Defining LDAP User and Groups

Prerequisites

The LDAP adapter is used to establish a connection with Active Directory and OpenLDAP servers running LDAP version 3.

For an LDAP based system it becomes important to understand which groups a user belongs to when working on the user information. This is especially important in systems that implement RBAC because understanding the groups for a user is necessary for the authorization process. Fortunately, LDAP has support for reverse membership mapping if the user and group objects use certain object classes. By default, an OpenLDAP system uses the memberOf overlay; however, this default can be overridden by the userMembershipAttribute property.

Enable MemberOf Module

If using LDAP in a VM or bare-metal (not a container) environment, you must include the memberof module in your LDAP config file, otherwise admin permissions will not be granted in IAP. In order for this to take effect in prior releases of Itential, every group created prior to enabling this module must be deleted and remade.

sudo ldapdelete -c -D dc=example,dc=com -w <password> -H ldap:/// -f <ldif_file>

Be sure to include just the DN for each group you want to remove inside the LDIF file.

dn: cn=pronghorn_admin,ou=groups,dc=example,dc=com

Then re-add the groups using the following command:

sudo ldapadd -c -D dc=example,dc=com -w <password> -H ldap:/// -f <ldif_file>

Define LDAP Groups

The groups that will be associated with various IAP applications must be defined in the authentication server.

• SystemAdmin
• DSOperator
• DSManager
• DSEngineer
• Developer

Below is an example of defined groups.

Figure 1: Defined Groups

Create LDAP User for IAP

An LDAP user must be set up in the authentication database for IAP to use to connect to the LDAP server to run queries. This user does not need to be a member of any of the defined groups; user simply needs to be able to access the LDAP server.

Confirm Connection to LDAP Server

Before proceeding, verify the LDAP user can connect to the LDAP server. In addition to verifying the ability to connect to the LDAP server, this will provide multiple values needed later in this setup procedure.

This verification can be performed using the following command line tool, which needs to be installed on the IAP server. Once the tool has been installed, execute the following two commands.

Command: Ignore certificate key

export LDAPTLS_REQCERT=never

• The purpose of this command is to force the connection to not use a certification key.
• Run this command only once per SSH session.
• Run this command only if you are connecting via SSL. It is best practice to do this.

Command: Connect LDAP search

ldapsearch -H ldaps://<IP Address of LDAP Server>:<Port> -b '<Base DN>' -D <UserName>@<Domain> -w '<Password>' cn='<Common Name>' -s sub -x

• IP Address of LDAP Server: This will be the IP of your LDAP server. This will be provided by an AD administrator.
• Port: This is the port of the LDAP server. 636 is the standard for SSL connections. 389 is the standard port for non SSL connections.
• Base DN: This is provided by an AD administrator.
• UserName: This is the username that was created for IAP to connect to AD.
• Domain: This is provided by an AD administrator.
• Password: Password for IAP user.
• Common Name: This is provided by an AD administrator.

Below is an example of a successful ldapsearch connection.

Figure 2: LDAP Search Connection