
Secure DPF Tracker


Activate the Users and Rights Management


By default, every user may execute all operations in DPF Tracker. To restrict this, you can require users to log on before they perform specific operations, such as deleting jobs, or view additional information, such as the job size.

DPF Tracker and SEALCC use the same users and rights management.

Literature - SEALCC documentation

For more information about the users and rights management of DPF Tracker and SEALCC, refer to SEAL Control Center - System Description, Chapter 6 Access Control.

After restarting DPF Tracker, the login field is displayed in the user interface. The user must now log on before executing restricted operations.

The configuration file for the users and rights management is %SEAL_CUSTOMDIR%\server\web\conf\passwd.cfg

Hint - no configuration

If your configuration changes do not have any effect, check if the passwd.cfg configuration file is located in the correct directory: %SEAL_CUSTOMDIR%\server\web\conf\passwd.cfg


Connect a Directory Service (LDAP, AD)

Requirements

The following requirements are needed to connect DPF Tracker to a directory service:


Instructions

This is how you configure the connection from DPF Tracker to a directory service:

  1. Edit the following configuration file:

    %SEAL_CUSTOMDIR%\server\web\conf\passwd.cfg
    
  2. In the [GLOBAL] section, specify that a directory service is used for authentication:

    LDAP = Y
    
  3. In the [GLOBAL] section, specify the connection data, filter and search parameters for the directory service:

    LDAP_SERVER = server
    LDAP_PORT = port
    LDAP_BASE = base
    LDAP_VERSION = version
    LDAP_SEARCH_DN = search_user_dn
    LDAP_USER_DN = user_dn
    LDAP_USER_FILTER = user_filter
    LDAP_GROUP_FILTER = group_filter
    LDAP_GROUP_ATTRIBUTES = attribute
    
  4. In the [GLOBAL] section, specify the group to which a user is assigned if an explicit mapping does not exist for them:

    LDAP_GROUP_DEFAULT = sealcc_group
    
  5. If required and desired, map SEALCC and LDAP groups in the [GROUP_MAPPING] section:

    [GROUP_MAPPING]
    ldap_group1 = sealcc_group1
    ldap_group2 = sealcc_group2
    ldap_group3 = sealcc_group3
    ...
    
  6. Run the following command to enter the password of the search user, which is stored encrypted in LDAP_SEARCH_PWD:

    tools\sealcc\ldaptest.pl -storepwd -user user
    
  7. As a result, the group mapping for the user logged on to DPF Tracker is looked up using the specified search user.


Example

Example - connection from DPF Tracker to LDAP

[GLOBAL]
LDAP = Y
LDAP_SERVER = roettvmwl
LDAP_PORT = 389
LDAP_BASE = dc=maxcrc,dc=com
LDAP_VERSION = 3
LDAP_SEARCH_DN = CN=searchuser,DC=test,DC=local
LDAP_SEARCH_PWD = encrypted
LDAP_USER_DN = ou=users,dc=test,dc=com
LDAP_USER_FILTER = (&(objectclass=*)(uid=%user%))
LDAP_GROUP_DN = ou=groups,dc=test,dc=com
LDAP_GROUP_FILTER = (&(objectclass=groupOfNames)(member=uid=%user%,ou=users,dc=test,dc=com))
LDAP_GROUP_ATTRIBUTES = cn
LDAP_GROUP_DEFAULT = USER
[GROUP_MAPPING]
Support = USER
Sysadmin = ADMINISTRATOR

Test the Connection

Check if the connection to the directory service is working with the following command:

tools\sealcc\ldaptest.pl -user search_user

If the test with ldaptest.pl is successful, the connection in SEALCC and DPF Tracker works as well.


Configure the Privileges

The privileges distinguish between operations on a user's own jobs and operations on all jobs.

By default, the users may list their own jobs.

Requirements

The users and rights management must have been activated, refer to Activate the Users and Rights Management.

Instructions

This is how you configure the user privileges:

  1. Edit the following configuration file:

    %SEAL_CUSTOMDIR%\server\web\conf\passwd.cfg
    
  2. To configure privileges for all users, specify them in the [DPFTRACKER] section:

    [DPFTRACKER]
    TRACKER = privilege1 privilege2 ...
    
  3. To configure privileges for users of a specific user group, specify the keyword in the section of the user group:

    [group_name]
    TRACKER = privilege1 privilege2 ...
    
  4. The change takes effect immediately after saving the passwd.cfg configuration file.

    Hint - no configuration

    If your configuration changes do not have any effect, check if the passwd.cfg configuration file is located in the correct directory: %SEAL_CUSTOMDIR%\server\web\conf\passwd.cfg.


Example

All users may list their own jobs; for own jobs, only the IP address must match. The users of the USER user group may list and change their own jobs. The users of the ADMINISTRATOR user group may do everything with all jobs:

[DPFTRACKER]
TRACKER = READ_OWN MATCH_IP
...
[USER]
TRACKER = READ_OWN CHANGE_OWN
...
[ADMINISTRATOR]
TRACKER = ALL READ_OWN CHANGE_OWN BULK_CHANGE
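
The following Python script is an added example, not part of the SEAL documentation or tooling. It reads a passwd.cfg-style text and reports whether the sections that apply without an explicit mapping ([DPFTRACKER] and the LDAP_GROUP_DEFAULT group) grant more than own-job privileges, and whether a [GROUP_MAPPING] target has no TRACKER entry. The INI-style parsing, the classification of READ_OWN, CHANGE_OWN and MATCH_IP as own-job keywords, and the OPERATOR group in the sample are assumptions based on the examples on this page.

```python
import configparser

# Constructed sample in this page's format (not a real deployment).
SAMPLE_CFG = """\
[GLOBAL]
LDAP = Y
LDAP_GROUP_DEFAULT = USER
[GROUP_MAPPING]
Support = USER
Sysadmin = ADMINISTRATOR
Operators = OPERATOR
[DPFTRACKER]
TRACKER = READ_OWN MATCH_IP
[USER]
TRACKER = READ_OWN CHANGE_OWN
[ADMINISTRATOR]
TRACKER = ALL READ_OWN CHANGE_OWN BULK_CHANGE
"""

# Assumption: of the keywords shown on this page, these concern own jobs only.
OWN_ONLY = {"READ_OWN", "CHANGE_OWN", "MATCH_IP"}

def tracker_privs(cp, section):
    """TRACKER keywords of a section, or None if section or key is absent."""
    if not cp.has_option(section, "TRACKER"):
        return None
    return set(cp.get(section, "TRACKER").split())

def audit(text):
    """Return review findings for a passwd.cfg-style text."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep the case of keywords and group names
    cp.read_string(text)
    findings = []
    # Sections that apply without an explicit mapping: all users, fallback group.
    default = cp.get("GLOBAL", "LDAP_GROUP_DEFAULT", fallback=None)
    for label, section in (("all users", "DPFTRACKER"), ("fallback group", default)):
        broad = (tracker_privs(cp, section) or set()) - OWN_ONLY if section else set()
        if broad:
            findings.append(f"{label} [{section}] grants {sorted(broad)}")
    # Every mapping target should have privileges configured in its own section.
    if cp.has_section("GROUP_MAPPING"):
        for ldap_group, cc_group in cp.items("GROUP_MAPPING"):
            if tracker_privs(cp, cc_group) is None:
                findings.append(f"{ldap_group} -> {cc_group}: no TRACKER in [{cc_group}]")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CFG):
        print(finding)
```

A real passwd.cfg may contain lines this parser does not accept, so treat a parsing error as a prompt to review the file by hand.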
