Active Directory Authentication
After pre-importing users from AD to Txture, it is possible to directly authenticate these users using Active Directory. This avoids keeping extra credentials for users on the Txture server, as authentication is directly done with the domain controller. Additionally, user importers allow for role mapping of your AD roles to Txture roles.
The configuration of this feature can either be done from the System Configuration or in the txture.properties file where a number of configuration options have to be set:
txture.security.auth.enabled=ad
txture.security.auth.ad.url=ldaps://dc1.yourdomain.com:3269 ldaps://dc2.yourdomain.com:3269
txture.security.auth.ad.domain=yourdomain.com
txture.security.auth.ad.filter=(&(objectClass=user)(sAMAccountName={1}))
The following table details the meanings and expected values of these settings (all have to be prefixed with txture.security. as shown above):
Configuration setting | Example value | Description |
---|---|---|
auth.enabled | ad | When set to ad, the Active Directory integration is enabled (other options are documented in txture.properties). |
auth.ad.url | dc1.yourdomain.com dc2.yourdomain.com | The (LDAP) URL used to connect to an AD domain controller. Several domain controllers can be given, separated by spaces. |
auth.ad.domain | yourdomain.com | The AD domain that signing-in users must belong to. This is usually a full domain name, or alternatively an alias that gets resolved to the full domain name. |
auth.ad.filter | (&(objectClass=user)(sAMAccountName={1})) | The filter that matches a given username@domain (which replaces '{1}' in an actual authentication step) or just the username (which replaces '{0}') to a single AD object. Note that the filter must yield exactly one AD object for that object to be considered for the subsequent credential check. |
Info: Changing the AD authentication settings requires a restart of Txture to take effect.
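As an added example (not Txture's own code), a small Python linter for the four txture.security.auth.ad.* settings above: it reads the properties, flags any domain controller URL that is not ldaps://, and checks that the filter is balanced and carries a {0} or {1} placeholder. The check rules are this example's own assumptions; the sample configurations are constructed from the values on this page.

```python
"""Added example (not Txture's own code): lint the txture.security.auth.ad.*
settings of a txture.properties file. The check rules are assumptions."""
import re
from urllib.parse import urlsplit

PREFIX = "txture.security."

def parse_properties(text):
    """Minimal .properties reader: one key=value per line, comments skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def check_ad_config(cfg):
    """Return a list of findings; an empty list means the AD block looks sane."""
    findings = []
    if cfg.get(PREFIX + "auth.enabled") != "ad":
        findings.append("auth.enabled is not 'ad': AD integration stays disabled")
    urls = cfg.get(PREFIX + "auth.ad.url", "").split()  # space-separated DCs
    if not urls:
        findings.append("auth.ad.url is empty")
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme != "ldaps":  # plain ldap:// would send the bind password in clear
            findings.append(f"{url}: not ldaps://, bind credentials would travel unencrypted")
    domain = cfg.get(PREFIX + "auth.ad.domain", "")
    if not re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*", domain):
        findings.append("auth.ad.domain is missing or not a valid domain name")
    flt = cfg.get(PREFIX + "auth.ad.filter", "")
    if flt.count("(") != flt.count(")"):
        findings.append("auth.ad.filter has unbalanced parentheses")
    if "{0}" not in flt and "{1}" not in flt:  # placeholder the user name is substituted into
        findings.append("auth.ad.filter has neither {0} nor {1}: it cannot match the signing-in user")
    return findings

# Constructed sample configs: the page's values, and a weakened variant.
GOOD = """txture.security.auth.enabled=ad
txture.security.auth.ad.url=ldaps://dc1.yourdomain.com:3269 ldaps://dc2.yourdomain.com:3269
txture.security.auth.ad.domain=yourdomain.com
txture.security.auth.ad.filter=(&(objectClass=user)(sAMAccountName={1}))
"""
WEAK = """txture.security.auth.enabled=ad
txture.security.auth.ad.url=ldap://dc1.yourdomain.com:389
txture.security.auth.ad.domain=yourdomain.com
txture.security.auth.ad.filter=(&(objectClass=user)(sAMAccountName=jdoe))
"""
```

Running `check_ad_config(parse_properties(WEAK))` reports the plaintext ldap:// URL and the filter with a hard-coded account instead of a placeholder; the page's own values pass with no findings.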
Debugging
If you need debug log output while setting up Active Directory authentication, you can configure it using the log level setting in the System Configuration.
In the advanced options mode, navigate to Txture Log Levels and add the following classes and log levels:
Class | Log level |
---|---|
org.txture.server.security.authentication.DaoThenActualAuthenticationProvider | TRACE |
org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider | TRACE |
org.springframework.security.web.FilterChainProxy | TRACE |
The end result should look like this: