The ldap.properties file is used to configure Rhapsody's LDAP settings. It is located in the Rhapsody installation directory in /rhapsody/data/users/ldap.properties, or wherever the data directory has been relocated. It is automatically created when Rhapsody starts or restarts (if the file does not already exist).

Rhapsody reloads the ldap.properties file every time a user logs in, or on the schedule set by the LDAP refresh property. Any change to ldap.properties therefore takes effect at the next login or at the next scheduled refresh (it may take a few seconds for Rhapsody to synchronize with the LDAP server).

The following attributes need to be configured:

Enabling/Disabling LDAP

This property enables or disables LDAP.

# Authenticate Rhapsody users using LDAP
ldap=true
# Authenticate Rhapsody users against internal user list
ldap=false
  • Values can be changed without restarting Rhapsody.
  • Default value is false.

Refresh of LDAP Users

This property controls how often the Rhapsody user list is synchronized with the LDAP server.

# Update counts and lists of users shown in the Management Console at 2am every day
ldap.refresh.cron=0 0 2 * * ? *
  • Updates the list of users shown in the Management Console.
  • Updates the count of users for each Access Group shown in the User Manager in Rhapsody IDE.
  • Refreshes using a cron expression. Refer to Advanced Scheduling for details on how to write a cron expression for Rhapsody.  
  • Default refresh is every day at 2am (0 0 2 * * ? *).
  • When refreshing thousands of users over a slow remote connection, refresh times may exceed 30 seconds.
  • If the ldap.properties file has been edited and the user manager is open, an unscheduled refresh will start.

LDAP Server Connections (Multiple Servers)

This property specifies the LDAP servers. If the network has both a main LDAP server and a redundant backup LDAP server, it is highly recommended that you specify both, because users cannot log in to Rhapsody if none of the listed LDAP servers is reachable.

# Connect to LDAP server "dc1" on default LDAP port
server.1.host=dc1

# Connect to LDAP server 10.0.0.2 on non-standard port 12345
server.2.host=10.0.0.2
server.2.port=12345
  • Multiple servers can be supplied.
  • Tries to connect to the servers in order by their number: server 1 is tried before server 2 and so on.
  • Port defaults to 389 for non-SSL.
  • Port defaults to 636 for SSL.

SSL Certificates in Files

This property specifies the certificate to use to identify the LDAP server when using LDAPS (LDAP over SSL). Using LDAPS results in the connection between Rhapsody and the LDAP server being encrypted. A different certificate can be specified for each LDAP server, and multiple certificates can be provided for each server. There is also the option to auto-fetch the certificate from the LDAP server (disabled by default). Automatically fetching the certificate should only be done over a trusted network.

# Connect to LDAP server dc1 on the default LDAPS port using SSL.
# The SSL certificate is stored in ldap.1.cer. If the certificate is
# missing, it is fetched from the server and stored while connecting.
server.1.host=dc1
server.1.ssl=true
server.1.autofetch=true

# Connect to LDAP server on 10.0.0.2 with SSL. The LDAP certificate is in
# ldap-failover.cer. Fail to connect if the certificate is missing
server.2.host=10.0.0.2
server.2.ssl=true
server.2.autofetch=false
server.2.cert.file.1=ldap-failover.cer

# To cater for updating certificates on the LDAP server, supply three
# certificate files
server.3.host=dc3
server.3.ssl=true
server.3.cert.file.1=last_year.cer
server.3.cert.file.2=current_year.cer
server.3.cert.file.3=next_year.cer

SSL Certificates in Java Keystore File

This property specifies a Java Keystore that contains the certificates used to identify the LDAP server when using LDAPS (LDAP over SSL). Using LDAPS results in the connection between Rhapsody and the LDAP server being encrypted.

# Connect to dc1 and fall back to 10.0.0.2, both with SSL on the default port.
# Certificates for the LDAP servers are stored in the Java keystore file ldap.ks.

server.1.host=dc1
server.1.ssl=true

server.2.host=10.0.0.2
server.2.ssl=true

ssl.keystore.file=ldap.ks
ssl.keystore.password=changeit

Expired SSL Certificates

This property controls whether Rhapsody should allow the LDAP server to present expired certificates to identify itself. Although it is not a recommended security practice to accept expired certificates, this may be required in some networks.

# Connect to SSL LDAP servers with expired certificates.
accept.expired.certs=true
# Do not connect to SSL LDAP servers with expired certificates.
accept.expired.certs=false
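As an added example (not part of the Rhapsody documentation or product), the following Python script parses an ldap.properties file and reports the connection settings this page flags as weakening security: a single server with no fallback, servers without SSL (treated as non-SSL when server.N.ssl is absent, which is an assumption), certificate auto-fetch, accepted expired certificates, and failover Administrator login. The sample file is constructed for the example.

```python
import re

# Constructed sample ldap.properties for this example, not from a real deployment.
SAMPLE = """\
ldap=true
server.1.host=dc1
server.1.ssl=true
server.1.autofetch=true
server.2.host=10.0.0.2
server.2.ssl=false
server.2.port=12345
accept.expired.certs=true
"""

def parse_properties(text):
    """Minimal key=value parser: blank and '#' lines skipped, split on first '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def lint_ldap_properties(props):
    """Return a list of findings about settings this page marks as risky."""
    findings = []
    servers = sorted(int(m.group(1)) for k in props
                     if (m := re.fullmatch(r"server\.(\d+)\.host", k)))
    if props.get("ldap") != "true":
        findings.append("ldap is not true: the internal user list is used")
    if len(servers) < 2:
        findings.append("fewer than two LDAP servers: no fallback if one is unreachable")
    for n in servers:
        host = props[f"server.{n}.host"]
        ssl = props.get(f"server.{n}.ssl") == "true"   # absent => non-SSL (assumption)
        port = props.get(f"server.{n}.port") or ("636" if ssl else "389")  # page defaults
        if not ssl:
            findings.append(f"server.{n}: cleartext LDAP to {host}:{port}")
        if props.get(f"server.{n}.autofetch") == "true":
            findings.append(f"server.{n}: autofetch=true, only safe over a trusted network")
    if props.get("accept.expired.certs") == "true":
        findings.append("accept.expired.certs=true: expired server certificates accepted")
    if props.get("ldap.failover.administrator.enabled") == "true":
        findings.append("failover Administrator login enabled: local password must be strong")
    return findings

if __name__ == "__main__":
    for finding in lint_ldap_properties(parse_properties(SAMPLE)):
        print("WARN", finding)
```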

Login

This property specifies the name and password that Rhapsody uses to log in to the LDAP server in order to query it. It is recommended that a dedicated user be created on the LDAP server for this purpose.

# User for querying LDAP specified by DistinguishedName (DN)
login=CN=DomainSupportUser,OU=SupportStaff,DC=acmelabs,DC=internal
password=secret

In general, you can use special characters within a value. However, certain special characters require an additional escape character. Which special characters must be escaped in a value is determined by the LDAP server you are connecting to. In the following example, " and , are escaped:

login=CN=\"Service Account\, rhapsody\"

UserBase/GroupBase

These properties specify the DN ending for LDAP users and groups.

userBase=DC=acmelabs,DC=internal
groupBase=DC=acmelabs,DC=internal

Attributes

Depending on the server, these properties specify the LDAP attributes to read user and group information from:

  • Microsoft® Active Directory.
  • OpenLDAP.

# LDAP attribute names for Microsoft Active Directory
userClass=user
groupClass=group
usernameAttribute=sAMAccountName
memberOfAttribute=memberOf
groupMembersAttribute=member
fullNameAttribute=cn
emailAttribute=mail

# LDAP attribute names for OpenLDAP
userClass=inetOrgPerson
groupClass=groupofnames
usernameAttribute=uid
memberOfAttribute=
groupMembersAttribute=member
fullNameAttribute=cn
emailAttribute=mail

Mappings

These properties map LDAP groups and user DNs to a Rhapsody access group. They give all users in specific LDAP groups, or specific LDAP users, access to Rhapsody by assigning them to one or more Rhapsody access groups. The default Rhapsody groups are Administrator, Developer and Monitoring.

The group and user mappings are case-sensitive.

group.1.dn=CN=Rhapsody Admins,OU=Groups,DC=acmelabs,DC=internal
group.1.accessGroup=Administrator

group.2.dn=CN=Rhapsody Developers,OU=Groups,DC=acmelabs,DC=internal
group.2.accessGroup=Developer

group.3.dn=CN=Rhapsody Monitors,OU=Groups,DC=acmelabs,DC=internal
group.3.accessGroup=Monitoring
 
group.4.dn=CN=Rhapsody DevOps,OU=Groups,DC=acmelabs,DC=internal
group.4.accessGroup.1=Developer
group.4.accessGroup.2=Monitoring

user.1.dn=CN=John Doe,OU=Users,DC=acmelabs,DC=internal
user.1.accessGroup=Administrator

user.2.dn=CN=Richard Roe,OU=Users,DC=acmelabs,DC=internal
user.2.accessGroup.1=Monitoring
user.2.accessGroup.2=Developer

In the preceding example, the default access groups contain the following LDAP groups and users:

  • Administrator:
    • All users in the Rhapsody Admins LDAP group (CN=Rhapsody Admins,OU=Groups,DC=acmelabs,DC=internal).
    • John Doe (CN=John Doe,OU=Users,DC=acmelabs,DC=internal).
  • Developer:
    • All users in the Rhapsody Developers LDAP group (CN=Rhapsody Developers,OU=Groups,DC=acmelabs,DC=internal).
    • All users in the Rhapsody DevOps LDAP group (CN=Rhapsody DevOps,OU=Groups,DC=acmelabs,DC=internal).
    • Richard Roe (CN=Richard Roe,OU=Users,DC=acmelabs,DC=internal).
  • Monitoring:
    • All users in the Rhapsody Monitors LDAP group (CN=Rhapsody Monitors,OU=Groups,DC=acmelabs,DC=internal).
    • All users in the Rhapsody DevOps LDAP group (CN=Rhapsody DevOps,OU=Groups,DC=acmelabs,DC=internal).
    • Richard Roe (CN=Richard Roe,OU=Users,DC=acmelabs,DC=internal).
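The mapping rules above, worked through in Python as an added example (not Rhapsody's own code): it reads the group.N / user.N properties, including the numbered accessGroup.M form, and resolves the access groups a user ends up with. It assumes, as the list above implies, that a user's access groups are the union of every mapping that matches their own DN or one of their group DNs, and that DN comparison is exact and case-sensitive. The mapping text is constructed from the example in this section.

```python
import re

# Constructed mapping section, matching the example in the text above.
MAPPINGS = """\
group.1.dn=CN=Rhapsody Admins,OU=Groups,DC=acmelabs,DC=internal
group.1.accessGroup=Administrator
group.4.dn=CN=Rhapsody DevOps,OU=Groups,DC=acmelabs,DC=internal
group.4.accessGroup.1=Developer
group.4.accessGroup.2=Monitoring
user.1.dn=CN=John Doe,OU=Users,DC=acmelabs,DC=internal
user.1.accessGroup=Administrator
user.2.dn=CN=Richard Roe,OU=Users,DC=acmelabs,DC=internal
user.2.accessGroup.1=Monitoring
user.2.accessGroup.2=Developer
"""

def parse_properties(text):
    """key=value lines split on the first '=' only (DNs contain '=' themselves)."""
    return dict(line.split("=", 1) for line in text.splitlines()
                if line.strip() and not line.startswith("#"))

def load_mappings(props):
    """Return {'group': {dn: {access groups}}, 'user': {dn: {access groups}}}."""
    maps = {"group": {}, "user": {}}
    key_re = re.compile(r"(group|user)\.(\d+)\.accessGroup(?:\.\d+)?")
    for key, value in props.items():
        m = key_re.fullmatch(key)
        if not m:
            continue
        kind, n = m.groups()
        dn = props.get(f"{kind}.{n}.dn")
        if dn is None:  # an accessGroup without its dn is a broken mapping, not a silent no-op
            raise ValueError(f"{key} has no matching {kind}.{n}.dn")
        maps[kind].setdefault(dn, set()).add(value)
    return maps

def resolve_access_groups(maps, user_dn, member_of):
    """Access groups granted to a user: the union of any mapping on the user's own DN
    and the mappings of every LDAP group DN in member_of. Matching is exact, so a
    DN that differs only in case grants nothing (assumed union semantics)."""
    granted = set(maps["user"].get(user_dn, ()))
    for group_dn in member_of:
        granted |= maps["group"].get(group_dn, set())
    return granted
```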

Administrator Login on Failure

This property enables or disables the ability of the Administrator user to log in if the LDAP server is unavailable. This property is false by default. Note that if LDAP is enabled, all local user accounts are disabled, including the Administrator user.

Enabling this property may reduce the security of your engine unless the Administrator password is secure.

## Allow the "Administrator" user to login when the LDAP server is unreachable. If this property
## is enabled the Administrator user should have a secure password. To update the password for
## the Administrator user LDAP needs to be disabled then enabled again once the change is made.
#ldap.failover.administrator.enabled=false