miniOrange LDAP Gateway

miniOrange LDAP Gateway allows login to publicly/privately hosted sites using credentials stored in Active Directory, OpenLDAP and other LDAP servers. If the LDAP Server is not publicly accessible from your site, this module can be used in conjunction with the miniOrange LDAP Gateway, which is deployed at the DMZ server in the intranet. Another benefit of this module is that multiple LDAP Configurations can be stored for multiple customers of a WordPress based Cloud Service Provider and mapping to the username can be done on the basis of the domain name.

miniOrange gateway is a small piece of software that can reside on a shared machine. It wont need its own machine and our customers generally install it on any server thats already in the DMZ.

Why LDAP Gateway?

LDAP with non public IP - This can be very beneficial if your aim is single sign on but your LDAP exists within your intranet with a non public IP. You can still authenticate your site (which could be anywhere outside your network) and with the help of this two part plugin (plugin + gateway) you can authenticate against your LDAP and achieve single sign on.
Secure calls using HTTPS - All remote calls happen through an encrypted channel.
Setup LDAP configuration once and access from multiple sites - You only need to setup your LDAP configuration once and you can access from multiple sites, thereby achieving ease of use.
Your LDAP stays secure since its behind your firewall.
Cloud based LDAP authentication system - This means that the libraries that are needed to authenticate against your LDAP/AD is not PHP based so it can support a much larger variety of LDAP.

Setup and Installation Guide for LDAP Gateway

Download the miniOrange Gateway zip file.
Extract the package to get the Tomcat Embedded LDAP Gateway
Navigate to <miniOrange Gateway Directory>/conf and edit the catalina.properties file.
Scroll down to the bottom of the file and change the value of the external.properties.file
1. If you are using Windows Machine use this value: external.properties.file=\\webapps\\miniorangegateway\\WEB-INF\\classes\\application.properties
2. If you are using Linux Machine use this value: external.properties.file=/webapps/miniorangegateway/WEB-INF/classes/application.properties
Navigate to <miniOrange Gateway Directory>/bin and start the server using the following commands in the terminal:
1. For Windows Machine: catalina.bat jpda start
2. For Linux Machine: sh catalina.sh start
Access the gateway from your browser using the url "<hostname:port>/miniorangegateway". Replace "<hostname>" with your hostname or server IP .
Eg:localhost:8080/miniorangegateway.

NOTE: If you want to run the gateway on some other port, you can refer the instruction below in the "How to run miniOrange LDAP Gateway on a Custom Port" Section.
You will be redirected to the following login form.

Use Username:"admin" and Password:"changeit" to log in.
Reset Password form will appear. Change the password and proceed.
Go to login.xecurify.com and log into your Xecurify Account.
After logging in, click on the settings tab on the top right corner.
Copy the Account Details and paste it in your Configure Keys page in your miniOrange Gateway .
Press the Save button and then proceed to the LDAP Configuration tab in your miniOrange Gateway and click on the Add LDAP Configuration button on top right.
Configure the miniOrange Gateway by adding the following LDAP Configuration details.
1. Configuration Identifier: Any name that will specify this set of configuration.
2. LDAP Server URL: Specify the host name for the LDAP server Eg: ldap://myldapserver.domain:389
3. Bind Account DN:This will be used to establish the connection with LDAP Server. Specify it in the following ways:
  Username@domainname or Distinguished Name(DN) format
4. Bind Account Password: Password for the Bind Account in the LDAP Server.
5. Search Bases: Provide distinguished name of the Search Base object Eg:cn=User,dc=domain,dc=com
6. Search Filter: Search filters enable you to define search criteria and provide more efficient and effective searches. Eg: "(&(objectClass=*)(cn=?))"
7. Domain Name: Semi-colon separated list of domain. Eg: miniorange.com
8. First Name Attribute: LDAP attribute for the First Name. Eg: givenName
9. Last Name Attribute: LDAP attribute for the Last Name. Eg: sn
10. Email Attribute: LDAP attribute for the First Name. Eg: mail
11. Username Attribute: LDAP attribute for the First Name. Eg: sAMAccountName
12. Phone Attribute: LDAP attribute for the First Name. Eg: telephoneNumber
13. LDAP Attribute List: Semi-colon separated list of attributes. Eg: cn;mail;givenName
The following fields will be used to during the sync operation from miniOrange Gateway to miniOrange IdP:
1. First Name Attribute
2. Last Name Attribute
3. Email Attribute
4. Username Attribute
5. Phone Attribute
Press the Save button and proceed to the Schedules tab in the miniOrange Gateway.
Schedules tab allows you to configure the functionality to Sync users to miniOrange IdP on One-Time as well as schedule basis.
Configure the following details
1. Base Sync OU: Search Base from which all the users should be synced.
2. Start Time(hh:mm): Start time for the schedule sync.
  NOTE: If you want to start the sync immediately then input time which has already passed.
3. Sync Interval (in hrs): Time Interval between periodic sync.
You have successfully installed and configured miniOrange LDAP Gateway.

How to run miniOrange LDAP Gateway on a Custom Port

To run miniOrange LDAP Gateway on a port other than 8080, Navigate to <miniOrange Gateway Directory>/conf and edit server.xml
Search for " Connector port="8080" protocol="HTTP/1.1" "
Change the port from 8080 to the required port. Eg: 80
Access the gateway from your browser using the url "<hostname:port>/miniorangegateway". Replace "<hostname>" with your hostname or server IP .

How to run miniOrange LDAP Gateway as a Tomcat Service (For Windows)

Install Tomcat as a service using a Tomcat Service Installer
Copy the miniorangegateway folder from the webapps of the package provided to the webapps of the Tomcat that is installed as a service
Add the external.properties.file entry at the bottom in catalina.properties file in the conf directory.

How to setup SSL for miniOrange LDAP Gateway.

Click here to follow the steps if you have CA certificates.
Follow the below steps if you want dont have CA certificates.
1. Generate Keystore:
  - Navigate to the %JAVA_HOME%\bin directory in the file explorer. Create a certs directory in it.
  - Navigate to the %JAVA_HOME%\bin directory in the command line ( in Administrator mode ) and execute the command:
    keytool -genkey -alias <ALIAS> -keyalg RSA -keystore <JAVA_HOME>\bin\certs\keystore.jks
    
    This creates a keystore in the certs folder created in (a).
2. Configure Connector:
  This is required to configure Tomcat to run on port 443(SSL Port).
  - Navigate to the <Tomcat Directory>\conf and edit the server.xml file.
  - Add a connector element under <Service name="Catalina"> . The following configuration needs to be placed in the connector element:
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https"
    secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="<PATH_TO_KEYSTORE>"
    keystorePass="KEYSTORE_PASSWORD" />
3. Assign Server Name to Tomcat:
  - Edit the %windows%\system32\drivers\etc\hosts file and add the following line:
    127.0.0.1 <newhostname>
  - Navigate to the <Tomcat Directory>\conf and edit the server.xml file.
  - Search for the <Engine name="Catalina" defaultHost="localhost"> and replace localhost with the newhostname of the server.
  - Search for the <Host> element and replace name=localhost with name=<IP Address/DNS> of the server.
  - Restart Tomcat by running startup.bat under <Tomcat Directory>\bin. Navigate to the following address:
    https://<newhostname:port>/miniorangegateway.