Configuration to Authenticate LDAP Service


Once the LDAP server is running and populated with users and groups, configure the LDAP adapter to authenticate against the LDAP service.

  1. Encrypt the bindPassword for the LDAP server using the Itential Platform encryption tool, or refer to the Vault Encryption guide. To access this guide on the docs.itential.com site, navigate to Admin Guides→Itential Platform→Vault Encryption.

    cd /opt/pronghorn/current
    npm run encrypt <your_password>
    
  2. Verify that the service config for the LDAP adapter is referenced in the active Itential Platform Profile, and update the service config within the Admin Essentials application. Sample configurations for both Active Directory and OpenLDAP can be found in the DOCUMENTATION.md file of the LDAP adapter. The following examples reference the service_config.properties and not the root-level service config document.

    /opt/itential/current/node_modules/@itential/adapter-ldap/docs/DOCUMENTATION.md
    

    Example for LDAP Configuration

          {
            "id": "LDAP Server",
            "type": "LDAP",
            "properties": {
              "domain": "uid={0},ou=users,dc=pronghorn,dc=io",
              "url": "ldap://127.0.0.1:389",
              "bindUsername": "cn=admin,dc=pronghorn,dc=io",
              "bindPassword": "<ENTER ENCRYPTED PWD HERE>",
              "baseDN": "dc=pronghorn,dc=io",
              "groupSearchFilter": "(objectClass=groupOfNames)",
              "userSearchFilter": "uid",
              "healthCheckInterval": 5000,
              "timeout": 5000,
              "connectTimeout": 5000,
              "idleTimeout": 5000,
              "timeLimit": 10,
              "reconnect": true,
              "tlsOptions": {
                "secureProtocol": "TLSv1_method",
                "requestCert": false,
                "rejectUnauthorized": true,
                "ca": "keys/key.pem"
              },
              "customGroups": []
            }
          },
          ...
        }
        ...
    

    Example for OpenLDAP Configuration

    "adapters": [
        {
          "id": "LDAP Server",
          "type": "LDAP",
          "properties": {
              "domain": "uid={0},ou=users,dc=pronghorn,dc=io",
              "url": "ldap://127.0.0.1:389",
              "bindUsername": "cn=admin,dc=pronghorn,dc=io",
              "bindPassword": "<ENTER ENCRYPTED PWD HERE>",
              "baseDN": "dc=pronghorn,dc=io",
              "groupSearchFilter": "(objectClass=groupOfNames)",
              "userSearchFilter": "uid",
              "userMembershipAttribute": "memberOf",
              "healthCheckInterval": 5000,
              "timeout": 5000,
              "connectTimeout": 5000,
              "idleTimeout": 5000,
              "timeLimit": 10,
              "reconnect": true,
              "activeDirectory": false,
              "tlsOptions": {
                  "secureProtocol": "TLSv1_method",
                  "requestCert": false,
                  "rejectUnauthorized": false,
                  "ca": "keys/key.pem"
              }
          },
          "groups": [],
          "brokers": [
              "aaa"
          ]
        },
     ...
    
  3. Verify the LDAP adapter is registered as the AAA broker.

    LDAP

        "brokerProps": {
          "aaa": [
            "LDAP Server"
          ],
          ...
        }
    

    OpenLDAP

            "groups": [],
            "brokers": [
                "aaa"
            ]
        },
    
  4. Verify the LDAP adapter is registered in provenance.

    "authenticationProps": {
          "admins": [
                {
                  "provenance": "LDAP Server",
                  "group": "pronghorn_admin"
                }
          ],
          "description": "Authentication",
          "uniqueSession": false
    },
    
  5. Restart Itential Platform and verify that a user can log in as the admin@pronghorn user.

    service pronghorn restart