Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This document covers the Yarngate service setup, LDAP configuration and Browser access

Table of Contents

Info

It is assumed that yarnman has been deployed and installed as per Yarnman Installation and Setup for standalone install

Note that the authentication setup requires specific configuration for Yarngate

Yarngate Authentication setup

Note

Yarngate MUST use a LDAP authentication policy, local DB authentication policy cannot be used and if configured the Yarngate service will not start

Yarngate

...

Authentication Database

  1. From Administration Menu select Databases to create an authentication database

    Image Added
  2. Name the LDAP authentication database

    Image Added
  3. Configure the required roles

    Image Added
  4. Configure the required roles for yarngate application, it is expected that there would be both a Yarngate-Admin and Yarngate-User. These permissions control what options are available in the yarngate application after a user is Authenticated and Authorised. Repeat this process for as many roles as required

...

Yarngate Authentication

  1. Create Authentication Policy

  2. Image Added

    Name the authentication policy and select Authentication Method LDAP + Database with Roles

    Image Added
  3. Select Linked authentication Database created previously for Yarngate

    Image Added

  4. Configure LDAP authentication

    Image Added
    1. The LDAP server address should be in the format LDAPS://<FQDN>:<port> - Note that LDAP:// can be used but passwords will not be encrypted in transit

    2. Verify TLS/SSL certificates can be enabled - Note that the LDAPS server certificate or trusted root CA certificate must be uploaded via the administration app

    3. LDAP username match regex can be used to match username formats - This is a generic username match regex that can be adjusted as needed(^[A-Za-z0-9]+(?:[ _-][A-Za-z0-9]+)*$)

    4. LDAP replace regex allows to adding prefixes/suffices to suit the authentication requirements such as adding a domain suffix

  5. Save the authentication policy - Note that new tabs will now become visible

  6. Configure LDAP authorisation and roles

    Image Added
    1. The LDAP interface field is optional - this can be used if an out of band check using another LDAP user is required for LDAP user group search on LDAP. If this option is not selected, the LDAP groups are retreived using the authenticated LDAP user

    2. Base DN - provide the base DN for LDAP searches

    3. Username Match Field - this is the LDAP username field used typically sAMAccountName

    4. LDAP group to role mapping - this provide a mapping from LDAP groups to the Autentication Database roles defined previously. The LDAP groups can be entered in as global group name of LDAP distingushed name

Configure Yarngate Service and Browser Access

Note

It is recommended to add a local authentication administration app on a dedicated port if LDAP access will be used on the default HTTPS TCP/443 access - The process is described hereAdding Secondary Local Auth Administration Access as this provides access to yarnman incase of LDAP issues.

The following process assumes that LDAP authentication will be used for the default proxy and administration application

  1. Add the yarngate application service

    Image Added
  2. Configure the yarngate services

    Image Added
    1. Configure service name

    2. Select node/arm

    3. Host should use localhost as yarngate will be behind the proxy service

    4. HTTPS can remain default

    5. Select Authentication policy configured previously for Yarngate

  3. Open the Proxy Service

    Image Added
  4. Select proxy service - service routing

  5. Image Added

    Add the yarngate application and save

    Image Added
  6. Test Access to Yarngate using the LDAP authentication policy

    Image Added
    1. Copy the base path - this will be randomly generated /yarngate-app-16a85c5e89e142e5bebaa547bc5eeda5

    2. Logout of yarnman

    3. browse to the yarngate application https://<yarngate IP address>/<base url>

      • Example https://<yarngate IP address>/yarngate-app-16a85c5e89e142e5bebaa547bc5eeda5

    4. The login prompt should appear

      Image Added
    5. If login is sucessful

      1. proceed to next step

        Image Added
      2. If login is not successful refer to the following LDAP authentication troubleshooting guide LDAP Authentication and Authorisation Troubleshooting or raise a support case including the yarnman logs to resolve before proceeding

  7. Finalise LDAP configuration

    1. Before completing step b. below, it is important to complete one of the following not to lock yourself out of the Administration Application

      1. Create a second administration application as flagged in warning note at the beginning of this section. Process for this may be found here Adding Secondary Local Auth Administration Access

      2. Give Administration Application access to one of the roles created earlier. Open Database created earlier, select Roles, then under Administration Tab, check the app access check box for the required role.

        Image Added
    2. Update default administration application access policy - NOTE that this service will be named Standalone Yarnman Administration App by default

      Image Added
    3. Optionally set the yarngate application to be the default application for the proxy so that when users browse to yarngate and login they will go directly to Yarngate

      Image Added