ACTIVE DIRECTORY WITH WEBADM - RCDevs

The specifications and information in this document are subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. This document may not be copied or distributed by any means, in whole or in part, for any reason, without the express written permission of RCDevs.

Copyright (c) 2010-2017 RCDevs SA. All rights reserved. http://www.rcdevs.com

WebADM and OpenOTP are trademarks of RCDevs. All further trademarks are the property of their respective owners.

Limited Warranty

No guarantee is given for the correctness of the information contained in this document. Please send any comments or corrections to [email protected].

ACTIVE DIRECTORY WITH WEBADM

1. Installation Packages

First, install the OpenOTP and WebADM packages, which are available through the RCDevs repository or on the RCDevs website. In this how-to, we install all required packages through the RCDevs repository, so your servers need internet access to download every package.

1.1 For Redhat/CentOS

On a RedHat, CentOS or Fedora system, you can use our repository, which simplifies updates. Add the repository on the server(s) that will host WebADM/OpenOTP:

yum install https://www.rcdevs.com/repos/redhat/rcdevs_release-1.0.0-0.noarch.rpm

Clean the yum cache:

yum clean all

Install the WebADM and OpenOTP packages:

yum install webadm openotp

You can also install the Self-Service Desk, Self-Registration or Secure Password Reset apps if needed (optional):

yum install selfdesk selfreg pwreset

Run the setup script:

/opt/webadm/bin/setup

It initializes the WebADM PKI, etc. The WebADM setup script lets you choose between 2 scenarios for Active Directory: schema extended or schema not extended. See the next part of this documentation for more information about these 2 setups.

1.2 For Debian/Ubuntu

On a Debian system, you can use the RCDevs repository too. Add the repository with the following commands:

wget https://www.rcdevs.com/repos/debian/rcdevs-release_1.0.0-0_all.deb
apt-get install ./rcdevs-release_1.0.0-0_all.deb

Update the package cache:

apt-get update

Install the WebADM and OpenOTP packages:

apt-get install openotp webadm

You can also install the Self-Service Desk, Self-Registration or Secure Password Reset apps if needed (optional):

apt-get install selfdesk selfreg pwreset

Run the setup script:

/opt/webadm/bin/setup

It initializes the WebADM PKI, etc. The WebADM setup script lets you choose between 2 scenarios for Active Directory: schema extended or schema not extended. See the next part of this documentation for more information about these 2 setups.

2. Scenarios allowed by WebADM setup script

You have two ways to set up the WebADM LDAP schema for Active Directory:

With the WebADM schema extension (preferred).

Without any schema addition (re-uses existing object classes and attributes as a replacement).

In both scenarios, we advise you to create a blank Organizational Unit in your AD to store the WebADM configurations. In this documentation, the OU is ou=WebADM and the domain is dc=mydomain,dc=com.

Follow the scenario that you prefer below and skip the other one.

/opt/webadm/bin/setup

Checking system architecture...Ok
Setup WebADM as master server or slave (secondary server a cluster) (m/s)? m
WebADM proposes 3 default configuration templates:
 1) Default configuration (Novell, eDirectory, Oracle, OpenLDAP)
 2) Active Directory with schema extention (preferred with AD)
 3) Active Directory without schema extention
Choose a template number or press enter default:

Options 2 and 3 are dedicated to Active Directory.

3. AD Schema Extended Configuration

3.1 Prerequisite & Overview

This option is preferred: WebADM uses the RCDevs IANA-registered Active Directory attributes to store additional LDAP data in users and groups. The WebADM schema addition is very minimal and is composed of 3 new object classes (webadmAccount, webadmGroup, webadmConfig) and 3 new attributes (webadmSettings, webadmData, webadmType).

If you choose this installation option, then you must connect WebADM to the domain controller holding the Schema Master role in Active Directory, to let WebADM register its schema additions. If you connect WebADM to two or more domain controllers in the servers.xml file, the first one must be the one holding the Schema Master role. Without it, the WebADM graphical setup (explained later) will not be allowed to add the required object classes to your Active Directory.
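The Schema Master requirement is easy to get wrong when several domain controllers are listed in servers.xml, and the failure only shows up later, when the graphical setup refuses to add the object classes. The following Python script is an added example, not RCDevs code: it takes the value of the fSMORoleOwner attribute of the schema naming context (the DN of the NTDS Settings object of the DC holding the Schema Master role; the ldapsearch command to read it from a DC is in the module docstring), checks that the first LdapServer entry in servers.xml points at that DC, and can reorder the entries so that it does. The servers.xml layout (LdapServer elements with a host attribute, in the order WebADM uses them), the sample DN and the sample XML are assumptions constructed for this example.

```python
"""Check that the first LDAP server in WebADM's servers.xml is the AD Schema Master.

Added example (not RCDevs code). Assumes servers.xml lists servers as
<LdapServer host="..."/> elements, in the order WebADM uses them.

Read the real fSMORoleOwner value from a domain controller with (replace the
bind DN and the schema naming context with yours):
  ldapsearch -LLL -x -H ldaps://dc1.mydomain.com \
     -D 'cn=Administrator,cn=Users,dc=mydomain,dc=com' -W \
     -b 'CN=Schema,CN=Configuration,DC=mydomain,DC=com' -s base fSMORoleOwner
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: fSMORoleOwner on the schema naming context is the DN of
# the NTDS Settings object of the DC that holds the Schema Master role.
SAMPLE_FSMO_ROLE_OWNER = (
    "CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,"
    "CN=Sites,CN=Configuration,DC=mydomain,DC=com"
)

# Constructed sample servers.xml: DC2 is listed first, which breaks schema extension.
SAMPLE_SERVERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Servers>
  <LdapServer name="DC2" host="dc2.mydomain.com" port="636" encryption="SSL" />
  <LdapServer name="DC1" host="dc1.mydomain.com" port="636" encryption="SSL" />
</Servers>
"""


def schema_master_from_fsmo(fsmo_role_owner):
    """Return the short name of the Schema Master DC from an fSMORoleOwner DN.

    The second RDN of the NTDS Settings DN is the DC's server object name.
    """
    m = re.match(r"CN=NTDS Settings,CN=([^,]+),CN=Servers,", fsmo_role_owner, re.I)
    if not m:
        raise ValueError("unexpected fSMORoleOwner value: " + fsmo_role_owner)
    return m.group(1)


def ldap_hosts(servers_xml):
    """Return the LDAP server hosts in the order WebADM will use them."""
    return [e.get("host", "") for e in ET.fromstring(servers_xml).iter("LdapServer")]


def _short_name(host):
    # "dc1.mydomain.com" -> "dc1"; a host given as an IP address never matches
    # and is therefore reported as "not the Schema Master".
    return host.split(".")[0].lower()


def first_server_is_schema_master(servers_xml, fsmo_role_owner):
    """True if the first LdapServer host is the DC named in fSMORoleOwner."""
    hosts = ldap_hosts(servers_xml)
    master = schema_master_from_fsmo(fsmo_role_owner).lower()
    return bool(hosts) and _short_name(hosts[0]) == master


def schema_master_first(servers_xml, fsmo_role_owner):
    """Return servers.xml with the Schema Master's entry moved to the top.

    The relative order of the other entries is preserved (stable sort). The XML
    declaration is not re-emitted, so prepend it when writing the file back.
    """
    root = ET.fromstring(servers_xml)
    master = schema_master_from_fsmo(fsmo_role_owner).lower()
    entries = list(root.findall("LdapServer"))
    for entry in entries:
        root.remove(entry)
    entries.sort(key=lambda e: 0 if _short_name(e.get("host", "")) == master else 1)
    root.extend(entries)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    if first_server_is_schema_master(SAMPLE_SERVERS_XML, SAMPLE_FSMO_ROLE_OWNER):
        print("servers.xml OK: first server is the Schema Master")
    else:
        print("servers.xml must be reordered:")
        print(schema_master_first(SAMPLE_SERVERS_XML, SAMPLE_FSMO_ROLE_OWNER))
```

Run it on the real fSMORoleOwner value and the real servers.xml before the first login to the WebADM GUI; once the schema extension has been registered the order of the servers no longer matters for this purpose.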

/opt/webadm/bin/setup

Checking system architecture...Ok
Setup WebADM as master server or slave (secondary server a cluster) (m/s)? m
WebADM proposes 3 default configuration templates:
 1) Default configuration (Novell, eDirectory, Oracle, OpenLDAP)
 2) Active Directory with schema extention (preferred with AD)
 3) Active Directory without schema extention
Choose a template number or press enter default: 2
Enter the server fully qualified host name (FQDN): webadm.mycompany.com
Enter your organization name: my compagny
Generating CA private key... Ok
Creating CA certificate... Ok
Generating SSL private key... Ok
Creating SSL certificate request... Ok
Signing SSL certificate with CA... Ok
Adding CA certificate to the trust list... Ok
Setting file permissions... Ok
Adding system user to dialout group... Ok
Do you want WebADM to be automatically started at boot (y/n)? y
Adding systemd service... Ok
Do you want to register WebADM logrotate script (y/n)? y
Adding logrotate scripts... Ok
Do you want to generate a new secret key webadm.conf (y/n)? y
Generating secret key string... Ok
WebADM has successfully been setup.

3.2 WebADM Configuration File

In this file, we configure the LDAP containers for WebADM. The file is:

vi /opt/webadm/conf/webadm.conf

The full file is shown here for reference, but only the LDAP container block needs to be edited; that block (the second one) is the only part that interests us here.

#
# WebADM Server Configuration
#

# Administrator Portal's authentication method.
# - PKI: Requires client certificate and login password.
# - UID: Requires domain name, login name and password.
# - DN: Requires login DN and password.
# - OTP: Like UID with an OTP challenge.
# - U2F: Like UID with a FIDO-U2F challenge.
# - MFA: Like UID with both OTP and FIDO-U2F challenge.
# Using certificates is the most secure login method. To use certificate login,
# you must log in WebADM and create a login certificate for your administrators.
# The UID mode requires a WebADM domain to exist and have its User Search Base
# set to the subtree where the administrator users are located. When using UID
# and if there is no domain existing in WebADM, the login mode is automatically
# forced to DN. You will also need to log in with the full user DN and set up
# a WebADM domain to be able to use the UID login mode.
admin_auth UID

# Show the registered domain list when admin_auth is set to UID, OTP or U2F.
# And set a default admin login domain when auth_mode is set to these methods.
list_domains Yes
#default_domain "Default"

# Manager API's authentication method. Only UID, PKI and DN are supported here.
# If you set the admin_auth with multi-factor (PKI, OTP or U2F), then you must
# either use manager_auth PKI or UID with a list of allowed client IPs.
#manager_auth UID
#manager_clients "192.168.0.10","192.168.0.11"

# User level changes the level of feature and configuration for all applications.
# WebADM proposes three levels: Beginner, Intermediate and Expert. The default
# level (Expert) is recommended as it provides access to all the RCDevs features.
#user_level Expert

# If your LDAP directory is set up with a base DN (ex. dc=mydomain,dc=com on AD),
# you can optionally set the ldap_treebase suffix and omit the suffix in other
# LDAP configurations like proxy_user, super_admins and containers.
ldap_treebase "dc=mydomain,dc=com"

# The proxy user is used by WebADM for accessing LDAP objects over which the
# admin user does not have read permissions or out of an admin session.
# The proxy user should have read permissions on the whole LDAP tree,
# and write permissions on the users/groups used by the WebApps and WebSrvs.
# The use of a proxy user is required for WebApps and WebSrvs.
# With ActiveDirectory, you can use any Domain Administrator DN as a proxy user,
# which should look like cn=Administrator,cn=Users,dc=mydomain,dc=com.
proxy_user "cn=Administrator,cn=Users"
proxy_password "Password1234"

# Super administrators have extended WebADM privileges such as setup permissions,
# additional operations and unlimited access to any LDAP encrypted data. Access
# restrictions configured in the WebADM OptionSets do not apply to super admins.
# You can set a list of individual LDAP users or LDAP groups here.
# With ActiveDirectory, your administrator account should be something like
# cn=Administrator,cn=Users,dc=mydomain,dc=com. And you can replace the sample
# super_admins group on the second line with an existing security group.
super_admins "cn=Administrator,cn=Users", \
             "cn=Domain Admins,cn=Users"

# LDAP objectclasses
container_oclasses "container", "organizationalUnit", "organization", "domain", \
                   "locality", "country", "openldaprootdse", "treeroot"

# user_oclasses is used to build the LDAP search filter with 'Domain' auth_mode.
# If your super admin user does not have one of the following objectclasses,
# add one of its objectclasses to the list.
user_oclasses "user", "account", "person", "inetOrgPerson", "posixAccount"
group_oclasses "group", "groupOfNames", "groupOfUniqueNames", "dynamicGroup", "posixGroup"

# With ActiveDirectory 2003 only, you need to add the 'user' objectclass to the
# webadm_account_oclasses and the 'group' objectclass to the webadm_group_oclasses.
webadm_account_oclasses "webadmAccount"
webadm_group_oclasses "webadmGroup"
webadm_config_oclasses "webadmConfig"

# LDAP attributes
certificate_attrs "userCertificate"
password_attrs "userPassword", "unicodePwd", "sambaNTPassword"
uid_attrs "uid", "samAccountName", "userPrincipalName"
member_attrs "member", "uniqueMember"
memberof_attrs "memberOf", "groupMembership"
memberuid_attrs "memberUid"
language_attrs "preferredLanguage"
mobile_attrs "mobile", "otherMobile"
mail_attrs "mail", "otherMailbox"
webadm_data_attrs "webadmData"
webadm_settings_attrs "webadmSettings"
webadm_type_attrs "webadmType"

# Find below the LDAP containers required by WebADM.
# Change the container's DN to fit your ldap tree base.
# WebADM AdminRoles container
adminroles_container "cn=AdminRoles,cn=WebADM"
# WebADM Optionsets container
optionsets_container "cn=OptionSets,cn=WebADM"
# WebApp configurations container
webapps_container "cn=WebApps,cn=WebADM"
# WebSrv configurations container
websrvs_container "cn=WebSrvs,cn=WebADM"
# Mount points container
mountpoints_container "cn=Mountpoints,cn=WebADM"
# Domain and Trusts container
domains_container "cn=Domains,cn=WebADM"
# Clients container
clients_container "cn=Clients,cn=WebADM"

# You can set here the timeout (in seconds) of a WebADM session.
# Web sessions will be closed after this period of inactivity.
# The Manager Interface cookie-based sessions are disabled by default.
admin_session 900
manager_session 0
webapps_session 600

# You can set here the WebADM internal cache timeout. A normal value is one hour.
cache_timeout 3600

# Application languages
languages "EN", "FR", "DE", "ES", "IT", "FI"

# WebADM encrypts LDAP user data, sensitive configurations and user sessions with
# AES-256. The encryption key(s) must be 256bit base64-encoded random binary data.
# Use the command 'openssl rand -base64 32' to generate a new encryption key.
# Warning: If you change the encryption key, any encrypted data will become invalid!
# You can set several encryption keys for key rollout. All the defined keys are used
# for decrypting data. And the first defined key is used to (re-)encrypt data.
# Two encryption modes are supported:
# Standard: AES-256-CBC (default)
# Advanced: AES-256-CBC with per-object encryption (stronger)
encrypt_data Yes
encrypt_mode Standard
encrypt_hsm No
encrypt_key "49SkOTmgAEDB8O+rxwbBoUWzg5m+z6vvtix76QoKD1A="

# Hardware Cryptography Module
# Yubico YubiHSM and RCDevs HSMHub are currently supported for hardware encryption.
# Up to 8 HSM modules can be concurrently attached to the server.
#hsm_model YubiHSM
#hsm_keyid 1

# The data store defines which back-end is used for storing user data and settings.
# By default WebADM stores any user and group metadata in the LDAP objects. By setting
# the data_store to SQL, these metadata are stored in a dedicated SQL table.
# LDAP remains the preferred option because it maximizes the system consistency.
# SQL should be used only if you need read-only LDAP access for the proxy_user.
data_store LDAP

# The record store defines which back-end is used to store SpanKey records.
# Choose SQL to store records in the database and NAS to store on a shared NAS folder.
# With NAS, the store_path must be configured and accessible from all cluster nodes.
record_store SQL
#record_path "/mnt/records"

# The group mode defines how WebADM will handle LDAP groups.
# - Direct mode: WebADM finds user groups using the memberof_attrs defined above.
#   In this case, the group membership is defined in the LDAP user objects.
# - Indirect mode: WebADM finds user groups by searching group objects which contain
#   the user DN as part of the member_attrs.
# - Auto: Both direct and indirect groups are used.
# - Disabled: All LDAP group features are disabled in WebADM.
# By default (when group_mode is not specified) WebADM handles both group modes.
group_mode Auto

# LDAP cache greatly improves performance under high server loads. The cache limits
# the number of LDAP requests by storing resolved user DNs and group settings. When
# enabled, results are cached for 300 secs.
ldap_cache Yes

# LDAP routing enables LDAP request load-balancing when multiple LDAP servers are
# configured in servers.xml. You should enable this feature only if the LDAP server
# load becomes a bottleneck due to a big amount of users (ex. more than 10000 users).
#ldap_routing No

# You can optionally disable some features if you run multiple WebADM servers with
# different purposes. For example, if you don't want to provide the admin portal on an
# Internet-exposed WebApps and WebSrvs server.
# By default, all the functionalities are enabled.
enable_admin Yes
enable_manager Yes
enable_webapps Yes
enable_websrvs Yes

# Enable syslog reporting (disabled by default). When enabled, system logs are sent
# to both the WebADM log files and syslog.
#log_debug No
#log_format Default
#log_mixsql No
#log_syslog No
#syslog_facility LOG_USER
#syslog_format CEF

# Alerts are always recorded to the SQL Alert log. Additionally, when alert_email
# or alert_mobile is defined, the alerts are also sent by email/SMS.
#alert_email "[email protected]"
#alert_mobile "+33 12345678"

# Alert users via email when a login certificate or ActiveDirectory domain password
# is near expiration. The templates are defined in ldap_expire_xxx and cert_expire_xxx.
user_warning Yes

# If your WebADM server is used behind a reverse-proxy or load-balancer, you need to
# set the IP address(es) of your reverse-proxy server(s). Your proxy MUST create the
# HTTP_X_FORWARDED_FOR and HTTP_X_FORWARDED_HOST headers.
#reverse_proxies "192.168.0.100", "192.168.0.101"
# If you use WebADM Publishing Proxy (WAProxy) for publishing applications on public
# networks, then you must set the IP address(es) of the WAProxy server(s).
# Enable this setting ONLY if you are using RCDevs WAProxy as reverse-proxy!
#waproxy_proxies "192.168.0.102"
# The public DNS name of your WAProxy server
#waproxy_pubaddr "www.myproxy.com"

# Check for new product versions and license updates on RCDevs' website.
# These features require outbound Internet access from the server.
check_versions Yes
check_licenses Yes

# WebApps theme (default or flat)
# Comment the following line to disable the default theme.
webapps_theme "default"

# End-user message templates
# The following variables are available: %USERNAME%, %USERDN%, %USERID%, %DOMAIN%, %APPNAME%
# Additional variables are available depending on the context: %APPNAME%, %APPID%, %TIMEOUT%, %EXPIRES%
app_unlock_subject "Unlocked access to %APPNAME%"
app_unlock_message "Hello %USERNAME%,\r\n\r\nYou have a one-time access to the %APPNAME%.\r\nYour access will automatically expire %EXPIRES%."
ldap_expire_subject "Login password near expiration"
ldap_expire_message "Hello %USERNAME%,\r\n\r\nYour login password will expire %EXPIRES%.\r\nPlease reset your password before expiration!\r\n\r\nRegards"
cert_expire_subject "Login certificate near expiration"
cert_expire_message "Hello %USERNAME%,\r\n\r\nYour login certificate will expire %EXPIRES%.\r\nPlease renew your certificate before expiration!\r\n\r\nRegards"

# Personalization options
# You can customize your organization name, logo file and website URL.
# The logo file must be a PNG image with size 100x50 pixels.
#org_name "RCDevs SA"
#org_logo "rcdevs.png"
#org_site "http://www.rcdevs.com/"

# Misc options
#treeview_width 300
#treeview_items 1500
#default_portal Admin
#ldap_uidcase No
#ntp_server "myserver.local"

Adjust the LDAP containers to your configuration.

Note

You don't have to change the first part of each container DN. Edit the LDAP container DNs according to your domain and your OU. In this documentation the Organizational Unit DN is ou=WebADM,dc=mydomain,dc=com. The LDAP tree base (dc=mydomain,dc=com) does not have to be repeated in the LDAP containers, proxy_user and super_admins settings because of the ldap_treebase setting just above.

# Find below the LDAP containers required by WebADM.
# Change the container's DN to fit your ldap tree base.
# WebADM AdminRoles container
adminroles_container "cn=AdminRoles,ou=WebADM"
# WebADM Optionsets container
optionsets_container "cn=OptionSets,ou=WebADM"
# WebApp configurations container
webapps_container "cn=WebApps,ou=WebADM"
# WebSrv configurations container
websrvs_container "cn=WebSrvs,ou=WebADM"
# Mount points container
mountpoints_container "cn=Mountpoints,ou=WebADM"
# Domain and Trusts container
domains_container "cn=Domains,ou=WebADM"
# Clients container
clients_container "cn=Clients,ou=WebADM"

3.3 Proxy User

The proxy user needs to perform wide LDAP searches and reads. It requires read-only permissions on the WebADM LDAP configurations (i.e. the configured containers) and on the user Domain subtrees. It also needs to perform some write operations on a few LDAP attributes, because it stores dynamic application user data in the user objects. See the following documentation for more information about the proxy_user rights: AD Proxy User.

proxy_user "cn=proxy_user,cn=Users"
proxy_password "Password1234"

Use a dedicated account with exactly these rights, as shown here, rather than a Domain Administrator, since the WebApps and WebSrvs bind with it permanently, and replace the sample password with a strong, unique one before the server goes live.

WebADM OU Rights

Your proxy_user account must have the read right on the WebADM Organizational Unit created previously!

3.4 WebADM Administrator(s)

To allow an administrator or an admin group to log on to the WebADM interface, edit the super_admins setting in webadm.conf:

super_admins "cn=Administrator,cn=Users", \
             "cn=Domain Admins,cn=Users"

See the following documentation for more information about the super_admins rights.

Note

To extend the schema, you also need to configure a schema administrator (a member of the Active Directory Schema Admins group) as a super admin. This schema admin user is used for the first login, to extend the schema through the WebADM GUI.

WebADM OU Rights

Your super_admins administrator(s) must have read/write rights on the WebADM Organizational Unit created previously!

4. Schema Not Extended Configuration

4.1 Prerequisite & Overview

With this option, WebADM does not make any addition to the Active Directory schema. Instead, the WebADM configuration is customized to re-use some existing object classes and attributes.

/opt/webadm/bin/setup

Checking system architecture...Ok
Setup WebADM as master server or slave (secondary server a cluster) (m/s)? m
WebADM proposes 3 default configuration templates:
 1) Default configuration (Novell, eDirectory, Oracle, OpenLDAP)
 2) Active Directory with schema extention (preferred with AD)
 3) Active Directory without schema extention
Choose a template number or press enter default: 3
Enter the server fully qualified host name (FQDN): webadm.mycompany.com
Enter your organization name: my compagny
Generating CA private key... Ok
Creating CA certificate... Ok
Generating SSL private key... Ok
Creating SSL certificate request... Ok
Signing SSL certificate with CA... Ok
Adding CA certificate to the trust list... Ok
Setting file permissions... Ok
Adding system user to dialout group... Ok
Do you want WebADM to be automatically started at boot (y/n)? y
Adding systemd service... Ok
Do you want to register WebADM logrotate script (y/n)? y
Adding logrotate scripts... Ok
Do you want to generate a new secret key webadm.conf (y/n)? y
Generating secret key string... Ok
WebADM has successfully been setup.

WebADM also uses the AD object class bootabledevice as the user/group activation class, and the object class device for the storage of the LDAP configuration objects. It stores user settings and metadata in the bootFile and bootParameter attributes of the bootabledevice class.

In conf/objects.xml, the LDAP object specifications are configured to use the replacement object classes and attributes.

4.2 WebADM Configuration File

In this file, we configure the LDAP containers for WebADM. The file is:

/opt/webadm/conf/webadm.conf

The full file is shown here for reference, but only the LDAP container block needs to be edited; that block (the second one) is the only part that interests us here.

#
# WebADM Server Configuration
#

# Administrator Portal's authentication method.
# - PKI: Requires client certificate and login password.
# - UID: Requires domain name, login name and password.
# - DN: Requires login DN and password.
# - OTP: Like UID with an OTP challenge.
# - U2F: Like UID with a FIDO-U2F challenge.
# - MFA: Like UID with both OTP and FIDO-U2F challenge.
# Using certificates is the most secure login method. To use certificate login,
# you must log in WebADM and create a login certificate for your administrators.
# The UID mode requires a WebADM domain to exist and have its User Search Base
# set to the subtree where the administrator users are located. When using UID
# and if there is no domain existing in WebADM, the login mode is automatically
# forced to DN. You will also need to log in with the full user DN and set up
# a WebADM domain to be able to use the UID login mode.
admin_auth UID

# Show the registered domain list when admin_auth is set to UID, OTP or U2F.
# And set a default admin login domain when auth_mode is set to these methods.
list_domains Yes
#default_domain "Default"

# Manager API's authentication method. Only UID, PKI and DN are supported here.
# If you set the admin_auth with multi-factor (PKI, OTP or U2F), then you must
# either use manager_auth PKI or UID with a list of allowed client IPs.
#manager_auth UID
#manager_clients "192.168.0.10","192.168.0.11"

# User level changes the level of feature and configuration for all applications.
# WebADM proposes three levels: Beginner, Intermediate and Expert. The default
# level (Expert) is recommended as it provides access to all the RCDevs features.
#user_level Expert

# If your LDAP directory is set up with a base DN (ex. dc=mydomain,dc=com on AD),
# you can optionally set the ldap_treebase suffix and omit the suffix in other
# LDAP configurations like proxy_user, super_admins and containers.
ldap_treebase "dc=mydomain,dc=com"

# The proxy user is used by WebADM for accessing LDAP objects over which the
# admin user does not have read permissions or out of an admin session.
# The proxy user should have read permissions on the whole LDAP tree,
# and write permissions on the users/groups used by the WebApps and WebSrvs.
# The use of a proxy user is required for WebApps and WebSrvs.
# With ActiveDirectory, you can use any Domain Administrator DN as a proxy user,
# which should look like cn=Administrator,cn=Users,dc=mydomain,dc=com.
proxy_user "cn=Administrator,cn=Users"
proxy_password "Password1234"

# Super administrators have extended WebADM privileges such as setup permissions,
# additional operations and unlimited access to any LDAP encrypted data. Access
# restrictions configured in the WebADM OptionSets do not apply to super admins.
# You can set a list of individual LDAP users or LDAP groups here.
# With ActiveDirectory, your administrator account should be something like
# cn=Administrator,cn=Users. And you can replace the sample
# super_admins group on the second line with an existing security group.
super_admins "cn=Administrator,cn=Users", \
             "cn=Domain Admins,cn=Users"

# LDAP objectclasses
container_oclasses "container", "organizationalUnit", "organization", "domain", \
                   "locality", "country", "openldaprootdse", "treeroot"

# user_oclasses is used to build the LDAP search filter with 'Domain' auth_mode.
# If your super admin user does not have one of the following objectclasses,
# add one of its objectclasses to the list.
user_oclasses "user", "account", "person", "inetOrgPerson", "posixAccount"
group_oclasses "group", "groupOfNames", "groupOfUniqueNames", "dynamicGroup", "posixGroup"

# With ActiveDirectory 2003 only, you need to add the 'user' objectclass to the
# webadm_account_oclasses and the 'group' objectclass to the webadm_group_oclasses.
webadm_account_oclasses "bootabledevice"
webadm_group_oclasses "bootabledevice"
webadm_config_oclasses "device"

# LDAP attributes
certificate_attrs "userCertificate"
password_attrs "userPassword", "unicodePwd", "sambaNTPassword"
uid_attrs "uid", "samAccountName", "userPrincipalName"
member_attrs "member", "uniqueMember"
memberof_attrs "memberOf", "groupMembership"
memberuid_attrs "memberUid"
language_attrs "preferredLanguage"
mobile_attrs "mobile", "otherMobile"
mail_attrs "mail", "otherMailbox"
webadm_data_attrs "bootFile"
webadm_settings_attrs "bootParameter"
webadm_type_attrs "serialNumber"

# Find below the LDAP containers required by WebADM.
# Change the container's DN to fit your ldap tree base.
# WebADM AdminRoles container
adminroles_container "cn=AdminRoles,cn=WebADM"
# WebADM Optionsets container
optionsets_container "cn=OptionSets,cn=WebADM"
# WebApp configurations container
webapps_container "cn=WebApps,cn=WebADM"
# WebSrv configurations container
websrvs_container "cn=WebSrvs,cn=WebADM"
# Mount points container
mountpoints_container "cn=Mountpoints,cn=WebADM"
# Domain and Trusts container
domains_container "cn=Domains,cn=WebADM"
# Clients container
clients_container "cn=Clients,cn=WebADM"

# You can set here the timeout (in seconds) of a WebADM session.
# Web sessions will be closed after this period of inactivity.
# The Manager Interface cookie-based sessions are disabled by default.
admin_session 900
manager_session 0
webapps_session 600

# You can set here the WebADM internal cache timeout. A normal value is one hour.
cache_timeout 3600

# Application languages
languages "EN", "FR", "DE", "ES", "IT", "FI"

# WebADM encrypts LDAP user data, sensitive configurations and user sessions with
# AES-256. The encryption key(s) must be 256bit base64-encoded random binary data.
# Use the command 'openssl rand -base64 32' to generate a new encryption key.
# Warning: If you change the encryption key, any encrypted data will become invalid!
# You can set several encryption keys for key rollout. All the defined keys are used
# for decrypting data. And the first defined key is used to (re-)encrypt data.
# Two encryption modes are supported:
# Standard: AES-256-CBC (default)
# Advanced: AES-256-CBC with per-object encryption (stronger)
encrypt_data Yes
encrypt_mode Standard
encrypt_hsm No
encrypt_key "10FiU5OKkO8FjthFHfRr5ZbsTr5XCPFUnk6iCDxZqHE="

# Hardware Cryptography Module
# Yubico YubiHSM and RCDevs HSMHub are currently supported for hardware encryption.
# Up to 8 HSM modules can be concurrently attached to the server.
#hsm_model YubiHSM
#hsm_keyid 1

# The data store defines which back-end is used for storing user data and settings.
# By default WebADM stores any user and group metadata in the LDAP objects. By setting
# the data_store to SQL, these metadata are stored in a dedicated SQL table.
# LDAP remains the preferred option because it maximizes the system consistency.
# SQL should be used only if you need read-only LDAP access for the proxy_user.
data_store LDAP

# The record store defines which back-end is used to store SpanKey records.
# Choose SQL to store records in the database and NAS to store on a shared NAS folder.
# With NAS, the store_path must be configured and accessible from all cluster nodes.
record_store SQL
#record_path "/mnt/records"

# The group mode defines how WebADM will handle LDAP groups.
# - Direct mode: WebADM finds user groups using the memberof_attrs defined above.
#   In this case, the group membership is defined in the LDAP user objects.
# - Indirect mode: WebADM finds user groups by searching group objects which contain
#   the user DN as part of the member_attrs.
# - Auto: Both direct and indirect groups are used.
# - Disabled: All LDAP group features are disabled in WebADM.
# By default (when group_mode is not specified) WebADM handles both group modes.
group_mode Auto

# LDAP cache greatly improves performance under high server loads. The cache limits
# the number of LDAP requests by storing resolved user DNs and group settings. When
# enabled, results are cached for 300 secs.
ldap_cache Yes

# You can optionally disable some features if you run multiple WebADM servers with
# different purposes. For example, if you don't want to provide the admin portal on an
# Internet-exposed WebApps and WebSrvs server.
# By default, all the functionalities are enabled.
enable_admin Yes
enable_manager Yes
enable_webapps Yes
enable_websrvs Yes

# LDAP routing enables LDAP request load-balancing when multiple LDAP servers are# configured in servers.xml. You should enable this feature only if the LDAP server# load becomes a bottleneck due to a big amount of users (ex. more than 10000 users).#ldap_routing No

# You can optionally disable some features if you run multiple WebADM servers with# different purposes. For example, if you don't want to provide admin portal on an# Internet-exposed WebApps and WebSrvs server.# By default, all the functionalities are enabled.

# Enable syslog reporting (disabled by default). When enable, system logs are sent# to both the WebADM log files and syslog.#log_debug No#log_format Default#log_mixsql No#log_syslog No#syslog_facility LOG_USER#syslog_format CEF
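To make the four group modes described in the webadm.conf comment concrete, here is an added example (not RCDevs code) that resolves a user's groups over a small constructed in-memory directory. The attribute names memberOf and member, the user and group DNs, and the directory itself are assumptions modelled on Active Directory; WebADM's real lookup goes through its memberof_attrs and member_attrs settings against the live LDAP server, not through this toy.

```python
"""Direct, indirect and auto LDAP group resolution, as described for group_mode.

Added example, not part of WebADM. The directory below is constructed; attribute
values are lists, as they are in LDAP.
"""

# Constructed directory: DN -> attributes. The Helpdesk group lists alice as a
# member, but alice's own object does not carry it in memberOf, so only an
# indirect (group-side) search can find it.
DIRECTORY = {
    "cn=alice,cn=Users,dc=mydomain,dc=com": {
        "objectClass": ["user"],
        "memberOf": ["cn=VPN Users,cn=Users,dc=mydomain,dc=com"],
    },
    "cn=VPN Users,cn=Users,dc=mydomain,dc=com": {
        "objectClass": ["group"],
        "member": ["cn=alice,cn=Users,dc=mydomain,dc=com"],
    },
    "cn=Helpdesk,cn=Users,dc=other,dc=com": {
        "objectClass": ["group"],
        "member": ["CN=alice,CN=Users,DC=mydomain,DC=com"],  # same DN, other casing
    },
}

# Assumed equivalents of the memberof_attrs / member_attrs settings.
MEMBEROF_ATTRS = ["memberOf"]
MEMBER_ATTRS = ["member"]


def _norm(dn):
    """DNs compare case-insensitively in LDAP; normalise before comparing."""
    return dn.lower()


def direct_groups(user_dn, directory=DIRECTORY):
    """Direct mode: read the group DNs stored on the user object itself."""
    entry = directory.get(user_dn, {})
    groups = set()
    for attr in MEMBEROF_ATTRS:
        groups.update(entry.get(attr, []))
    return groups


def indirect_groups(user_dn, directory=DIRECTORY):
    """Indirect mode: search group objects whose member attribute holds the user DN."""
    wanted = _norm(user_dn)
    groups = set()
    for dn, entry in directory.items():
        if "group" not in entry.get("objectClass", []):
            continue
        for attr in MEMBER_ATTRS:
            if wanted in {_norm(v) for v in entry.get(attr, [])}:
                groups.add(dn)
    return groups


def user_groups(user_dn, group_mode="Auto", directory=DIRECTORY):
    """Resolve groups the way the group_mode setting describes."""
    mode = group_mode.lower()
    if mode == "disabled":
        return set()
    if mode == "direct":
        return direct_groups(user_dn, directory)
    if mode == "indirect":
        return indirect_groups(user_dn, directory)
    if mode == "auto":
        return direct_groups(user_dn, directory) | indirect_groups(user_dn, directory)
    raise ValueError(f"unknown group_mode {group_mode!r}")


if __name__ == "__main__":
    alice = "cn=alice,cn=Users,dc=mydomain,dc=com"
    for mode in ("Direct", "Indirect", "Auto", "Disabled"):
        print(mode, sorted(user_groups(alice, mode)))
```

The point the example makes is the one the comment only implies: Direct mode is cheap (one read of the user object) but trusts whatever the user entry says, while Indirect mode costs a search over group objects and is the only mode that sees memberships recorded solely on the group side; Auto pays for both and returns the union.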

# Alerts are always recorded to the SQL Alert log. Additionally, when alert_email
# or alert_mobile is defined, the alerts are also sent by email/SMS.
#alert_email "[email protected]"
#alert_mobile "+33 12345678"

# Alert users via email when a login certificate or ActiveDirectory domain password
# is near expiration. The templates are defined in ldap_expire_xxx and cert_expire_xxx.
user_warning Yes

# If your WebADM server is used behind a reverse-proxy or load-balancer, you need to
# set the IP address(es) of your reverse-proxy server(s). Your proxy MUST create the
# HTTP_X_FORWARDED_FOR and HTTP_X_FORWARDED_HOST headers.
#reverse_proxies "192.168.0.100", "192.168.0.101"
# If you use WebADM Publishing Proxy (WAProxy) for publishing applications on public
# networks, then you must set the IP address(es) of the WAProxy server(s).
# Enable this setting ONLY if you are using RCDevs WAProxy as reverse-proxy!
#waproxy_proxies "192.168.0.102"
# The public DNS name of your WAProxy server
#waproxy_pubaddr "www.myproxy.com"

# Check for new product versions and license updates on RCDevs' website.
# These features require outbound Internet access from the server.
check_versions Yes
check_licenses Yes

# WebApps theme (default or flat)
# Comment the following line to disable the default theme.
webapps_theme "default"

# End-user message templates
# The following variables are available: %USERNAME%, %USERDN%, %USERID%, %DOMAIN%, %APPNAME%
# Additional variables are available depending on the context: %APPNAME%, %APPID%, %TIMEOUT%, %EXPIRES%
app_unlock_subject "Unlocked access to %APPNAME%"
app_unlock_message "Hello %USERNAME%,\r\n\r\nYou have a one-time access to the %APPNAME%.\r\nYour access will automatically expire %EXPIRES%."
ldap_expire_subject "Login password near expiration"
ldap_expire_message "Hello %USERNAME%,\r\n\r\nYour login password will expire %EXPIRES%.\r\nPlease reset your password before expiration!\r\n\r\nRegards"
cert_expire_subject "Login certificate near expiration"
cert_expire_message "Hello %USERNAME%,\r\n\r\nYour login certificate will expire %EXPIRES%.\r\nPlease renew your certificate before expiration!\r\n\r\nRegards"

# Personalization options
# You can customize your organization name, logo file and website URL.
# The logo file must be PNG image with size 100x50 pixels.
#org_name "RCDevs SA"
#org_logo "rcdevs.png"
#org_site "http://www.rcdevs.com/"

# Misc options
#treeview_width 300
#treeview_items 1500
#default_portal Admin
#ldap_uidcase No
#ntp_server "myserver.local"

Adjust the LDAP containers to your configuration:

# Find below the LDAP containers required by WebADM.
# Change the container's DN to fit your ldap tree base.
# WebADM AdminRoles container
adminroles_container "cn=AdminRoles,ou=WebADM"
# WebADM Optionsets container
optionsets_container "cn=OptionSets,ou=WebADM"
# WebApp configurations container
webapps_container "cn=WebApps,ou=WebADM"
# WebSrv configurations container
websrvs_container "cn=WebSrvs,ou=WebADM"
# Mount points container
mountpoints_container "cn=Mountpoints,ou=WebADM"
# Domain and Trusts container
domains_container "cn=Domains,ou=WebADM"
# Clients container
clients_container "cn=Clients,ou=WebADM"

Note

You don't have to change the first part of each container DN. You only have to edit the container DNs according to your domain and your OU. My Organizational Unit DN is ou=WebADM,dc=mydomain,dc=com. The LDAP tree base (dc=mydomain,dc=com) is not required in the LDAP containers, proxy_user and super_admins values, because it is supplied by the ldap_treebase setting just above.

4.3 Proxy User

The proxy user needs to perform wide LDAP searches and reads. It also requires read-only permissions on the WebADM LDAP configurations (i.e. the configured containers) and on the user Domains subtrees. The proxy user additionally needs write access to a few LDAP attributes, because it stores dynamic application user data in the user objects. Have a look at the following documentation for more information about the proxy_user rights: AD Proxy User.

proxy_user "cn=proxy_user,cn=Users"
proxy_password "Password1234"
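As an added example (not part of the RCDevs documentation or of WebADM itself), the following Python script parses a webadm.conf-style fragment and runs the checks a reviewer would want before the server goes live: it composes full DNs from ldap_treebase the way the Note above describes, verifies that encrypt_key really is 256 bits of base64 data as the comment in webadm.conf requires, and flags values copied unchanged from this guide (the printed sample encryption key and the proxy_password Password1234). The syntax rules (one setting per line, double-quoted values, comma-separated lists, a trailing backslash for continuation) are inferred from the fragments shown in this guide, and the sample configuration is constructed.

```python
"""Parse a webadm.conf-style fragment and run configuration hygiene checks.

Added example, not RCDevs code. Syntax assumptions: 'name value' per line,
'#' comments, double-quoted strings, comma-separated lists, and a trailing
backslash that continues a setting on the next line (as super_admins does).
"""
import base64
import shlex

# Constructed sample, modelled on the fragments shown in this guide.
SAMPLE_CONF = r'''
# LDAP tree base; containers, proxy_user and super_admins are relative to it
ldap_treebase "dc=mydomain,dc=com"
adminroles_container "cn=AdminRoles,ou=WebADM"
proxy_user "cn=proxy_user,cn=Users"
proxy_password "Password1234"
super_admins "cn=Administrator,cn=Users", \
             "cn=Domain Admins,cn=Users"
encrypt_data Yes
encrypt_key "10FiU5OKkO8FjthFHfRr5ZbsTr5XCPFUnk6iCDxZqHE="
admin_session 900
'''

# Values printed as samples in this guide; finding them in a real file means
# the administrator never replaced them.
DOC_SAMPLE_KEY = "10FiU5OKkO8FjthFHfRr5ZbsTr5XCPFUnk6iCDxZqHE="
DOC_SAMPLE_PASSWORD = "Password1234"


def parse_conf(text):
    """Return {setting: value}; value is a str, or a list of str for lists."""
    logical, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):            # continuation: glue to the next line
            pending += line[:-1] + " "
            continue
        logical.append(pending + line)
        pending = ""
    settings = {}
    for entry in logical:
        name, _, rest = entry.partition(" ")
        # shlex honours the double quotes; commas between items are dropped
        items = [tok.strip(",") for tok in shlex.split(rest) if tok.strip(",")]
        settings[name] = items[0] if len(items) == 1 else items
    return settings


def full_dn(relative_dn, treebase):
    """WebADM appends ldap_treebase to the relative DNs given in webadm.conf."""
    return f"{relative_dn},{treebase}"


def check_encrypt_key(key):
    """None if key is 32 bytes of valid base64 ('openssl rand -base64 32'), else why not."""
    try:
        raw = base64.b64decode(key, validate=True)
    except ValueError:                     # binascii.Error is a ValueError
        return "encrypt_key is not valid base64"
    if len(raw) != 32:
        return f"encrypt_key decodes to {len(raw)} bytes, expected 32 (256 bits)"
    return None


def audit(settings):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    problem = check_encrypt_key(settings.get("encrypt_key", ""))
    if problem:
        findings.append(problem)
    if settings.get("encrypt_key") == DOC_SAMPLE_KEY:
        findings.append("encrypt_key is the sample key printed in the documentation; generate your own")
    if settings.get("proxy_password") == DOC_SAMPLE_PASSWORD:
        findings.append("proxy_password is the sample password printed in the documentation")
    if settings.get("encrypt_data", "Yes") != "Yes":
        findings.append("encrypt_data is not Yes; the AES-256 protection of LDAP user data is off")
    return findings


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print("proxy_user:", full_dn(conf["proxy_user"], conf["ldap_treebase"]))
    for admin in conf["super_admins"]:
        print("super_admin:", full_dn(admin, conf["ldap_treebase"]))
    for finding in audit(conf):
        print("FINDING:", finding)
```

Run against the constructed sample, the audit reports exactly the two copied sample values; the key itself passes the length check, which is the point: a syntactically perfect key can still be one everybody who has read this guide knows.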

WebADM OU Rights

Your proxy_user account should have the read right on the WebADM Organizational Unit previously created!

4.4 WebADM Administrator(s)

To allow an administrator or an admin group to log on to the WebADM interface, you have to edit the super_admins setting in webadm.conf:

super_admins "cn=Administrator,cn=Users", \
             "cn=Domain Admins,cn=Users"

Have a look at the following documentation for more information about the super_admin rights.

WebADM OU Rights

Your super_admin administrator(s) should have read/write rights on the WebADM Organizational Unit previously created!

5. Servers Configuration

5.1 LDAP Server

The LDAP server(s) have to be set in the /opt/webadm/conf/servers.xml file. Edit this file and configure the LDAP section like below:

<LdapServer name="My_AD"
            host="ip_or_dns_name_of_your_AD"
            port="389"
            encryption="TLS"
            cert_file=""
            key_file="" />

Note

For the extended schema scenario, you have to set the schema master server. If you provide more than one LDAP server in servers.xml, the first one will be used as the schema master. Providing more than one LDAP server requires an enterprise license.

5.2 SQL Server

WebADM uses a database to store audit logs and localized messages. Application configurations, users and their metadata are stored directly in LDAP rather than in the database. WebADM supports both MySQL and PostgreSQL databases. Other databases are not currently fully tested. You must create a webadm database on your SQL server and a webadm user with password webadm, having full permissions on that database. Edit the /opt/webadm/conf/servers.xml file and adjust the SQL Server parameters such as the database username and password.

Install with Debian repository:

apt-get install mariadb-server
systemctl enable mariadb
systemctl start mariadb
mysql_secure_installation
/opt/webadm/doc/scripts/create_mysqldb

Installation with yum repository:

yum install mariadb-server
systemctl enable mariadb
systemctl start mariadb
mysql_secure_installation
/opt/webadm/doc/scripts/create_mysqldb

SQL configuration in the servers.xml file:

<SqlServer name="SQL Server"
           type="MySQL"
           host="localhost"
           user="webadm"
           password="webadm"
           database="webadm"
           encryption="NONE" />

Configure the SQL information according to your setup.

6. WebADM Services

After editing the webadm.conf and servers.xml files, you have to start or restart the WebADM services. Type the following command to do it:

/opt/webadm/bin/webadm restart

WebADM configuration through the command line interface is done. We can finish the setup through the Web interface.
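Before issuing that restart, the two element types edited in sections 5.1 and 5.2 can be sanity-checked. The following is an added example (not RCDevs code and not WebADM's own validation): it parses a constructed servers.xml with the standard library and reports the things a security reviewer looks for in this file, namely an LDAP connection left at encryption="NONE" (the proxy_user password and user data would then cross the network in clear), a placeholder host never replaced, the documented default SQL password, and an unencrypted SQL connection to a remote host. A <Servers> root element wrapping the entries is assumed, as are the check rules themselves.

```python
"""Sanity-check <LdapServer> and <SqlServer> entries of a servers.xml file.

Added example, not RCDevs code. Assumes the element and attribute names shown in
sections 5.1 and 5.2 of this guide and a <Servers> root element around them.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the first LdapServer is the guide's snippet with its
# placeholder host, the second is a deliberately unencrypted entry.
SAMPLE_SERVERS_XML = """
<Servers>
  <LdapServer name="My_AD" host="ip_or_dns_name_of_your_AD" port="389"
              encryption="TLS" cert_file="" key_file="" />
  <LdapServer name="My_AD2" host="dc2.mydomain.com" port="389"
              encryption="NONE" cert_file="" key_file="" />
  <SqlServer name="SQL Server" type="MySQL" host="localhost" user="webadm"
             password="webadm" database="webadm" encryption="NONE" />
</Servers>
"""

PLACEHOLDER_HOSTS = {"", "ip_or_dns_name_of_your_AD"}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def check_servers_xml(xml_text):
    """Return a list of (element name, level, message); empty means clean."""
    root = ET.fromstring(xml_text)
    findings = []

    ldap_servers = root.findall("LdapServer")
    if not ldap_servers:
        findings.append(("LdapServer", "warn", "no LDAP server configured"))
    for idx, srv in enumerate(ldap_servers):
        name = srv.get("name", "?")
        enc = srv.get("encryption", "NONE").upper()
        if enc == "NONE":
            findings.append((name, "warn", "LDAP traffic is not encrypted; credentials and user data cross the network in clear"))
        if enc == "SSL" and srv.get("port") != "636":
            findings.append((name, "warn", 'encryption="SSL" normally pairs with port 636'))
        if srv.get("host", "") in PLACEHOLDER_HOSTS:
            findings.append((name, "warn", "host is still the placeholder from the documentation"))
        if idx == 0 and len(ldap_servers) > 1:
            # Informational: per the note in 5.1, the first entry is the schema master
            findings.append((name, "info", "first LdapServer acts as schema master in the extended schema scenario"))

    sql_servers = root.findall("SqlServer")
    if not sql_servers:
        findings.append(("SqlServer", "warn", "no SQL server configured; audit logs need a database"))
    for srv in sql_servers:
        name = srv.get("name", "?")
        host = srv.get("host", "")
        if srv.get("encryption", "NONE").upper() == "NONE" and host not in LOCAL_HOSTS:
            findings.append((name, "warn", f"SQL connection to remote host {host} is unencrypted"))
        if srv.get("user") == "webadm" and srv.get("password") == "webadm":
            findings.append((name, "warn", "SQL account still uses the password given in the documentation"))
    return findings


if __name__ == "__main__":
    for name, level, message in check_servers_xml(SAMPLE_SERVERS_XML):
        print(f"[{level}] {name}: {message}")
```

The "info" entry is deliberately separate from the warnings: which server is first matters for the extended schema scenario described in the note of section 5.1, so the order is worth printing, but it is not a defect.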

7. WebADM Setup Wizard

Go to the Web interface: type the IP address or DNS name of your WebADM server in the URL field of your web browser.

For the first login, you have to use the FULL DN of your super_admin user defined in webadm.conf.

Once logged on to the WebADM interface, you will see a message on the first page saying:

Your WebADM installation is not completely configured!


Scroll down to the end of this page and click on the blue button to finish the setup.

Note

If you have chosen the extended schema scenario, you have to log in with the schema admin account defined in webadm.conf file.


Installation and configuration are done. You can now log out and log in again, this time with the username instead of the full DN.


8. WebADM Domain Configuration and OpenOTP Registration

To finish, go to the WebADM GUI, click on Admin at the top and click on the Local Domains option. You will see "Default" in Registered Local Domains; this object was created during the graphical setup. Click on CONFIGURE and check the box Domain Name Aliases. In this field, put your Domain name and NetBIOS domain name.

You can also configure your User Search Base here.

Example

If my domain is rcdevs.com and my netbios name is netbiosrcdevs, I will set in the field rcdevs.com, rcdevs, netbiosrcdevs.


You now have to register the OpenOTP application to enable the service. To do it, go to the Applications tab and, in the Categories box, select Authentication. Under Web Services, you will find MFA Authentication Server (OpenOTP).

Click on the Register button.


Configuration is done! You can use your Active Directory with WebADM & OpenOTP.

9. Video Tutorial Without Schema Extension

Play Video on Youtube

This manual was prepared with great care. However, RCDevs S.A. and the author cannot assume any legal or other liability for possible errors and their consequences. No responsibility is taken for the details contained in this manual. Subject to alteration without notice. RCDevs S.A. does not enter into any responsibility in this respect. The hardware and software described in this manual is provided on the basis of a license agreement. This manual is protected by copyright law. RCDevs S.A. reserves all rights, especially for translation into foreign languages. No part of this manual may be reproduced in any way (photocopies, microfilm or other methods) or transformed into machine-readable language without the prior written permission of RCDevs S.A. The latter especially applies for data processing systems. RCDevs S.A. also reserves all communication rights (lectures, radio and television). The hardware and software names mentioned in this manual are most often the registered trademarks of the respective manufacturers and as such are subject to the statutory regulations. Product and brand names are the property of RCDevs S.A. © 2020 RCDevs SA, All Rights Reserved