
3.27 – Active Directory, LDAP, RADIUS integration

You can authenticate your users against an Active Directory, LDAP or RADIUS server. Configure users.json as follows:

For Active Directory or LDAP (the port in "server" is optional; "groups" is a comma-separated list of group names):

{
  "source": {
    "type": "AD",
    "properties": {
      "server": "192.168.12.128:389",
      "domain": "mydomain.com",
      "groups": "sales, support",
      "transferCredential": false
    }
  }
}

You can also let the gateway fetch the servers from AD. The following example reads them from the "otherLoginWorkstations" attribute of the user object:

{
  "source": {
    "type": "AD",
    "properties": {
      "server": "192.168.12.128:389",
      "domain": "mydomain.com",
      "groups": "sales, support",
      "transferCredential": false,
      "serversAttr": "otherLoginWorkstations"
    }
  }
}

Gateway can also change AD user passwords. AD only accepts password changes over an encrypted connection, so this requires LDAPS:

  1. Enable SSL (LDAPS) on the domain controller.
  2. Export the AD certificate (public key only) in Base-64 encoded X.509 file format. Exporting the issuing CA's certificate instead of the domain controller's own certificate keeps the trust valid when the server certificate is renewed.
  3. Import the certificate into the Java keystore used by the gateway:
    cd JRE\bin (use JDK\bin instead if there is no separate JRE, for example with OpenJDK 11).
    keytool -importcert -alias "anyName" -keystore ..\lib\security\cacerts -storepass changeit -file "C:\Users\username\Desktop\exported.cer"
    
    The keystore path is relative to the bin directory, so it resolves to JRE\lib\security\cacerts (or JDK\lib\security\cacerts). changeit is the default cacerts password; on Java 9 and later the -cacerts option can replace the -keystore argument. Check the import with:
    keytool -list -keystore ..\lib\security\cacerts -storepass changeit -alias "anyName"
    
    Restart the gateway afterwards; the JVM reads the trust store at startup.
    
    Please check https://blogs.msdn.microsoft.com/microsoftrservertigerteam/2017/04/10/step-by-stepguide-to-setup-ldaps-on-windows-server/ for more details.
  4. users.json:
    {
      "source": {
        "type": "AD",
        "properties": {
          "server": "192.168.12.128:389",
          "secProtocol": "tls",
          "domain": "mydomain.com",
          "groups": "sales, support",
          "transferCredential": false,
          "serversAttr": "otherLoginWorkstations"
        }
      }
    }
    
    "tls" or "ssl" can be used for the security protocol (secProtocol). Make sure the port matches the protocol: LDAPS ("ssl") listens on 636 by default, whereas StartTLS ("tls") upgrades a connection made to the plain LDAP port, 389. Java also verifies that the host name in "server" matches the certificate, so use the domain controller's DNS name as it appears on the certificate rather than a bare IP address, unless the certificate lists that IP.
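
As an added example (not the gateway's own code) covering the three AD configurations above, the following Python audit reads the "source" block of a users.json, reports the host, port and wire mode it implies, and warns about combinations that expose credentials. It assumes that secProtocol "tls" means StartTLS on the plain port and "ssl" means LDAPS (the JNDI convention), and that the gateway looks users up by sAMAccountName and binds as user@domain; both are assumptions about the gateway, not documented behaviour. The embedded users.json is the first example on this page.

```python
# Added example: audit the AD/LDAP source of a users.json. Not the gateway's code.
# Assumptions: "tls" = StartTLS on the plain port, "ssl" = LDAPS (JNDI convention);
# users are looked up by sAMAccountName and bind as user@domain.
import json

DEFAULT_PORTS = {"plain": 389, "starttls": 389, "ldaps": 636}
_MODES = {"": "plain", "tls": "starttls", "ssl": "ldaps"}


def parse_server(server, sec_protocol=None):
    """Split 'host[:port]' and combine it with secProtocol -> (host, port, mode)."""
    host, _, port = server.strip().partition(":")
    mode = _MODES.get((sec_protocol or "").strip().lower())
    if mode is None:
        raise ValueError("secProtocol must be 'tls' or 'ssl', got %r" % (sec_protocol,))
    return host, (int(port) if port else DEFAULT_PORTS[mode]), mode


def ldap_filter_escape(value):
    """RFC 4515 escaping, so a login name such as 'x*)(cn=*' cannot rewrite the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def user_filter(login):
    """Search filter for the account that is logging in (assumed lookup attribute)."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % ldap_filter_escape(login)


def audit_ad_source(users_json):
    """Return (settings, findings) for the "source" block of a users.json document."""
    src = json.loads(users_json)["source"]
    if src.get("type") != "AD":
        raise ValueError("not an AD/LDAP source")
    props = src["properties"]
    host, port, mode = parse_server(props["server"], props.get("secProtocol"))
    groups = [g.strip() for g in props.get("groups", "").split(",") if g.strip()]
    settings = {
        "host": host, "port": port, "mode": mode,
        "bind_suffix": "@" + props["domain"],   # UPN-style bind, an assumption
        "groups": groups,
        "serversAttr": props.get("serversAttr"),
    }
    findings = []
    if mode == "plain":
        findings.append("no secProtocol: simple binds send each user's AD password "
                        "in cleartext, and password changes will not work")
    if mode == "ldaps" and port == 389:
        findings.append("secProtocol 'ssl' with port 389: LDAPS listens on 636 by default")
    if mode == "starttls" and port == 636:
        findings.append("secProtocol 'tls' with port 636: StartTLS runs on the plain port, 389")
    if not groups:
        findings.append("no groups listed: check whether every domain account is then accepted")
    return settings, findings


# Constructed sample: the page's first users.json (plain port 389, no secProtocol).
SAMPLE_USERS_JSON = """
{
  "source": {
    "type": "AD",
    "properties": {
      "server": "192.168.12.128:389",
      "domain": "mydomain.com",
      "groups": "sales, support",
      "transferCredential": false
    }
  }
}
"""

if __name__ == "__main__":
    settings, findings = audit_ad_source(SAMPLE_USERS_JSON)
    print(settings)
    for finding in findings:
        print("WARNING:", finding)
    print(user_filter("alice*)(objectClass=*"))
```

Run it against your own users.json (replace SAMPLE_USERS_JSON with the file contents) before enabling password changes; the cleartext finding is exactly the case step 4 above fixes.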

For RADIUS:

{
  "source": {
    "type": "RADIUS",
    "properties": {
      "server": "192.168.12.128",
      "port": "1812",
      "accountingPort": "1813",
      "sharedSecret": "test123"
    }
  }
}

The sharedSecret can be set gateway-wide as above, or passed from the client side; see the source code of login.html for how that is done. Be careful with the second option: anything login.html contains or sends can be read by whoever loads the page, and the shared secret is all that hides the user's password inside the RADIUS Access-Request and authenticates the server's reply, so a secret known to the browser protects neither. Prefer a long random gateway-wide secret (RFC 2865 asks for at least 16 octets; "test123" above is only a placeholder) and keep the UDP traffic between the gateway and the RADIUS server on a network where it cannot be captured.
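
What the sharedSecret does on the wire, as an added Python example (not the gateway's or any RADIUS server's code): both sides of a PAP Access-Request/Access-Accept exchange per RFC 2865, a captured request decoded by someone who holds the secret, and an offline guess of a weak secret from a captured request for an account whose password the attacker already knows. The user names, passwords and the secret test123 are constructed sample values.

```python
# Added example: RADIUS PAP exchange (RFC 2865), both sides. Not the gateway's code.
import hashlib
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret|prev); prev is the authenticator, then ciphertext."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], _md5(secret, prev)))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password: the server runs this, and so can anyone who holds the secret."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password length must be a non-zero multiple of 16")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], _md5(secret, prev)))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) followed by Type/Length/Value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(raw):
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, i = [], 20
    while i < length:
        t, l = raw[i], raw[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, raw[i + 2:i + l]))
        i += l
    return code, ident, raw[4:20], attrs

def client_access_request(username, password, secret, ident):
    """Gateway side: fresh random Request Authenticator, PAP-hidden password."""
    request_auth = secrets.token_bytes(16)
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def server_respond(raw, secret, users):
    """Server side: recover the password, answer Accept or Reject, and sign the reply with the secret."""
    code, ident, request_auth, attrs = parse_packet(raw)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    a = dict(attrs)
    user = a.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(a.get(ATTR_USER_PASSWORD, b"\x00" * 16), secret, request_auth)
    ok = user in users and secrets.compare_digest(users[user].encode(), password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret); no reply attributes here
    return header + _md5(header, request_auth, b"", secret)

def client_check_response(raw, request_auth, ident, secret):
    """Gateway side: a reply with a wrong authenticator or identifier must not be trusted."""
    code, resp_ident, resp_auth, _ = parse_packet(raw)
    expected = _md5(raw[:4], request_auth, raw[20:], secret)
    if resp_ident != ident or not secrets.compare_digest(resp_auth, expected):
        return "unverified"
    return "accept" if code == ACCESS_ACCEPT else "reject"

def run_exchange(username, password, client_secret, server_secret, users):
    """Full round trip; a secret mismatch shows up as 'unverified' rather than as a verdict."""
    req, request_auth = client_access_request(username, password, client_secret, ident=42)
    return client_check_response(server_respond(req, server_secret, users), request_auth, 42, client_secret)

def sniff_password(raw, secret):
    """A captured Access-Request plus the shared secret yields the user's cleartext password."""
    _, _, request_auth, attrs = parse_packet(raw)
    return reveal_password(dict(attrs)[ATTR_USER_PASSWORD], secret, request_auth).decode()

def brute_force_secret(raw, known_password, candidates):
    """One known password in a capture (e.g. the attacker's own) makes the secret guessable offline."""
    _, _, request_auth, attrs = parse_packet(raw)
    padded = known_password.encode() + b"\x00" * (-len(known_password.encode()) % 16)
    keystream = bytes(a ^ b for a, b in zip(dict(attrs)[ATTR_USER_PASSWORD][:16], padded[:16]))
    return next((c for c in candidates if _md5(c, request_auth) == keystream), None)  # keystream == MD5(secret|auth)

if __name__ == "__main__":
    USERS = {"alice": "S3cret!"}  # constructed sample account
    print(run_exchange("alice", "S3cret!", b"test123", b"test123", USERS))  # accept
    req, _ = client_access_request("alice", "S3cret!", b"test123", 7)
    print(sniff_password(req, b"test123"), brute_force_secret(req, "S3cret!", [b"password", b"test123"]))
```

The last two functions are the reason the secret must stay on the gateway: with the secret, every PAP password in a capture is readable, and with one known password a short dictionary-style secret such as test123 is recovered by hashing candidates against a single captured request.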

You also need to configure the servers in servers.json.