The EDQ login.properties File

User authentication in EDQ is configured using a file named security/login.properties in the EDQ configuration area. The file may exist in either the 'home' configuration directory or the 'local' configuration directory, or both. If present in both, the settings are merged with the values in the 'local' directory taking precedence. If you need to make changes to the file, always edit a version in the 'local' directory.

The EDQ 'home' configuration area contains a file security/login.properties.template which contains example settings for several types of LDAP integration.

The login.properties file defines a number of 'realms'. Each realm is an independent store of users. The file will start with global settings, followed by settings for each realm. Standard global settings are:

realms = realm1, realm2, …
gss    = false

The realms property defines the list of realms configured in this installation. The names are arbitrary, except that the special realm name 'internal' specifies the EDQ internal user store (user dnadmin etc.).

Setting 'gss' to false turns off advanced Kerberos-style authentication.

The global settings are followed by blocks of realm specific properties, each prefixed with the realm name from the global list. For example, a configuration which uses the internal realm and an LDAP realm could be:

realms               = internal, corpldap
gss                  = false
corpldap.realm       = EXAMPLE.COM
corpldap.ldap.server = dc1.example.com
…

These settings are covered in more detail below.

If more than one realm is defined in login.properties, the EDQ login screens - web console and UIs - will contain a dropdown selector for the realm associated with the username and password.

Static Groups Mapping in login.properties

If you are using an external LDAP user store and do not wish to use the EDQ internal user store, you will face a bootstrapping problem when setting up mappings from LDAP groups to EDQ groups. These mappings are configured in the EDQ web console, which requires an EDQ administrator login. However, an LDAP group mapping to the EDQ Administrators group is required before an LDAP user can log in to EDQ.

To overcome this problem you can define static group mappings in login.properties. The syntax is:

realm.xgmap = exgroup1 -> edqgroup1, exgroup2 -> edqgroup2 …

'realm' is the realm name as listed in the global realms list. Each 'exgroup' is the name of an external LDAP group; each 'edqgroup' is the name of an EDQ group.

Static mappings should be used only to set the initial Administration mapping; other mappings should be configured in the EDQ web console External Groups page.

For example, to map an LDAP group named 'EDQ-ADMINS' to the EDQ Administrators group, add:

corpldap.xgmap = EDQ-ADMINS -> Administrators
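
Because a static mapping grants EDQ administrator rights directly from a file, it is worth reviewing the merged result of the 'home' and 'local' files. The following Python script is an added example, not part of EDQ or of the original page: it merges two files with 'local' taking precedence, lists which external groups receive Administrators, and flags xgmap entries for realms missing from the realms list or mapping to any other group. It assumes plain "key = value" lines and group names without commas; the sample file contents, the 'oldldap' realm and the 'Reviewers' group are constructed for illustration.

```python
# Added example, not Oracle code. Assumes plain "key = value" lines only.
def parse_props(text):
    """Parse key = value lines, skipping blanks and '#' / '!' comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def merge(home_text, local_text):
    """Merge the two files; values from 'local' take precedence."""
    return {**parse_props(home_text), **parse_props(local_text)}

def parse_xgmap(value):
    """'ex1 -> edq1, ex2 -> edq2' becomes [('ex1', 'edq1'), ('ex2', 'edq2')]."""
    pairs = []
    for item in value.split(","):
        ex, sep, edq = item.partition("->")
        if sep and ex.strip() and edq.strip():
            pairs.append((ex.strip(), edq.strip()))
    return pairs

def audit(props):
    """Return (admin_mappings, findings) for the static xgmap settings."""
    realms = [r.strip() for r in props.get("realms", "").split(",") if r.strip()]
    admins, findings = [], []
    for key, value in props.items():
        realm, _, rest = key.partition(".")
        if rest != "xgmap":
            continue
        if realm not in realms:
            findings.append(f"{key}: realm '{realm}' is not in the realms list")
            continue
        for ex, edq in parse_xgmap(value):
            if edq == "Administrators":
                admins.append((realm, ex))  # grants EDQ admin: review membership
            else:
                findings.append(f"{key}: '{ex}' -> '{edq}' is not the Administrators mapping")
    return admins, findings

# Constructed sample file contents (illustrative values only)
HOME = "realms = internal\ngss = false\n"
LOCAL = ("realms = internal, corpldap\n"
         "corpldap.xgmap = EDQ-ADMINS -> Administrators, EDQ-USERS -> Reviewers\n"
         "oldldap.xgmap = OLD-ADMINS -> Administrators\n")
```

Calling audit(merge(HOME, LOCAL)) returns the list of (realm, external group) pairs that receive Administrators, followed by the list of findings.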