How to let users add themselves using AD credentials

The WiKID server now includes a page where users login with AD credentials and can add themselves to the WiKID server.

Allowing users to add themselves to the WiKID server reduces the administrative costs of implementing two-factor authentication.  This document will show you how to edit the ADRegister.jsp file on the WiKID server for your environment.

You will find the file in /opt/WiKID/tomcat/webapps/wikid/ADRegister/.  Edit it with vi:

vi /opt/WiKID/tomcat/webapps/wikid/ADRegister/ADRegister.jsp

The file is well commented:

    This file provides an example of using Active Directory (or another LDAP-enabled directory) to authorize user registration with WiKID.

    You will need to modify the factory configuration to match your directory environment.  The parameters that need setting are:
    ============================================================================================
    Directory parameters:
    directoryDomainSuffix - The directory suffix.  In AD this is the part after the "@" in the userPrincipalName (username@ad.domain.com)

    ldapURL - The LDAP URL that identifies the AD server for authentication.  Should be of the form: ldap://servername.ad.domain.com:389

    WiKID parameters:
    domainCode - This should be set to the 12-digit code of the WiKID domain that users should be registered in if their directory credentials are valid.

    wikidIPAddress - The IP address of the WiKID server.  By default it is 127.0.0.1, assuming this script will be running on the WiKID server.
    wikidPort - The port that the WiKID server is listening on for wAuth communications.  The default is 8388.

    wikidClientCert - The path to the client certificate issued by the WiKID server for this wAuth network client.  By default it is /opt/WiKID/private/localhost.p12, assuming this script will be running on the WiKID server.

    wikidClientPass - The passphrase to open the wikidClientCert file defined above.

    cACertStore - The file containing the certificate authorities trusted by this client.  By default it is /opt/WiKID/private/CACertStore, assuming this script will be running on the WiKID server.

As you can see, the JSP page can also be run on a different machine; it just needs to be set up as a Network Client to the WiKID server.  Assuming you are setting this up on the WiKID server itself, all you need to change is:

String directoryDomainSuffix = "windows.yourdomain.com";
String ldapURL = "ldap://youradserver.yourdomain.com:389";

to the settings appropriate to your AD setup, and:

String domainCode = "127000000001";

to your WiKID domain code.  (Remember that a WiKID domain is not the same as a Windows domain.)  Finally, change the localhost passphrase to yours (remember, you created two certs during setup: the intermediate CA and the localhost cert):

String wikidClientPass = "passphrase";
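Before browsing to the page, it is worth confirming that none of the settings above were left at their shipped values. The following script is an added example, not part of the WiKID page or its code: it pulls the String/int assignments out of your edited ADRegister.jsp and flags defaults or malformed values. It assumes the settings are plain literals of the form shown above, and the embedded JSP fragment is a constructed stand-in for the real file.

```python
import re
import ipaddress
# Matches assignments such as   String domainCode = "127000000001";   or   int wikidPort = 8388;
ASSIGN_RE = re.compile(r'(?:String|int)\s+(\w+)\s*=\s*"?([^";]*)"?\s*;')
REQUIRED = ("directoryDomainSuffix", "ldapURL", "domainCode", "wikidIPAddress",
            "wikidPort", "wikidClientCert", "wikidClientPass", "cACertStore")

def parse_jsp_settings(jsp_text):
    """Collect the configuration assignments from the JSP source into a dict."""
    return dict(ASSIGN_RE.findall(jsp_text))

def check_settings(s):
    """Return a list of problems; an empty list means the file looks ready to deploy."""
    problems = [f"{k} is not set" for k in REQUIRED if k not in s]
    if problems:
        return problems
    if "@" in s["directoryDomainSuffix"] or "." not in s["directoryDomainSuffix"]:
        problems.append("directoryDomainSuffix must be the part after '@' in the UPN")
    if not re.fullmatch(r"ldaps?://[A-Za-z0-9.-]+:\d{1,5}", s["ldapURL"]):
        problems.append("ldapURL must look like ldap://servername.ad.domain.com:389")
    if not re.fullmatch(r"\d{12}", s["domainCode"]):
        problems.append("domainCode must be the 12-digit WiKID domain code")
    try:
        ipaddress.ip_address(s["wikidIPAddress"])
    except ValueError:
        problems.append("wikidIPAddress is not a valid IP address")
    if not (s["wikidPort"].isdigit() and 0 < int(s["wikidPort"]) < 65536):
        problems.append("wikidPort must be a TCP port number (default 8388)")
    for k in ("wikidClientCert", "cACertStore"):
        if not s[k].startswith("/"):
            problems.append(f"{k} should be an absolute path")
    if s["wikidClientPass"] == "passphrase":
        problems.append("wikidClientPass is still the placeholder 'passphrase'")
    for k, v in s.items():  # heuristic: the shipped placeholders all contain "your"
        if "your" in v.lower():
            problems.append(f"{k} still holds a placeholder value: {v}")
    return problems

# Constructed stand-in for the shipped ADRegister.jsp settings (not the real file).
UNEDITED_JSP = """<%
String directoryDomainSuffix = "windows.yourdomain.com";
String ldapURL = "ldap://youradserver.yourdomain.com:389";
String domainCode = "127000000001";
String wikidIPAddress = "127.0.0.1";
int wikidPort = 8388;
String wikidClientCert = "/opt/WiKID/private/localhost.p12";
String wikidClientPass = "passphrase";
String cACertStore = "/opt/WiKID/private/CACertStore";
%>"""
```

On the server, run check_settings(parse_jsp_settings(open("/opt/WiKID/tomcat/webapps/wikid/ADRegister/ADRegister.jsp").read())) and fix anything it reports before testing the login page.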


Instead of editing with vi, you can download the file to your local computer using SFTP or SCP, edit it with your preferred editor, and copy it back to the server with SCP/SFTP.

Once edited, browse to https://<yourWiKIDServer>/wikid/ADRegister/ADRegister.jsp and you will get the login screen:

(Screenshot: AD login)


Once logged in with your AD credentials, you will be prompted for the registration code:

(Screenshot: WiKID registration code prompt)

If successful, there will be a new user:

(Screenshot: AD new users)


Please feel free to edit this file for look and feel as well as functionality.

NB: If you intend to run this on the WiKID server, you will need to open the firewall for port 389 so the server can reach your AD server.  The easiest way to do this is to add your AD server as a network client and restart WiKID.
