
Controlling access to the WiKID server's web UI is important for security, and you may also need to meet certain regulatory requirements for logging access. Using Active Directory (AD) is the easiest way to do this.

Access to the WiKIDAdmin web UI is controlled by the Realm section of the file /opt/WiKID/tomcat/conf/server.xml. The realm is currently set to use postgres:

        <Realm  className="org.apache.catalina.realm.JDBCRealm"
                driverName="org.postgresql.Driver"
                connectionURL="jdbc:postgresql://localhost:5432/wikid"
                connectionName="tomcat" connectionPassword="" digest="MD5"
                userTable="tomcat_users" userNameCol="username" userCredCol="password"
                userRoleTable="tomcat_roles" roleNameCol="role"/>

You can change this to use Active Directory by commenting out the above and adding a JNDI Realm:

      <!--  <Realm  className="org.apache.catalina.realm.JDBCRealm"
                driverName="org.postgresql.Driver"
                connectionURL="jdbc:postgresql://localhost:5432/wikid"
                connectionName="tomcat" connectionPassword="" digest="MD5"
                userTable="tomcat_users" userNameCol="username" userCredCol="password"
                userRoleTable="tomcat_roles" roleNameCol="role"/>    -->
        <Realm className="org.apache.catalina.realm.JNDIRealm"
               adCompat="true"
               connectionName="AD_ADMIN_DN"
               connectionPassword="AD_ADMIN_DN_PASS"
               connectionURL="ldap://IPADDRESS:389"
               userBase="cn=Users,BASE_DN"
               userSearch="(&amp;(objectClass=user)(sAMAccountName={0})(memberof=cn=WiKIDAdmin,cn=Users,BASE_DN))"
               userSubtree="true"
               roleBase="cn=Users,BASE_DN"
               roleName="cn"
               roleSearch="(member={0})"
               roleSubtree="false"
              />

Create a group called WiKIDAdmin in AD and place your Admin users in it.

Be sure to change AD_ADMIN_DN to an Admin AD login name, AD_ADMIN_DN_PASS to their password and BASE_DN to your DN (for example: dc=wikidsystems,dc=com). Change IPADDRESS to the IP of a domain server. Restart the WiKID server.

If you would like to be able to use both postgres and AD, use the Combined Realm option:

<Realm className="org.apache.catalina.realm.CombinedRealm" >
        <Realm  className="org.apache.catalina.realm.JDBCRealm"
                driverName="org.postgresql.Driver"
                connectionURL="jdbc:postgresql://localhost:5432/wikid"
                connectionName="tomcat" connectionPassword="" digest="MD5"
                userTable="tomcat_users" userNameCol="username" userCredCol="password"
                userRoleTable="tomcat_roles" roleNameCol="role"/>
       <!--
        Create a group in AD called WiKIDAdmin and assign all relevant users. Then change the
        values of AD_ADMIN_DN, AD_ADMIN_PASS, and BASE_DN to match your AD configuration.
        -->
        <Realm className="org.apache.catalina.realm.JNDIRealm"
           adCompat="true"
           connectionName="AD_ADMIN_DN"
           connectionPassword="AD_ADMIN_PASS"
           connectionURL="ldap://IPADDRESS:389"
           userBase="cn=Users,BASE_DN"
           userSearch="(&amp;(objectClass=user)(sAMAccountName={0})(memberof=cn=WiKIDAdmin,cn=Users,BASE_DN))"
           userSubtree="true"
           roleBase="cn=Users,BASE_DN"
           roleName="cn"
           roleSearch="(member={0})"
           roleSubtree="false"
          />
</Realm>

Restart the WiKID server to have the changes take effect!
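
A pre-restart check for the edited Realm block, as an added example that is not part of WiKID's documentation or code: it parses the XML and flags placeholders left in place, empty DN components, a userSearch filter with no memberof clause, and an ldap:// connection URL. The function name, the example.test domain, the svc-wikid account and the ldaps:// URL on port 636 are assumptions made for the illustration.

```python
import re
import xml.etree.ElementTree as ET

# Placeholder tokens used in the snippets above; none may survive into production.
PLACEHOLDERS = re.compile(
    r"AD_ADMIN_DN_PASS|AD_ADMIN_PASS|AD_ADMIN_DN|BASE_DN|AD_IPADRESS|IPADDRESS")
# An empty DN component such as "cn=Users,,dc=..." or "dc=,dc=...".
EMPTY_RDN = re.compile(r",\s*,|=\s*(,|\)|$)")

def lint_jndi_realms(xml_text):
    """Return (attribute, problem) findings for every JNDIRealm element."""
    findings = []
    for realm in ET.fromstring(xml_text).iter("Realm"):
        if not realm.get("className", "").endswith("JNDIRealm"):
            continue  # the JDBCRealm inside a CombinedRealm is not checked here
        for attr, value in realm.attrib.items():
            if PLACEHOLDERS.search(value):
                findings.append((attr, "unreplaced placeholder"))
        for attr in ("userBase", "roleBase", "userSearch"):
            if EMPTY_RDN.search(realm.get(attr, "")):
                findings.append((attr, "empty DN component"))
        # Without a memberof clause any AD user under userBase matches the filter.
        if "memberof=" not in realm.get("userSearch", "").lower():
            findings.append(("userSearch", "no memberof group restriction"))
        if realm.get("connectionURL", "").lower().startswith("ldap://"):
            findings.append(("connectionURL", "ldap:// is unencrypted unless StartTLS is used"))
    return findings

# Constructed sample: a half-edited realm (placeholders left, group clause dropped).
UNEDITED = """<Realm className="org.apache.catalina.realm.CombinedRealm">
  <Realm className="org.apache.catalina.realm.JDBCRealm" connectionName="tomcat"/>
  <Realm className="org.apache.catalina.realm.JNDIRealm" adCompat="true"
    connectionName="AD_ADMIN_DN" connectionPassword="AD_ADMIN_PASS"
    connectionURL="ldap://IPADDRESS:389" userBase="cn=Users,,BASE_DN"
    userSearch="(&amp;(objectClass=user)(sAMAccountName={0}))"
    roleBase="cn=Users,BASE_DN" roleName="cn" roleSearch="(member={0})"/>
</Realm>"""

# Constructed sample: the realm filled in for a made-up domain, example.test.
EDITED = """<Realm className="org.apache.catalina.realm.JNDIRealm" adCompat="true"
  connectionName="cn=svc-wikid,cn=Users,dc=example,dc=test"
  connectionPassword="constructed-value"
  connectionURL="ldaps://dc1.example.test:636" userBase="cn=Users,dc=example,dc=test"
  userSearch="(&amp;(objectClass=user)(sAMAccountName={0})(memberof=cn=WiKIDAdmin,cn=Users,dc=example,dc=test))"
  roleBase="cn=Users,dc=example,dc=test" roleName="cn" roleSearch="(member={0})"/>"""

if __name__ == "__main__":
    for name, cfg in (("unedited", UNEDITED), ("edited", EDITED)):
        print(name, lint_jndi_realms(cfg) or "ok")
```

To check a real file, pass only the Realm element copied out of server.xml, or the whole file contents, to `lint_jndi_realms`.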

Copyright © WiKID Systems, Inc. 2024 | Two-factor Authentication