Configuring the LDAP Adapter
  • 18 Oct 2024

Configuring an LDAP Connection

To configure Itential Automation Platform (IAP) to use an LDAP server for AAA, changes must be made to both the LDAP Adapter and the active IAP Profile.

Configure LDAP Adapter

To configure the LDAP Adapter:

  1. Navigate to the Admin Essentials homepage.
  2. In the side navigation menu, expand the Adapters collection and select your LDAP adapter. The details view of the adapter will open.
  3. From the Configuration tab of the adapter details view, define the properties of the LDAP adapter according to your environment. For example configurations, refer to the Adapter Configuration Templates section of this document.
  4. Click the Save icon to retain your changes to the adapter properties.

Configure IAP Profile

To configure the IAP Profile:

  1. Navigate to the Admin Essentials homepage.

  2. In the side navigation menu, expand the Profiles collection and select the active profile. The details view of the profile will open.

  3. On the Configure tab of the profile details view, select authenticationProps from the Edit Profile Properties menu. The authentication properties of the profile will be displayed.

  4. Define the default admin groups. You may add a list of LDAP groups whose members will be treated as IAP administrators. Use the new Adapter ID as Provenance, and the LDAP group name as the Group.

    (Screenshot: defining admin groups)

  5. Click Save to retain your changes to the profile properties.

Adapter Configuration Templates

Use one of the following configuration templates as a starting point for an Active Directory or an OpenLDAP connection.

Active Directory

Use the following example for an Active Directory configuration.

{
    "id": "ldap",
    "type": "LDAP",
    "properties": {
        "domain": "example.pronghorn.io",
        "url": "ldaps://example.pronghorn.io:636",
        "bindUsername": "itential",
        "bindPassword": "<your_activeDirectory_password>",
        "baseDN": "dc=itential,dc=io",
        "baseGroupDN": "ou=groups,dc=pronghorn,dc=io",
        "baseUserDN": "ou=people,dc=pronghorn,dc=io",
        "groupSearchFilter": "(objectCategory=Group)",
        "userSearchFilter": "sAMAccountName",
        "userMembershipAttribute": "memberOf",
        "healthCheckInterval": 5000,
        "timeout": 5000,
        "connectTimeout": 5000,
        "idleTimeout": 5000,
        "timeLimit": 10,
        "reconnect": true,
        "activeDirectory": true,
        "tlsOptions": {
            "secureProtocol": "TLSv1_method",
            "requestCert": true,
            "rejectUnauthorized": true,
            "ca": "/etc/ssl/keys/activedirectory_ca.pem"
        },
        "customGroups": [
            "Group1",
            "Group2"
        ]
    },
    "brokers": [ "aaa" ]
}
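Both templates on this page carry the same tlsOptions block, and the safety of the whole AAA integration rests on those few values plus the URL scheme and the bind credential. The following is an added example, not Itential's code and not from the documentation; it assumes, which the page does not state, that tlsOptions are handed through to Node's tls module (the option names secureProtocol, requestCert, rejectUnauthorized and ca suggest this). It checks a configuration object for an ldaps:// URL, certificate verification, a pinned CA, a protocol newer than TLS 1.0 and a bind password that is not still a placeholder. AD_TEMPLATE, checkLdapConfig, isAcceptable and hardenedCopy are this example's own names.

```javascript
// Added example, not part of the Itential documentation or adapter code.
// Checks the security-relevant settings of an LDAP adapter configuration
// object before it is saved. Assumption: tlsOptions are passed through to
// Node's tls module, which the option names suggest but the page does not state.

// Constructed copy of the Active Directory template from this page.
const AD_TEMPLATE = {
  id: 'ldap',
  type: 'LDAP',
  properties: {
    domain: 'example.pronghorn.io',
    url: 'ldaps://example.pronghorn.io:636',
    bindUsername: 'itential',
    bindPassword: '<your_activeDirectory_password>',
    baseDN: 'dc=itential,dc=io',
    baseGroupDN: 'ou=groups,dc=pronghorn,dc=io',
    baseUserDN: 'ou=people,dc=pronghorn,dc=io',
    groupSearchFilter: '(objectCategory=Group)',
    userSearchFilter: 'sAMAccountName',
    userMembershipAttribute: 'memberOf',
    activeDirectory: true,
    tlsOptions: {
      secureProtocol: 'TLSv1_method',
      requestCert: true,
      rejectUnauthorized: true,
      ca: '/etc/ssl/keys/activedirectory_ca.pem',
    },
  },
  brokers: ['aaa'],
};

const PLACEHOLDER = /^<.*>$/; // e.g. "<your_activeDirectory_password>"

// Returns a list of {level, message} findings; an empty list means no issues.
function checkLdapConfig(cfg) {
  const findings = [];
  const p = cfg.properties || {};
  const tls = p.tlsOptions || {};
  const add = (level, message) => findings.push({ level, message });

  let url = null;
  try {
    url = new URL(p.url);
  } catch (e) {
    add('error', `url is not a valid URL: ${String(p.url)}`);
  }
  if (url && url.protocol !== 'ldaps:') {
    add('error', 'url does not use ldaps://; the bind credential and group data would cross the network in clear text');
  }
  if (url && /^\d+\.\d+\.\d+\.\d+$/.test(url.hostname)) {
    add('warn', 'url uses an IPv4 address; the hostname must match the name in the server certificate');
  }
  if (tls.rejectUnauthorized !== true) {
    add('error', 'tlsOptions.rejectUnauthorized is not true; the server certificate would not be verified');
  }
  if (!tls.ca) {
    add('warn', 'tlsOptions.ca is not set; trust falls back to the system CA store');
  }
  if (tls.secureProtocol === 'TLSv1_method') {
    add('warn', 'secureProtocol TLSv1_method selects TLS 1.0 only; prefer TLSv1_2_method');
  }
  if (typeof p.bindPassword !== 'string' || p.bindPassword === '' || PLACEHOLDER.test(p.bindPassword)) {
    add('error', 'bindPassword is empty or still a placeholder');
  }
  return findings;
}

// True when there are no error-level findings (warnings are tolerated).
function isAcceptable(cfg) {
  return checkLdapConfig(cfg).every((f) => f.level !== 'error');
}

// Hardened variant of a template: same structure, TLS 1.2 and a real secret.
function hardenedCopy(cfg, password) {
  const copy = JSON.parse(JSON.stringify(cfg));
  copy.properties.bindPassword = password;
  copy.properties.tlsOptions.secureProtocol = 'TLSv1_2_method';
  return copy;
}

// Running this file prints the findings for the page's template as-is.
console.log(checkLdapConfig(AD_TEMPLATE));
```

With rejectUnauthorized set to true, Node also checks the URL hostname against the names in the server certificate, which is why the URL must use the name the certificate carries rather than an IP address.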

OpenLDAP

Use the following example for an OpenLDAP configuration. The hostname in the URL must match the common name of the LDAP server certificate.

{
    "id": "ldap",
    "type": "LDAP",
    "properties": {
        "domain": "uid={0},ou=people,o=support,dc=itential,dc=io",
        "url": "ldaps://example.pronghorn.io:636",
        "bindUsername": "cn=itential,ou=services,o=support,dc=itential,dc=io",
        "bindPassword": "itential-user-password",
        "baseDN": "dc=itential,dc=io",
        "baseGroupDN": "ou=groups,o=support,dc=itential,dc=io",
        "baseUserDN": "ou=people,o=support,dc=itential,dc=io",
        "groupSearchFilter": "(objectClass=groupOfNames)",
        "userSearchFilter": "uid",
        "userMembershipAttribute": "memberOf",
        "healthCheckInterval": 5000,
        "timeout": 5000,
        "connectTimeout": 5000,
        "idleTimeout": 5000,
        "timeLimit": 10,
        "reconnect": true,
        "activeDirectory": false,
        "tlsOptions": {
            "secureProtocol": "TLSv1_method",
            "requestCert": true,
            "rejectUnauthorized": true,
            "ca": "/etc/ssl/keys/openldap_ca.pem"
        }
    },
    "brokers": [ "aaa" ]
}
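The OpenLDAP template's "domain" value carries a {0} placeholder for the login name, and "userSearchFilter" names the attribute the login is matched against. What matters from a security standpoint is that the login name is escaped before it is substituted into either the DN or a search filter, so that a login containing LDAP metacharacters cannot change their structure. The following is an added example, not Itential's code; it assumes that the adapter substitutes {0} with the login name (implied by the template, not stated on the page), and the escaping routines, expandUserDn, buildUserSearchFilter and countRdns are this example's own.

```javascript
// Added example, not part of the Itential documentation or adapter code.
// Shows how the "domain" template and "userSearchFilter" attribute from the
// OpenLDAP template should be expanded for one login: the login is escaped as
// a DN value (RFC 4514) before substitution and as a filter value (RFC 4515)
// before it is placed in a search filter. Assumption: the adapter substitutes
// {0} with the login name; the escaping here is this example's own.

// Constructed copies of the two values from the OpenLDAP template above.
const OPENLDAP_DOMAIN = 'uid={0},ou=people,o=support,dc=itential,dc=io';
const OPENLDAP_USER_SEARCH_FILTER = 'uid';

// RFC 4514 section 2.4: escape \ , + " < > ; anywhere, a leading '#' or space,
// a trailing space, and NUL.
function escapeDnValue(value) {
  let out = '';
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (ch === '\u0000') { out += '\\00'; continue; }
    const special = '\\,+"<>;'.includes(ch);
    const edgeSpace = ch === ' ' && (i === 0 || i === value.length - 1);
    const leadingHash = ch === '#' && i === 0;
    out += (special || edgeSpace || leadingHash) ? '\\' + ch : ch;
  }
  return out;
}

// RFC 4515 section 3: \ * ( ) and NUL become \XX hex escapes inside a filter.
function escapeFilterValue(value) {
  return value.replace(/[\\*()\u0000]/g,
    (ch) => '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Expand the "domain" template for one login. A function replacement is used
// so that "$" sequences in the login are not interpreted by String.replace.
function expandUserDn(template, login) {
  return template.replace('{0}', () => escapeDnValue(login));
}

// Build the user lookup filter from the configured attribute name.
function buildUserSearchFilter(attribute, login) {
  return `(${attribute}=${escapeFilterValue(login)})`;
}

// Count RDNs, skipping escaped characters: an expanded DN must keep the
// template's RDN count, otherwise the login has changed the DN structure.
function countRdns(dn) {
  let n = 1;
  for (let i = 0; i < dn.length; i++) {
    if (dn[i] === '\\') { i++; continue; }
    if (dn[i] === ',') n++;
  }
  return n;
}

// Demonstration with a plain login and logins carrying DN/filter metacharacters.
for (const login of ['jdoe', 'jdoe,ou=admins', '*)(uid=*']) {
  const dn = expandUserDn(OPENLDAP_DOMAIN, login);
  console.log(dn, 'rdns=' + countRdns(dn),
    buildUserSearchFilter(OPENLDAP_USER_SEARCH_FILTER, login));
}
```

The RDN count check is a cheap invariant to keep next to any such expansion: with escaping in place the expanded DN always has the same number of RDNs as the template, whatever the login contains.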
