Configuration to Authenticate LDAP Service
- Updated on 03 Apr 2024
Once the LDAP server is running and populated with users and groups, configure the LDAP adapter to authenticate against the LDAP service.
-
Encrypt the `bindPassword` for the LDAP server using the IAP encryption tool, or refer to the Vault Encryption guide. To access this guide on the docs.itential.com site, navigate to Admin Guides → Itential Automation Platform → Vault Encryption. Store only the encrypted value in the service config; the cleartext password must not appear in the profile.

```bash
cd /opt/pronghorn/current
npm run encrypt <your_password>
```
-
Verify that the service config for the LDAP adapter is referenced in the active IAP Profile, and update the service config within the Admin Essentials application. Sample configurations for both Active Directory and OpenLDAP can be found in the `DOCUMENTATION.md` file of the LDAP adapter:

```
/opt/itential/current/node_modules/@itential/adapter-ldap/docs/DOCUMENTATION.md
```

The following examples reference `service_config.properties` and not the root-level service config document.
Example for LDAP Configuration

```json
{
  "id": "LDAP Server",
  "type": "LDAP",
  "properties": {
    "domain": "uid={0},ou=users,dc=pronghorn,dc=io",
    "url": "ldap://127.0.0.1:389",
    "bindUsername": "cn=admin,dc=pronghorn,dc=io",
    "bindPassword": "<ENTER ENCRYPTED PWD HERE>",
    "baseDN": "dc=pronghorn,dc=io",
    "groupSearchFilter": "(objectClass=groupOfNames)",
    "userSearchFilter": "uid",
    "healthCheckInterval": 5000,
    "timeout": 5000,
    "connectTimeout": 5000,
    "idleTimeout": 5000,
    "timeLimit": 10,
    "reconnect": true,
    "tlsOptions": {
      "secureProtocol": "TLSv1_method",
      "requestCert": false,
      "rejectUnauthorized": true,
      "ca": "keys/key.pem"
    },
    "customGroups": []
  }
},
...
}
...
```
Example for OpenLDAP Configuration

```json
"adapters": [
  {
    "id": "LDAP Server",
    "type": "LDAP",
    "properties": {
      "domain": "uid={0},ou=users,dc=pronghorn,dc=io",
      "url": "ldap://127.0.0.1:389",
      "bindUsername": "cn=admin,dc=pronghorn,dc=io",
      "bindPassword": "<ENTER ENCRYPTED PWD HERE>",
      "baseDN": "dc=pronghorn,dc=io",
      "groupSearchFilter": "(objectClass=groupOfNames)",
      "userSearchFilter": "uid",
      "userMembershipAttribute": "memberOf",
      "healthCheckInterval": 5000,
      "timeout": 5000,
      "connectTimeout": 5000,
      "idleTimeout": 5000,
      "timeLimit": 10,
      "reconnect": true,
      "activeDirectory": false,
      "tlsOptions": {
        "secureProtocol": "TLSv1_method",
        "requestCert": false,
        "rejectUnauthorized": false,
        "ca": "keys/key.pem"
      }
    },
    "groups": [],
    "brokers": [ "aaa" ]
  },
  ...
```

Both samples point at a local server over plain `ldap://` and pin `secureProtocol` to `TLSv1_method` (TLS 1.0), and the OpenLDAP sample sets `rejectUnauthorized` to `false`, which accepts any server certificate. Treat those values as lab settings: for a production directory use an `ldaps://` URL, leave `rejectUnauthorized` at `true`, and point `ca` at the certificate chain that signed the LDAP server's certificate.
-
Verify the LDAP adapter is registered as the AAA broker.

LDAP (via `brokerProps` in the profile):

```json
"brokerProps": {
  "aaa": [ "LDAP Server" ],
  ...
}
```

OpenLDAP (via the `brokers` list on the adapter entry):

```json
"groups": [],
"brokers": [ "aaa" ]
},
```
-
Verify the LDAP adapter is registered in provenance.

```json
"authenticationProps": {
  "admins": [
    {
      "provenance": "LDAP Server",
      "group": "pronghorn_admin"
    }
  ],
  "description": "Authentication",
  "uniqueSession": false
},
```
-
Restart IAP and verify that you can log in as the `admin@pronghorn` user.

```bash
service pronghorn restart
```
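As an added example (not Itential's own code or part of this page), the following Node.js script runs the checks from the steps above over an IAP profile document before the restart: that an LDAP adapter is the AAA broker (either through `brokerProps.aaa` or through its own `brokers` list), that `authenticationProps.admins` names it as a provenance, that the `bindPassword` placeholder has been replaced, and that the TLS settings are not the lab values from the samples. The field names follow the samples on this page; the finding codes, the sample profiles, and the `ENC:...` stand-in for the encrypted password are constructed for the example. The `ldap://` check assumes the adapter does not upgrade such a URL with StartTLS; relax it if your deployment does.

```javascript
'use strict';
// Added example, not Itential's own code: a lint pass over an IAP profile
// document that checks the LDAP-adapter wiring described on this page.
// Field names (adapters[].id/type/properties/brokers, brokerProps.aaa,
// authenticationProps.admins[].provenance) follow the page's samples; the
// finding codes and the transport checks are this example's own.

const PLACEHOLDER = '<ENTER ENCRYPTED PWD HERE>';

// Returns a list of {adapter, code, msg} findings; an empty list means the
// profile passes every check.
function lintLdapProfile(profile) {
  const findings = [];
  const ldapAdapters = (profile.adapters || []).filter((a) => a.type === 'LDAP');
  if (ldapAdapters.length === 0) {
    findings.push({ adapter: null, code: 'NO_LDAP_ADAPTER', msg: 'profile has no adapter of type "LDAP"' });
    return findings;
  }
  const aaa = (profile.brokerProps && profile.brokerProps.aaa) || [];
  const admins = (profile.authenticationProps && profile.authenticationProps.admins) || [];

  for (const adapter of ldapAdapters) {
    const id = adapter.id;
    const props = adapter.properties || {};
    const tls = props.tlsOptions || {};
    const add = (code, msg) => findings.push({ adapter: id, code, msg });

    // Step 3: the adapter must be the AAA broker, either listed in
    // brokerProps.aaa on the profile or carrying "brokers": ["aaa"] itself.
    const ownBrokers = adapter.brokers || [];
    if (!aaa.includes(id) && !ownBrokers.includes('aaa')) {
      add('NOT_AAA_BROKER', `"${id}" is neither in brokerProps.aaa nor lists "aaa" in its brokers`);
    }
    // Step 4: an admins entry must name the adapter as its provenance.
    if (!admins.some((entry) => entry.provenance === id)) {
      add('NO_PROVENANCE', `authenticationProps.admins has no entry with provenance "${id}"`);
    }
    // Step 1: the placeholder must have been replaced by the encrypted value.
    if (!props.bindPassword || props.bindPassword === PLACEHOLDER) {
      add('BIND_PASSWORD_PLACEHOLDER', 'bindPassword is empty or still the placeholder');
    }
    // Transport: a simple bind over plain ldap:// sends the bind password in
    // the clear (assumption: no StartTLS upgrade is performed on ldap://).
    const scheme = String(props.url || '').split('://')[0].toLowerCase();
    if (scheme !== 'ldaps') {
      add('CLEARTEXT_LDAP', `url "${props.url}" is not ldaps://`);
    }
    // rejectUnauthorized: false accepts any server certificate.
    if (tls.rejectUnauthorized === false) {
      add('CERT_VALIDATION_OFF', 'tlsOptions.rejectUnauthorized is false');
    }
    // secureProtocol "TLSv1_method" restricts the handshake to TLS 1.0.
    if (tls.secureProtocol === 'TLSv1_method') {
      add('TLS10_PINNED', 'tlsOptions.secureProtocol "TLSv1_method" selects TLS 1.0 only');
    }
  }
  return findings;
}

// Constructed sample modelled on the OpenLDAP example above, before hardening.
const PROFILE_AS_SAMPLED = {
  adapters: [{
    id: 'LDAP Server',
    type: 'LDAP',
    properties: {
      domain: 'uid={0},ou=users,dc=pronghorn,dc=io',
      url: 'ldap://127.0.0.1:389',
      bindUsername: 'cn=admin,dc=pronghorn,dc=io',
      bindPassword: PLACEHOLDER,
      baseDN: 'dc=pronghorn,dc=io',
      tlsOptions: { secureProtocol: 'TLSv1_method', requestCert: false, rejectUnauthorized: false, ca: 'keys/key.pem' },
    },
    groups: [],
    brokers: ['aaa'],
  }],
  authenticationProps: { admins: [{ provenance: 'LDAP Server', group: 'pronghorn_admin' }] },
};

// The same profile after the fixes a reviewer would ask for. The bindPassword
// value is a made-up stand-in for the output of `npm run encrypt`.
const PROFILE_HARDENED = JSON.parse(JSON.stringify(PROFILE_AS_SAMPLED));
PROFILE_HARDENED.adapters[0].properties.url = 'ldaps://ldap.pronghorn.io:636';
PROFILE_HARDENED.adapters[0].properties.bindPassword = 'ENC:constructed-ciphertext';
PROFILE_HARDENED.adapters[0].properties.tlsOptions = { requestCert: false, rejectUnauthorized: true, ca: 'keys/key.pem' };

// Sorted finding codes, convenient for reporting and for checks.
function findingCodes(profile) {
  return lintLdapProfile(profile).map((f) => f.code).sort();
}

for (const [name, profile] of [['as sampled', PROFILE_AS_SAMPLED], ['hardened', PROFILE_HARDENED]]) {
  console.log(`${name}: ${findingCodes(profile).join(', ') || 'no findings'}`);
}
```

Run it against the profile document exported from Admin Essentials (parse the JSON and pass the object to `lintLdapProfile`) and resolve every finding before the `service pronghorn restart`; the "as sampled" profile reports four findings, the hardened one none.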