Replace login for config UI
Default authentication for the web ui uses an internal user. It is possible to reconfigure the PhenixID server to use external datasource for authentication. This article will describe how to use an Active Directory as primary source using username & password.
In order to allow user to log in the user in the configuration manager an attribute, "role", must be present on the user logging in. Value of this atribute is expected to be "sysadmin". If no such attribute exists either create it in the directory or add it to the users attribute list when loggin in at runtime.
Before performing steps below be sure to backup the server configuration.
PhenixID also support multifactor authentication. Contact PhenixID support if having any questions regarding multifactor authentication.
Prepare the connection
Perform scenario adding the LDAP/AD connection. Follow these steps.
Prepare the user validation
Locate the id of the created LDAP connection:
Create two new valves.
Under the Advanced tab in configuration manager. Locate and expand "Pipe valves" .
{
"name": "LDAPSearchValve",
"enabled": "true",
"config": {
"connection_ref": "<id of the connection>",
"base_dn": "<id of the connection>",
"scope": "SUB",
"size_limit": "0",
"filter_template": "<attribute name holding the username often samaccoutname/uid>={{request.username}}" //extend the ldap search filter to restrict only allowing "true" admins.
},"id":"<unique_id>"
}
{
"name": "LDAPBindValve",
"alias": "auth_pipe_bind",
"enabled": "true",
"config": {
"connection_ref": "<id of the connection>",
"password_param_name": "password"
},
"id": "<uniqu_id>"
}
Creating a pipe
In the Advanced locate Pipes. Expand and add a Pipe:
{
"name": "Config auth pipe",
"description": "Pipe to authenticate user from remote AD",
"enabled": "true",
"id": "<unique_id>",
"config": {
"valve_refs": "<valve_id from earlier (LDAPSearch)>,<valve_id from earlier (LDAPBind)>"
}
}
Prepare the authenticator
In the modal window click "Advanced"
Modify the snippet below according to the environment and paste it into the dialog. Values within "<>" need to be changed. Do not keep "<>".
{
"id": "<unique_id>",
"alias": "login",
"name": "PostUidAndPassword",
"configuration": {
"pipeID": "<id_of_created_pipe>",
"successURL": "/config/",
"translationKey": "login.messages.information.body.enduser",
"headingtranslationKey": "login.messages.information.header.enduser"
}
}
Stage and save the changes.
Update boot.json
Locate the "auth_redirect_url" and change the value to "/config/authenticate/login". Save the file and restart server.