User administration

Overview

In user administration, you group all users together who have the same user profile into user groups, such as "administrators", "internal users" or "external users":

In the user files, you define individual attributes for each user, especially the membership to a user group and the password.
In the group files, you define the profile of the user group using attributes such as "is allowed to write files on the server" or "is allowed to change password".
You can define most attributes for individual users as well as entire user groups; however, user attributes have priority.
You can define other details of the profile, such as keyboard settings, at a later time in the form of templates and auto-start macros in the file system.

User administration enables you to increase your host access security because users must already identify themselves at the front-end LogWeb/Ajax server. The server not only acts as an application firewall in front of your host system but also filters out unauthorized login attempts.

An "empty user administration service" is preconfigured and comes standard; you can use this immediately for initial tests:

Users do not need to enter a user name when logging in.
These users are automatically logged in as "default" users in the "default" group.
All users can save data on the server.
The (global) user directoryuserdb/data/userdata/default is used for this purpose.
In addition, an "admin" user in the "admin" group is set up with special rights.
The group directory userdb/data/groupdata/admin already contains prepared demo connectivity files.

For system operation, you have the following options:

If you have no special requirements, you can continue to use the "empty user administration service".
If required, you can simply customize this by entering the users and groups needed.
If you already use LOG-WEB user administration, you can select this and continue to use it unmodified.
If you manage your users in a LDAP or ActiveDirectory server, you can select this and use these servers for LogWeb/Ajax as well.
If you already use another user administration service, such as web portal integration or LDAP and ActiveDirectory, you can integrate these services here.

Note:

The delivered package includes a few configuration examples in the userdb directory.
If you want to customize these configurations or use them later for system operation, you must change the profile path and the data path in the basic settings and reference the directories that are not part of the Web applications. This enables easier updates and backups in the future.

Whatever you decide, we will be pleased to assist and support you with any required customizations.

Configuration examples

As delivered, the directory

userdb

contains examples for defining user files and group files that you activate by entering the corresponding basic settings:

userdb/empty: Contains a configuration example for an "empty user administration service". This example is a default setting and can be used immediately for initial tests:
```
UserDatabase = file
UserProfiles = userdb/empty/users
GroupProfiles = userdb/empty/groups
```
userdb/logweb: Contains a configuration example for using an existing LOG-WEB user administration. You must add the specific type and the path to your LOG-WEB user directory, for example
```
UserDatabase = logweb
UserProfiles = //logweb73/server/config/user
GroupProfiles = userdb/logweb/groups
```
userdb/ldap: Contains a configuration example for using an existing LDAP or ActiveDirectory user administration. You must add the specific type and the path to your group directory, for example
```
UserDatabase = ldap
# UserProfiles not used
GroupProfiles = userdb/ldap/groups
```
userdb/extern: Contains a configuration example for using an existing external user administration service. For tests, the parameter
```
UserDatabase = file
UserProfiles = userdb/extern/users
GroupProfiles = userdb/extern/groups
```

The common template directories for these examples are found in userdb/data:

UserData = userdb/data/userdata
GroupData = userdb/data/groupdata

Note:

Changes to the basic settings are only applied after the Web application is restarted.
Before system operation, if you want to customize or use one of these examples, you need to save the profile paths and data paths to directories outside of the Web application; this enables easier updates and backups later.

Basic settings: format and paths

You make basic settings for user administration in the central configuration file WEB-INF/ajax.ini:

Parameter	Meaning
`UserDatabase`	Determines the format of user administration: Default setting: `file` The special `LOG-WEB attributes` are transferred to the LOG-WEB server if required. The login name is only transferred to the LOG-WEB server as a comment. Alternative: `logweb` Only the parameters `Group`, `Password`, and `ChangePassword`, as well as all general attributes that begin with an underscore (`_`), are read from the LOG-WEB user files; all other parameters are ignored. The login name is passed to the LOG-WEB server for verification only. Alternative: `ldap` All general attributes are extracted from the group profile.
`UserProfiles`	Directory path to the user profiles `USER.ini` Default setting: `userdb/empty/users` Can also be located outside of the Web application. For `UserDatabase = logweb`, the path to the LOG-WEB user directory must be entered here, for example `c:/logweb73/server/config/user` Not used for `UserDatabase = ldap`
`GroupProfiles`	Directory path to the group profiles `GROUP.ini` Default setting: `userdb/empty/groups` Can also be located outside of the Web application.

Note that changes to this file are only applied after the Web application is restarted. However, you can create, change, or delete profile files for users and groups during operation.

Even if you do not require user administration, do not want to use LOG-WEB user administration, or do not want to integrate another external user administration service, you must specify the path to the user and group profiles because the system then searches for pseudo-files instead for better control.

Note the following when specifying directory paths:

Profile paths can also be located outside of the Web application but must be accessible from the Web application. For example, for UserProfiles you can also reference //myprofiles/companyusers or c:/logweb73/server/config/user.
We recommend that you do this to enable easier updates in the future.

Attributes for users and groups

A few attributes can only be specified in user files or in group files. However, you can assign most attributes for individual users as well as user groups:

Attribute	Meaning
`_WriteUser`	Indicates if the user has write access to his or her user directory. Default setting: `false` Alternative: `true` Regardless of this entry, users who are logged in can always read their own user directories. Missing directories are automatically created when data is created.
`_WriteGroup`	Indicates if the user has write access to his or her group directory. Default setting: `false` Alternative: `true` Regardless of this entry, users who are logged in can always read their own group directories. Missing directories are automatically created when data is created.
`ChangePassword`	Indicates if the user is allowed to create, change, or delete his or her password. Default setting: `false` Alternatives: `true`, `Yes` The password is encrypted and saved as a `Password` attribute in the user profile. Regardless of this entry, an administrator can delete or change every password.
`_ChangeGroup`	Indicates if the user can change his or her group membership at the start of a session. Default setting: `false` (the group cannot be changed) Alternative: `true` (the group can be changed) This entry enables administrators to easily edit the templates and macros of any user group. This entry is required even if an external user administration service is used to specify group membership.

In special cases, you can also assign the following attributes:

Attribute	Meaning
`_CookieMaxAge`	Determines the validity period of the login cookie (value in seconds). < 0: Cookie is only valid for the browser session (default setting) = 0: Login cookie is not used > 0: Validity period in seconds (for example, 64800 for 18 hours) Default setting: `-1` ("use session cookie")
`_UseSessionID`	Determines the identifier that is sent to the server for read access to files. Default setting: `true`: An anonymous SessionID is transmitted. The browser is therefore unable to save these accesses in the cache. Alternative: `false`: Each user name and group name is transmitted. This enables the browser to save the data in the cache.
`_AJAX_XXX`	If required, you can enter other "free" parameters that are transmitted to the session and can be evaluated using your own macros.

Note:

You can specify all attributes for individual users and for all user groups.
User parameters have priority over group parameters.
We recommend that you only use group parameters because these are usually easier to manage.

Special LOG-WEB attributes

In special cases, you may use mainframe connections (3270, 5250 and 9750) but do not want to use the LOG-WEB user administration.

In these cases, you can also pass special parameters to the LOG-WEB server in addition to the standard attributes:

Attribute	Meaning
`StationName`	Station name (LU name) of the dialog terminal. If the parameter is set in the user profile, then you need to check the use of LOG-WEB server "pools". You can enter the name of the pool more easily in the group profile or in a connection template.
`PrinterName`	Station name (LU name) of the printer. If the parameter is set in the user profile, then you need to check the use of LOG-WEB server "pools". You can enter the name of the pool more easily in the group profile or in a connection template.
`LOGWEB_XXX`	Passes any parameter `XXX` and its value for the LOG-WEB server to evaluate. Example: Using the parameter LOGWEB_StationName = TERM0001 the station name `TERM0001` is passed: StationName = TERM0001

Defining users: `USER.ini` files

With the parameter UserProfiles in the basic settings, you specify the path to your user files. For each authorized user, you create a text file in this directory using the corresponding user name, for example, meier.ini.

Note:

User files and group files are simple text files in INI format.
The names of user files and group files are always saved in lower case; special characters or spaces are not permitted.
When logging in to the system, the user name is converted into lower case.
For internal control, the pseudo user files _ANY_.ini and _DEFAULT_.ini are used if required.

Special entries in user files:

Attribute	Meaning
`Group` or `_Group`	Name of the user group for this user. Mandatory, except in the pseudo user file `_ANY_.ini`. Example: `guest` For compatibility reasons, file names can be entered in the form `xxx/guest.ini`. Note that the corresponding group file must be available (here also: `//GroupProfiles/guest.ini`). The `_Group` parameter has priority over `Group`. The parameter can also be set in the LOG-WEB user files.
`Password`	Optional: encrypted password for this user. Example: `19A7..` Default setting: empty (no password) Users can only change, delete, or create their own passwords if you have permitted that in the ChangePassword parameter. An administrator can delete or create a password at any time by setting the parameter in the user file. Password entries are case-sensitive.
`_User`	Special case for redirects: Assigns another user name. In this case, the user file is only used as a placeholder. The final user attributes are derived from the given reference instead. Example: see "Pseudo user file `_DEFAULT_.ini`"

As an exception, you can also enter general attributes that give individual users priority over your attributes in the group file.

Example of a simple user file:

# user profile extern.ini
Group    = extern
Password = 19A7..

You can find other examples under Configuration examples.

Defining user groups: `GROUP.ini` files

You use the GroupProfiles parameter to specify the path to your group files. For each user group, you create a single text file in this directory under the corresponding user name, for example extern.ini.

Note:

User files and group files are simple text files in INI format.
The names of user files and group files are always saved in lower case; special characters or spaces are not permitted.
For internal control, the pseudo group files _ANY_.ini and _DEFAULT_.ini are used if required.

In the group file, you can specify the general attributes mentioned previously. These are then valid for all users of this group, as long as they are not revoked in the user parameters.

Special entries in group files:

Attribute	Meaning
`_Group`	Special case for redirects: Assigns another group name. In this case, the user file is only used as a placeholder. The final group attributes are derived from the given reference instead. Example: see "Pseudo group file `_ANY_.ini`" The parameter can also be set in the LOG-WEB user files.
`_AutoCreateGroup`	Special case: Automatically creates a missing group profile. See LOG-WEB user administration.

Example of a group file:

# group profile extern.ini
_WriteUser = true
ChangePassword = true

You can find other examples under Configuration examples.

Pseudo user file `_ANY_.ini`

The pseudo user file _ANY_.ini is always used if an unknown user name is entered during login.

If the pseudo user file is missing, the user cannot log in.
If the pseudo user file exists, then the parameters contained in the file are used.

The pseudo user file _ANY_.ini is used for an existing external user administration tool:

# pseudo user file _ANY_.ini accepts any user name from external service
    # no individual user profile created

Pseudo user files `_DEFAULT_.ini`

The pseudo user file _DEFAULT_.ini is always used if no user name is entered during login.

If the pseudo user file is missing, the user cannot log in without entering a user name.
If the pseudo user file exists, then the parameters contained in the file are used.

For example, the user file _DEFAULT_.ini is used to implement an empty user administration service, where it redirects to an (existing) default user:

# pseudo user file _DEFAULT_.ini accepts missing user name and redirects to user "default"
_User = default

Pseudo group file `_ANY_.ini`

The pseudo group file _ANY_.ini is always used if an unknown group name is transmitted.

If the pseudo group file is missing, the user cannot log in.
If the pseudo group file exists, then the parameters contained in the file are used.

For example, the pseudo group file _ANY_.ini is used to connect to an existing LOG-WEB or external user administration service:

# pseudo group file _ANY_.ini accepts any group name
# note: user profiles are accessed via LOG-WEB server
_WriteUser = true

Pseudo group file `_DEFAULT_.ini`

The pseudo group file _DEFAULT_.ini is always used if no user name is entered during login.

If the pseudo group file is missing, the user cannot log in without entering a group name.
If the pseudo group file exists, then the parameters contained in the file are used.

The pseudo group file _DEFAULT_.ini is used if an external user administration tool does not provide a group name and redirects to an existing default group:

# pseudo group file _DEFAULT_.ini accepts missing group name
# redirects to group "default"
_Group = default

Working without user administration

If you want to work without using a user administration tool, you must enter "empty" parameters. The configuration example userdb/empty is already provided with the basic settings.

UserDatabase = file
UserProfiles = userdb/empty/users
GroupProfiles = userdb/empty/groups

This configuration example is pre-configured and contains a empty sample user administration service. The configuration can be used immediately for initial tests:

Users do not need to enter a user name when logging in.
These users are automatically logged in as "default" users in the "default" group.
All users can save data on the server.
The (global) user directoryuserdb/data/userdata/default is used for this purpose.
For tests, an "admin" user in the "admin group is defined with special rights.
The group directory userdb/data/groupdata/admin already contains prepared demo connectivity files.

The directory userdb/empty contains the following profile files for this purpose:

userdb
|
+-- empty
|   +-- users
|   |       _DEFAULT_.ini
|   |           _User = default         
|   |       default.ini
|   |           _Group = default        
|   |       admin.ini
|   |           _Group = admin          
|   |
|   \-- groups
|           default.ini
|               _CookieMaxAge = 0       
|               _WriteUser = true       
|           admin.ini
|               _WriteUser = true       
|               _WriteGroup = true      
|               _ChangeGroup = true     
|               _ChangePassword = true  
...

Meaning of profile files

Pseudo user file userdb/empty/users/_DEFAULT_.ini
```
# pseudo user file _DEFAULT_.ini accepts missing user name
# redirects to (existing global) user "default"
_User = default
```
Meaning:
- Users can log in without entering a user name. In this case, the user name "default" is used instead.
- All further information is determined using the user file default.ini.
Global user file userdb/empty/users/default.ini
```
# global user profile default.ini
Group = default
```
Meaning:
- Defines the "default" user.
- All further information is determined using the group file default.ini.
Global group file userdb/empty/groups/default.ini
```
# global group profile default.ini has all (possible) privileges
_CookieMaxAge = 0
_WriteUser    = true
```
Meaning:
- Defines the "default" group.
- Optional: Do not use cookies to save the login name
  (because the user does not enter a name).
- Optional: All users are allowed to write their own files to the common user directory //UserData/default.
- Users are not allowed to write to the group directory //GroupData/default
  (because only one "default" group and one "default" user exist that already have write permissions assigned for the only user directory //UserData/default).

For tests, the empty user administration service also has an "admin" user with special rights:

User file userdb/empty/users/admin.ini
```
# user profile admin.ini has special privileges
Group = admin
```
Meaning:
- Defines the "admin" user in the "admin" group.
- All other parameters are found in the "admin" group.
Group file userdb/empty/groups/admin.ini
```
# group profile admin.ini has special privileges
_WriteUser=true
_WriteGroup=true
_ChangeGroup=true
ChangePassword=true
```
Meaning:
- Defines the privilege settings for all users of the "admin" group.
- Administrators can modify their own templates.
- Administrators can also modify group templates.
- Administrators can change their group membership in order to access other group templates.
- Administrators can set up and change their own password.

The administrator group directory //GroupData/admin also contains the connection templates for quick tests

userdb
|
+-- data
|   +-- groupdata                             // group data
|   |   \-- admin                             // only for admin group
|   |       \-- _login                        // connection templates
|   |               3270-offline.ini
|   |               5250-offline.ini
|   |               9750-offline.ini
|   |               sinix-offline.ini
|   |               telnet-online.ini
|   |               unix-offline.ini
|   |               vt-offline-trcselect.ini
|   |
|   \-- userdata                              // no user data
...

If required, you can expand this example to create and implement a complete user administration tool:

Create a user profile for each user and define the group assignment, similar to the process in the example for administrators.
For each of your user groups, create a group profile with the corresponding attributes.
If you delete the pseudo user file, userdb/empty/users/_DEFAULT_.ini, all users will need to log in to the system.
You can also create, change, or delete all profile files when the system is running.

Continuing use of LOG-WEB user administration

If you have already set up LOG-WEB user administration, you can continue using this without problems. To do this:

In the basic settings, for UserDatabase, enter "logweb" as the type:
```
UserDatabase = logweb
```
This enables the login name to be forwarded to LOG-WEB and also enables LOG-WEB to perform the corresponding tests.
In the basic settings, for UserProfiles, enter your LOG-WEB user directory, for example:
```
UserProfiles = c:/logweb73/server/config/user
```
During login, the system searches in this directory for a user file with the corresponding user name.
During login, user administration extracts the following parameters from the LOG-WEB user files:
- Group: Contains the name of the (LOG-WEB) user group and is used as the default group name for LogWeb/Ajax.
- Password: Contains the encrypted password for a specific user.
- ChangePassword: Controls the password change as described previously.
- All general attributes that begin with underscore _.
  These are not interpreted by LOG-WEB; you can therefore enter these attributes in LOG-WEB user files at a later time for special cases.
In addition to the LOG-WEB parameter
```
Group = group/demo.ini
```
if you also enter
```
_Group = admin
```
the corresponding user still belongs to the demo group in LOG-WEB but has the admin group profile for LogWeb/Ajax.
If required, you can also enter
```
_WriteGroup = true
```
to allow the user to modify his or her group configuration as an exception.

The configuration example userdb/logweb provided shows an example of how LOG-WEB user administration is integrated:

userdb
|
+-- logweb
|   \-- groups
|           _ANY_.ini
|               _AutoCreateGroup = true 
|               _WriteUser = true       
...

The directory userdb/logweb/users is not entered here:
All user files are read without changes from the given path of the LOG-WEB server.
Pseudo group file userdb/logweb/groups/_ANY_.ini
```
# pseudo group file _ANY_.ini accepts any group name
# note: user profiles are accessed via LOG-WEB server
_AutoCreateGroup = true
_WriteUser       = true
```
Meaning:
- Each LOG-WEB group name is permitted and used accordingly.
- Optional: During initial use, a group profile is automatically created with this name. This can enable administrators to easily assign group attributes at a later time.
- Optional: All users are allowed to write their own files to their corresponding directories //UserData/USER.

Note:

You can continue to use the LOG-WEB user files for LogWeb/Ajax, but you cannot use the LOG-WEB group files, because the group files only contain data for internal application selection dialogs in LOG-WEB.
In the basic settings, for GroupProfiles, you do not enter the LOG-WEB group directory; instead, you always reference your own directory.

Using LDAP or ActiveDirectory

If you manage your users in a LDAP or ActiveDirectory server, you can use these servers for LogWeb/Ajax as well.

In the basic settings, for UserDatabase enter the type "ldap":

UserDatabase = ldap
GroupProfiles = userdb/ldap/groups

This enables the login name to be forwarded to the LDAP or ActiveDirectory server and also enables this server to perform the corresponding tests.

Since LogWeb/Ajax does not support the membership of a user in multiple groups, you use the supplied sample configuration userdb/ldap:

userdb
|
+-- ldap
|   \-- groups
|           _DEFAULT_.ini
|               _Group = default        
|           default.ini
|               _CookieMaxAge = 0       
|               _WriteUser = true       
...

With this, all users are assigned to the group "default".

LDAP or ActiveDirectory server access is configured in the file WEB-INF/LdapConfig.ini with the following properties:

Attribute	Meaning
`de.logics.logwebAppV3.login.LdapSpi`	Java class name implementing LDAP or ActiveDirectory server access. Default Setting: de.logics.logwebAppV3.login.LdapExample Please do not modifiy!
`domain.server.url`	URL of the domain server. Example: ldap://my.company.com:389
`domain.fast.binding`	A value of "true" enables "fast binding" for connecting to the domain server.
`domain.return.attributes`	Comma or space separated list of attributes to be returned. Example: cn, sAMAccountName
`global.server.url`	URL of the global catalog. If missing, `domain.server.url` will be used instead.
`global.username`	User name for connecting to the global catalog.
`global.password`	Password for connecting to the global catalog.
`global.search.base`	Base directory of the users in the global catalog. Example: DC\=company,DC\=com
`global.search.filter`	Filter for seaarching for users in the global catalog. The string ${username} will be replaced by the supplied user name. Example: (&(objectClass\=user)(\|(cn\=${username})(sAMAccountName\=${username})))

Please prefix all equal signs = in parameter values by a back slash \.

Example:

# LDAP configuration file

# Classname of LDAP Service Provider Implementation
de.logics.logwebAppV3.login.LdapSpi = de.logics.logwebAppV3.login.LdapExample

# Configure access to the domain server
domain.server.url = ldap://my.company.com:389
domain.fast.binding = false
domain.return.attributes = cn, sAMAccountName

# Configure access to the global catalog
global.server.url = ldap://my.company.com:3268
global.username = Administrator
global.password = Kennwort
global.search.base = DC\=company,DC\=com
# ${username} will be replaced by the supplied user name
global.search.filter = (&(objectClass\=user)(|(cn\=${username})(sAMAccountName\=${username})))

Please contact our support team for more configuration details. The documentation and an example Java implementation of the interface is available on request.

Using external user administration

If you already use another user administration service, for example, through portal integration or services such as LDAP and ActiveDirectory, you can integrate the service here.

The simplest way to do this is by integrating the user and group names that are checked by the external service, as is shown in the configuration example userdb/extern:

userdb
|
+-- extern
|   +-- users
|   |       _ANY_.ini
|   |                                        // no content
|   \-- groups
|           _ANY_.ini
|               _ChangeGroup = true     
|               _WriteUser = true       
...

Pseudo user file userdb/extern/users/_ANY_.ini

# pseudo user file _ANY_.ini accepts any user name from external service
    # creates individual user data "on the fly"
    # no individual user profile created

Meaning:

Each user name is permitted and also used.
All further information is determined using the group file

Pseudo group file userdb/extern/groups/_ANY_.ini
```
# pseudo group file _ANY_.ini accepts any group name from external service
_ChangeGroup = true
_WriteUser   = true
```
Meaning:
- Each externally given group name is permitted and used.
- Optional: All users can write their own files to their user directory //UserData/USER.

If the external service does not provide group names, a group file _DEFAULT_.ini must also be entered

# pseudo group file _DEFAULT_.ini accepts missing group name from external service
# redirects to existing group "default"
_Group       = default

which redirects to an existing global group default.ini:

# global group profile default.ini has default privileges
_WriteUser		= true

The prerequisite is that all users can only access LogWeb/Ajax after they have been checked by the external service.

Alternatively, closer integration can be achieved by using the LogWeb/Ajax login interfaces. Contact us to discuss your requirements, we will be pleased to support you in planning and implementing this task.

User administration

Overview

Configuration examples

Basic settings: format and paths

Attributes for users and groups

Special LOG-WEB attributes

Defining users: USER.ini files

Defining user groups: GROUP.ini files

Pseudo user file _ANY_.ini

Pseudo user files _DEFAULT_.ini

Pseudo group file _ANY_.ini

Pseudo group file _DEFAULT_.ini

Working without user administration

Continuing use of LOG-WEB user administration

Using LDAP or ActiveDirectory

Using external user administration

Defining users: `USER.ini` files

Defining user groups: `GROUP.ini` files

Pseudo user file `_ANY_.ini`

Pseudo user files `_DEFAULT_.ini`

Pseudo group file `_ANY_.ini`

Pseudo group file `_DEFAULT_.ini`