PASOE Server Integration with Active Directory

Posted by Nate Bauer on 14-Feb-2019 19:37

Currently attempting to integrate Active Directory (AD) with a PASOE Server that is set as a WEB transport type, but am unable to achieve successful authentication against AD. The roadblock appears to arise in the oeablSecurity.properties file. In this file I've set the http.all.authmanager to ad and client.login.model to basic. Additionally, I configured the section that contains the properties for the AD authentication manager to match my AD settings. To be clear, I am making changes to the oeablSecurity.properties file at the application level and not in the conf directory. The reason is that authentication may or may not need to be applied to certain web apps. However, when attempting calls to the established endpoint, distinct errors are returned: an HTTP status code of 403 Forbidden when passing correct user credentials. Alternatively, passing in faulty user credentials returns an HTTP status code of 401 Unauthorized.

After encountering these errors I attempted to switch the http.all.authmanager to ldap, left the client.login.model as basic, and configured the ldap authentication manager properties. I primarily followed this article, https://knowledgebase.progress.com/articles/Article/How-to-configure-OERealm-LDAP-authentication-with-PASOE, with the exception that I'm running PASOE 11.7.3. These changes resulted in responses that returned an HTTP status code of 401 Unauthorized, regardless of accurate or faulty user credentials.

I'm hoping that someone could provide insight into this process, as I'm unsure if this is strictly related to the oeablSecurity.properties file configuration or if there are additional considerations that I've overlooked entirely. Links to any documentation would also be greatly appreciated.

Posted by Irfan on 14-Feb-2019 20:00

Hi,

From your description, I understand that you are authenticated but not authorized for valid credentials. You are getting 403 because you were authenticated successfully but you are unauthorized. By default, the role supported for the web transport is ROLE_PSCUser. For LDAP and AD, we convert your AD account group to a role. So let's say your group is "acme" for your user; then we convert that to "ROLE_ACME", and you change the oeablSecurity.csv to use ROLE_ACME instead of ROLE_PSCUser.

Please try that and let us know if that solves the problem.
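To make the 401-versus-403 distinction in the answer above concrete, here is an added Python sketch (not Progress code and not from this thread) that maps AD groups to roles the way the answer describes and then evaluates a request against oeablSecurity.csv rules. The CSV lines are constructed, and the "pattern","method","role expression" layout with hasAnyRole()/denyAll() is an assumption about the file's format.

```python
import re

# Constructed sample rules (assumed intercept-url form: "pattern","method","role expression").
# BEFORE is the default that yields 403 for an AD user in group "acme"; AFTER is the fix.
CSV_BEFORE = '''"/web/**","*","hasAnyRole('ROLE_PSCUser')"
"/**","*","denyAll()"'''
CSV_AFTER = '''"/web/**","*","hasAnyRole('ROLE_ACME')"
"/**","*","denyAll()"'''


def groups_to_roles(groups):
    """Mirror the mapping described in the thread: AD group 'acme' -> 'ROLE_ACME'."""
    return {"ROLE_" + g.upper() for g in groups}


def parse_rules(csv_text):
    """Parse CSV rules into (url_pattern, http_method, role_expression) tuples."""
    rules = []
    for line in csv_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, method, expr = [f.strip().strip('"') for f in line.split(",", 2)]
        rules.append((pattern, method, expr))
    return rules


def path_matches(pattern, path):
    """Ant-style match: '**' spans path segments, '*' matches within one segment."""
    regex = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(regex, path) is not None


def decide(rules, path, method, user_roles):
    """Return 401 (no authenticated identity), 403 (authenticated but not
    authorized) or 200 (allowed). First matching rule wins."""
    if user_roles is None:          # bad credentials: authentication failed
        return 401
    for pattern, m, expr in rules:
        if path_matches(pattern, path) and m in ("*", method):
            if expr == "permitAll()":
                return 200
            if expr == "denyAll()":
                return 403
            needed = set(re.findall(r"'([^']+)'", expr))   # hasAnyRole('A','B')
            return 200 if user_roles & needed else 403
    return 403                      # no rule matched: treat as not authorized
```

Running `decide(parse_rules(CSV_BEFORE), "/web/orders", "GET", groups_to_roles(["acme"]))` reproduces the 403 from the question, and the same call against CSV_AFTER returns 200.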

Posted by Nate Bauer on 14-Feb-2019 22:59

Thanks Irfan! That made things very simple.
