PhixFlow Help
PhixFlow Active Directory Guide
You can set up access to PhixFlow either through PhixFlow Users, by integrating with your Active Directory infrastructure, or both. If you integrate with Active Directory, Access Control is maintained by mapping Active Directory Groups to PhixFlow User Groups, as described below. By using the Active Directory integration users will login to PhixFlow using the same username and password as their Microsoft Windows domain login.
This page describes how to integrate PhixFlow with Active Directory:
Configure phixflow-domains.xml
Connection details to the domain servers are configured in the file phixflow-domains.xml, under [tomcat root]/webapps/phixflow/WEB-INF/classes. When you first install PhixFlow, you probably created a copy of this file by simply copying the example file phixflow-domains.xml.example (see PhixFlow Server Installation).
Create domain reference
To create a reference to a domain, update the section in the example file:
<!-- Template of a authentication-provider --> <!-- <security:authentication-provider ref="exampleActiveDirectoryAuthProvider" /> -->
For example, if this domain will be referred to as corporate, update this to (remembering to remove the surrounding comment):
<!-- Template of a authentication-provider --> <security:authentication-provider ref="corporate" />
Add connection details
Simple connection
The simplest type of connection is illustrated below, referencing a single AD server.
Update the section in the example file:
<!-- Template of a bean providing domain and url to authentication-provider --> <!-- <bean id="exampleActiveDirectoryAuthProvider" parent="activeDirectoryAuthProvider"> <constructor-arg index="0" value="narnia.local" /> <constructor-arg index="1" value="ldap://192.168.150.81" /> </bean> -->
to include connection details to the domain. For example, if the domain is called corporate.local and this is manged by the domain controller at 10.23.109.45, update this to (remembering to remove the surrounding comment):
<!-- Template of a bean providing domain and url to authentication-provider --> <bean id="corporate" parent="activeDirectoryAuthProvider"> <constructor-arg index="0" value="corporate.local" /> <constructor-arg index="1" value="ldap://10.23.109.45" /> </bean>
Advanced options
For the connection you can also specify:
Option | Purpose | Example |
---|---|---|
Multiple servers | Some domains are served by multiple servers, to provide resilience and load balancing. These can be specified in a list. PhixFlow will try each of these in turn. | <constructor-arg index="1" value="ldap://ad1.example.com ldap://ad2.example.com" /> |
Root DN | If you have a large AD tree, searches may take some time, and this could lead to slow authentication for users. Therefore it is possible to specify a root DNÂ (Distinguished name) at which PhixFlow will begin searching for the user. The Distinguished Name format is standard and further details can be found on the web. | <constructor-arg index="2" value="ou=User Accounts,ou=Operations,dc=emea,dc=example,dc=com" /> |
Timeout | You can specify a timeout. For each server specified, if the server does not respond within the limit specified by the timeout, it will try the next server. If the last server in the list times out, then the authentication will fail. The timeout is specified in milliseconds. | <property name="timeout" value="5000"/> |
The following example, in phixflow-domains.xml.example, illustrates the application of all advanced options:
<!-- Template of a bean providing domain, multiple servers, connection timeout and separate rootDn --> <!-- <bean id="exampleActiveDirectoryAuthProvider" parent="activeDirectoryAuthProvider"> <constructor-arg index="0" value="example.com" /> <constructor-arg index="1" value="ldap://ad1.example.com ldap://ad2.example.com" /> <constructor-arg index="2" value="ou=User Accounts,ou=Operations,dc=emea,dc=example,dc=com" /> <property name="timeout" value="5000"/> </bean> -->
PhixFlow Active Directory Setup
System Configuration
Go to the Active Directory tab in the System Configuration window.
There are two fields to configure:
Field | Value | Example |
---|---|---|
Default Domain | This is the domain that users will be presented with when they open PhixFlow. They will be able to select a different domain by selecting from a drop-down list, which will show all configured domains, as well as local. The local domain is used when logging in as an internal PhixFlow user. | local narnia.local |
Active Directory Login Group | The list of names of Active Directory groups authorized to use this instance of PhixFlow, separated by semicolons. There must be no spaces between the groups listed, just semicolons. Use {instance} to include the PhixFlow instance name (this is set up in System configuration). Note that these groups do not have to be mapped to any of the PhixFlow User Groups (see below), although they can be if you wish. | PHIXFLOW_ADMINS; PHIXFLOW_USERS_{instance} |
With the given configuration, assuming the instance name is ‘LIVE’, members of the following Active Directory groups will be authorized to log in into this PhixFlow instance:
- PHIXFLOW_ADMINS
- PHIXFLOW_USERS_LIVE
User Groups
When Active Directory users log into PhixFlow, their Active Directory groups are mapped to PhixFlow User Groups. You can set up this mapping by specifying an Active Directory Group in a PhixFlow User Group. When an AD user in that Active Directory group logs into PhixFlow, they will be put into that PhixFlow User Group. You do not need to map all of a user's Active Directory Groups to PhixFlow User Groups. For each user, any Active Directory groups that are not mapped are simply ignored.
The mapping is configured in the field Active Directory Group in the user group configuration form.
You can use {instance} to include the PhixFlow instance name.
With the given configuration, assuming the instance name is ‘LIVE’, members of the Active Directory ‘PHIXFLOW_USERS_LIVE’ will be members of the ‘Designers’ PhixFlow User Group.
Active Directory users appear on the Group Members list. There is a new column which indicates if the user is a local user or a Active Directory user. Only local users can be added or removed from the list.
User Details
While editing an Active Directory user some fields are invisible. Login name cannot be changed. The domain of the User is shown in the header of the editor.
Logging in as a Active Directory user
There is a new Domain field on the PhixFlow login screen. The value this will have by default is set in System Configuration (see above).
To log in, users must select the domain they need - if this is not the default, they can select one from the drop down list, which will show all configured domains.
After choosing a domain, the suffix will be added to the username automatically:
While logging as an Active Directory user, the user must use their Active Directory password, which cannot be changed through PhixFlow.
If the Active Directory user is not a member of an Active Directory group authorised to use PhixFlow (see above), they will get a standard failure to login message.
If the user is in an Active Directory Group authorised to use PhixFlow, but none of their Active Directory groups are mapped to PhixFlow user groups, they will be able to successfully log in, but will have no access.
Use the encrypted connection
To use the encrypted connection, the protocol of the connection specified in phixflow-domains.xml must be set to ldaps:// instead of ldap://.
The AD server’s certificate must be installed in the Java Certification Store on the PhixFlow application server. To do this you must obtain a certificate file from the AD server and install it.
One way of installing the certificate on the PhixFlow Application server is using keytool. In the command prompt type:
keytool -import -alias example -keystore /path/to/java/cacerts -file example.der
keytool is provided as part of the standard Java installation.
Troubleshooting
Enhanced diagnostics can be generated by adding the lines
# detailed logging for AD connection attempts log4j.logger.org.springframework.security=debug log4j.logger.com.accipia.centerview.util.ContextUserExtractor=debug log4j.logger.com.accipia.centerview.util.security=debug log4j.logger.com.accipia.centerview.model.POJOImpl=debug
to your log4j.properties file - see Server Logging for details on controlling logging options with this file, and where to find the results.
Note that with all options applied, the log files generated will be very large. You must switch off these options as soon as you have completed your tests. You can comment out the lines in the log4j.properties file, if you want to keep them in the file, by placing a # at the beginning of each line.
You could also consider applying a more limited set of debugging options, e.g.
log4j.logger.org.springframework.security=debug log4j.logger.com.accipia.centerview.util.security=debug
This will not give you as complete a log of what is happening during a login attempt, but the log files generated will be smaller. In particular, this reduced set of debugging options will include messages from
com.accipia.centerview.util.security.ActiveDirectoryLdapAuthenticationProvider
which provides information about what groups the user attempting to login belongs to.
Please let us know if we could improve this page feedback@phixflow.com