Using LDAP or Active Directory for Authentication
Spectrum Technology Platform can be configured to use an LDAP or Active Directory server for authentication.
Here is how the process works: When a user logs in to Spectrum Technology Platform, the user's credentials are verified using LDAP or AD. The system then checks to see if there is a Spectrum Technology Platform user with the same name. If there is, the user is logged in. If there is not, then a Spectrum Technology Platform user account is automatically created for the user and given the role "user".
Before configuring Spectrum Technology Platform to use a directory service for authentication, confirm that your directory service meets these requirements:
- For LDAP, the directory server must be LDAP Version 3 compliant.
- There are no specific requirements for the Active Directory server.
When spectrum.security.account.createNonExisting=true, Active Directory users are created automatically in Spectrum Technology Platform after their first login to Spectrum. If you turn off the property (spectrum.security.account.createNonExisting=false), LDAP/Active Directory users will not be authenticated to Spectrum Technology Platform until the administrator manually creates users.
If there are existing users configured in Spectrum Management Console and you want to use them after you enable LDAP or Active Directory authentication, create those users in your LDAP or Active Directory system. Be sure to use the same user name as in Spectrum Technology Platform.
Note: You do not need to create the "admin" user in LDAP or Active Directory since this user will continue to use Spectrum Technology Platform for authentication after you enable LDAP or Active Directory authentication.
- Stop the Spectrum Technology Platform server.
- Turn on LDAP or Active Directory authentication:
- Configure the connection properties:
- Start the Spectrum Technology Platform server.
If you are running Spectrum Technology Platform in a cluster, you must modify the spectrum-container.properties file and the spectrum-config-ldap.properties file on each of the servers in the cluster. Stop the server before modifying the file, then start the server after you are done modifying the file. If you mapped an LDAP attribute value to a role, this mapping will replicate to all nodes in the cluster, so you do not need to repeat the mapping procedure in the Spectrum JMX console.
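A check for the cluster requirement above, as an added example that is not part of the product documentation: it parses the properties text collected from each node and reports every key whose value differs between nodes, plus the nodes where spectrum.security.account.createNonExisting is explicitly true. The node names, the example.ldap.host key and the sample contents are constructed; collecting the files from the servers is left to the reader.

```python
# Added example: compare directory-auth settings across cluster nodes.
# Only CREATE_KEY comes from the page; node names, example.ldap.host and
# the sample file contents below are constructed placeholders.
CREATE_KEY = "spectrum.security.account.createNonExisting"

def parse_properties(text):
    """Parse simple key=value lines of a Java .properties file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue                         # this sketch skips lines without '='
        props[key.strip()] = value.strip()
    return props

def find_drift(nodes):
    """nodes: {node_name: properties_text}. Return {key: {node: value}}
    for every key whose value is not identical on all nodes."""
    parsed = {name: parse_properties(text) for name, text in nodes.items()}
    keys = set().union(*parsed.values())
    drift = {}
    for key in sorted(keys):
        values = {name: props.get(key) for name, props in parsed.items()}
        if len(set(values.values())) > 1:    # a missing key (None) also counts
            drift[key] = values
    return drift

def explicit_auto_create_nodes(nodes):
    """Nodes whose file explicitly sets first-login account creation to true."""
    return sorted(name for name, text in nodes.items()
                  if parse_properties(text).get(CREATE_KEY, "").lower() == "true")

# Constructed sample: node-b was left with a different value than node-a.
SAMPLE = {
    "node-a": "# constructed\n" + CREATE_KEY + "=false\n"
              "example.ldap.host=ldap.example.test\n",
    "node-b": CREATE_KEY + " = true\n"
              "example.ldap.host=ldap.example.test\n",
}

if __name__ == "__main__":
    for key, values in find_drift(SAMPLE).items():
        print("DRIFT", key, values)
    print("auto-create explicitly on:", explicit_auto_create_nodes(SAMPLE))
```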