LDAP Authentication for Sterling B2B Integrator

Sterling B2B Integrator has its own internal authentication and authorization support, but it also supports offloading the authentication to an LDAP directory or similar.

One important thing to notice is that the users still have to exist both in SB2BI and in the LDAP. The reason is that the authorization still has to be in SB2BI; that is, in short, what the logged-in user has access to see and do. So by integrating with an LDAP, only the authentication is offloaded. But if there are users who should have access to multiple solutions, it is practical to have the login credentials stored in only one repository.

In this post I will go through a basic setup to connect Sterling B2B Integrator to an OpenLDAP server.

Prerequisites

In this example I will use the following servers with installed software:

Address                 Software                          OS
sidb.demos.ibm.int      IBM DB2 Workgroup Server 9.5      CentOS 7
sinode1.demos.ibm.int   Sterling B2B Integrator 5.2.5     RHEL 7
ldap.demos.ibm.int      OpenLDAP                          Debian 7

LDAP configuration

My LDAP is installed on the server with the address ldap.demos.ibm.int. It is listening on port 389 for external connections.

I start by creating an Organizational Unit named “SB2BI” to be able to organize my users. Within that Organizational Unit I create a user for myself, with username “esmines”, and I give the user a password.

LDAP User

And that’s all for the LDAP part. Next is to configure Sterling B2B Integrator to connect to the LDAP.

Sterling B2B Integrator Configuration

There are two things to do in SB2BI. First, change the properties to add the LDAP as an authentication method. Second, create the user and link it to the correct authentication method.

Update Properties

In SB2BI, the LDAP connection is configured in the properties file named authentication_policy.properties. But it is best practice to put all property changes in the customer_overrides.properties file, to avoid the changes being overwritten when patching and upgrading SB2BI.

Shut down Sterling B2B Integrator to update the properties.

In my installation the file is stored in /opt/IBM/SI52/install/properties/

In my customer_overrides.properties file I add the following parameters:

######################################################
# LDAP Configuration 2 - ldap.demos.ibm.int ou=SB2BI #
######################################################

authentication_policy.authentication_2.className=com.sterlingcommerce.woodstock.security.LDAPAuthentication
authentication_policy.authentication_2.display_name=ldap.demos.ibm.int - OpenLDAP SB2BI
authentication_policy.authentication_2.enabled=true
authentication_policy.authentication_2.jndi_factory=com.sun.jndi.ldap.LdapCtxFactory
authentication_policy.authentication_2.server=ldap.demos.ibm.int
authentication_policy.authentication_2.port=389
authentication_policy.authentication_2.security_type=simple
authentication_policy.authentication_2.principle=cn=admin, dc=demos, dc=ibm, dc=int
authentication_policy.authentication_2.credentials=password
authentication_policy.authentication_2.password_attribute=userPassword
authentication_policy.authentication_2.search_root=ou=SB2BI, dc=demos, dc=ibm, dc=int
authentication_policy.authentication_2.search_filter=(uid=<userid>)
authentication_policy.authentication_2.with_user_bind=false

The parameter names follow this structure:

Part of structure       Meaning
authentication_policy   The properties file to update; in this case authentication_policy.properties.
authentication_2        This is my second LDAP connection (I already have another one from earlier). Increase the number by one for each authentication method created; authentication_0 is the default SB2BI authentication.
variable name           The variable in the properties file to be changed.

On line 15 I have set the Organizational Unit (ou) “SB2BI” as the search root, so it is within this Organizational Unit that it searches for the username (uid) and the password.

It is the LDAP admin that is set as the principal (the principle property), and it is this account that performs the connection to the LDAP.

When the customer_overrides.properties file is updated with the correct information, run “setupfiles.sh” in the bin directory of your installation. The changes should then be populated to customer_overrides.properties, and when that is done, start SB2BI again.

Add user

Log in to SB2BI as an Administrator and go to User Accounts -> User Accounts.

Add a new User Account. The important things are to select “External” as Authentication Type, and the correct Authentication Host. The rest of the setup can be more or less default, based on what the user should be authorized to do.

New Account

Log out as Admin, and log in as the new user. I gave the user authorization as a Dashboard User only.

New user logged in

The fact that I was able to log in at all proves that the authentication towards the LDAP works. But it is also possible to look at the log to see what happens in more detail. I have authentication.log on Debug in my demo solution to see everything.

[2016-01-10 17:05:24.847] DEBUG SecurityManager user:esmines attempting to log in (SSO:false)
[2016-01-10 17:05:24.848] DEBUG LDAPAuthentication user:esmines is identified as an EXTERNAL User
[2016-01-10 17:05:24.848] DEBUG LDAPAuthentication performing LDAP search....
[2016-01-10 17:05:24.848] ALL LDAPAuthenticationLDAP port:ldap://ldap.demos.ibm.int:389
[2016-01-10 17:05:24.849] DEBUG LDAPAuthentication ...search filter:(uid=esmines)
[2016-01-10 17:05:24.849] DEBUG LDAPAuthentication ...selected attributes:userPassword
[2016-01-10 17:05:24.849] DEBUG LDAPAuthentication ...search root:ou=SB2BI, dc=demos, dc=ibm, dc=int
[2016-01-10 17:05:24.849] DEBUG LDAPAuthentication entry found -> cn=esmines,ou=SB2BI, dc=demos, dc=ibm, dc=int
[2016-01-10 17:05:24.849] DEBUG LDAPAuthentication ...performing password comparison directly
[2016-01-10 17:05:24.849] DEBUG LDAPAuthentication ......performing password comparison...
[2016-01-10 17:05:24.849] DEBUG LDAPAuthentication has performed an LDAP authentication for user:esmines and the user is  Authenticated
[2016-01-10 17:05:24.849] ALL LDAPAuthentication LDAP Authentication Policy (authentication_2) has been used by esmines.
[2016-01-10 17:05:24.849] DEBUG LDAPAuthentication LDAP Authentication:Enabled
[2016-01-10 17:05:24.849] DEBUG SecurityManager user:esmines authorization SUCCEEDED (SSO:false)
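To make the sequence recorded in the log above concrete (service bind, search under search_root with the search_filter, then password comparison because with_user_bind=false), here is an added Python model. It is example code written for this post, not SB2BI's or OpenLDAP's own code. It assumes a tiny in-memory directory with constructed entries and a stand-in server class (FakeLdapServer, AuthPolicy and authenticate are hypothetical names), stores userPassword as OpenLDAP-style {SSHA} hashes, and adds two checks a hardened integration wants: RFC 4515 escaping of the user id before it is substituted for <userid>, and a refusal to proceed unless the search returns exactly one entry.

```python
"""Constructed model of the search-then-verify flow configured by the
authentication_2 properties above. Not SB2BI or OpenLDAP code."""
import base64
import hashlib
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# DNs written without the spaces the properties file uses; the meaning is the same.
SEARCH_ROOT = "ou=SB2BI,dc=demos,dc=ibm,dc=int"
ADMIN_DN = "cn=admin,dc=demos,dc=ibm,dc=int"


def ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} userPassword value (SHA-1 of password+salt)."""
    salt = salt if salt is not None else os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored: str, password: str) -> bool:
    """Server-side check of a cleartext password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


# Constructed directory: the admin principal plus two users under ou=SB2BI.
DIRECTORY = {
    ADMIN_DN: {"userPassword": ssha("password")},  # matches the credentials line above
    "cn=esmines," + SEARCH_ROOT: {"uid": "esmines", "userPassword": ssha("s3cret")},
    "cn=alex," + SEARCH_ROOT: {"uid": "alex", "userPassword": ssha("other")},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so the value substituted for <userid> cannot change the filter."""
    return "".join(c if c not in "\\*()\x00" else "\\%02x" % ord(c) for c in value)


class FakeLdapServer:
    """Just enough LDAP semantics: bind, subtree search with a single (attr=value)
    assertion where '*' is a wildcard, and a server-side compare operation."""

    def bind(self, dn: str, password: str) -> bool:
        entry = DIRECTORY.get(dn)
        return entry is not None and ssha_verify(entry["userPassword"], password)

    def search(self, base: str, filt: str) -> List[str]:
        m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
        if not m:
            raise ValueError("unsupported filter: " + filt)
        attr, pattern = m.groups()
        # '*' becomes a wildcard; '\xx' escapes become literal characters.
        unescape = lambda s: re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), s)
        regex = ".*".join(re.escape(unescape(piece)) for piece in pattern.split("*"))
        return [dn for dn, e in DIRECTORY.items()
                if dn.endswith("," + base) and attr in e and re.fullmatch(regex, e[attr])]

    def compare(self, dn: str, attr: str, value: str) -> bool:
        entry = DIRECTORY.get(dn)
        return entry is not None and attr in entry and ssha_verify(entry[attr], value)


@dataclass
class AuthPolicy:
    """The authentication_2.* properties from the post (the product spells it 'principle')."""
    principle: str = ADMIN_DN
    credentials: str = "password"
    search_root: str = SEARCH_ROOT
    search_filter: str = "(uid=<userid>)"
    password_attribute: str = "userPassword"
    with_user_bind: bool = False


def authenticate(server: FakeLdapServer, policy: AuthPolicy, userid: str,
                 password: str, escape: bool = True) -> bool:
    """Service bind -> search under search_root -> verify, as authentication.log shows."""
    # Refuse empty passwords up front: an unauthenticated bind can otherwise "succeed".
    if not password or not server.bind(policy.principle, policy.credentials):
        return False
    value = escape_filter_value(userid) if escape else userid
    entries = server.search(policy.search_root, policy.search_filter.replace("<userid>", value))
    if len(entries) != 1:  # no match or an ambiguous match is a failure, never a guess
        return False
    if policy.with_user_bind:           # the server checks the password on a user bind
        return server.bind(entries[0], password)
    return server.compare(entries[0], policy.password_attribute, password)


if __name__ == "__main__":
    srv = FakeLdapServer()
    print("esmines/s3cret  :", authenticate(srv, AuthPolicy(), "esmines", "s3cret"))
    print("esmines/wrong   :", authenticate(srv, AuthPolicy(), "esmines", "wrong"))
    print("uid '*' escaped :", authenticate(srv, AuthPolicy(), "*", "s3cret"))
    print("(uid=*) matches :", srv.search(SEARCH_ROOT, "(uid=*)"))
```

Two points the model makes visible. With with_user_bind=false the principal account must be allowed to compare (or read) userPassword for every user under the search root, so it is worth confirming in the directory's ACLs that it can do nothing beyond that. With with_user_bind=true the directory verifies the password itself, which is why the empty-password guard matters: many servers treat a bind with a DN and an empty password as an unauthenticated bind and report success.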

Summary

This was a simple example of how to offload the authentication to an LDAP. If SB2BI is the only solution the users will have access to, it might be hard to see the great need for this. But if users should authenticate towards multiple solutions, it makes a great deal of sense to have the authentication in one repository.

2 comments on “LDAP Authentication for Sterling B2B Integrator”

  1. good write up…
    no need to create customer_overrides.properties.in and execute setupfiles. Just work with customer_overrides.properties and simply restart SI for any change to take effect.

    1. Thanks! You are correct! Don’t really know why I did it by the .in file. Probably because that is what I am doing those very few times I do changes directly in a property file, and not through customer_overrides. I have updated the post to reflect the changes.
