ODK2 Sync - Active Directory Settings for security.properties

gt3o0o · February 15, 2019, 1:12am

I can’t believe there are no examples for this. I have tried many combinations with no luck. If anyone has done this before please let me know if I made any mistakes:

security.server.secureChannelType=ANY_CHANNEL
security.server.channelType=ANY_CHANNEL
security.server.hostname=odkv2.affengeld.ch

currently supported options are activeDirectory, ldap and dhis2

security.server.authenticationMethod=activeDirectory

Settings for both Active Directory (ldap) and LDAP Authentication

Username and password for doing read-only queries.

For activeDirectory, use username@domain

For LDAP, use dn

security.server.ldapQueryUsername=readonly-queries@affengeld.ch
security.server.ldapQueryPassword=R3ad0Nly123

Exclude Active Directory (ldap) and LDAP groups that don’t begin with groupPrefix + space + …

For those that do, replace all punctuation and spaces with underscore and replace

the groupPrefix with GROUP_ The resulting group membership will be propagated down

to the device during a sync.

security.server.groupPrefix=default_prefix

Settings for ActiveDirectory Domain Controller

NOTE: the DC Url should ALWAYS be ldaps

The bind authentication uses basic auth and therefore is not

secure unless a TLS channel is used (i.e., ldaps).

security.server.ldapDomainDClevel2=affengeld
security.server.ldapDomainDClevel1=ch
security.server.ldapDomain=${security.server.ldapDomainDClevel2}.${security.server.ldapDomainDClevel1}
security.server.ldapDomainControllerUrl=ldaps://${security.server.ldapDomainDClevel2}.${security.server.ldapDomainDClevel1}
security.server.ldapDomainDC=DC=${security.server.ldapDomainDClevel2},DC=${security.server.ldapDomainDClevel1}

Settings for LDAP Authentication

enter in this format ldaps://LDAP_ADDRESS:636/

security.server.ldapUrl=ldaps://172.16.20.201:636
security.server.ldapBaseDn=dc=affengeld,dc=ch
security.server.ldapPooled=false
security.server.userSearchBase=ou=Zurich-Benutzer
security.server.groupSearchBase=ou=${security.server.groupPrefix},ou=Afg-Gruppen
security.server.groupRoleAttribute=cn
security.server.userFullnameAttribute=givenName
security.server.usernameAttribute=uid

{0} is username entered during basic auth

security.server.userDnPattern=${security.server.usernameAttribute}={0},${security.server.userSearchBase}

{0} is user dn, {1} is username, this filter is for searching groups that a user belongs to

security.server.memberOfGroupSearchFilter=(memberUid={1})

{0} is groupPrefix, {1} is groupRoleAttribute, this filter is for searching all groups

security.server.serverGroupSearchFilter=(&(objectClass=posixGroup)({1}={0} *))

Settings for DHIS2 Authentication

security.server.dhis2ApiUrl=http://YOUR_DHIS2_SERVER/api/VERSION

a DHIS2 user with privilege to enumerate organizaion units, groups and users

security.server.dhis2AdminUsername=YOUR_ADMIN_USERNAME
security.server.dhis2AdminPassword=YOUR_ADMIN_PASSWORD

name of a DHIS2 orgnaization unit / group to assign Sync Endpoint Site Admins role to

security.server.dhis2SiteAdmins=ODK_SITE_ADMIN
security.server.dhis2AdministerTables=ODK_ADMIN_TABLES
security.server.dhis2SuperUserTables=ODK_SUPER_USER_TABLES
security.server.dhis2SyncTables=ODK_SYNC_TABLES
security.server.dhis2FormManagers=ODK_FORM_MNGR
security.server.dhis2DataViewers=ODK_DATA_VIEWERS
security.server.dhis2DataCollectors=ODK_DATA_COLLECTORS

wink.handlersFactoryClass=org.opendatakit.aggregate.odktables.impl.api.wink.AppEngineHandlersFactory

realm definition

realmString – what should be sent to users when BasicAuth or DigestAuth is done

security.server.realm.realmString=affengeld.ch AFG ODK Sync Endpoint

sync.preference.appName=default
sync.preference.anonymousTablesSync=false
sync.preference.anonymousAttachmentAccess=false