Enabling authentication using Talend Administration Center or LDAP - 6.3

Talend Data Fabric Installation Guide for Linux


Enabling authentication using Talend Administration Center

To configure MDM to authenticate users via Talend Administration Center, you first need to enable such authentication in the Talend MDM configuration file and provide certain information related to your Talend Administration Center installation.

Note that, although authentication occurs in Talend Administration Center, authorization still takes place in the MDM database.

Therefore, users in both Talend Administration Center and MDM must remain synchronized. That is, user names and email addresses must be consistent.

One way of doing this could be to create a Job which returns a list of users using the Talend Administration Center MetaServlet and creates, removes and updates user information in MDM in line with any changes made in Talend Administration Center. Additionally, if the Talend Administration Center login module cannot find the user who is attempting to authenticate, it will fall back to checking in the MDM database as well.
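The reconciliation step of such a Job, written out as an added Python illustration (not Talend code and not a Talend Job). The two user lists are constructed inline; in a real Job they would come from the Talend Administration Center MetaServlet and from the MDM user store. Users are matched on email address, the value that must stay consistent between the two systems, and a set of protected MDM technical accounts (an assumption for the example) is never removed automatically, so a mismatch in Talend Administration Center cannot lock administrators out of MDM.

```python
"""Reconcile an MDM user list against a Talend Administration Center (TAC) user list.

Added illustration, not Talend's own code. Both lists are constructed samples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    email: str
    name: str
    enabled: bool


# Constructed sample: what TAC currently reports ...
TAC_USERS = [
    User("alice@example.com", "Alice Smith", True),
    User("Bob@example.com", "Bob Jones", False),    # disabled in TAC since last sync
    User("dave@example.com", "Dave Lee", True),     # new in TAC
]

# ... and what MDM currently holds.
MDM_USERS = [
    User("alice@example.com", "Alice Smith", True),
    User("bob@example.com", "Bob Jones", True),
    User("carol@example.com", "Carol King", True),  # removed from TAC since last sync
    User("admin@example.com", "MDM Administrator", True),
]

# Assumed placeholder: technical MDM accounts the sync must never delete.
PROTECTED_EMAILS = frozenset({"admin@example.com"})


def reconcile(tac_users, mdm_users, protected_emails=frozenset()):
    """Return the email addresses to create, update, remove and keep in MDM.

    Emails are compared case-insensitively. An existing user is updated only
    when the attributes TAC is authoritative for (name, enabled) differ.
    """
    tac_by_email = {u.email.lower(): u for u in tac_users}
    mdm_by_email = {u.email.lower(): u for u in mdm_users}
    common = tac_by_email.keys() & mdm_by_email.keys()
    missing_in_tac = mdm_by_email.keys() - tac_by_email.keys()

    def attrs(user):
        return (user.name, user.enabled)

    return {
        "create": sorted(tac_by_email.keys() - mdm_by_email.keys()),
        "update": sorted(k for k in common
                         if attrs(tac_by_email[k]) != attrs(mdm_by_email[k])),
        "remove": sorted(k for k in missing_in_tac if k not in protected_emails),
        "kept": sorted(k for k in missing_in_tac if k in protected_emails),
    }


if __name__ == "__main__":
    for action, emails in reconcile(TAC_USERS, MDM_USERS, PROTECTED_EMAILS).items():
        print(f"{action:7s} {', '.join(emails) or '-'}")
```

Running the sample yields one creation (dave), one update (bob, now disabled), one removal (carol) and one protected account kept (admin); the "kept" list is worth logging so that an operator notices accounts that exist only in MDM.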

Warning

If you change the Talend Administration Center authentication details for the admin user before you make the same change in MDM, you may no longer be able to access MDM because the Talend Administration Center login is not the same as the MDM admin login.

To configure authentication via Talend Administration Center:

  1. In <$INSTALLDIR>\conf, open the file jaas_tac.conf.

    This file is a template that contains the configuration information related to Talend Administration Center.

  2. Update the information shown in the table below with the appropriate details for your installation.

    module-option name: tacUrl
    Purpose: Provide the URL used to access Talend Administration Center, including the port.
    Example: http://localhost:8080/org.talend.administrator
             http://your-company.com:8080/org.talend.administrator

    module-option name: useEmailAddress
    Purpose: In Talend Administration Center, user names are always in the form of an email address. In MDM, this is not the case by default.
      • Set this option to true if user names in MDM are not in the form of email addresses. Subsequently, when a user logs into Talend Administration Center using a user name that is not in the form of an email address, a lookup will be performed in the MDM database to retrieve the corresponding email address, which will then be used to authenticate the user in Talend Administration Center.
      • Set this option to false if user names in MDM are already in the form of email addresses.
    Example: true
             false

    module-option name: forbidsLoginByMDM
    Purpose: Indicate whether to fall back to the MDM authentication when a user fails the Talend Administration Center authentication.
    Example: false

  3. Save your changes under the file name jaas.conf.

    Warning

    Since this action will replace the existing jaas.conf file, it is strongly recommended that you first make a backup copy of the existing jaas.conf file, and/or copy all the relevant configuration information into your new file.

  4. Restart your MDM server for your changes to be taken into account.

Enabling authentication via LDAP

To configure MDM to integrate an existing LDAP directory, you need to enable authentication via LDAP in the MDM configuration file and to provide certain information related to your LDAP installation.

If all MDM users are defined in LDAP:

  1. Start the MDM server in the default local authentication mode and connect to the Talend MDM Web User Interface as an admin user.

  2. Make sure the LDAP user with the same login as the default administrator user exists.

    If not, on the [Manage Users] page, create a new user with the UUID used by LDAP with the administration and System_Admin rights, save your changes and shut down the MDM server.

  3. Follow the procedure to configure authentication via LDAP (see below).

If some technical users (such as administrator) are not defined in LDAP:

If the MDM user defined in the Talend MDM Web User Interface cannot be found in the LDAP directory, you need to make the server fall back on the MDM existing users during authentication.

  1. To configure this fallback operation, open the file <$INSTALLDIR>\conf\jaas_ldap.conf.

    The jaas_ldap.conf file is a template that contains the configuration information related to LDAP.

  2. Change the flag of the LDAP login module to sufficient and chain the LDAP and MDM login modules together.

    You can use either direct or indirect LDAP authentication.

    For a complete procedure about how to use indirect LDAP authentication, see Talend Help Center (https://help.talend.com).

    An example of using direct LDAP authentication (LdapDirect=true) is shown below:

    MDM {
      com.amalto.core.server.security.jaas.LDAPLoginModule sufficient
      useFirstPass=false
      java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
      java.naming.security.authentication="simple"
      java.naming.provider.url="ldap://localhost:10389"
      LdapDirect=true
      principalDNPrefix="cn="
      principalDNSuffix=",ou=talend,dc=example,dc=com";
    };
    TDSC {
      com.amalto.core.server.security.jaas.LDAPLoginModule sufficient
      useFirstPass=false
      java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
      java.naming.security.authentication="simple"
      java.naming.provider.url="ldap://localhost:10389"
      LdapDirect=true
      principalDNPrefix="cn="
      principalDNSuffix=",ou=talend,dc=example,dc=com";
    };

    An example of using indirect LDAP authentication (LdapDirect=false) is shown below:

    MDM {
      com.amalto.core.server.security.jaas.LDAPLoginModule sufficient
      useFirstPass=false
      java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
      java.naming.security.authentication="simple"
      java.naming.provider.url="ldap://localhost:10389"
      LdapDirect=false
      LdapAdminDN="uid=admin,ou=system"
      LdapAdminPassword=secret
      searchBase="ou=talend,dc=example,dc=com"
      searchFilter="(&(objectClass=*)&(cn={0}))";
    };
    TDSC {
      com.amalto.core.server.security.jaas.LDAPLoginModule sufficient
      useFirstPass=false
      java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
      java.naming.security.authentication="simple"
      java.naming.provider.url="ldap://localhost:10389"
      LdapDirect=false
      LdapAdminDN="uid=admin,ou=system"
      LdapAdminPassword=secret
      searchBase="ou=talend,dc=example,dc=com"
      searchFilter="(&(objectClass=*)&(cn={0}))";
    };

  3. If needed, you can set an encrypted password for the parameter LdapAdminPassword for the sake of security. For more information about how to encrypt passwords using the CommandLine, see Encrypting the passwords using the CommandLine.

  4. Save your changes. If the LDAP login module (flagged as sufficient) succeeds, that is to say the user exists both in LDAP and MDM, no further authentication process is performed. If it fails, that is to say the user does not exist in LDAP, authentication continues with the MDM login module (flagged as required).

  5. Follow the next procedure to update the LDAP configuration according to your installation.
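How the sufficient/required chaining in this procedure decides a login, as an added Python simulation (not Talend code). It applies the JAAS Configuration flag rules (required, requisite, sufficient, optional) to an ordered module stack; the module names are placeholders, since the MDM login module's class name is not given here, and each module's login() result is supplied as a boolean instead of contacting LDAP or MDM.

```python
"""Simulate JAAS evaluation of a login-module stack such as the jaas.conf above.

Added illustration, not Talend code: module names are placeholders and each
module's login() outcome is a supplied boolean.
"""


def evaluate_stack(stack, results):
    """Return (overall_success, modules_consulted) for a JAAS stack.

    stack:   ordered list of (module_name, flag)
    results: dict module_name -> bool, the outcome of that module's login()
    """
    has_required = any(flag in ("required", "requisite") for _, flag in stack)
    required_failed = False
    any_success = False
    consulted = []

    for name, flag in stack:
        consulted.append(name)
        ok = results[name]
        any_success = any_success or ok
        if flag == "required" and not ok:
            required_failed = True           # keep going, but overall fails
        elif flag == "requisite" and not ok:
            return False, consulted          # stop immediately
        elif flag == "sufficient" and ok and not required_failed:
            return True, consulted           # short-circuit: later modules unused
        # "optional" never changes control flow

    if has_required:
        return not required_failed, consulted
    return any_success, consulted


# The chained configuration from the procedure above: LDAP first as
# "sufficient", then the MDM database as "required" (placeholder name).
CHAINED = [("LDAPLoginModule", "sufficient"), ("MDMLoginModule", "required")]

# For contrast: LDAP alone, flagged "required", so a user who is absent
# from LDAP can never log in.
LDAP_ONLY = [("LDAPLoginModule", "required")]


if __name__ == "__main__":
    print(evaluate_stack(CHAINED, {"LDAPLoginModule": True, "MDMLoginModule": False}))
    print(evaluate_stack(CHAINED, {"LDAPLoginModule": False, "MDMLoginModule": True}))
    print(evaluate_stack(LDAP_ONLY, {"LDAPLoginModule": False}))
```

With the chained stack an LDAP success ends evaluation before the MDM module runs, and an LDAP failure falls through to the MDM module exactly as step 4 describes; if both modules were flagged required instead, a user missing from LDAP would be rejected even though MDM knows them.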

To configure authentication via LDAP:

  1. Under the directory <$INSTALLDIR>\conf, open the file jaas_ldap.conf.

  2. Update the information shown in the table below with the appropriate details for your installation.

    module-option name: java.naming.factory.initial
    Purpose: Indicate the LDAP library/factory to be used.
    Example: com.sun.jndi.ldap.LdapCtxFactory

    module-option name: useFirstPass
    Purpose: Indicate whether to use the stored login name and password for authentication.
    Example: false

    module-option name: java.naming.security.authentication
    Purpose: Indicate the LDAP authentication scheme, which can be none, simple or strong.
    Example: simple

    module-option name: java.naming.provider.url
    Purpose: Provide the URL of the LDAP server, including the port.
    Example: ldap://monet:389
             ldap://your-company.com:3268

    module-option name: LdapDirect
    Purpose: Specify which LDAP authentication method to use.
      • When this option is set to true, a direct attempt is made using the username to build the distinguished name (DN) of the user. In this case, the principalDNPrefix and principalDNSuffix parameters must be set.
      • When it is set to false, the indirect authentication method is used, in which an admin user must browse through the LDAP directory to find the DN for the given username. In this case, the LdapAdminDN, LdapAdminPassword, searchBase and searchFilter parameters must be set.
    Example: true
             false

    module-option name: principalDNPrefix
    Purpose: Specify the optional prefix to add to the username to build the DN in the direct method.
    Example: cn=

    module-option name: principalDNSuffix
    Purpose: Specify the optional suffix to add to the username to build the DN in the direct method.
    Example: ,ou=talend,dc=example,dc=com

    module-option name: LdapAdminDN
    Purpose: Specify the DN of a directory administrator.
    Example: uid=admin,ou=system

    module-option name: LdapAdminPassword
    Purpose: Specify the password of a directory administrator.
    Example: plain text password: secret
             encrypted password: pYxdPApRyZ3OYOR+NpqpQg==,Encrypt

    module-option name: searchBase
    Purpose: Define the location in the directory from which the LDAP search begins.
    Example: ou=talend,dc=example,dc=com

    module-option name: searchFilter
    Purpose: Define the LDAP search criteria used to find the user's entry.
    Example: (&(objectClass=*)&(cn={0}))

  3. Save your changes under the file name jaas.conf.

    Warning

    Since this action will replace the existing jaas.conf file, it is strongly recommended that you first make a backup copy of the existing jaas.conf file, and/or copy all the relevant configuration information into your new file.

  4. Restart your Talend MDM server for your changes to be taken into account.
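What the two LdapDirect modes do with a submitted user name, as an added Python illustration (not the MDM login module's code). With LdapDirect=true the name is wrapped in principalDNPrefix and principalDNSuffix to form the DN to bind with; with LdapDirect=false it is substituted for {0} in searchFilter and searched under searchBase using the administrator bind. Whether the MDM module escapes the user name is not stated on this page; the example escapes it according to RFC 4514 (DN values) and RFC 4515 (filter values), so a name containing characters such as ',' '*' '(' or ')' cannot alter the meaning of the DN or the filter. The defaults are the example values from the table above; the filter template is used verbatim and only {0} is replaced.

```python
"""Build the LDAP lookup for LdapDirect=true and LdapDirect=false.

Added illustration, not Talend code. Defaults are the page's example values.
"""

DN_SPECIAL = ',+"\\<>;'
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """Escape an assertion value for use inside a search filter (RFC 4515)."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_direct_dn(username, prefix="cn=", suffix=",ou=talend,dc=example,dc=com"):
    """LdapDirect=true: the DN the module binds with (prefix + name + suffix)."""
    return prefix + escape_dn_value(username) + suffix


def build_search(username, base="ou=talend,dc=example,dc=com",
                 template="(&(objectClass=*)&(cn={0}))"):
    """LdapDirect=false: the (searchBase, filter) the admin bind searches with.

    The template is taken as-is from jaas_ldap.conf; only {0} is replaced.
    """
    return base, template.replace("{0}", escape_filter_value(username))


def plan_lookup(ldap_direct, username):
    """Return the operation the configured mode performs for a login attempt."""
    if ldap_direct:
        return ("bind", build_direct_dn(username))
    base, ldap_filter = build_search(username)
    return ("search", base, ldap_filter)


if __name__ == "__main__":
    print(plan_lookup(True, "jdoe"))
    print(plan_lookup(False, "jdoe"))
    print(plan_lookup(False, "*"))   # wildcard is neutralised, matching only a literal '*'
```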

Synchronising your LDAP directory with Talend MDM

One way of synchronising the LDAP directory with Talend MDM is:

  1. Create a specific group of Talend MDM users in the LDAP directory.

  2. Create a Job that extracts the information related to the user accounts in the TalendMDM group from the LDAP directory.

  3. Insert these accounts as Users in the PROVISIONING data container using the tMDMBulkLoad component.

Note

The username, familyname, realemail, viewrealemail, registrationdate, enabled and role fields must all be filled, as they are mandatory when creating a User.
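The extraction and mapping part of such a Job, as an added Python illustration (not Talend code and not a Talend Job). The group entry and the user entries are constructed inline in place of an LDAP search result; only members of the group are mapped, each is turned into a record carrying the mandatory User fields from the note above, and records lacking any of them are rejected before loading rather than failing inside tMDMBulkLoad. The group name "TalendMDM", the attribute mapping (uid, sn, mail), the role value and the flat <User> XML layout are assumptions for the example.

```python
"""Map LDAP accounts from a dedicated group to MDM User records for bulk loading.

Added illustration, not Talend code. Directory content is constructed inline;
the XML layout and attribute mapping are assumptions.
"""
import xml.etree.ElementTree as ET

# Mandatory fields when creating a User (from the note above).
MANDATORY_FIELDS = ("username", "familyname", "realemail", "viewrealemail",
                    "registrationdate", "enabled", "role")

# Constructed sample directory content.
GROUP_ENTRY = {
    "dn": "cn=TalendMDM,ou=groups,dc=example,dc=com",
    "member": ["uid=alice,ou=people,dc=example,dc=com",
               "uid=bob,ou=people,dc=example,dc=com"],
}
USER_ENTRIES = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com",
     "uid": "alice", "sn": "Smith", "mail": "alice@example.com"},
    {"dn": "uid=bob,ou=people,dc=example,dc=com",
     "uid": "bob", "sn": "Jones"},                         # no mail attribute
    {"dn": "uid=carol,ou=people,dc=example,dc=com",
     "uid": "carol", "sn": "King", "mail": "carol@example.com"},  # not in the group
]


def group_members(group_entry, user_entries):
    """Keep only the user entries whose DN is listed as a group member."""
    member_dns = set(group_entry.get("member", []))
    return [e for e in user_entries if e["dn"] in member_dns]


def to_mdm_user(entry, registration_date, role):
    """Map one LDAP entry to the User fields (assumed attribute mapping)."""
    return {
        "username": entry.get("uid", ""),
        "familyname": entry.get("sn", ""),
        "realemail": entry.get("mail", ""),
        "viewrealemail": "true",
        "registrationdate": registration_date,
        "enabled": "true",
        "role": role,
    }


def missing_fields(user):
    return [f for f in MANDATORY_FIELDS if not user.get(f)]


def build_load(group_entry, user_entries, registration_date, role):
    """Return (records ready to load, rejected (dn, missing fields) pairs)."""
    records, rejected = [], []
    for entry in group_members(group_entry, user_entries):
        user = to_mdm_user(entry, registration_date, role)
        gaps = missing_fields(user)
        if gaps:
            rejected.append((entry["dn"], gaps))
        else:
            records.append(user)
    return records, rejected


def to_xml(user):
    """Serialize one record as a flat <User> element (assumed layout)."""
    root = ET.Element("User")
    for field in MANDATORY_FIELDS:
        ET.SubElement(root, field).text = user[field]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # "ROLE_PLACEHOLDER" stands in for the MDM role you actually assign.
    records, rejected = build_load(GROUP_ENTRY, USER_ENTRIES, "2024-01-15", "ROLE_PLACEHOLDER")
    for record in records:
        print(to_xml(record))
    for dn, gaps in rejected:
        print(f"rejected {dn}: missing {', '.join(gaps)}")
```

On the sample data alice is loaded, bob is rejected for lacking realemail, and carol is ignored because she is not a member of the group; keeping the rejected list as Job output makes incomplete directory entries visible instead of silently dropping accounts.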