AD integration for sAMAccountName #1380

Closed
ambuj369 opened this issue Dec 6, 2019 · 4 comments

ambuj369 commented Dec 6, 2019

Hello All,

I am trying to integrate Active Directory with Atlas. But there are certain constraints to it:

  1. I won't be using <security.ad.principalSuffix>
  2. I want to integrate sAMAccountName
  3. I have specified the following in settings.xml
    <security.ad.url>ldap://url/</security.ad.url>
    <security.ad.searchBase>DC=xxx,DC=yyy,DC=zzz</security.ad.searchBase>
    <security.ad.principalSuffix></security.ad.principalSuffix>
    <security.ad.system.username>user</security.ad.system.username>
    <security.ad.system.password>password</security.ad.system.password>
    <security.ad.searchFilter></security.ad.searchFilter>
    <security.ad.ignore.partial.result.exception>true</security.ad.ignore.partial.result.exception>
    <security.ad.result.count.limit>30000</security.ad.result.count.limit>
    <security.ad.default.import.group>Source user (omop_cdm)</security.ad.default.import.group>
    <security.ad.searchString>(&amp;(objectClass=person)(sAMAccountName=%s))</security.ad.searchString>
    <security.ad.userMapping.usernameAttr>sAMAccountName</security.ad.userMapping.usernameAttr>
  4. I am able to login to Atlas using username@yyy.zzz which I don't want to use at all
  5. I do not want to use PrincipalName; instead I want to use sAMAccountName so I can have only the relevant audience log in to Atlas.

Please let me know if there are any additional settings which I missed or which are required.

Also, I want to enable logs for WebAPI in Linux, as this link https://github.com/OHDSI/WebAPI/wiki/WebAPI-Installation-Guide has it for Windows

Please someone address this issue ASAP.

Thank You
Ambuj
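
As an added example (not part of the original post and not WebAPI's own code), this sketch checks that a login is a bare sAMAccountName and substitutes it into the `security.ad.searchString` template from the post with RFC 4515 filter escaping. The function names and the choice to reject `@` logins are assumptions for illustration.

```python
import re

# Search template copied from the security.ad.searchString setting in the post.
SEARCH_STRING = "(&(objectClass=person)(sAMAccountName=%s))"

# RFC 4515: these characters must be written as \XX inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Characters Active Directory does not accept in a sAMAccountName, plus "@",
# which is rejected here by policy so UPN-style logins (user@domain) fail early.
_SAM_FORBIDDEN = re.compile(r'["/\\\[\]:;|=,+*?<>@]')


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def is_sam_account_name(login: str) -> bool:
    """True if login looks like a bare sAMAccountName, not a UPN or DOMAIN\\user."""
    if not login or len(login) > 20 or login.endswith("."):
        return False
    return login.isprintable() and not _SAM_FORBIDDEN.search(login)


def build_search_filter(login: str, template: str = SEARCH_STRING) -> str:
    """Validate the login, then fill the %s slot of the template with it."""
    if not is_sam_account_name(login):
        raise ValueError("login is not a bare sAMAccountName")
    return template % escape_filter_value(login)


if __name__ == "__main__":
    # Constructed sample logins, not taken from the issue.
    for login in ("jdoe", "j(smith)", "jdoe@yyy.zzz", "YYY\\jdoe"):
        try:
            print(login, "->", build_search_filter(login))
        except ValueError as exc:
            print(login, "-> rejected:", exc)
```

Parentheses are legal in a sAMAccountName, so the escaping step still matters after validation: without it, `j(smith)` would produce an unbalanced filter.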


ambuj369 commented Dec 7, 2019

@anthonysena @pavgra
Tagging to get early response on this. Need suggestion.

@anthonysena
Collaborator

@ambuj369 - I think you've listed off all of the relevant settings as described on the wiki (https://github.com/OHDSI/WebAPI/wiki/Security-Configuration#active-directory-ad) and also as described in some of your questions on #1373. It seems your requirements are specific and without knowing your environment, I think this will be hard to solve. Since this is an open-source project, you are welcome to make some code modifications that address your concerns and push that branch for review.

As for Tomcat logging, the instructions provided in the wiki are a quick way to get things working on Windows. I'd suggest looking at the Tomcat documentation to understand how to best configure logging in your environment: http://tomcat.apache.org/tomcat-8.5-doc/logging.html. Hope this helps.

@ambuj369
Author

@anthonysena
It picked up the settings and is working now. But the username is getting displayed after login.

How can we change it to show display name? I have display name attribute set as displayname as in Active Directory. But no luck so far. How to fix it?

Also, I have a question unrelated to this post:
Is there a way we can change the default "public" role that gets assigned to every first login? I would like to change it to "Source user (omop_cdm)".

@anthonysena
Collaborator

@ambuj369 - I believe that to have the user name display instead of a login would require a change to the Atlas JavaScript code. I'd have to look into it but presumably both the login and display name are returned to Atlas via WebAPI so perhaps it is a matter of making that change to see if it works for you?

I believe that you can change the default "public" role via Atlas. Try going to Configuration -> Manage Permissions -> select the "public" role -> Permissions Tab -> search for the "source key" in the list of permissions. Looking at this in my environment, we don't currently support role to role mapping. Meaning, you can't say "anyone in the public role also gets the Source User role". You'd have to copy over the same permissions between the Source User role to the public role for now.

@anthonysena anthonysena self-assigned this Dec 17, 2019
@anthonysena anthonysena added this to the V2.8.0 - Backlog milestone Dec 17, 2019
@anthonysena anthonysena added this to TO DO in Atlas v2.8 via automation Dec 17, 2019
@anthonysena anthonysena removed this from TO DO in Atlas v2.8 Sep 29, 2020
@anthonysena anthonysena removed this from the [LEGACY] 2.x Backlog milestone Feb 14, 2023