Configuring the LDAP Adapter


Configuring an LDAP Connection

To configure Itential Platform to use an LDAP server for AAA (authentication, authorization, and accounting), changes must be made in two places: the LDAP Adapter and the active Itential Platform Profile.

Configure LDAP Adapter

To configure the LDAP Adapter:

  1. Navigate to the Admin Essentials homepage.
  2. In the side navigation menu, expand the Adapters collection and select your LDAP adapter. The details view of the adapter will open.
  3. From the Configuration tab of the adapter details view, define the properties of the LDAP adapter according to your environment. For example configurations, refer to the Adapter Configuration Templates section of this document.
  4. Click the Save icon to retain your changes to the adapter properties.

Configure Itential Platform Profile

To configure the Itential Platform Profile:

  1. Navigate to the Admin Essentials homepage.

  2. In the side navigation menu, expand the Profiles collection and select the active profile. The details view of the profile will open.

  3. On the Configure tab of the profile details view, select authenticationProps from the Edit Profile Properties menu. The authentication properties of the profile will be displayed.

  4. Define the default admin groups. You may add a list of LDAP groups whose members will be treated as Itential Platform administrators. For each entry, set Provenance to the ID of the LDAP adapter you configured above (the id value in the adapter configuration, for example ldap) and set Group to the LDAP group name.

    (Screenshot: 01_defining_admin_groups_23.1, defining admin groups)

  5. Click Save to retain your changes to the profile properties.

Adapter Configuration Templates

Use the following configuration templates as a starting point for Active Directory and OpenLDAP. Replace the hostnames, distinguished names, bind credentials, and CA path with values from your own directory. Both templates connect over LDAPS with certificate verification enabled (requestCert and rejectUnauthorized set to true, and the issuing CA pinned with ca); keep those settings, because with rejectUnauthorized set to false the bind password would be sent to any host that answers on the port. The secureProtocol value selects the OpenSSL method that Node.js uses for the connection: TLSv1_2_method restricts the connection to TLS 1.2, whereas TLSv1_method would restrict it to TLS 1.0, which is deprecated. The bind account needs only read access to the user and group subtrees, and bindPassword appears in clear text in the adapter properties, so restrict who can view and edit the adapter configuration.

Active Directory

Use the following example for an Active Directory configuration.

{
    "id": "ldap",
    "type": "LDAP",
    "properties": {
        "domain": "example.pronghorn.io",
        "url": "ldaps://example.pronghorn.io:636",
        "bindUsername": "itential",
        "bindPassword": "<your_activeDirectory_password>",
        "baseDN": "dc=pronghorn,dc=io",
        "baseGroupDN": "ou=groups,dc=pronghorn,dc=io",
        "baseUserDN": "ou=people,dc=pronghorn,dc=io",
        "groupSearchFilter": "(objectCategory=Group)",
        "userSearchFilter": "sAMAccountName",
        "userMembershipAttribute": "memberOf",
        "healthCheckInterval": 5000,
        "timeout": 5000,
        "connectTimeout": 5000,
        "idleTimeout": 5000,
        "timeLimit": 10,
        "reconnect": true,
        "activeDirectory": true,
        "tlsOptions": {
            "secureProtocol": "TLSv1_2_method",
            "requestCert": true,
            "rejectUnauthorized": true,
            "ca": "/etc/ssl/keys/activedirectory_ca.pem"
        },
        "customGroups" : [
            "Group1",
            "Group2"
        ]
    },
    "brokers": [ "aaa" ]
}

OpenLDAP

Use the following example for an OpenLDAP configuration. The hostname in the URL must match the LDAP server certificate (a subject alternative name, or for older certificates the common name); otherwise certificate verification fails and the adapter cannot bind.

{
    "id": "ldap",
    "type": "LDAP",
    "properties": {
        "domain": "uid={0},ou=people,o=support,dc=itential,dc=io",
        "url": "ldaps://example.pronghorn.io:636",
        "bindUsername": "cn=itential,ou=services,o=support,dc=itential,dc=io",
        "bindPassword": "itential-user-password",
        "baseDN": "dc=itential,dc=io",
        "baseGroupDN": "ou=groups,o=support,dc=itential,dc=io",
        "baseUserDN": "ou=people,o=support,dc=itential,dc=io",
        "groupSearchFilter": "(objectClass=groupOfNames)",
        "userSearchFilter": "uid",
        "userMembershipAttribute": "memberOf",
        "healthCheckInterval": 5000,
        "timeout": 5000,
        "connectTimeout": 5000,
        "idleTimeout": 5000,
        "timeLimit": 10,
        "reconnect": true,
        "activeDirectory": false,
        "tlsOptions": {
            "secureProtocol": "TLSv1_2_method",
            "requestCert": true,
            "rejectUnauthorized": true,
            "ca": "/etc/ssl/keys/openldap_ca.pem"
        }
    },
    "brokers": [ "aaa" ]
}