Configuring Secure Sections using LDAP
Before you begin, please note: In order for Secure Sites/Sections to work, you must publish to a Tomcat server.
Preparing the Tomcat Server
1) Copy the secure properties file to your Tomcat server if it does not already exist. Copy $CM1-Root/Delivery/perc-secured-sections.properties to $TomcatRoot/conf/perc/perc-secured-sections.properties.
2) Update the .properties file to match your environment.
The ldap.manager.* properties should match your ldap environment. These properties are referenced by WEB-INF/config/security-auth-manager.xml.
Note: RFC-4519 "Lightweight Directory Access Protocol (LDAP): Schema for User Applications" defines the rules for proper formatting of a LDAP URL. Of particular note is that in certain areas or the URL <spaces> should be escaped using percent encoding. (for example: a value of "CN=Some Company" is incorrect, and should be formatted as "CN=Some%20Company")
perc-secured-sections.properties
# percLogin - Secure Sections Properties
#
# ldap.manager.password (bind password) is initially
# entered in clear text, and is encrypted on start
ldap.manager.password=ENC(RCLgJj2gNo3HzdE7pU5BDA\=\=)
#
# ldap.manager.url is the network location of the user's LDAP instance.
ldap.manager.url=ldap://10.10.10.33:389/CN=Users,DC=test,DC=local
#
# ldap.manager.dn is the distinguished name of the bound user
ldap.manager.dn=CN=Administrator,CN=Users,DC=test,DC=local
#
# ldap.manager.user.search.filter is the attribute being
# passed to the authentication framework.
ldap.manager.user.search.filter=(sAMAccountName={0})
#
# ldap.manager.group.role.attribute is the attribute containing
# the name of the authority defined in the group.
ldap.manager.group.role.attribute=cn
#
# ldap.manager.group.search.filter is the attribute to be
# returned for role/access mapping.
ldap.manager.group.search.filter=member={0}
#
# ldap.manager.group.search.base is the attribute specifying
# the base ou to use for searching for ldap groups, empty
# defaults to the base dn.
ldap.manager.group.search.base=
#
# perc.login.login.page is the published location of the
# page containing the login form.
perc.login.login.page=/login-page
#
# perc.login.login.success.page is the location of an
# (optional) published page for redirect in cases in which
# no secure resource has been requested
perc.login.login.success.page=/login-success
#
# membership.service.host is the host name to use to access
# the membership service for authentication
membership.service.host=localhost
#
# membership.service.protocol is the protocol to use to access
# the membership service for authentication, either http or https
membership.service.protocol=http
#
# membership.service.port is the port to use to access
# the membership service for authentication, should be the correct
# port for the specified membership.service.protocol
membership.service.port=9980
#
# perc.webserver.http.port is the HTTP port of the web server
# which services all published pages.
perc.webserver.http.port=9980
#
# perc.webserver.https.port is the HTTPS port of the web server
# which services all published pages.
perc.webserver.https.port=8443
Note: the LDAP settings and ports listed are defaults and must be updated to match your published environment. |
Selecting the Sites/Sections to Secure
1) Create a Login page.
2) Open the Layout tab and add the Secure Login widget to your page.
3) Select the configure icon to edit Secure Login widget properties.
4) Click OK to save and close.
5) Click Save to save the Layout.
6) Open the Content tab, select the Secure Login widget.
7) Select the edit icon to edit the Secure Login widget content.
8) Click Save to save your changes.
9) Under Admin, open the Navigation for your site.
10) To use secure sites/section, under the Top Level, edit the configuration.
11) Under the security option, be sure "Use site security" is checked off.
12) Choose the login page that you created by selecting browse.
13) Click Save to save.
14) To secure a section, select the configure icon to edit the section preferences.
15) Under the security option, be sure "Requires Log in" is checked off and enter the name of the groups which have access.
16) After the Secure Sites/Section feature is setup, a full publish is required.
As of 2.8, when configuring a publishing environment with secure sites/sections the "Use Percussion web server setup (default)" option should be selected so that the web-inf files related to secure sections are copied over during the full publish. Learn more about "Setting Up a Publishing Server" in our Publishing Guide.
|