Setting up LDAP access control
To set up LDAP access control, select LDAP as your access method in kwauthconfig, and specify values for LDAP parameters and attributes.
Tip: If you use Active Directory on Windows, you may want to use single sign-on instead. See Setting up single sign-on.
In order to set up this access control method, you will need to complete the following steps:
- Collect all relevant information, where appropriate
- Use Klocwork security utility to modify the server configuration. See Configuring your access control method
- Restart the Klocwork Server to switch to the new configuration
Once the setup is complete, the LDAP server provides the names of individuals and groups for you to choose from in Validate. Validate's access to the LDAP server is read-only, but you can also create your own groups in Validate.
As the Klocwork administrator, you may configure access control yourself, or you may provide the data to the domain server administrator, who will do the setup.
What you need to know
Make sure that the common names in the LDAP server map to user IDs. Klocwork uses user IDs (for example, jlee) rather than common names (Jean Lee), so it is important that these user IDs are available to Klocwork.
Passwords of LDAP users, including yours as the Klocwork administrator, are managed in LDAP, not in Klocwork. Because the Klocwork Server only reads the directory, the principal user (if your LDAP server requires one) needs no more than read access to the user and group containers; do not reuse an administrative directory account for it.
The following table lists the setting information required in order to configure LDAP access in kwauthconfig:
Klocwork setting | Description | Example |
---|---|---|
Provider URL | The URL of your LDAP server, in the form ldap://<host>:<port>, where <host> is the host name or IP address of the LDAP server and <port> is the port it listens on (389 if you omit it). | ldap://server.mycompany.com:389 or ldap://21.1.0.160:389 |
Group providers | The optional distinguished names (DNs) of the LDAP objects that store user group definitions. A DN is the path from the directory tree node that contains the groups up to the directory root, with the node names separated by commas. | ou=userGroups,dc=mycompany,dc=com |
LDAP Group Filter | A search filter applied to the entries below the group providers, selecting the ones that are groups. | OpenLDAP: (objectClass=posixGroup) |
User Providers | The distinguished names (DNs) of the LDAP objects that store user definitions. A DN is the path from the directory tree node that contains the users up to the directory root, with the node names separated by commas. | ou=People,dc=mycompany,dc=com |
LDAP User Filter | A search filter applied to the entries below the user providers, selecting the ones that are user accounts. | OpenLDAP: (objectClass=posixAccount) or (objectClass=account) |
User attributes | Every entry in the LDAP directory can have several attributes, and a user's name is the value of one of them, so one user can have several names held in different attributes. In the User Attributes field, list one or more attributes that contain user names. The default is cn (Common Name). Validate displays only the value of the first (left-most) attribute as the user's name, so if several users share a common name they are displayed with identical names. To prevent confusion, put a unique attribute, such as the user ID, first. | sAMAccountName, cn |
Search Page Size | To limit server load and abuse, organizations sometimes cap the number of entries their LDAP server returns to a single search. The Klocwork Server can then time out waiting for the rest of the results. If you know that your LDAP server has such a limit, set Search Page Size to the number of entries to return per page; the Klocwork Server then retrieves users and groups in chunks (pages) of that size. | 1000 |
User email attribute | The user attribute that holds each user's email address. If you leave it empty, mail is used. | mail |
Principal user's name | The optional DN (or Active Directory user principal name) of the account the Klocwork Server uses to log in to the LDAP server when it retrieves the list of users. Needed only when the LDAP server requires an authenticated bind. | cn=Directory Manager,ou=People,dc=mycompany,dc=com or test@mycompany.com |
Password | The password for the optional principal user. | |
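The values in the table are easy to get subtly wrong (a missing parenthesis in a filter, a DN that names the wrong container, cn listed before the unique attribute), and kwauthconfig only tells you whether it could connect. The script below is an added example, not Klocwork code and not part of the original page: it parses the DN and filter values offline, runs the user and group filters over a small directory constructed inline (the server.mycompany.com host and the jlee user come from the table; jlee2, tng, ou=Contractors and the developers group are made up), and reports the display name each user would get for a given User attributes order, including which names collide. Attribute names in the sample entries are lower-cased by hand.

```python
"""Offline pre-flight check for the LDAP settings in the table above.
Added example, not Klocwork's code: it validates DN and filter syntax, runs
the user and group filters over a directory constructed inline, and shows
the display name each user gets for a given User attributes order."""

def parse_dn(dn):
    """'ou=People,dc=mycompany,dc=com' -> [('ou','people'),('dc','mycompany'),('dc','com')],
    lower-cased for comparison. Escaped commas inside values are not handled."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN %r in %r" % (part, dn))
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def parse_filter(text):
    """RFC 4515 subset -> tuple AST: (&..) (|..) (!..) attr=value attr=*.
    Anything else raises ValueError, so a typo is caught before kwauthconfig."""
    def node(i):
        if text[i] != "(":
            raise ValueError("expected '(' at %d in %r" % (i, text))
        if text[i + 1] in "&|!":
            op, kids, i = text[i + 1], [], i + 2
            while text[i] == "(":
                kid, i = node(i)
                kids.append(kid)
            if text[i] != ")" or not kids or (op == "!" and len(kids) != 1):
                raise ValueError("bad %r expression in %r" % (op, text))
            return (op, kids), i + 1
        end = text.index(")", i)
        attr, sep, value = text[i + 1:end].partition("=")
        if not sep or not attr or not value:
            raise ValueError("bad item %r in %r" % (text[i + 1:end], text))
        return ("=", attr.lower(), value), end + 1
    try:
        ast, end = node(0)
    except IndexError:
        raise ValueError("unterminated filter %r" % text)
    if end != len(text):
        raise ValueError("trailing text in filter %r" % text)
    return ast

def matches(ast, e):
    """Evaluate an AST against an entry (dict attr -> values), case-insensitively."""
    op = ast[0]
    if op in ("&", "|"):
        return (all if op == "&" else any)(matches(k, e) for k in ast[1])
    if op == "!":
        return not matches(ast[1][0], e)
    values = [v.lower() for v in e.get(ast[1], [])]
    return bool(values) if ast[2] == "*" else ast[2].lower() in values

# Constructed sample directory (attribute names lower-cased by hand): two users
# who share a common name, a contractor one level deeper, and one group.
DIRECTORY = [
    {"dn": "uid=jlee,ou=People,dc=mycompany,dc=com",
     "objectclass": ["posixAccount"], "cn": ["Jean Lee"], "uid": ["jlee"]},
    {"dn": "uid=jlee2,ou=People,dc=mycompany,dc=com",
     "objectclass": ["posixAccount"], "cn": ["Jean Lee"], "uid": ["jlee2"]},
    {"dn": "uid=tng,ou=Contractors,ou=People,dc=mycompany,dc=com",
     "objectclass": ["posixAccount"], "cn": ["Tom Ng"], "uid": ["tng"]},
    {"dn": "cn=developers,ou=userGroups,dc=mycompany,dc=com", "objectclass": ["posixGroup"],
     "cn": ["developers"], "memberuid": ["jlee", "jlee2", "tng"]},
]

def search(directory, providers, filter_text, depth):
    """Matching entries under a provider DN: direct children only (like
    ldapsearch -s one) or, with depth search, the whole subtree (-s sub)."""
    ast, bases = parse_filter(filter_text), [parse_dn(p) for p in providers]
    hits = []
    for e in directory:
        rdns = parse_dn(e["dn"])
        for base in bases:
            below = len(rdns) > len(base) and rdns[-len(base):] == base
            if below and (depth or len(rdns) == len(base) + 1) and matches(ast, e):
                hits.append(e)
                break
    return hits

def preflight(s, directory=DIRECTORY):
    """Dry run of settings s: who is imported, what Validate calls them (value
    of the first listed attribute each entry has) and which names collide."""
    users = search(directory, s["user_providers"], s["user_filter"], s["depth_search"])
    groups = search(directory, s["group_providers"], s["group_filter"], s["depth_search"])
    names = [next((u[a.lower()][0] for a in s["user_attributes"] if u.get(a.lower())), None)
             for u in users]
    return {"users": [u["dn"] for u in users], "groups": [g["dn"] for g in groups],
            "display_names": names,
            "duplicate_names": sorted({n for n in names if names.count(n) > 1})}

SETTINGS = {  # the table's values; with depth_search=True ou=Contractors is reached too
    "user_providers": ["ou=People,dc=mycompany,dc=com"], "user_filter": "(objectClass=posixAccount)",
    "group_providers": ["ou=userGroups,dc=mycompany,dc=com"], "group_filter": "(objectClass=posixGroup)",
    "user_attributes": ["cn", "uid"],  # cn first: both Jean Lees get the same display name
    "depth_search": False}
```

preflight(SETTINGS) reports both jlee entries displayed as "Jean Lee"; moving uid ahead of cn in user_attributes removes the collision, and setting depth_search to True pulls in the contractor under ou=Contractors as well. Once the values pass this check, repeat the same query against the real server before entering them in kwauthconfig, for example ldapsearch -x -H ldap://server.mycompany.com:389 -D "cn=Directory Manager,ou=People,dc=mycompany,dc=com" -W -b "ou=People,dc=mycompany,dc=com" -s one "(objectClass=posixAccount)" uid cn (use -s sub when you enable depth search). -W prompts for the principal's password; avoid -w, which puts the password on the command line where it shows up in the process list and shell history.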
Configuring your access control method
- Launch the Klocwork security utility, kwauthconfig.
For more information, see 'Launching Klocwork's security utility' here: Setting up access control
- After the utility launches, you will be prompted to provide the location of the project root structure. This location was specified during installation, and is typically: <server_install>\projects_root.
- Click Configure.
- Select LDAP.
- Click Next.
- Enter a Provider URL for the LDAP server in the form ldap://<host>:<port>. If you don't specify a port, Klocwork uses 389.
- To use the groups defined on your LDAP server, click Add beside the Group Providers box and enter the DN of each LDAP object that contains groups, separated by spaces. If you don't want to use LDAP groups, or your server has none, you can create groups in Validate instead.
- To name an ancestor of the group nodes (for example, the directory root) as a Group Provider and have Klocwork search the whole subtree beneath it, click Enable Depth Search and enter the group filter in the LDAP Group Filter field. Keep the filter specific, because a depth search with a loose filter pulls in every matching entry below that node.
- Click Add beside the User Providers box and enter the DN of each LDAP object that contains users, separated by spaces.
- To name an ancestor of the user nodes as a User Provider and have Klocwork search the subtree beneath it, click Enable Depth Search and enter the user filter in the LDAP User Filter field.
- Optional: If your LDAP server needs the Klocwork Server to have an authenticating user ID, click My LDAP server requires an authenticating user.
- Click Next on the LDAP server settings screen
- In the User Attributes field, enter the attributes that hold user names, with a unique attribute such as the user ID first (see the table above). The default is cn.
- If your LDAP server is configured for a limited page size, enter a value for Search Page Size.
- If your LDAP server uses an attribute other than 'mail' for users' email addresses, enter it in the User Email Attribute field.
- Click Next.
- Enter the principal user's name.
- Enter the principal user's password, and re-enter it in the field below to confirm it.
- Click Finish and the initial configuration utility screen will appear. Click OK to finalize your changes.
You can test your configuration by clicking Test Connection, which checks that Klocwork can connect to the LDAP server with the properties you set. The Check LDAP connection dialog shows the server type that Klocwork detected, if it detected one. If your LDAP server type was not detected, verify your group membership information in Validate after you finish this procedure. The connection test fails if:
- your LDAP server is down, or
- the user running kwauthconfig is not a valid LDAP user, or
- you have specified a bad user provider and/or user filter.
If you can log in to Validate, the user provider and filter settings are correct. To verify the group settings, log in as the projects_root admin and open the Users tab. From there you can search for the groups that satisfy the 'ldap.groups.provider' and 'ldap.group.filter' settings that kwauthconfig wrote.
Finally, restart the Klocwork Server with the command validate service --projects-root <projects_root> restart klocwork, or from Windows Services administration.
What's next?
Now that you've set up LDAP access control in kwauthconfig, you're ready to create roles for your users in Validate.