Change authentication and authorisation

If you are upgrading to Dekho 3.2 from a lower version, the ‘authentication’ setting has to be set to ‘Anonymous authentication’ and the ‘authorisation’ setting has to be set to ‘Dekho roles’ prior to the upgrade. This is because new settings related to other authentication and authorisation methods have been introduced with Dekho version 3.2, and these settings have to be updated before reverting to the original authentication and authorisation modes after the upgrade.

For further information please read Security Settings and Authentication and Authorisation sections in the Dekho Administrators Guide.

The existing upgrade script will take care of the standard roles (Dekho Users, Dekho Administrators and Dekho Default) and set the appropriate role type values for them. If you already have any customized roles (other than those mentioned above), roletypeid needs to be set to an appropriate value depending on the use of your custom role.

For further information please read the ‘Roles’ sections in the ‘Dekho Administrators Guide’.

Updating Kerberos Authentication Settings (If configured)

Two new settings for ‘Kerberos (i.e., Active Directory) Authentication’ have been introduced in Dekho v3.2. This is due to framework level changes to support better Kerberos integration.

authentication.kerberos.keytab.location – Full path to the keytab file location. (This is the same location as the ‘keyTab’ specified in the configuration file under the setting authentication.kerberos.config.)

authentication.kerberos.servicePrincipal – The Dekho server machine’s full domain name. This is the ‘Principal’ specified in the configuration file under the setting authentication.kerberos.config.

The administrator will have to update these new settings for an existing Kerberos setup to work.

Updating LDAP Authentication/Authorisation Settings (If configured)

Several new settings for ‘LDAP’ authentication and authorisation have been introduced in Dekho v3.2. This is due to framework level changes to support better LDAP integration.

ldap.group.roleattribute – Attribute name under group DN (Distinguished Name) which describes the role id or name (for example, cn)

ldap.group.searchfilter – Group filter statement to check if the user is a member (i.e., the user exists in that group) (for example, member={0})

ldap.user.searchfilter – Filter statement to use when searching for LDAP users for authentication (for example, (uid={0}) or (sAMAccountName={0}))

ldap.user.userdn – The distinguished name (DN) of the system user to connect to the LDAP server as (implementation dependent) (for example, cn=Administrator,cn=users,dc=company,dc=com,dc=au)

The following changes to the existing settings for ‘LDAP’ authentication have to be considered, if applicable:

ldap.principal – The value, in the LDAP directory entry for the LDAP system user, of the LDAP attribute named in the setting ‘ldap.user.searchfilter’ (for example, if the ‘ldap.user.searchfilter’ value is ‘(sAMAccountName={0})’, then this property will have the value specified for ‘sAMAccountName’ in the LDAP directory for the specified system user).

If migrating from a previous LDAP authentication configuration, the ‘ldap.principal’ value might be set to a value like ‘userid@domain.com’. This has to be modified to the value as described above.
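
The Kerberos and LDAP requirements above can be checked before switching back from anonymous authentication. The following is an added example, not Dekho's own code: it assumes the settings have been copied out as key=value lines (this page does not describe how Dekho stores them), and all sample values are constructed.

```python
import ntpath
import posixpath

NEW_KERBEROS = ("authentication.kerberos.keytab.location",
                "authentication.kerberos.servicePrincipal")
NEW_LDAP = ("ldap.group.roleattribute", "ldap.group.searchfilter",
            "ldap.user.searchfilter", "ldap.user.userdn")

def parse(text):
    """Parse key=value lines (assumed export format); skip blanks and # comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)  # filter values contain '=' too
            settings[key.strip()] = value.strip()
    return settings

def check(settings):
    """Return a list of findings for the 3.2 Kerberos and LDAP settings."""
    findings = []
    # Assumption: any key with the prefix means that method is configured.
    if any(k.startswith("authentication.kerberos.") for k in settings):
        findings += [f"missing {k}" for k in NEW_KERBEROS if not settings.get(k)]
        keytab = settings.get(NEW_KERBEROS[0], "")
        if keytab and not (ntpath.isabs(keytab) or posixpath.isabs(keytab)):
            findings.append("keytab location is not a full path")
    if any(k.startswith("ldap.") for k in settings):
        findings += [f"missing {k}" for k in NEW_LDAP if not settings.get(k)]
        for k in ("ldap.group.searchfilter", "ldap.user.searchfilter"):
            if settings.get(k) and "{0}" not in settings[k]:
                findings.append(f"{k} has no {{0}} placeholder")
        if "@" in settings.get("ldap.principal", ""):
            findings.append("ldap.principal is still in userid@domain.com form")
    return findings

# Constructed sample: a pre-3.2 setup carried over without the new settings.
SAMPLE = """\
authentication.kerberos.config=C:\\dekho\\conf\\login.conf
authentication.kerberos.keytab.location=dekho.keytab
ldap.user.searchfilter=(sAMAccountName={0})
ldap.group.searchfilter=member
ldap.principal=svc_dekho@company.com.au
"""

if __name__ == "__main__":
    for finding in check(parse(SAMPLE)):
        print(finding)
```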


Query Display Types