing Proxy (WAProxy) for publishing applications on public
# networks, then you must set the IP address(es) of the WAProxy server(s).
# Enable this setting ONLY if you are using RCDevs WAProxy as reverse-proxy!
#waproxy_proxies "192.168.0.102"
# The public DNS name of your WAProxy server
#waproxy_pubaddr "www.myproxy.com"

# Check for new product versions and license updates on RCDevs' website.
# These features require outbound Internet access from the server.
check_versions Yes
check_licenses Yes

# WebApps theme
# Comment the following line to disable the default theme.
webapps_theme "default"

# End-user messages
# The following variables are available: %USERNAME%, %USERDN%, %USERID%, %DOMAIN%, %APPNAME%
# Additional variables are available depending on the context: %APPID%, %TIMEOUT%, %EXPIRES%
unlock_subject "Unlocked access to %APPNAME%"
unlock_message "Hello %USERNAME%,\r\n\r\nYou have a one-time access to the %APPNAME%.\r\nYour access will automatically expire %EXPIRES%."

# Personalization options
# You can customize your organization name, logo file and website URL.
# The logo file must be PNG image with size 100x50 pixels.
#org_name "RCDevs SA"
#org_logo "rcdevs.png"
#org_site "http://www.rcdevs.com/"

# Misc options
#treeview_width 300
#treeview_items 1500
#default_portal Admin
#ldap_uidcase No
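The webadm.conf settings of sections 3.2 and 4.2 are easy to get subtly wrong: a container left under a different parent than the others, extended and non-extended object classes mixed together, or the sample password and encryption key left in place. The following script, an example added here and not RCDevs code, parses the file format shown above (key/value lines, # comments, backslash continuations, quoted comma-separated lists) and flags those conditions. It runs offline against a constructed excerpt of the documentation sample in which two mistakes were planted; the finding codes and the DOC_SAMPLE_* names are this example's own.

```python
"""Lint webadm.conf for the AD pitfalls of sections 3.2 and 4.2. Added example by the
editor, not RCDevs code; the parser follows the file format shown above."""
import re
import sys
from typing import Dict, List, Tuple

DOC_SAMPLE_KEY = "cq19TEHgHLQuO09DXzjOw30rrQDLsPkT3NiL6l3BH2w="   # printed in the docs
DOC_SAMPLE_PASSWORD = "Password1234"                               # printed in the docs
CONTAINER_KEYS = ("adminroles_container", "optionsets_container", "webapps_container",
                  "websrvs_container", "mountpoints_container", "domains_container",
                  "clients_container")
# The two consistent object-class/attribute sets (section 3 vs section 4), lower-cased.
SCHEMA_SETS = {
    "extended": {"webadm_account_oclasses": "webadmaccount", "webadm_group_oclasses": "webadmgroup",
                 "webadm_config_oclasses": "webadmconfig", "webadm_data_attrs": "webadmdata",
                 "webadm_settings_attrs": "webadmsettings", "webadm_type_attrs": "webadmtype"},
    "not_extended": {"webadm_account_oclasses": "bootabledevice", "webadm_group_oclasses": "bootabledevice",
                     "webadm_config_oclasses": "device", "webadm_data_attrs": "bootfile",
                     "webadm_settings_attrs": "bootparameter", "webadm_type_attrs": "serialnumber"},
}


def parse_webadm_conf(text: str) -> Dict[str, List[str]]:
    """'key value' lines; '#' comments; a trailing backslash continues the line;
    a value is a bare token or a comma-separated list of "quoted" strings."""
    settings: Dict[str, List[str]] = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()  # also tolerates stray whitespace after a continuation backslash
        if not pending and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        parts = (pending + line).split(None, 1)
        pending = ""
        if len(parts) == 2:
            settings[parts[0]] = re.findall(r'"([^"]*)"', parts[1]) if '"' in parts[1] else [parts[1]]
    return settings


def lint_webadm_conf(text: str) -> List[Tuple[str, str]]:
    """Return (code, explanation) findings; an empty list means nothing was flagged."""
    s = parse_webadm_conf(text)

    def val(k: str) -> List[str]:
        return [v.lower() for v in s.get(k, [])]

    out: List[Tuple[str, str]] = []
    if s.get("proxy_password") == [DOC_SAMPLE_PASSWORD]:
        out.append(("SAMPLE_PASSWORD", "proxy_password is the documentation sample value"))
    if DOC_SAMPLE_KEY in s.get("encrypt_key", []):
        out.append(("SAMPLE_KEY", "encrypt_key is the key printed in the documentation; "
                                  "generate your own with: openssl rand -base64 32"))
    if val("encrypt_data") not in ([], ["yes"]):
        out.append(("ENCRYPT_OFF", "encrypt_data is not Yes: user data would sit in clear in LDAP"))
    proxy = (val("proxy_user") or [""])[0]
    if proxy.startswith("cn=administrator,") or proxy in val("super_admins"):
        out.append(("PRIVILEGED_PROXY", "proxy_user is the built-in Administrator or a super admin; use a "
                                        "dedicated account with only the rights listed under Proxy User Rights"))
    # Every container DN minus its first RDN must name the same WebADM OU.
    parents = {dn.split(",", 1)[-1] for k in CONTAINER_KEYS for dn in val(k)}
    if len(parents) != 1:
        out.append(("CONTAINER_PARENT", "containers are not all under one OU: %s" % sorted(parents)))
    for name, expected in SCHEMA_SETS.items():
        hits = sum(1 for k, v in expected.items() if v in val(k))
        if 0 < hits < len(expected):
            out.append(("SCHEMA_MIX", "object classes/attributes only partly match the %s set" % name))
            break
    admin_auth = (val("admin_auth") or [""])[0]
    if admin_auth in ("uid", "dn"):
        out.append(("ADMIN_AUTH_SINGLE_FACTOR", "admin portal login is password-only (%s)" % admin_auth.upper()))
    return out


# Constructed excerpt of the documentation sample with two mistakes planted on purpose:
# one non-extended attribute mixed into the extended set, one container under cn=WebADM.
DOC_SAMPLE_CONF = """\
admin_auth UID
proxy_user     "cn=Administrator,cn=Users,dc=mydomain,dc=com"
proxy_password "Password1234"
super_admins "cn=Administrator,cn=Users,dc=mydomain,dc=com", \\
\t     "cn=Domain Admins,cn=Users,dc=mydomain,dc=com"
webadm_account_oclasses "webadmAccount"
webadm_group_oclasses   "webadmGroup"
webadm_config_oclasses  "webadmConfig"
webadm_data_attrs       "bootFile"
webadm_settings_attrs   "webadmSettings"
webadm_type_attrs       "webadmType"
adminroles_container "cn=AdminRoles,ou=WebADM,dc=mydomain,dc=com"
domains_container "cn=Domains,ou=WebADM,dc=mydomain,dc=com"
clients_container "cn=Clients,cn=WebADM,dc=mydomain,dc=com"
encrypt_data Yes
encrypt_key  "cq19TEHgHLQuO09DXzjOw30rrQDLsPkT3NiL6l3BH2w="
"""

if __name__ == "__main__":  # usage: python lint_webadm.py /opt/webadm/conf/webadm.conf
    found = lint_webadm_conf(open(sys.argv[1]).read() if len(sys.argv) > 1 else DOC_SAMPLE_CONF)
    print("\n".join("%-25s %s" % f for f in found) or "no findings")
    sys.exit(1 if found else 0)
```

Run it against the real file with python lint_webadm.py /opt/webadm/conf/webadm.conf; a non-zero exit status means something was flagged. The ADMIN_AUTH_SINGLE_FACTOR finding is informational: UID is what the first login needs, but the file's own comments recommend PKI, OTP, U2F or MFA for the admin portal once setup is complete.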

4.3 Proxy User Rights

The proxy user performs wide LDAP searches and reads. It needs read permissions on the WebADM LDAP configuration objects (the configured containers) and on the user Domain subtrees. It also needs to write a few LDAP attributes, because it stores dynamic application user data on the user objects.

In some circumstances the proxy user also needs to write application settings on users and groups. The following attributes are re-used by WebADM in this scenario and need proxy user write permissions:

  • bootFile : is the attribute where the applications store the user data (ex. OpenOTP enrolled Token states).

  • bootParameter : is the attribute where WebADM stores user-specific settings (ex. per-user OTP policy).

If you use the WebADM self-service applications, then depending on what you allow users to do in them the proxy user may need additional permissions. For example, if users may reset their LDAP password or set their mobile number or email address, the proxy user needs write permissions on the corresponding LDAP attributes.

In general, it is recommended to grant the proxy user write access to the following attributes:

  • bootFile (dynamic and encrypted application data)

  • bootParameter (only if Self-Services are used to configure account settings)

  • mail (only if Self-Services are used to set email addresses)

  • mobile (only if Self-Services are used to set mobile numbers)

  • preferredLanguage (only if Self-Services are used to set user language)

  • unicodePwd (only if Self-Services are used to set user password)

Create the proxy user in AD and configure the proxy_user and proxy_password settings in webadm.conf. As in the extended scenario, prefer a dedicated service account holding only the rights listed above over the built-in Administrator used in the sample, since the proxy password is stored in clear text in webadm.conf.

If you have difficulties setting the proxy user rights in Active Directory, read the dedicated how-to: AD Proxy User.

4.4 WebADM Administrator(s)

To allow an administrator or an admin group to log on to the WebADM interface, edit the super_admins setting in webadm.conf (the continuation backslash must be the last character on its line):

super_admins "cn=Administrator,cn=Users,dc=mydomain,dc=com", \
        "cn=Domain Admins,cn=Users,dc=mydomain,dc=com"

5. Servers Configuration

The LDAP server(s) are declared in /opt/webadm/conf/servers.xml. Edit this file and configure the LdapServer entry like below:

<LdapServer name="My_AD"
        host="ip_or_dns_name_of_your_AD"
        port="389"
        encryption="TLS"
        cert_file=""
        key_file="" />      

Note

For the extended schema scenario you must point WebADM at the schema master; if you list more than one LDAP server in servers.xml, the first one is used as schema master. Listing more than one LDAP server requires an enterprise license.

In this sample, encryption="TLS" together with port 389 means STARTTLS (a plain LDAP connection upgraded to TLS before the bind); for LDAPS use port 636 with encryption="SSL". Do not use encryption="NONE" against Active Directory: the proxy user password would cross the network in clear, and AD refuses unicodePwd writes (needed for self-service password reset) over an unencrypted connection.
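The transport settings in servers.xml decide whether the proxy user password and every user bind travel encrypted. This check, an example added here and not RCDevs code, walks the LdapServer elements and flags a placeholder host, cleartext entries, port/encryption mismatches and a half-configured client certificate. It assumes the encryption values SSL, TLS and NONE with the meanings given above (LDAPS, STARTTLS, cleartext) and a root element wrapping the LdapServer entries as in the shipped file; the sample XML is constructed.

```python
"""Check the LdapServer entries of a WebADM servers.xml for transport pitfalls.
Added example by the editor, not RCDevs code. Assumes the encryption values
SSL/TLS/NONE and a root element above the LdapServer entries; sample XML is constructed."""
import sys
import xml.etree.ElementTree as ET
from typing import List, Tuple

# encryption attribute value -> (conventional port, what happens on the wire)
MODES = {
    "SSL": (636, "LDAPS, TLS from the first byte"),
    "TLS": (389, "STARTTLS, plain LDAP upgraded to TLS before the bind"),
    "NONE": (389, "cleartext LDAP"),
}


def check_ldap_servers(xml_text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (server names in file order, findings as (server name, explanation)).
    The first name is the server WebADM treats as schema master in the extended scenario."""
    root = ET.fromstring(xml_text)
    names: List[str] = []
    findings: List[Tuple[str, str]] = []
    for srv in root.iter("LdapServer"):
        name = srv.get("name", "<unnamed>")
        names.append(name)
        host = srv.get("host", "")
        enc = srv.get("encryption", "NONE").upper()
        port = int(srv.get("port", "389"))
        if not host or host.startswith("ip_or_dns"):
            findings.append((name, "host is still the documentation placeholder"))
        if enc not in MODES:
            findings.append((name, "unknown encryption value %r" % enc))
            continue
        expected_port, wire = MODES[enc]
        if enc == "NONE":
            findings.append((name, "%s: the proxy_user password crosses the network unprotected and "
                                   "AD refuses unicodePwd writes (self-service password reset)" % wire))
        if port != expected_port:
            findings.append((name, "port %d with encryption=%s is unusual (%s normally uses %d)"
                                   % (port, enc, wire.split(",")[0], expected_port)))
        if bool(srv.get("cert_file")) != bool(srv.get("key_file")):
            findings.append((name, "cert_file and key_file must be set together"))
    return names, findings


# Constructed sample: first server is the schema master, second mixes the LDAPS port
# with STARTTLS, third is a cleartext lab entry.
SAMPLE_SERVERS_XML = """\
<Servers>
  <LdapServer name="DC1" host="dc1.mydomain.com" port="389" encryption="TLS" cert_file="" key_file="" />
  <LdapServer name="DC2" host="dc2.mydomain.com" port="636" encryption="TLS" cert_file="" key_file="" />
  <LdapServer name="Lab" host="10.0.0.5" port="389" encryption="NONE" cert_file="" key_file="" />
</Servers>
"""

if __name__ == "__main__":  # usage: python check_servers.py /opt/webadm/conf/servers.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVERS_XML
    names, findings = check_ldap_servers(text)
    print("schema master candidate (first LdapServer):", names[0] if names else "none")
    for name, why in findings:
        print(name, "-", why)
    sys.exit(1 if findings else 0)
```

The first name returned is the one to double-check against the actual Schema Master role holder before the first GUI login in the extended-schema scenario.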

6. WebADM Services

After editing webadm.conf and servers.xml, start or restart the WebADM services:

/opt/webadm/bin/webadm restart

WebADM configuration on the command line is done; the setup is finished through the web interface.

7. WebADM Setup Wizard

Open the web interface by entering the IP address or DNS name of your WebADM server in your browser.

For the first login, use the DN of a super_admins user defined in webadm.conf.


Once logged in, the first page shows the message:

Your WebADM installation is not completely configured!


Note

If you chose the extended schema scenario, log in with the schema admin account defined as super admin in webadm.conf.

Scroll to the bottom of the page and click the blue button to finish the setup.


Installation and configuration are done. Log out and log in again, this time with the username rather than the DN.


8. WebADM Domain Configuration and OpenOTP Registration

To finish, in the WebADM GUI click Admin at the top and then Local Domains. “Default” is listed under Registered Local Domains; this object was created during the graphical setup. Click CONFIGURE and tick Domain Name Aliases. In this field, enter your DNS domain name and your NetBIOS domain name.

Example

If the domain is rcdevs.com and the NetBIOS name is netbiosrcdevs, the field contains rcdevs.com, rcdevs, netbiosrcdevs.

You can also configure your User Search Base here.


Now register the OpenOTP application to enable the service: open the Applications tab, select Authentication in the Categories box, and under Web Services find MFA Authentication Server (OpenOTP).


Click the Register button.


Configuration is done! You can use your Active Directory with WebADM & OpenOTP.

9. Video Tutorial Without Schema Extension

A video walkthrough of the schema-not-extended scenario is available on the RCDevs YouTube channel.