RCDevs WebADM Administrator’s Guide - Page 1 of 76The specifications and information in this document are subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. This document may not be copied or distributed by any means, in whole or in part, for any reason, without the express written permission of RCDevs. Copyright (c) 2010-2012 RCDevs SARL. All rights reserved. http://www.rcdevs.com/ WebADM and OpenOTP are trademarks of RCDevs. All further trademarks are the property of their respective owners. Limited Warranty No guarantee is given for the correctness of the information contained in this document. Please send any comments or corrections to
[email protected]. RCDevs WebADM Administrator’s Guide - Page 2 of 76 1. Product Documentation! 2. Product Overview! 3. Product Files and Folders! 4. WebADM Components! 4.1. Network Services! 4.1.1. HTTP Server! 4.1.2. SOAP Server! 4.1.3. Session Manager! 4.1.4. PKI Server! 4.1.5. Services Start and Stop! 4.2. Web Portals! 4.2.1. The Administrator Portal! 4.2.2. The WebApps Portal! 4.2.3. The Web Services Portal! 4.3. Web Services! 4.4. WebApps! 4.5. The Manager Interface! 5. Configuration Files! 5.1. Other Configurations! 6. LDAP Management! 6.1. Common LDAP Objects! 6.1.1 User Accounts! 6.1.2. User Groups! 6.1.3. Administrative Accounts! 6.1.4. Containers! 6.2. WebADM Configuration Objects! 6.2.1. WebADM OptionSets! 6.2.2. WebADM MountPoints! 6 6 7 8 8 8 8 9 9 9 9 9 13 14 15 16 17 17 20 20 21 21 22 24 25 26 27 27 RCDevs WebADM Administrator’s Guide - Page 3 of 76 6.2.3. WebADM LDAP Domains! 6.2.4. WebADM Trust Domains! 6.2.5. WebADM Web Service Clients! 6.2.6. WebADM WebApps and Web Services! 6.3. WebADM-Specific Attributes! 6.3.1. WebADM Settings Attribute! 6.3.2. WebADM Data Attribute! 6.3.3. Password Attribute! 6.3.4. UID Attribute! 6.3.5. Certificate Attribute! 6.3.6. Language Attribute! 6.3.7. Mobile Attribute! 6.3.8. Mail Attribute! 6.3.9. WebADM Config Type Attribute! 6.4. WebADM LDAP Schema! 6.5. Creating Objects! 6.6. Editing Objects! 6.6.1. The Contextual Action Box! 6.6.2. The Information Box! 6.6.3. The Application Box! 6.6.4. Object Name! 6.6.5. New Attributes! 6.6.6. Extensions! 6.6.7. Attribute List! 6.7. Moving / Copying Objects! 6.8. Exporting / Importing Objects! 6.8.1. LDIF Export / Import! 6.8.2. CSV Import! 27 28 28 28 28 28 29 29 30 30 30 30 31 31 31 32 33 33 34 34 34 35 35 35 36 37 37 38 Using the Manager Interface! 18.Page 4 of 76 6.4. Searching for Objects! 6. Localized Messages Editor! 14.2. Managing User Certificates! 15.9. WebADM OptionSets! 7. User Application Settings! 17.1. WebADM Trust Domains! 11. Pruning the Log Database! 13.1. Embedding a WebApp! 19. Administrator Restriction Options! 7.2. Clustering! 20.1. Log Display Options! 12. Rsign PKI Subsystem! 15. Batch Search Actions! 7. Rsign Client! 16. WebADM LDAP Domains! 10. Log Viewer! 12.RCDevs WebADM Administrator’s Guide .conf file! 39 40 41 41 43 44 46 48 49 51 52 52 53 53 54 54 55 57 57 57 58 59 60 61 62 63 64 65 .2. Creating Log Filters! 12. WebADM MountPoints! 9.1. Log Result Actions! 12.3. Managing Applications! 16.9. WebADM Web Service Clients! 12. Rsignd Server! 15. Extending the LDAP Schema! 15. Installing WebApps and Web Services! 18.3.1. LDAP Tree Options! 8. Common Issues! Appendix A : Sample webadm.1. RCDevs WebADM Administrator’s Guide .Page 5 of 76 Appendix B : Sample servers.xml file! Appendix C : Sample rsignd.conf file! Appendix D : Sample Manager Interface usage! 69 72 74 . For this reason. Instead. 2. It provides a hierarchical view of LDAP Organizations. WebADM can manage and federate all your organization directories in one single interface. Novell. it is able to provide dynamic administration interfaces for managing the existing objects with their attributes. WebADM is also the only software which able to unify your Microsoft and UNIX infrastructure. WebADM installation and setup is not covered by this guide and is documented in the RCDevs WebADM Installation Guide. without needing specific configurations or new object manipulation templates. LDAP groups. Product Overview WebADM is a powerful Web-based LDAP administration software designed for professionals to manage LDAP Organization resources such as domain users and groups. when you connect a WebADM to a LDAP directory. It supports domains of users. WebADM has been built for a maximum simplify of use and its usage is very intuitive. working with your existing directories and domains. WebADM does not use static LDAP object administration templates. That means. WebADM can be used standalone. it implements your centralized authentication system. WebADM can extend your ActiveDirectory users (with POSIX functionalities) so that they work with your PAM-LDAP UNIX systems. It is also the configuration interface for RCDevs Web Services and WebApps (end-user applications). It is the centralized administration interface for all RCDevs Web services and Web applications.RCDevs WebADM Administrator’s Guide . not all the features are documented in this guide as they are most of the time self-explaining. With this information. multi-level applications’ policies. and create new ones.Page 6 of 76 1. Better.. To achieve this. Product Documentation This document is a configuration guide for RCDevs WebADM. delegated administration and powerful management for your directories. Other directories might work but are not tested nor supported by RCDevs. web service client applications’ access control rules. You can seamlessly manage both systems from the interface. Moreover. SQL and file-based audit trails and ultra-rich LDAP object management features. . The possibilities for managing your enterprise security are nearly unlimited and WebADM’s flexibility makes it possible to implement any enterprise security requirement. RCDevs Directory Server and Microsoft ActiveDirectory 2003/2008. it will read the LDAP server schemas and will immediately be able to manage the directory objects. With OpenOTP. WebADM understands both Microsoft ActiveDirectory domains and UNIX PAM-LDAP users. as a powerful LDAP management interface. OpenLDAP. It connects your ActiveDirectory.. WebADM is compatible with Novell eDirectory. WebADM includes a set of objectclass and attribute specifications providing information for manipulating specific data types. WebADM usage is 100% graphical and many features are documented inside the management interface itself. Specific application guides are available through the RCDevs online documentation library. The reader should notice that this document is not a guide for configuring WebADM applications (Web Services and WebApps). it is able to read and understand any LDAP directory schema. OpenLDAP all together and provides hierarchical view. • /opt/webadm/doc/ : Location for WebADM documentation resources. And. 3. It includes its own PKI subsystem to create. assign them quotas or settings. • setup : Initial WebADM setup script run by the self-installer.xml : XML configuration file that defines the LDAP objects supported by WebADM and their related parameters. • /opt/webadm/conf/ : Location for WebADM configuration files. With the OptionSets.conf file with explanations. • /opt/webadm/bin/ : Location for WebADM service binaries and startup scripts. The setup can be re-run manually at any time.. so the settings can be re-defined into sub-contexts. • objects. Windows accounts.. • /opt/webadm/doc/scripts/ : This folder contains some useful scripts such as the tool for creating and renewing WebADM SSL certificates./ webadm stop./webadm start. or quota can be affined at sub-tree levels. issue . Administrators can create new contexts with subadministrators and assign them rights in the limit of their own authorizations. WebADM uses client certificates as default and recommended authentication mechanism for more security when administering LDAP resources. Please look at the Appendix A for an example of webadm.. To stop webADM. with different privileges and views. Administrators can be created at different levels of the tree structure. WebADM supports delegated administration and fine-grained access control to LDAP resources.RCDevs WebADM Administrator’s Guide . distribute and revoke user login certificates. You can edit the XML definitions in this file to customize many aspects of the WebADM behavior. the OptionSets work with inheritance. • webadm : WebADM executable control script for starting and stopping the server processes. The ‘setup slave’ command provides slave mode setup for clustered environments. WebADM can be used as a central management system for multiple LDAP trees. . WebADM includes all the necessary features to create new administrators. issue . With Novell eDirectory. renew. Product Files and Folders Find below the WebADM software installation file structure and important files. • webadm. WebADM takes advantage on the LDAP built-in permissions (ACLs). it provides a very simple way to assign settings to specific contexts.Page 7 of 76 WebADM is also able to manipulate Unix. restrict tree access. but without compromising the directory security. To start WebADM from command line. without additional configurations.conf : Main configuration file. groups and whatever data your directory is able to store. etc. in order to provide even more detailed management policies. WebADM proxy-user account DN. Defines the basic WebADM startup parameters.. etc.. Please look at the WebADM High Availability documentation for details.. location of WebADM-specific LDAP containers. Applications are provided with self-installers and are automatically installed in this place.1. This folder contains the WebADM CA signing certificate and the services’ SSL certificates.1. SOAP Server . Applications are provided with self-installers and are automatically installed in this place. Please look at the Appendix B for an example of servers. • /opt/webadm/lib/ : Location for WebADM system libraries. WebADM configuration files are documented inline. Please look at the appendixes in this document for the default configuration files with comments. • webadm. • /opt/webadm/websrvs/ : Location for WebADM Web Services.1. • rsignd. Network Services 4. WebADM Components The WebADM server is composed of several server components and Web Portals.RCDevs WebADM Administrator’s Guide . Please look at the bin/webadm startup script for the list of variables. WebADM automatically checks the configuration files for syntax errors or mistakes and writes any problem discovered in the log file /opt/webadm/logs/httpd. The Web server includes a high performance multithreaded caching system which uses shared memory for maximum service responsiveness.xml file with explanations.2.env : Some runtime environment variables can be re-defined in this file. bundled into one unique application. SMTP and HTTP proxies. SQL. By default. Please look at the Appendix C for an example of rsignd.conf file with explanations.1. • /opt/webadm/logs/ : Location for log files produced by all the WebADM services. • /opt/webadm/webapps/ : Location for WebADM Web Applications. These components include: 4. 4.xml : XML configuration file that specifies the server connections for LDAP. all the Web interfaces are running over HTTPS on port 443.Page 8 of 76 • servers. Session Manager. • /opt/webadm/pki/ : Location for WebADM integrated PKI server files. the WebApp portal and a Web Services information portal.log. • /opt/webadm/libexec/ : Location for WebADM system executables. Defines the integrated certificate authority settings and its clients. PKI.conf : PKI server (Rsignd) configuration file. 4. HTTP Server WebADM provides only Web-based user interfaces and includes its own HTTP server which provides the administrator portal. 2. The Administrator Portal This portal allows administrators to manage the LDAP objects of the organization. a clustered system should use only one PKI server for maintaining the coherence in the certificate serial numbers. Best of all.Page 9 of 76 WebADM registered applications provide SOAP/XML interfaces only. 4. It provides a tree view of the LDAP organization. the SOAP server.RCDevs WebADM Administrator’s Guide .log files.1. counters and object locks. By default.1. Use the commands webadm start. For security requirements.2. 4. Session Manager Most of the WebADM registered applications require storing session data. an object editor and many wizard-based LDAP operations. the session manager server and the PKI server.3. The SOAP server includes a high performance multithreaded caching system which uses shared memory for maximum service responsiveness. WebADM administration action logs are accessible in the Databases menu in WebADM. 4. the SOAP service is running on HTTP port 8080 and HTTPS port 8443. The SOAP server component provides the HTTP and HTTPS listeners over which the SOAP/XML interfaces are accessible. The administrator portal is accessible at the URL: https://yourserver/. 4. PKI Server WebADM includes its own PKI system for issuing user certificates.4. . The startup script is responsible for starting and stopping the WebADM HTTP server. the PKI is working in client-server mode and the signing server does not run under the same system user than the other WebADM services. a cluster of WebADM servers can be bound to one common session manager for operating commonly and having all their work data always synchronized.1. As for the session manager. webadm stop and webadm restart to start. The PKI functionalities are used by the administrator portal and some WebADM applications. System logs are accessible in the logs/httpd. This ensures the Certificate Authority (CA) component cannot be accessed even through a breach in the other components.1. Web Portals 4. This ensures the clustered systems are not affected by some kind of replay attacks and are able to handle the failover and load-balancing in the best conditions. The WebADM session manager provides those functionalities in a very high performant and distributed way.log and logs/soad.5. timers. stop or restart the WebADM services. setup and configure WebADM applications. Services Start and Stop The WebADM startup script (webadm) is located in the bin/ directory. the home page displays the button to access the initial setup wizard. administrative options and tree options for the LDAP login context (see section OptionSets for details). and if WebADM is not properly installed. installed applications.RCDevs WebADM Administrator’s Guide .conf). WebADM Admin Portal Login Figure 2.Page 10 of 76 Figure 1. When logging in as a super administrator (see WebADM main configuration file conf/ webadm. WebADM Menu The main Admin Portal menu at top of the page gives instant access to: 1) The Administrator Home Page: This page display a summary of the administrator user details. . RCDevs WebADM Administrator’s Guide . MountPoints and applications. WebADM configurations. registered Domains. as well as buttons for flushing the WebADM caches. WebADM Home Page 2) The General Information Menu: It displays a list of buttons for getting information concerning the LDAP server and schema.Page 11 of 76 Figure 3. It includes buttons for retrieving the Certificate Authority (CA) public certificate and the server SSL certificate. . See section Searching Objects for details. See section Creating Objects for details. .xml). OptionSets. Domains. WebApps and Web Services. 4) The Search Menu: It allows searching for LDAP objects.RCDevs WebADM Administrator’s Guide .Page 12 of 76 Figure 4. Information Page 3) The Object Creation Menu: It displays a list of object that can be created. The listed objects are those which are specified in the object specifications file (conf/objects. The first object of the list is a generic LDAP object used for creating WebADM configuration objects such as MountPoints. It includes a drop-down list for selecting one of these object types. 2.Page 13 of 76 5) The Import Menu: It allows importing LDAP objects in batch using LDIF or CSV file formats.RCDevs WebADM Administrator’s Guide . . 6) The Databases Menu: It displays the list of SQL log tables and application localized message tables. 8) The About Menu: It display WebADM version information. About Page 4. This portal is accessible at the URL: https://yourserver/webapps/. Figure 5. See section Log Viewer and Localized Messages Editor for details. See section Importing Objects for details. 7) The Application Menu: It displays the list and status of the registered WebADM WebApps and Web Services.2. changelog and some RCDevs contact email addresses. The WebApps Portal The WebApp portal displays the list of registered applications with the links for directly entering them.. Page 14 of 76 Figure 6. 4. This can be useful if you want to expose the WebApps over the Internet but not the admin portal.2. the admin portal can be disabled too in the WebADM main configuration file (conf/webadm. That means there exist no references pointing to other locations on the Web server when you access a WebApp. The /webapps/ HTTP location contains all the necessary resources for running a WebApp (meaning stylesheets and image references). WebApps Portal A WebApp named mywebapp can be accessed directly at the URL: https://yourserver/webapps/ mywebapp.RCDevs WebADM Administrator’s Guide .3.conf). The Web Services portal is accessible at the URL: https://yourserv/ websrvs/. The Web Services Portal This portal is only informational and displays the list of registered Web Services with their service descriptions files (WSDL). Note that if you run a system with multiple servers. The WebApps URL can also easily the placed behind a reverse-proxy which redirects URLs only for the WebApps location. . Web Services Portal 4.RCDevs WebADM Administrator’s Guide . Web Services RCDevs solutions (example: OpenOTP) run on top of the WebADM Server. which embeds the HTTP and SOAP engines required by Web Services and WebApps. The Web Services provide final functionalities such as user authentication services. The solutions are generally composed of both Web Services and end-user Web Applications (WebApps).3. 2) A WSDL service description file. The Web Services provide: 1) A SOAP XML interface. A WebADM Web Service is a pluggable component to be installed (deployed) in WebADM. WebADM is a container (application server).Page 15 of 76 Figure 7. . RCDevs WebADM Administrator’s Guide . RCDevs OpenOTP Software Token requires the end users to register their secret Token keys.Page 16 of 76 3) A graphical configurator. Registered Web Services 4. You can review the list of registered Web Services and their status in the Application Menu. 2) Optional authentication with PKI. . etc. Figure 8. resynchronize their token application.. The Web Applications provide: 1) Some public Web pages. WebApps A WebADM Web Application (WebApp) is a pluggable component to be installed (deployed) in WebADM. 3) A graphical configurator.4. or Domain login (depending on the WebApp purpose). WebApps are generally companion application for some Web Services.. For example. Figure 9. Registered Web Services 4.RCDevs WebADM Administrator’s Guide . Please look at section 17 for details about the Manager Interface. The Manager also allows external systems such as Web portals to remotely trigger user management operations and actions from the network.Page 17 of 76 You can review the list of registered Web Services and their status in the Application Menu. 5. The Manager Interface The Manager is a remote procedure call (RPC) interface which provides access to some WebADM user management functions and operations exported by your registered applications. Configuration Files . The Manager interface is accessible at the URL: https://yourserver/manag/.5. Page 18 of 76 The configuration files are self-documented. you must add the proxy user to the Domain Admins group. then be sure to add one of its objectclasses to the list.PKI: WebADM requires a client certificate and a login password. You can set a list of individual LDAP users or LDAP groups here. Be sure to respect your directory password complexity policy for the proxy user password and to have the SSL enabled. You can set access restrictions for other admins in WebADM OptionSets. And you can replace the sample super_admins group on the second line with an existing security group.other_admins : Any other WebADM administrator must be defined in the other_admins to be able to login. Please read them as part of this documentation. .list_domains : Show the domain list in a drop-down list in when auth_mode is set to UID. . or to access the LDAP resources out of an administrator session. Access restriction configured in the WebADM OptionSets do not apply to super admins.proxy_user : The proxy user is used by WebADM for accessing LDAP objects over which the administrator user does not have read permissions. . WebADM will not be able to create the proxy user during the graphical setup. . A well configured proxy user is mandatory for WebADM to work correctly. When using UID and if there is no domain existing in WebADM. a login name and a password. The following settings are part of the main WebADM configuration file (conf/webadm.dc=mydomain. user_oclasses is used to build the LDAP search filter when auth_mode is set to Domain.super_admins : Super administrators have extended WebADM privileges such as setup permissions.user_oclasses : List of LDAP objectclasses to be considered by WebADM as LDAP users. The UID mode requires a WebADM domain to exist and have its User Search Base set to the subtree where are located the administrator users.UID: WebADM requires a domain name. additional operations and unlimited access to any LDAP encrypted data. you must login WebADM and create a login certificate for your administrators. and write permissions on the users and groups used by the WebApps and Web Services. . You can comment the setting not to use other administrators.cn=Users. Else.dc=com. . you can use another existing security group here. .RCDevs WebADM Administrator’s Guide . To use certificate login.conf). Using certificates is the most secure login method. You can set a list of individual LDAP users or LDAP groups. your default administrator account should be is something like cn=Administrator. With ActiveDirectory. With Microsoft ActiveDirectory. .auth_mode : WebADM authentication mode can be: .container_oclasses : List of LDAP objectclasses to be considered by WebADM as LDAP containers. . .DN: WebADM requires a login DN and a password. With ActiveDirectory. The proxy user should have read permissions on the whole LDAP tree. the login mode is automatically forced to DN. If your super administrator user does not have one of these objectclasses. You will also need to login with the the full user DN and setup a WebADM domain to be able to use the UID login mode. keys and session manager sessions with the AES-256 algorithm.cache_timeout : You can set here the WebADM internal cache timeout.php.net/manual/en/ timezones. You have to change the container locations to match your LDAP tree base and constraints. webapps_container.ignored_attrs : List of LDAP attributes to be ignored by WebADM when crating or copying objects.txt for the list of time zones.languages : List of languages to be supported by your WebADM applications. You can find here the list of time zones: http://www. . .encrypt_data : Set to Yes if you want WebADM to encrypt LDAP sensitive data such as passwords. . Note: With ActiveDirectory 2003.encrypt_key : This is the encryption key. .direct mode: WebADM finds user groups using the memberof_attrs defined above.optionsets_container. any encrypted data will become invalid! . .session_timeout : You can set here the timeout (in seconds) of a WebADM session. clients_container : WebADM containers required by WebADM for storing configuration objects. . Important: If you change the encryption key. .webadm_account_oclasses : List of LDAP objectclasses (extensions) to be considered by WebADM as WebADM account objects. Note : With ActiveDirectory 2003 only. . .Page 19 of 76 . websrvs_container. . In this case. . WebADM accounts are usable by Web Services and WebApps.time_zone : The timezone is required for the logs and for some applications such as OpenOTP Time-based Tokens. Group settings are usable by Web Services and WebApps.php. you need to add the 'user' objectclass to the webadm_account_oclasses. .group_mode : The group mode defines how WebADM will handle LDAP groups. . you need to add the 'user' objectclass to the 'group' objectclass to the webadm_group_oclasses. the group membership is defined in the LDAP user objects.tmp_dir : Temporary WebADM work directory.group_oclasses : List of LDAP objectclasses to be considered by WebADM as LDAP groups. The key must be a 256bit base64-encoded random binary data. The languages are used by the WebADM localized messages editor and for editing LDAP language attributes. Sessions will be closed after this period of inactivity. By default (when group_mode is not specified) WebADM handles both group modes. Use the command openssl rand -base64 32 to generate a new key. domains_container.indirect mode: WebADM finds user groups by searching group objects which contain the user DN as part of the member_attrs.RCDevs WebADM Administrator’s Guide . This is a requirement for managing Microsoft ActiveDirectory users and groups. .webadm_config_oclasses : List of LDAP objectclasses to be considered as WebADM configuration objects.webadm_group_oclasses : List of LDAP objectclasses (extensions) to be considered by WebADM as LDAP groups with WebADM settings. Else look at the docs/timezones. . enable_manager : You can optionally disable main WebADM features if you run multiple WebADM servers with different purposes.MEM_SIZE : Defines the memory size in megabytes to be allocated to the session manager.SOAP_PORT_STD : Defined the SOAP port in cleartext to be used for Web Services. The format for the webadm. Only the default theme is available.0. all the functionalities are enabled.env file is : INTERFACE=0. WebADM will check for new versions for itself and for all the registered applications.env file in the WebADM conf/ directory to modify some internal configurations such port numbers and listen interface. The default port is 8080. if you don’t want to provide the Administrator Portal on an Internet-exposed WebApps and Web Services server.0 HTTP_PORT=443 SOAP_PORT_STD=8080 SOAP_PORT_SSL=8443 MEM_SIZE=256 6.log_webapps : Enables extended logging to the httpd. The default port is 443. . . By default.webapps_theme : WebApps theme for WebApps. You can change the following variables: .0. Other Configurations You can create a webadm. The default is 0.Page 20 of 76 . LDAP Management .alert_email : Email recipient address used by WebADM for sending system alerts. . .1.log for WebApps.log for Web Services.RCDevs WebADM Administrator’s Guide . 5. The default port is 8443.INTERFACE : Defines the network IP address to listen on.log_websrvs : Enables extended logging to the soapd. .0. . For example. .HTTP_PORT : Defines the HTTP port over SSL used for the Admin Portal and WebApps. enable_webapps. Extended logging is enabled by default.0. Extended logging is enabled by default.check_versions : Enables WebADM versions checking. .SOAP_PORT_SSL : Defined the SOAP port over SSL to be used for Web Services.enable_admin. enable_websrvs. .0 (any interface). The default size is 256 Mo. or extend existing users by adding new objectclasses to the user object.conf). The list of available settings depends on the registered applications and the scope of the settings. the user name is the UID LDAP attribute. RADIUS user name used for VPN logins) depends on the WebADM configurations.e. It must be used together with a structural user objectclass. This is adjustable in the objects specification file (conf/objects. WebADM and its applications use LDAP binds for static password checking.xml). User Objects WebADM provides its own user account schema named webadmAccount. userPrincipalName. a LDAP user must be a WebADM account. administrators can create and edit LDAP users. See section Extending Objects for details. WebADM considers a WebADM account is an object containing at least one objectclass from the webadm_account_oclasses list in the WebADM main configuration file (conf/webadm. That means that the user objects must be combined with a bindable objectclass and must have their LDAP password set. WebADM can create standalone users. Any Public or LDAP application setting can be set at the user or group level. You can enable the WebADM features on any existing LDAP user by extending it with the webadmAccount extension (with the object extension action in the object editor). The webadmAccount schema provides additional attributes. WebADM accounts can contain several application settings. the mobile number. . or webadmData for normal users and groups.1. Important: To be used by the Web Services and WebApps.Page 21 of 76 With WebADM. such as the webadmSettings.1. It can be the object name (CN) as well as the UID attribute. The webadmAccount objectclass is a LDAP extension class and cannot be created standalone. The LDAP attribute corresponding to the login name (i. 6. sAMAccountName. WebADM just needs to know what attributes can be used for the logins. Common LDAP Objects 6. These attributes are required by the registered Web Services and WebApps to store user-specific settings and user metadata. or anything else. WebADM considers a user account is an object containing at least one objectclass from the user_oclasses list in the WebADM main configuration file (conf/webadm. Figure 10.conf). Administrators can also extend existing LDAP users or groups with WebADM functionalities. groups and other objects.RCDevs WebADM Administrator’s Guide .1 User Accounts User accounts are LDAP standard user objects. By default. WebADM Account is a LDAP user object with the webadmAccount extension. In Figure 10. WebADM user accounts are those containing the webadmAccount LDAP objectclass. User Groups User groups are LDAP object that contains a list of LDAP members.conf). WebADM supports two methods to assign users to groups: 1) Using group membership: The user account includes a groupmemership (such as memberOf) attribute specifying which group DNs it belongs to. Like with users this is done with the object extension action in the object editor. each representing the Distinguished Name (DN) of the user object belonging to the group. Figure 6. the groups must be extended with the webadmGroup objectclass.RCDevs WebADM Administrator’s Guide . Members of a particular group are allowed to access different services than members of another. . In that case. Group Objects Groups are often used for access purposes. Group Member Attribute WebADM provides two ways to define groups: 1. Groups are also used for storing application settings common to all group members.2.Page 22 of 76 You can assign WebADM settings to LDAP groups (instead of users) by extending the groups with the webadmGroup extension. Group Membership User Attribute 2) Using group members: The group object includes a member list containing the user DN. WebADM considers a group is an object containing at least one objectclass from the group_oclasses list in the WebADM main configuration file (conf/webadm. Figure 11. The group member list is statically defined and updated manually. This often reduces the overhead in managing settings stored in user accounts. Static groups. 6. Figure 5.1. Dynamic groups require a Dynamic Group Query Identity attribute which defines the user account DN to be used internally by Novell eDirectory. Like with users this is done with the object extension action in the object editor. for performing the ldap searches needed for looking up the dynamic group members.RCDevs WebADM Administrator’s Guide . Static Group 2. You can assign WebADM settings to LDAP groups (instead of users) by extending the groups with the webadmGroup extension. Dynamic groups. The member list is computed at runtime when the group members are queried. The group member list is defined as a dynamic LDAP query (Dynamic Member Query). Note about group settings: User groups and group settings are cached for 5 minutes in order to optimize group searches and user setting resolutions. This has the side effect that user groups and group settings' changes may be delayed for a maximum time of 5 minutes when used by WebApps and Web Services.Page 23 of 76 Figure 12. . With Novell eDirectory. You can use the Add Permissions action when editing a container object to create new permissions. .RCDevs WebADM Administrator’s Guide . Administrative Accounts WebADM considers any bindable LDAP user object with write permissions to LDAP contexts is an administrator. write permissions must be created by adding permission attributes (ACL) to LDAP contexts. . It is possible to assign restrictions to administrators using the WebADM OptionSets. a newly created administrator has no write permissions. 6. Permissions By default.Page 24 of 76 Figure 13. Note : Dynamic groups are supported on Novell eDirectory and RCDevs Directory Server only.3. An administrator can create or edit LDAP objects. and assign permissions in the boundaries of his own restrictions. create new contexts with subadministrators. Dynamic Group WebADM provides administration pages to define dynamic queries and check their content.1. use the certificate-based login instead of the Domain or DN login modes. deletion. it is also possible to use an external Certificate Authority (CA). That means any user object with a bind password and a login certificate is able to enter WebADM. If another administrator creates context permissions for him. a user does not have any other rights than read access on himself.1. To prevent normal users from logging in WebADM. . Figure 15.conf).With OpenLDAP. See the Managing Certificates section for details. renewal. LDAP Permissions (ACL) Attribute . It adds another level of security while authorizing the administrator's sessions at the web server's level. Note that any bindable object is able to log into WebADM. However.Page 25 of 76 Figure 14. he becomes an administrator in these contexts. It provides the necessary pages and actions to easily manage administrator certificates. Certificate-based authentication is highly recommended when using delegated administration and especially when using WebADM for remote administration over the Internet.4. download. An administrator is able to renew. only administrators owning a valid administrator certificate can login. the user must be added to an administrative group. 6. remove or add new certificates for other users he manages or for himself. He is able to manage his own user data. change his password or renew his own certificates. the user permissions must be added in the OpenLDAP server configuration file (slapd.With Microsoft ActiveDirectory. In that case. By default. User Certificate Attribute The WebADM internal PKI (Rsign) is the default certificate management system. Supported operations are certificate creation. Containers .RCDevs WebADM Administrator’s Guide . WebADM will issue certificate signing requests (CSR) and ask for external signing. Certificates WebADM supports certificate-based authentication for a simpler and more secure access to the Administration Portal and WebApps. WebADM provides a wizard to create a new administrator certificate and parameters allow to set the type and validity time for the new certificates. Then. 2. Figure 16. WebADM considers a LDAP configuration object is an object containing at least one objectclass from the webadm_config_oclasses list in the WebADM main configuration file (conf/webadm. Organizational Units. Countries.conf). This tree structure is mandatory for WebADM to operate correctly. The type of the configuration object is determined by the webadmConfig attribute which can be either Domain. 6.Page 26 of 76 LDAP containers (or contexts) are objects.. Trust. Client. Domains. WebADM considers a container is an object containing at least one objectclass from the container_oclasses list in the WebADM main configuration file (conf/webadm. The LDAP locations for these objects are defined in the main WebADM configuration file (conf/webadm. Container Objects An administrator can assign LDAP permissions and OptionSets on containers. MountPoint. Web Services and WebApps configurations. it is highly recommended to structure the LDAP tree with containers in order to reduce the number of child objects within one container.. . MountPoints. Common containers are Organizations. Configuration Objects WebADM creates a set of LDAP containers and objects during its setup for storing WebADM Domains. OptionSet. OptionSets. WebApp or WebSrv.RCDevs WebADM Administrator’s Guide .conf). Locations. WebADM Configuration Objects Configuration objects are WebADM-specific LDAP objects that are used by WebADM for storing persistent configurations in LDAP. etc.conf). which can contain child objects. When WebADM is used to manage a lot of users. Figure 17. Page 27 of 76 Figure 18.3. OptionSets are essentially LDAP profiles that can be used for example to define LDAP settings specific to some subset of a LDAP tree. WebADM Tree Structure 6. when an application wants to obtain a LDAP user DN corresponding to the provided login information.RCDevs WebADM Administrator’s Guide . See section WebADM Domains for details. a password and a domain name. All Domains objects must be stored in the same container (as specified in the WebADM main configuration file) to be read by WebADM at start-up.2. See section WebADM OptionSets for details. The domain objects establish the relationship between a domain name and a LDAP tree base. All OptionSets must be stored in the same container (as specified in the WebADM main configuration file) to be read by WebADM at start-up. WebADM MountPoints MountPoints are containers in the LDAP tree that include objects and child containers (i.2. Option sets can for example be used for creating Organization profiles that specify the default LDAP attributes that each member of the organization inherit.2. WebADM LDAP Domains All the WebADM applications identify a user with a username. The objects are not physically present in tree structure. WebADM OptionSets Some WebADM administrator restrictions or tree options can be assigned to specific LDAP contexts using WebADM OptionSets.2. 6. the entire tree structure) from another LDAP server.e. . All MountPoints objects must be stored in the same container (as specified in the WebADM main configuration file) to be read by WebADM at start-up. Instead. See section WebADM MountPoints for details. 6. it will use the domain tree base to build the LDAP search.1. WebADM connects at a runtime to an external LDAP and renders its contents as if the data were stored in the mounted context. Also. RCDevs WebADM Administrator’s Guide . The object settings have priority over the default application settings for the registered WebADM applications. .4. 6. All WebApp and Web Service configuration objects must be stored in the same container (as specified in the WebADM main configuration file) to be read by WebADM at start-up. And you can define some Web Service settings which will always be enforced for the client. For example. it creates a LDAP object.).. any request from the corresponding client application (ex.6. Trusts work with all web services (OpenOTP. When you register a new application in WebADM. you can restrict users able to use the client application with allowed and excluded group lists.Page 28 of 76 6. For a client.2. SMSHub.3. LDAP objects extended or created with the webadmAccount and webadmGroup objectclass support the following new attributes. For example.2. 6. WebADM WebApps and Web Services These objects are used by WebADM to store registered application configurations. When a client is defined.3. The trust system works like a web service proxy for remote domains (within a trusted organization) and maps a local virtual domain name to a remote domain on another WebADM server. WebADM Web Service Clients Web Services’ Clients provide configuration of client applications’ access control and setting policies..5. will obey to the defined client policy. OpenSSO. you want the VPN to authenticate users with LDAP+OTP passwords and Token.1. 6. you use the client names as displayed in the WebADM log viewer for the client object names. WebADM-Specific Attributes WebADM schema (see section WebADM LDAP Schema for details) provides two additional objectclasses : webadmAccount and webadmConfig. You can access the application configuration either by editing the application LDAP object or using the Applications menu in WebADM.2. whatever policy is defined for the user. You can now create a client object having the name of a Web Service client ID. The client objects are also used to customize the behavior of a Web Service client application (ex. a VPN server with matching client ID). 6. WebADM Trust Domains Trusts are special domain objects which do not correspond to a set of local LDAP users but to a remote WebADM installation’s domain. a VPN server using OpenOTP Authentication Server). WebADM Settings Attribute This attribute is used to store user-specific application settings inside the user or group objects. 3.3. and re-import it at another location. WebADM Data Attribute This attribute is used by the WebADM applications to store user data such as Token keys. Password Attribute Any bindable LDAP object must have its password attribute set. The WebADM user data editor displays all the data stored by the applications and allows raw edition of the data. Important: The webadmData encryption uses the LDAP DN together with the encryption key. 6.Page 29 of 76 Figure 19. webadmData Attribute The webadmData contents are encrypted in the LDAP using an AES-256 key which is configured in the WebADM main configuration file (conf/webadm. Figure 20. Only the super administrators and the users themselves are able to read this attribute unencrypted. When a user is copied.2. But if you export the user in an LDAF file. Select an application and the list of corresponding settings is displayed and available for configuration. Administrators can change user passwords with the Change password action in the object editor.conf). They can edit the data values with the data editor.conf). webadmSetting Attribute The WebADM user setting editor displays a drop-down list containing the registered applications. This is a security mechanism to prevent the same data values from two different users to be encrypted identically. WebADM handles the re-encryption automatically. .3. The encoding and encryption format of passwords is defined in the objects specification file (conf/objects. 6. The password encoding and format depends on the LDAP directory type.RCDevs WebADM Administrator’s Guide .xml). the webadmData are lost. Password attributes are defined by the password_attrs setting in the WebADM main configuration file (conf/webadm. the applications will automatically select the massage corresponding to the user language.Page 30 of 76 Figure 21. having one uid_attrs corresponding to the provided login name. When a user logs in a WebApp or a Web Service. Then WebADM binds the LDAP directory with the user DN and the provided password. .3. Mobile Attribute This attributes stores the user mobile phone number. Figure 22. 6. When application messages are localized in several languages (with the WebADM Localized Message Editor). Certificate attributes are defined by the certificate_attrs setting in the WebADM main configuration file (conf/webadm. WebADM supports storing user certificates in both binary and base64 encoding. preferredLanguage Attribute 6. Certificate Attribute WebADM uses this attribute to store user certificates in the LDAP accounts. But in that case. WebADM computes the LDAP tree base using the information stored in the Domain configuration object and searches for objects of type webadm_account_oclasses. he enters his login name. Changing User Password 6. Login attributes are defined by the uid_attrs setting in the WebADM main configuration file (conf/webadm. Note that the private keys are never stored in this attribute. having one uid_attrs corresponding to the provided login name. domain and password. WebADM will search for any user object of type user_oclasses. Language Attribute This attribute is used by the WebADM applications to query the user language.3. It is used by some WebADM applications.conf).xml).3.conf).3. 6.7.5. UID Attribute WebADM allows specifying multiple attributes to be used as login attributes. The encoding is specified in the objects specification file (conf/objects. The same system is used when WebADM Administrator Portal is configured in Domain login mode.RCDevs WebADM Administrator’s Guide .6.4. Mail Attribute This attributes stores the user email address. Figure 25. WebApp or WebSrv). Figure 24. webadmType Attribute 6.8. mail Attribute 6. Client. WebADM Config Type Attribute This attribute is used by WebADM to assign a role to a webadmConfig object (examples of WebADM types are Domain. WebADM LDAP Schema The WebADM LDAP schema extension provides two additional objectclasses: webadmAccount and webadmConfig. Trust. MountPoint. .Page 31 of 76 Figure 23. Figure 26. mobile Attribute 6. WebADM Schema The new LDAP schema entries are automatically registered in the LDAP server schema by the WebADM setup.3.RCDevs WebADM Administrator’s Guide . It is used by some WebADM applications.3.9.4. See the figure below for the schema detail. OptionSet. The objects specification file defines additional information used by WebADM about the object types and their capabilities. They are used to control what objects can be created by administrators belonging to a given context. An object specification also includes the minimum administrative level required for the object to be created. Figure 27.Page 32 of 76 6. Creating Objects With WebADM. if the object is not present in the LDAP schema. The extensions defines the objectclasses with which the object can be extended. Objects can be created either from the top menu Create button or directly from the Create button within a context in the LDAP tree.RCDevs WebADM Administrator’s Guide . Create Object List .5. The auxclasses in the object specification is used to consider a set of objectclasses as a single WebADM object type. It defines what administrative level is required by an administrator to create an object. The creation forms will depend on the OptionSets applying on the creation context and on the LDAP schemas corresponding the to the new object DN in case of MountPoint. it is cannot created standalone and must be associated with a structural objectclass which defines other LDAP attributes. Yet. For example an objectclass corresponding to existing user objects should be extendable with the webadmAccount objectclass to allow adding WebADM features and settings to existing users. you can create any object type defined in the objects specification file (conf/ objects. Administrative levels are used to setup level-based object creation restrictions. That means. the additional objectclasses to be merged during creation and the available extension classes. It is mandatory for certain object types such as WebADM accounts because the webadmAccount objectclass is an LDAP extension class.xml). it is ignored. LDIF export. delete and export operation can be performed recursively. This kind of object corresponds to WebADM configuration objects such as Domains. The Contextual Action Box The action box is displayed at the top left of the edition page.RCDevs WebADM Administrator’s Guide . you can at any moment switch to advanced mode for extended display and capabilities.xml). MountPoints.. copy. add permissions. 6.1. And the behavior is the same for extension classes list and new attributes list. It displays all the mandatory attributes but only the optional attributes which are defined in the in the objects specification file (conf/objects. It contains a list of actions to be performed on the object such as deletion. the edition form does not display all the object attributes nor all the edition capabilities or attribute list. copy. It includes a button to change the user password if the object is usable for LDAP binds. child creation. They display all the mandatory attributes (merged from all objectclasses) and the optional attributes to be created.Page 33 of 76 The object creation forms are computed dynamically by querying the LDAP schema for the objectclass and auxclasses. WebApps or WebSrvs. If required. issue certificate.6. This is a display simplification not to show all the merged optional attribute list which can be very long depending on your LDAP.xml) are displayed.. By default. Some attribute values can be auto-filled if default values are defined in the OptionSets which apply on the object creation context. Figure 28.6. Create Object Form The creation wizard includes a WebADM Config Object item (with a drop-down list) in the new objects list. a list of actions to be performed and the list of attributes contained by the object. A button allows switching to advanced edition mode. . Editing Objects The object editor displays useful informations about the object. Note that only those optional attributes configured in the attribute specifications of the WebADM objects specification file (conf/objects. When the edited object is a container containing child objects. 6. associated attributes and they constraints. OptionSets. . If attributes have to be unique. The Information Box The object informational box is displayed at the top middle of the edition page. WebADM check the unicity and display the result and the list of checked attributes in this box.6. The Application Box This box is displayed at the top right of the edition page (only when application are registered). All the registered applications can specify some additional actions to be performed by WebADM administrators as part of the user management.RCDevs WebADM Administrator’s Guide . It displays useful information for the object such as unicity check. Those actions are generally accessible in this box (for the administrators) and through the SelfDesk WebApp (for the end-users).6. data summary. Application Box 6. Information Box 6. Figure 31. Action Box 6.4. Object Name .xml).Page 34 of 76 Figure 29. etc. WebADM settings. If some attributes are defined as unique within a specific context.3.6. this must be set in the objects specification file (conf/objects. Figure 30..2. switch to advanced edition mode.6. Add Attribute 6. a wizard will ask for the new mandatory attributes and the optional attributes which are defined in the objects specification file (conf/objects. Generally. the naming attribute is the object Common Name (CN). The objectclass removal will also remove the objectclass and all the attributes that are not part of any of the remaining objectclasses. You can change the object name by typing a new name and using the rename button.Page 35 of 76 The object name is the value of the LDAP naming attribute for the object.xml).RCDevs WebADM Administrator’s Guide . You can remove an extension objectclass from a LDAP object by switching to advanced edition mode. Remove Objectclass 6. Add Extensions To see the list of objectclasses in an object. Figure 34. When adding an extension.5. Attribute List .6.6. Extensions The Add Extension button allows adding new compatible objectclasses to the object. But you can recursively copy the container to a new one (with another name). New Attributes The Add Attrisbute button allows adding optional attributes supported by any of the objectclasses composing the object. checking the objectclass checkbox (in the objectclass attribute list). Note: You cannot rename a container object which already contains child objects.6. Figure 32. Figure 35. and clicking the Apply Changes / Delete Selected button.7. Figure 33. Rename Object 6. A set of default templates is already defined to display simple data types such as booleans. then you can add values or delete some of them. The attribute value display is dynamically rendered using WebADM attribute type templates (called WebADM attribute handlers).xml) are displayed by default. just select them on the right of the value and click he Apply Changes / Delete Selected button at the bottom of the page. This is a display simplification to ease the use of WebADM but you can display all the attributes by switching to the advanced edition mode. When an attribute has multiple values and you want to remove some of them. WebADM settings. WebADM data. After modifying one or several attribute values. then you can delete it. if an attribute is optional. and if an attribute can have multiple values. This is the case for member lists. Object Attribute List Some action buttons appear under the attribute name such as add values or delete attribute. 6. permissions or WebADM-specific data. etc. For example.Page 36 of 76 The attribute list displays the attributes which have a value defined in the object.RCDevs WebADM Administrator’s Guide . Note that only the attributes defined in the objects specification file (conf/objects. texts or members as well as complex data types such as certificates.. which should update the attribute values themselves. Yet.7. permissions. These actions are determined upon the attribute constraints in the LDAP schema.. Figure 36. you must commit the changes with the Apply Changes / Delete Selected button at the bottom of the page. some special attributes call specific modification pages. Moving / Copying Objects . RCDevs WebADM Administrator’s Guide - Page 37 of 76 WebADM does not provide actions for moving objects. The objects to be moved must be copied and then the original object should be deleted. To copy from a LDAP server to another, objects can be exported, modified and then re-imported using LDIF. Copy operations must respect the quotas defined in the OptionSets if you have quotas enabled. So ensure the copy will not reach your quotas before copying. It is not recommended to move administrator objects when using certificate-based authentication. Or his certificates must be re-created after moving because the administrator's login DN is part of the certificate data. Password attributes are invalidated after a copy or import on Novell eDirectory and Microsoft ActiveDirectory. User passwords must also be reset after a copy. WebADM data inside LDAP objects are encrypted with an AES-256 key and the object DN. The copy action will handle the re-encryption automatically. Yet, an export followed by a re-import at a different place will invalidate the encrypted data. 6.8. Exporting / Importing Objects 6.8.1. LDIF Export / Import WebADM is able to export and import LDAP objects using LDIF files. When editing an object, it is possible to export it or its whole content. Figure 37. LDIF Import Form When importing an LDIF file, WebADM operates in two passes: 1) The first pass creates the objects and all their mandatory attributes. 2) The second pass adds the optional attributes. It is not always possible to create objects in one step because some attribute values may include references to other objects that do not exist at creation time (if the are listed later in the LDIF file). It would not respect the directory integrity and would make it impossible to create some objects. Permissions or group members are some good examples. RCDevs WebADM Administrator’s Guide - Page 38 of 76 WebADM allows to export, delete and re-import a subtree with its administrators, permissions and object references by using the two-passes import mechanism. Figure 38. LDIF Import With Novell eDirectory and Microsoft ActiveDirectory, the user passwords cannot be restored at import. The password also have to be reset after the import. For super-administrators, it is possible to export LDAD encrypted attributes (such as webadmData) unencrypted. By default, the LDIF export contains the raw data as stored in the LDAP directory (with encrypted data). Exporting unencrypted data can be useful for backing up your LDAP users and data. Note: The WebADM LDAP encryption depends on the object’s DN. If you export users and then reimport them in another location, any encrypted data will be lost. You can used the unencrypted export/import for this purpose. 6.8.2. CSV Import WebADM provides a method for creating large number of objects of the same type in one single step. The CSV Import feature allows importing a file containing raw object data. The import page asks for the objects type to be created and the creation context. The import file must be structured that way: - The first line must contain the attribute names corresponding to the values appearing in the same column in the next lines. - The next lines must contain the attribute values for the imported object type. And all the mandatory attributes for the specified object type must be present. - The naming attribute must be the first one listed. - Fields must be separated by commas. RCDevs WebADM Administrator’s Guide - Page 39 of 76 Figure 39. CSV Import Form 6.9. Searching for Objects WebADM search system provides a simple interface to look for objects based on criteria. It woks in two modes: - The simple search mode allows to select an attribute, a search criteria and the data to be searched. Figure 40. Simple Search - The advanced search mode provides more detailed searching. You can select the search context and scope, edit the search filter (manually or using the search filter editor) and define what attributes should be searched and displayed. 1. . The syntaxes and details for each batch action are displayed in the batch actions wizard. . .RCDevs WebADM Administrator’s Guide .Adding webadmAccount objectclass to users. 6.Adding LDAP attribute values. Batch Search Actions WebADM allows performing batch actions on the resulting entries of a search. .Setting WebADM applications Settings.xml).Setting LDAP attributes.Adding objects to groups. .Removing objects. The actions that are supported are : .Page 40 of 76 Figure 41.Removing objects from groups. .9. . Advanced Search The list of attributes to be searched in simple mode as well as the attributes to be displayed in the results are configurable in the objects specification file (conf/objects. Page 41 of 76 Figure 42. For example if you create an OptionSet with a LDAP DN set to o=Mycompany and an Administrative Level set to 1.conf) to be read by WebADM at session startup. and do not impact the Web Services or WebApps. OptionSets are essentially LDAP profiles that can be used for example to define LDAP settings specific to some subset of a LDAP tree. the options are inherited from the upper tree down to the current context. Option sets are used by WebADM Administrator Portal only. All OptionSets must be stored in the same container as specified in the WebADM main configuration file (conf/webadm. . The OptionSet is configured with a LDAP DN which corresponds to the scope of application for the options listed hereafter. 7.1. Then all the administrators having their login DN located under o=Mycompany will have an Administrative Level of 1 all along their session. The scope of application of the options is also the login contexts of the administrators.RCDevs WebADM Administrator’s Guide . WebADM OptionSets Some administrative restrictions and tree options can be assigned to specific LDAP contexts using WebADM OptionSets. Batch Search Actions 7. Administrator Restriction Options Administrator restrictions are options which concern the administrators only and are computed at login time. When several OptionSets are defined for the same context (even at different level of the LDAP tree). OptionSets can for example be used for creating Organization profiles that specify behavior and restrictions that each member of the organization inherit. The available signing methods are: a. b. Rsign. where WebADM uses its internal PKI subsystem to sign certificates. .509 certificates. c. Ext. Administrator Restrictions .RCDevs WebADM Administrator’s Guide .Page 42 of 76 Figure 43.Certificate Signing Method : Determines how WebADM will issue X. where certificate signing is not allowed. where WebADM uses HTML forms for copy-pasting data from an external Certification Authority (CA). Off. Objects to be listed in the creation pages are those defined in the objects specification file (conf/objects. . even if removed from the list. WebADM trusts the web server client certificate access control mechanism and uses the common name (present in the certificate) and provided password to bind the directory. . Note: This option does not apply for super administrators.Page 43 of 76 . . With Novell eDirectory. LDAP Tree Options Unlike the administrative options described before. Note: This option does not apply for super administrators. The current administrative level is displayed on the WebADM home page.Allowed LDAP MountPoints : Defines which mounted LDAP trees are accessible by the administrators. it is not usable anymore. Note: This option does not apply for super administrators. And each object specification is defined with the minimum administrative level required for the object to created.Tree Base : Set the tree base limit for the administrators.2. The default administrative level is level 3 (maximum).Allowed-Only WebApps / WebSrvs : Defines which applications are configurable by the administrators. the tree access limitations are provided by the LDAP permissions (ACL) on the containers. Enable this option if you want Other Administrators to have full (unencrypted) access to the user data. . The scope of application of the options is also the location of the object being managed.Allowed SQL Tables : Defines which SQL Log and localized message tables are accessible by the administrators. When revocation is disabled.Decrypted User Data : By default in WebADM. the tree options concern the managed LDAP objects and are computed in realtime when administrators manipulate objects. WebADM does not try to find the provided certificate in the administrator's account. is still usable as long as it has not expired. OpenOTP user data) in cleartext (unencrypted) and Other Administrators can only access the user data in their encrypted form. 7. . Note: This option does not apply for super administrators. . The tree base option prevents administrators from accessing any object out of the specified tree base and reduces the tree view accordingly too.Administrative Level : This option is used to control which objects. For example if you create an OptionSet with a Tree DN set to o=Mycompany and a LDAP Quota set to 100.xml).RCDevs WebADM Administrator’s Guide . and if the certificate in the administrator's account has been removed.Login Certificates Revocations : Defines if WebADM should query the administrator's account at login for a list of valid user certificates and check if the provided one is present in the account. . Otherwise the certificate. This is the default behavior. This option is used to limit the access when using OpenLDAP and Microsoft ActiveDirectory. Super Administrators can access the encrypted user data (ex. They can also manipulate LDAP objects including data but they can never see the sensitive user data in their unencrypted form. the administrators belonging to a given context can create. When revocation is enabled. Then all the administrators cannot create more than 100 objects under o=Mycompany.Read-Only SQL Tables : Defines which SQL log and localized message tables are accessible in read-only mode by the administrators. . RCDevs WebADM Administrator’s Guide . WebADM enforces the quotas from the current context to the root level. the entire tree structure) from another LDAP server.Unicity Context : Defines the LDAP tree base to be used by WebADM for checking unique users attributes.e. The unicity context is used for other things too. . 8. The objects are not physically present in the main tree structure. then its sub-contexts (such as ou=Sales. The rendering location. Tree Options . if you have defined a quota of 10 objects for context o=MyCompany. All MountPoints must be stored in the same container (specified in the WebADM configuration file) to be read by WebADM at start-up. WebADM connects to a remote LDAP using these parameters. Once connected. whatever is defined at the sublevels. ou=Marketing) are only allowed to have a maximum of 10 accounts in total. is specified inside the MountPoint object.xml). WebADM retrieves the remote LDAP tree structure and renders it on the main tree. When quotas are defined at several tree levels. Instead. or namely the mounting point.LDAP Quotas : Defines the maximum amount of LDAP objects within a context that can be created by the administrators. WebADM connects at runtime to an external LDAP and renders its contents as if the data were stored in the mounting context. MountPoints are LDAP objects that hold LDAP connection parameters. Use the Details buttons in the tree view to review the quota chain applying on a context. . Unique attributes are defined in the objects specification file (conf/objects. . WebADM MountPoints MountPoints are containers in the LDAP tree that include objects and child containers (i. In other words.LDAP Defaults : List of default attribute values which will be auto-filled when creating or extending objects.Page 44 of 76 Figure 44. such as the counting base for determining free UID numbers for POSIX accounts. This account must have write permissions on the mounted LDAP server. . The MountPoint supports the following settings: . .Client Certificate File : The client certificate if the mounted LDAP server requires certificatebased client authentication.Login Password : The password corresponding to the login DN.Connection Type : The connection type used to connect the mounted LDAP server. . and works with all the pages having DN inputs. SSL and TSL.Login DN : The DN used to bind the mounted LDAP server.Host Name : The host name or IP address of the mounted LDAP server. Allowed connection types are None (no encryption).Mount DN : The local LDAP tree node where the mounted LDAP tree should be mounted. . . .Tree Base : The tree base on the mounted LDAP server. This notation concatenates the MountPoint DN (of the main LDAP) with the real DN in the mounted LDAP.RCDevs WebADM Administrator’s Guide . .Page 45 of 76 WebADM provides a virtual DN notation for accessing objects in mounted LDAP trees.Port Number : The LDAP port number of the mounted LDAP server. . .Client Certificate Key File : The certificate key corresponding to the client certificate. You can check the virtual DN when editing an object in a mounted LDAP. the domain is enabled. If not specified. This setting will be ignored if WebADM is configured to use direct groups only. MountPoint Settings 9. Also. when an application wants to obtain an LDAP user DN corresponding to the provided login information. All Domains must be stored in the same container (specified in the WebADM configuration file) to be read by WebADM at start-up. .RCDevs WebADM Administrator’s Guide . it will use the domain tree base to build the LDAP search. . WebADM LDAP Domains WebADM Domains are used by the registered WebADM applications to identify a user with a username.User Search Base : The tree base corresponding to the domain and to be used in the user LDAP searches.Disable Domain : Allows disabling a domain. . A WebADM Domain object supports the following settings: . it defaults to the Tree DN. By default.Page 46 of 76 Figure 45. a password and a domain name.Group Search Base : The tree base to be used in the LDAP group searches. The domain objects establish the relationship between a domain name and a LDAP tree base. a domain work with all registered applications. If set.Page 47 of 76 . Important: The WebADM Domains are not the same thing as the LDAP Domain containers (example: dc=myobject).Hide Domain : Do not list the domain in the Admin login page (when login_mode is set to UID and list_domains is enabled in the conf/webadm. By default. Figure 46. LDAP Domain containers (DC objects) are generic containers like .Allowed WebApps / Web Services : List of applications with which the domain is usable.conf file) and in the WebApps portal. This is a very convenient way to assign a domain to the users of another LDAP server. WebADM LDAP Domain Settings The Domain Tree DN can be set to a container inside a mounted LDAP or the LDAP mount point DN itself (see MountPoints).RCDevs WebADM Administrator’s Guide .Excluded Groups : Exclusion LDAP group(s) the domain users must not belong to. . . . users must not be a member of any of the listed groups. users must be a member of at least one of the listed groups.Allowed Groups : Mandatory LDAP group(s) the domain users must belong to (in order to be considered as part of the domain). If set. . .Use SSL Connection : If enabled. . Whereas WebADM Domains are objects of type webadm_config_object such as the OptionSets. MountPoints or Clients and contain some settings. . . . you can specify the remote domain.Page 48 of 76 Organizations or Organizational Units. WebADM Trust Domains Trusts are special Domains which do not correspond to a set of local LDAP users but a domain on a remote WebADM installation. A WebADM Trust object supports the following settings: .Remote Domain Name : If the remote domain name is not the same as the local Trust Domain name. a domain work with all registered applications.Trusted CA Certification File : This is the file containing the remote CA certificate.RCDevs WebADM Administrator’s Guide . Trusted certificates with non-matching CN will be refused. All Trusts must be stored in the Domains container (specified in the WebADM configuration file) to be read by WebADM at start-up. The Trust system works like a authentication proxy for remote domains (within a trusted organization) and maps a local virtual Domain name to a remote Domain on another WebADM server. The local Web Service will forward the incoming SOAP request to the trusted system through a secure communication. . By default.Remote Server Address : This is the server name (hostname) for the remote services.Disable Trust : Enable or disable the Trust Domain.Trusted Certificate CN : Mandatory certificate common name required for remote server authentication. If set only the certificates issued by this CA will be trusted for remote server authentication. . Trust work only with Web Services. 10.Allowed Web Services : List of Web Services applications with which the domain is usable.Remote Server SOAP Port : This is the remote SOAP port (typically 8080 or 8443). connection will use SSL (port 8443). WebADM Web Service Clients A Web Service Client object can be defined if you need to assign an access control policy for a specific client application (which uses the SOAP or RADIUS APIs). With RADIUS. You can also define per-client application profiles in WebADM using Client objects. For example. you want one VPN to authenticate users through RCDevs OpenOTP with LDAP+OTP passwords and Token whatever policy is defined for the user. or if you want to force some Web Service settings for a client application. Another feature of the Client is that you can define some Web Application settings which will always be enforced for the Client application whatever setting is set in the users or its groups. You can even restrict the application access to some WebADM Domains. you must know your client application IDs.Page 49 of 76 Figure 47. you can for example restrict access to the Client application for some LDAP authorized groups or prevent some groups to use the application. The Client ID is generally provided in the client requests in the client SOAP attribute. The WebADM Client object must have the same name as the client ID. The ID is typically the Client name that appears in the WebADM Log Viewer for Web Services. it is the NAS-Identifier. WebADM will use the client IP Address as client name. If this information is not provided by the client. WebADM Trust Domain Settings 11. To create a Client profile.RCDevs WebADM Administrator’s Guide . A WebADM Web Service Client supports the following settings: . By defining a Web Service Client. and you want you internal systems to authenticate users with LDAP only. . Note that SOAP requests are also able to transport user settings in order to implement perapplication settings. you can go to the Application menu.Allowed Domains : You can restrict the Domains that are usable for the client application. . When the Client does not provide the user domain name in the SOAP requests. The syntax is the a commaseparated list of value-pairs in the form OpenOTP. . In order to know the syntax for the Priority Application Settings. .Excluded Groups : You can define a set of groups which cannot use the client application.Priority Application Settings : You can force some Web Service settings for the client application to implement client application custom behaviors.Disable Client : Enables or disables the Client profile. it will be use in priority. Only the users part of at least one of the listed groups will be authorized. . WebADM will look at the targeted Web Service configuration for a default Domain.LoginMode=OTP.OTPType=TOKEN. For example. If a user is part to at least one of the excluded groups. Put the mouse over one of the setting names and the real setting will appear.Page 50 of 76 . then configure one application. But if the Client object corresponding to that request has a default Domain set. OpenOTP Login Mode will display LoginMode (public list). . then he cannot use the client application. The setting name must be prefixed by the Web Service Name and a separating dot.Default Domain : The Web Services SOAP APIs under WebADM support multiple Domains.OpenOTP.Allowed Groups : Another possibility is to restrict the client application access based on the user groups. And only the public settings can be set in a Client object.RCDevs WebADM Administrator’s Guide . By default.WebApp Logs : Contains all the actions reported by the WebApps registered in WebADM.Page 51 of 76 Figure 48. . Log Viewer The WebADM SQL logs are accessible from the Databases menu.RCDevs WebADM Administrator’s Guide . WebADM provides the following logs: . . Web Service Client Settings 12. .WebSrv Logs : Contains all the actions reported by the Web Services registered in WebADM.Admin Logs : Contains all the actions performed by administrators in the WebADM Administrator Portal. So the administrators will only see the user action logs corresponding to user DNs under their own scope of visibility. Creating Log Filters You can create filters with different criteria. You can control the number of visible logs in the area using: .Page 52 of 76 Figure 49.RCDevs WebADM Administrator’s Guide . WebADM WebSrv Logs Important: If you define an OptionSet with a Tree Base restriction. By default. all log entries found in the WebADM logs database are shown... You can click the links in the log items to generate automatic filters too. If the number of logs is large. 12. Figure 50. .1.2. The log results are paginated and you can switch page with the links at the bottom right of the page. all log entries found in the WebADM logs database are shown.The Per page results value controls the number of log entries shown per page. Log Filters 12. If number of logs is large. . There are a number of filters types that can be combined with operators and the searched value to produce accurate filtering results. application names. administrator names. you can narrow down the number of logs shown on the screen. you can create log filters to narrow down the number of logs shown on the screen. session IDs.The Retrieve last value controls the number of last log entries retrieved from the logs database. You can also filter the logs by time. Log Display Options By default. the same restriction will apply to the log entries to be displayed in the log viewer. You can select the column by checking the checkbox in the appropriate column title in the log result list.Page 53 of 76 Figure 51. .The Delete Selected deletes the logs selected by checking the checkbox next to the log entry in the log result list. . .4. Log Display Options 12. Log Database Pruning . You can get statistics grouped by time steps with the Group By value. Pruning the Log Database In time.The Export (CSV) link exports the selected logs to comma separated value text (CSV) file.3. You can define the number of entries in the statistics with the Display First value. Log Result Actions A number of log result actions is available to you.The Statistics (CSV) link creates comma separated value text (CSV) statistics of the selected log column. Figure 53. Figure 52. You can save this file and view it in the application of you choice. the log database grows and you have to prune it. Log Display Options 12. Enter the pruning time values in the data entry fields press the Clean button to delete logs older than specified from the log database.RCDevs WebADM Administrator’s Guide . WebADM checks if the LDAP schema is extended and proposes to add the extension if not present.RCDevs WebADM Administrator’s Guide . 14. The schema of your LDAP server is extended during the WebADM graphical setup (see WebADM Installation Guide for details). Localized Messages Editor The list of supported languages is configurable in the WebADM main configuration file (conf/ webadm. Once you created a MountPoint. There are two way to configure WebADM applications localized messages. Figure 54. the LDAP in the mounted LDAP server must be extended too. This does not work with OpenLDAP where the WebADM schema file must be added to the server configuration manually. Extending the LDAP Schema WebADM relies on its own LDAP objectclasses and attributes. When you create a MountPoint. 1) You can review all the messages from all the applications using the messages editor accessible from the Databases menu.Page 54 of 76 13. 2) You can go through application configurations. . locate the message templates and click the Localized buttons to edit the messages in other languages. These informations constitute the WebADM schema and the LDAP server using WebADM and its applications must include the WebADM schema informations. Localized Messages Editor The WebADM localized messages editor allows configuring message templates for the registered applications in different languages.conf). WebADM must be connected to a Domain Controller having the schema master role for the extension to succeed. The schema extension link is included in the contextual object action box. you can link the user certificate to one specific WebADM Domain. .WebApp login domain : With WebApp User certificates.conf). If the user is part of several domains. The WebADM schema includes OIDs registered at IANA under the RCDevs’ Private Enterprise Numbers 34617. 15. but WebApp User certificates are not usable to log in the Administrator Portal. And you can create WebApp User certificates for your WebApp end-user if you enabled the PKI login mode for the WebApps.Email address : If the user has an email address defined. .Certificate usage : You can create WebADM Administration certificates for your WebADM administrators if you enabled the certificate-based login mode in the WebADM main configuration file (conf/webadm. . . With Active Directory.conf). The PKI functionalities are completely transparent and allows issuing certificates for your administrators and users using the certificate wizards. then only the selected domain is usable with the certificate.RCDevs WebADM Administrator’s Guide .Send by email : If the user has an email address defined. .Certificate validity period : Defines how long the certificate will remain valid. you have the following options: . you can select one email address to be part of the certificate informations. When you create a certificate for a user. Managing User Certificates WebADM includes its own PKI subsystem to handle user certificates. Note that administration certificates are working with WebApps too (those configured with PKI login mode). Note that the generated PKCS12 certificate package is encrypted by WebADM with a random password that is not sent in the email. WebADM can automatically send the new certificate package to the user’s email address.Page 55 of 76 You can extend the mounted LDAP schema by editing the MountPoint object or the LDAP container where the remote LDAP is mounted. This period is limited to the default_cert_validity setting in the Rsignd signing server configuration file (conf/ rsignd. Page 56 of 76 Figure 55. User Certificate Creation Form When you issue or renew a user certificate. Figure 56. The certificate and its public key are bundled into a PKCS12 encrypted package that must be provided to the user. WebADM creates a certificate request based on the user informations and calls the Rsign PKI subsystem for signing the certificate with the Internal CA. The issued public certificate is stored in the user account and can be displayed or downloaded later. This certificate PKCS12 package is generated once and cannot be redownloaded later. User Certificate Creation .RCDevs WebADM Administrator’s Guide . and WebADM will refuse the user login. Rsignd Server It is the server component. The other WebADM servers will use the main Rsignd service and become PKI slaves. WebADM accepts any valid certificate it has issued. you can enable the certificate revocation system in the OptionSet. It includes a configuration file (conf/rsignd. Rsign system works in client-server mode and provides a set of network remote procedure call (RPC) functions. It provides the minimal features needed to automatically and immediately deliver administrator’s and user’s client certificates without requiring human process. This can be useful when the main Rsignd CA is located on a private network but should be accessed by clients on the public side through a proxy in a DMZ.RCDevs WebADM Administrator’s Guide . Being a network service. You can set the Sign Mode to Ext in your OptionSet for this purpose. By default. The Rsign internal signing mode is required by some WebApps (such as SelfDesk) and Web Services which need an automated certificates signing system. only one of the WebADM servers is running the Rsignd service. 15. Moreover.3. It maintains the CA serial number. It is multithreaded and allows processing concurrent requests.conf) where each client IP address must be declared and optionally given a shared access secret. The CA is accessible to root user only but the request-processing threads run in a user-protected environment for security reasons.2. When you configure the user certificate as login method (auth_mode in conf/webadm. indexes issued certificates. Rsignd can work in proxy mode. These functions are available from a client library and are directly usable by WebADM. Rsign PKI Subsystem WebADM Rsign is designed for the WebADM application only. That means that you can revoke a certificate simply by removing it from the user account. 15. In a clustered installation. 15. It uses a proprietary protocol over SSL to communicate with the client library and WebADM.conf) for the WebADM Administrator Portal authentication. WebADM requires the login certificate used by the user to be listed in the account’s public certificate list. When revocations are enabled. The CA server component is configured to accepts or refuses client requests based on the clientprovided information and rule-based filtering. Rsign client requests are sent over SSL with two-way authentication.Page 57 of 76 WebADM can use an external CA for signing the user certificates.1. revocation is an OptionSet setting so you can adjust your revocation policy depending on the administrator’s contexts. Note that with the OptionSets. you can also specify different signing method for different parts of your LDAP tree. It proxies the incoming requests to the next configured Rsignd server. Rsign Client . the CA server component can be installed anywhere on a protected network if necessary. The application configurations are accessible from the WebADM Applications menu. Configure Application . 16. Figure 58.xml). The client authenticates the server through its SSL certificate. Or the client functions can be implemented in a dedicate program that can be called from other programs.RCDevs WebADM Administrator’s Guide . WebADM relies on XML schema files. The schema files are provided with the applications and should not be edited. To setup an application in WebADM: 1) Install the application on the system with its self-installer. WebADM uses a Rsign PHP dynamic extension to implement the Rsign RPC functions. 2) Enter WebADM and navigate to the Applications menu. Managing Applications WebADM registered applications provide their own configuration schemas to the system. The WebADM Rsign client requires server configuration in the WebADM servers configuration file (conf/servers. Figure 57. Rsign can be integrated into C/C ++ programs. Register Application 4) Click to configure the application. WebADM provides a very high-level interface for managing very complex application configurations. which transparently make the mapping between the application configuration requirements and the graphical configuration editors.Page 58 of 76 Rsign client is available as a client program and a shared library. 3) Click to register the application. or click the Edit WebADM Settings button in the object attribute list. This has the side effect that user groups and group settings' changes may be delayed for a maximum time of 5 minutes when used by WebApps and Web Services. WebADM processes the settings in the following order: 1) Application level settings are applied first. some settings can be re-defined per user or groups.RCDevs WebADM Administrator’s Guide . That means That the user settings have priority over the group settings which have themselves priority over the application default settings.1.. They are considered as default settings. The Web Service’s API provides a Settings SOAP field to dynamically pass user settings to the WebADM services. Yet. Note : User groups and group settings are cached for 5 minutes in order to optimize group searches and user setting resolutions. 3) User settings (if any) are applied. the groups settings are merged. . edit the object and click the links in the information box (at the top middle of the edition page).Page 59 of 76 5) Save the settings and your application is now immediately operational. etc. or the group is not extended with the webadmGroup objectclass.. If the user is a member of multiple groups. 4) Web Service Client settings are applied if the client requesting the service matches a Client object name. 16. To modify the user/group settings in a webadmAccount/webadmGroup object. you must extend it first with the Add Extension action to be able to add settings. 5) Request settings (if any) are applied. select the WebADM Settings in the Add Attribute action for the user. To add settings to a user or group (when no setting is defined yet). User Application Settings The default application’s settings are defined as described just before. 2) Group settings (if any) are applied. If the user/group is not extended with the webadmAccount objectclass. User Settings Editor 17. You can find the JSON-RPC specification at http://jsonrpc.0 specification. Using the Manager Interface The Manager interface provides access to some WebADM user management functions and operations exported by your registered applications.org/spec.. removal.. The operations exported by the registered applications provide access to any feature which are accessible from the application actions in the Admin Portal.html. etc.Page 60 of 76 Figure 59. The method names for applicationexported functions are in the form Application. WebADM settings and data management. The interface communication protocol is based on the JSON-RPC v2. The method names for internal management functions are in the form Manager_Method. update. The user management functions provide LDAP operations such as object creation.RCDevs WebADM Administrator’s Guide . You can go to the Manager Interface page in the WebADM Infos menu to have a full listing of the supported Manager functions and parameters.Manager_Method. You can then navigate between applications to get the Manager functions supported by a specific registered application. The Manager also allows external systems such as Web portals to remotely trigger user management operations and actions from the network. The authentication mechanism which is enforced is always the same as . The Manager API requires authentication and a WebADM administrator account must be provided to access the interface. Note that any LDAP permission or OptionSet restriction configured in WebADM will be enforced within the Manager interface.x.gz 4) Set installer as UNIX executable with the command chmod 755 application-x. 18. . .x. the administrator’s user certificate must be used for establishing the HTTPs connection to the interface and the administrator password must be provided in the HTTP-Basic Authorization header.x. proceed as follows: 1) Get the application self-installer package from the the RCDevs website.Page 61 of 76 the mechanism configured for the WebADM Admin Portal (i.RCDevs WebADM Administrator’s Guide ./application-x. the administrator user ID and password must be provided in the HTTPBasic Authorization header. Installing WebApps and Web Services WebADM has been designed to ease as much as possible the installations. To install a new RCDevs application (WebApp or Web Service) in WebADM.x. Note that the Manager sessions have a short expiration time are are automatically closed after 10 seconds of inactivity.With PKI login mode.With UID login mode.sh. .conf file).sh. 5) Run the self installer and answer the setup questions with the command .sh. you can force the closure of the session by passing the “Connection: close” header to the requests. The Manager responses return a session cookie called WEBADMMANAG in the response headers.With DN login mode. WebApps application files will be installed in the webapps/ system folder. 3) Uncompress it with the command gunzip application-x. the administrator DN and password must be provided in the HTTP-Basic Authorization header. Yet. . Look at Appendix D for some simple examples of function calls using the PHP language to use the Manager Interface.x. The Manager interface is accessible at the URL: https://yourserver/manag/.x.e. You can pass the session cookie in the next Manager requests to avoid starting new sessions. upgrades and removal of applications (WebApps and Web Services). 2) Copy it to you Linux server running WebADM. under a folder having the name of your WebApp. The auth_mode setting in the webadm. A connections to the Manager automatically creates an Administrator session in WebADM for processing the requested methods. Administrators have also the same level of access in the Manager as they have in the the Admin Portal. conf). Read the CHANGELOG and README files to get the list of changes and proceed with the required modifications. After a WebApp or Web Service upgrade. WebApps are accessible from the WebApps portal at the URL http://yourserver/ Webapps/.1. 7) Navigate to the Applications menu and click the Register button for the new application (see section Applications Administrators for details). under a folder having the name of your Web Service. Insert the following code in your website to embed a WebApp directly into your website. do not remove the previous version and proceed exactly like for the installation. 18. Figure 60. adjust the application settings and save the settings (see section Applications Administrators for details). WebADM will update the LDAP configuration object with the new settings. WebADM will create a LDAP configuration object for the new application in the webapps_container for WebApps and in the websrvs_container for Web Services. You can embed a WebApp directly into a part of your website in an HTML iFrame or HTML Object. Embedding a WebApp By default. Important: You do not have to modify any file in the application installation directory! The applications configurations are managed and stored in LDAP by WebADM from the Applications menu only. To upgrade an application. If a configuration update is required. Application Registered in LDAP 8) Click the Configure button for the new application.Page 62 of 76 Web Services application files will be installed in the websrvs/ system folder. . And a specific WebApp (mywebapp) can be accessed at the URL http://yourserver/ webapps/mywebapp. click the Not Configured button to update the configuration and save the application settings again. 6) Log in WebADM as with a super administrator account. Log in WebADM and check the installed application status in the home page or in the Applications menu.RCDevs WebADM Administrator’s Guide . the application configurations may need to be updated. as defined in the WebADM main configuration file (conf/webadm. For example. all the WebADM servers are automatically informed when an application configuration is changed by an administrator. and the OTP challenge response request can come to Server2.Page 63 of 76 <object data="https://myserver/webapps/mywebapp?inline=1" /> Replace myserver and mywebapp with your WebADM server address and the WebApp name. The session manager and PKI server are very high performance systems. multithreaded and written in C. . footers and stylesheets. the second request will be recognized by Server2 and part of a valid session. As Server1 and Server2 use the same session manager. There can be multiple session managers for failover but all the systems must be configured to work with the same session manager at one time. The parameter inline=1 informs WebADM that the WebApp is embedded. Several servers can be configured to play the same role without any consequence because the application configurations and user informations are stored in LDAP (which is a network service). you mainly have to respect the following conditions: 1) All the servers of the cluster must use the same session manager at one moment. This is mandatory to keep the Certificate Authority consistent. Those components do not call external network services such as LDAP or SQL servers and can also handle very high numbers of request. an OpenOTP SMSTOP login request can come to Server1. 3) All the servers must have basically the same configurations and especially must use the same LDAP encryption key. It will stream only the HTML BODY content for the WebApp. Please look at the WebADM High Availability Guide for Cluster installations. Moreover. A WebADM server can be dedicated to one specific task such as administrator portal. Several Web Services servers can be accessed in the same time and client requests can even go randomly to any of the servers without problem (as long as all the servers use the same session manager). Clustering WebADM has been entirely designed for clustering. WebADM will skip the HTML headers. multiple server can be assigned the same task. WebApp server or Web Services servers. 19. 2) All the servers of the cluster must use the same PKI server (as for session manager). In a clustered system. all the servers automatically refresh their configuration caches. So as long as all the clustered servers are connected to the same services (or multiple real-time replicated services) the whole system should not be impacted by the clustering.RCDevs WebADM Administrator’s Guide . A WebADM system can be divided into more than one server for failover or load-balancing purposes. and then. For a clustered configuration. you may need to re-create your users in WebADM. In that case. Else. 2) With Microsoft ActiveDirectory. WebADM will not be able to create users or set passwords. . Common Issues 1) OpenLDAP server may forbid adding the inetOrgPerson objectclass to an existing user. Be sure have the SSL enabled and to respect the domain password complexity policy for the proxy user password and user passwords. or remove the inetOrgPerson objectclass from the user object specifications in the conf/objects.xml file.RCDevs WebADM Administrator’s Guide .Page 64 of 76 20. you must add the WebADM proxy user to the Domain Admins group. You will also need to login with the the full user DN and setup # a WebADM domain to be able to use the UID login mode. Access # restriction configured in the WebADM OptionSets do not apply to super admins.dc=WebADM" # Any other WebADM administrator must be defined in the other_admins to be able # to login. # and write permissions on the users / groups used by the WebApps and WebSrvs.dc=mydomain. "organizationalUnit". you can use another existing security group here. # .Page 65 of 76 Appendix A : Sample webadm. # . your administrator account should be is something like # cn=Administrator. You can set access restrictions for other admins in WebADM OptionSets. "locality". # You can set a list of individual LDAP users or LDAP groups here.UID: Requires domain name. # The UID mode requires a WebADM domain to exist and have its User Search Base # set to the subtree where are located the administrator users. # With ActiveDirectory. # The use of a proxy user is required for WebApps and WebSrvs.dc=mydomain. auth_mode DN # Show the registered domain list when auth_mode is set to UID. "domain".dc=com. "openldaprootdse" . # You can comment the setting not to use other administrators. \ "cn=super_admins. # You can set a list of individual LDAP users or LDAP groups. # With ActiveDirectory.cn=Users.conf file # # WebADM Server configurations # # WebADM login mode # . And you can replace the sample # super_admins group on the second line with an existing security group. # With ActiveDirectory. # additional operations and unlimited access to any LDAP encrypted data.RCDevs WebADM Administrator’s Guide . proxy_user "cn=webadm. super_admins "cn=admin. # you must login WebADM and create a login certificate for your administrators.dc=WebADM" proxy_password "Password1234" # Super administrators have extended WebADM privileges such as setup permissions.dc=com. # which should look like cn=Administrator.dc=WebADM" # LDAP objectclasses container_oclasses "container". the login mode is automatically # forced to DN.o=root". When using UID # and if there is no domain existing in WebADM. # The proxy user should have read permissions on the whole LDAP tree. other_admins "cn=other_admins. you can use any Domain Administrator DN as proxy user.cn=Users. To use certificate login. "country".DN: Requires login DN and password. login name and password. list_domains Yes # The proxy user is used by WebADM for accessing LDAP objects over which the # admin user does not have read permissions or out of an admin session. # Using certificates is the most secure login method. "organization".PKI: Requires client certificate and login password. cn=WebADM. "posixAccount" group_oclasses "group".cn=WebADM. "groupMembership" language_attrs "preferredLanguage" mobile_attrs "mobile" mail_attrs "mail" webadm_data_attrs "webadmData" webadm_settings_attrs "webadmSettings" webadm_type_attrs "webadmType" # ignore some AD attributes ignored_attrs "ntsecuritydescriptor". "objectcategory".dc=com" #websrvs_container "cn=WebSrvs.dc=WebADM" # Mount points container mountpoints_container "dc=MountPoints. "account". you need to add the 'user' objectclass to the # webadm_account_oclasses and the 'group' objectclass to the webadm_group_oclasses.dc=mydomain. # If your super admin user user does not have one of the following objectclasses. "lastlogoff".cn=WebADM. # Change the container's DN to fit your ldap tree base.dc=WebADM" # Domain and Trusts container domains_container "dc=Domains. "samaccounttype" # Find below the LDAP containers required by WebADM.dc=mydomain.dc=com" #webapps_container "cn=WebApps.cn=WebADM. "dynamicGroup".dc=com" .dc=mydomain.RCDevs WebADM Administrator’s Guide . "badpasswordtime".dc=mydomain. "objectsid".dc=mydomain. "person".cn=WebADM.dc=WebADM" # WebSrv configurations container websrvs_container "dc=WebSrvs. "logoncount". "samAccountName" member_attrs "member" memberof_attrs "memberOf". \ "pwdlastset". "groupOfUniqueNames". "posixGroup" # With ActiveDirectory 2003 only. \ "badpwdcount".dc=WebADM" # WebApp configurations container webapps_container "dc=WebApps. "groupOfNames". webadm_account_oclasses "webadmAccount" webadm_group_oclasses "webadmGroup" webadm_config_oclasses "webadmConfig" # LDAP attributes certificate_attrs "userCertificate" password_attrs "userPassword". user_oclasses "user". "unicodePwd" uid_attrs "uid".dc=WebADM" # Clients container clients_container "dc=Clients. "inetOrgPerson".Page 66 of 76 # user_oclasses is used to build the LDAP search filter with 'Domain' auth_mode. # WebADM Optionsets container optionsets_container "dc=OptionSets.dc=com" #mountpoints_container "cn=Mountpoints. # add one of its objectclasses to the list. "lastlogon".dc=com" #domains_container "cn=Domains.dc=com with your AD domain DN #optionsets_container "cn=OptionSets. "lastlogontimestamp". "primarygroupid".dc=WebADM" # With MS Active Directory use the following settings instead of the previous ones # Note: Replace dc=mydomain. # indirect mode: WebADM finds user groups by searching group objects which contain # the user DN as part of the member_attrs. # By default. # By default (when group_mode is not specified) WebADM handles both group modes. A normal value is one hour.log and soapd. # Use the command 'openssl rand -base64 32' to generate a key."IT". the alerts are also sent by email to the configured recipient.cn=WebADM. # IMPORTANT: If you change the encryption key.dc=com" # Temporary WebADM work directory where temporary work files should be created. # direct mode: WebADM finds user groups using the memberof_attrs defined above. # In this case. Additionally.log files (enabled by default).log files. time_zone "Europe/Paris" # Application languages languages "EN".RCDevs WebADM Administrator’s Guide .txt for the list of time zones. #alert_email "me@mydomain. the group membership is defined in the LDAP user objects.log and soapd. For example. # Records all WebApps and Web Service events to the httpd."FR". if you dont want to provide admin portal on an # Internet-exposed WebApps and WebSrvs server.dc=mydomain. enable_admin Yes enable_manager Yes enable_webapps Yes enable_websrvs Yes # Enable extended logging to the httpd. keys # and session manager sessions with the AES-256 algorithm. # Sessions will be closed after this period of inactivity.com" ."ES". # The encryption key must be a 256bit base64-encoded random binary data. session_timeout 900 # You can set here the WebADM internal cache timeout."FI" # WebADM can encrypt LDAP sensitive data such as password."DE". log_webapps Yes log_websrvs Yes # Alerts are always recorded to the SQL Alert log. all the functionalities are enabled. cache_timeout 3600 # Time zone # Look at the docs/timezones.Page 67 of 76 #clients_container "cn=Clients. #group_mode direct # You can optionally disable some features if you run multiple WebADM server with # different purposes. tmp_dir "/tmp" # You can set here the timeout (in seconds) of a WebADM session. when alert_email # is defined. any encrypted data will become invalid! encrypt_data Yes encrypt_key "cq19TEHgHLQuO09DXzjOw30rrQDLsPkT3NiL6l3BH2w=" # The group mode defines how WebADM will handle LDAP groups. Page 68 of 76 # Check for new versions on RCDevs' website (requires HTTP connectivity). webapps_theme "default" .RCDevs WebADM Administrator’s Guide . check_versions Yes # WebApps theme # Comment the following line to disable the default theme. 0" encoding="UTF-8" ?> <Servers> <!-************************************************* *** WebADM LDAP/SQL/Session/Proxy/PKI Servers *** ************************************************* You can specify multiple LDAP servers here.xml file <?xml version="1.RCDevs WebADM Administrator’s Guide . PostgreSQL. Oracle. SSL and TLS.encryption: connection type Allowed type are NONE. --> <SqlServer name="SQL Server" type="MySQL" host="localhost" . Allowed LDAP parameters are: .name: server friendly name .host: server hostname or IP address . Spported SQL type: MySQL. Sybase. MSSQL. WebADM will try to connect the servers in the same order they appear in this file and will use the first one it successfully established the connection to.Page 69 of 76 Appendix B : Sample servers. default: 'none' --> <LdapServer name="LDAP Server" host="localhost" port="389" encryption="TLS" cert_file="" key_file="" /> <!-<LdapServer name="LDAP Server 2" host="remotehost" port="389" encryption="TLS" cert_file="" key_file="" /> --> <!-SQL servers are used for logs and message localizations.port: LDAP port number default: 389 . At logon. You can specify one or more SQL server here. --> <!-<ProxyServer name="HTTP Proxy" host="proxy" port="8080" user="" password="" /> --> <!-SMTP mail servers can be used by WebADM for sending emails. You can specify one or more PKI servers here. So you can keep the default settings. WebADM will use the local mailer in /usb/sbin/sendmail to send emails. You can specify one or more SQL servers here.RCDevs WebADM Administrator’s Guide . You can specify one or more SMTP servers here. --> <SessionServer name="Session Server" host="localhost" port="11211" /> <!-A PKI server (or CA) is required for signing user certificates. You can specify one or more HTTP proxy servers here. --> <PkiServer name="PKI Server" host="localhost" port="5000" secret="secret" /> <!-HTTP proxy servers can be used by WebADM for connecting remote Web services and version checking. If no server is specified. The Rsign PKI server is included in WebADM. --> <!-<MailServer name="SMTP Server" host="localhost" port="25" . The session server is included in WebADM. So you can keep the default settings.Page 70 of 76 user="webadm" password="webadm" database="webadm" /> <!-A session server is required for webservices using sessions such as OpenOTP. RCDevs WebADM Administrator’s Guide .Page 71 of 76 user="" password="" encryption="NONE" /> --> </Servers> . # You do not need "ca_cert". . trusted_ca_path /opt/webadm/pki/trusted # # client sections # # Declare here the Rsign clients with the allowed services. # Specify the real rsignd server IP and service port number. # This is needed for rsignd to read the trusted CA certificates. "ca_key" and "ca_serial" too.RCDevs WebADM Administrator’s Guide .xxx.conf file # # WebADM PKI Server configuration file # port 5000 logfile /opt/webadm/logs/rsignd.log pidfile /opt/webadm/logs/rsignd. the secondary servers must be defined. type a "make" in the "trusted_ca_path" # to rebuild certificate's hash.xxx. # Comment "trusted_path" to diasble rsignd certificate's trust restrictions. you do not need a CA.key ca_serial /opt/webadm/pki/ca/serial # Server settings max_data_size 16000 # # Proxy settings # # If the server is a rsignd proxy.crt rsignd_key /opt/webadm/pki/rsignd.pid # uid used for rsignd sub process execution user webadm # # Certificates and keys # # default validity period for issued certificates default_cert_validity 365 # certificate and key used for ssl connection rsignd_cert /opt/webadm/pki/rsignd.xxx #server_port 5000 # # Directory or file containing trusted CA certificate(s) (in PEM format) # After adding a new certificate. ca_cert /opt/webadm/pki/ca/ca.Page 72 of 76 Appendix C : Sample rsignd.crt ca_key /opt/webadm/pki/ca/ca. # In cluster mode. use "proxy yes" here.key # In proxy mode. proxy_mode no #server_name xxx. Page 73 of 76 client { hostname 127.0.1 secret secret services getcacert signcsr #cert_validity 180 } #client { # hostname Slave_Server_IP # secret secret # services getcacert signcsr #} .0.RCDevs WebADM Administrator’s Guide . $json = json_encode($request). CURLOPT_USERPWD. array("connection: close")). 1). CURLOPT_SSL_VERIFYPEER. ! 'method' => $method. 1. $request = array( ! 'jsonrpc' => "2. Set the user mobile number and email address $method = ‘Set_User_attrs’. $params = array( ! ‘dn’ => ‘cn=test. Will return: .RCDevs WebADM Administrator’s Guide . 1)."default\\admin:password"). ! ‘domain’ => ‘Default’.0". curl_setopt($ch.o=Root [id] => 0 ) 2. Resolve the DN of an existing user <?php $method = ‘Get_User_DN’.com’)). ! 'id' => 0). 1). ! ‘attrs’ => array(‘mobile’ => array(‘12345678’). $ch = curl_init(). curl_setopt($ch. CURLOPT_FOLLOWLOCATION. curl_setopt($ch.o=root’. 0). ). curl_setopt($ch. CURLOPT_POST. CURLOPT_POSTFIELDS. CURLOPT_RETURNTRANSFER. CURLOPT_HTTPHEADER. print_r(json_decode($out)).Page 74 of 76 Appendix D : Sample Manager Interface usage Find below 2 simple examples of use of the WebADM Manager interface. ‘mail’ => array(‘test@test. CURLOPT_URL. curl_setopt($ch. ! 'params' => $params. ?> The manager will return a structure int the form: stdClass Object ( [jsonrpc] => 2. $out = curl_exec($ch). $json).0 [result] => cn=test. $params = array( ! ‘username’ => ‘test’. curl_setopt($ch. curl_close($ch). curl_setopt($ch. ). curl_setopt($ch. "https://localhost/manag/"). 0 [result] => stdClass Object ( [mobile] => Array ( [0] => 12345678 ) [mail] => Array ( [0] =>
[email protected] ) ) [id] => 0 ) 4.o=root’. ! ‘settings’ => array(‘OpenOTP.0 [result] => 1 [id] => 0 ) 3. Set some user application settings $method = ‘Set_User_Settings’. Will return: stdClass Object ( [jsonrpc] => 2.LoginMode’ => ‘LDAPOTP’.Page 75 of 76 stdClass Object ( [jsonrpc] => 2. ‘OpenOTP. ). Will return: stdClass Object ( [jsonrpc] => 2. $params = array( ! ‘dn’ => ‘cn=test.0 [result] => 1 [id] => 0 ) .RCDevs WebADM Administrator’s Guide . ! ‘attrs’ => array(‘mobile’.o=root’. $params = array( ! ‘dn’ => ‘cn=test. Get the user mobile number and email address $method = ‘Get_User_attrs’. ‘mail’).SecureMail’ => false). ). $params = array( ! ‘dn’ => ‘cn=test.RCDevs WebADM Administrator’s Guide . Will return: stdClass Object ( [jsonrpc] => 2. ! ‘counter’ => 0 ).o=root’.HOTP_Register’.0 [result] => 1 [id] => 0 ) . Register a HOTP Token with OpenOTP $method = ‘OpenOTP. ! ‘key’ => base64_encode(“12345678901234567890”).Page 76 of 76 5.