LDAP Adapter
- Updated on 20 Apr 2023
The LDAP adapter is used to establish a connection with Active Directory and OpenLDAP servers running LDAP version 3.
LDAP Configuration Properties
For an LDAP-based system it is important to know which groups a user belongs to when working with user information. In systems that implement RBAC in particular, a user's group membership is required for the authorization process. LDAP supports reverse membership mapping if the user and group objects use certain object classes. By default an OpenLDAP system uses the memberOf overlay; this default is overridden by the userMembershipAttribute property.
| Property Name | Type | Default | Description |
|---|---|---|---|
| domain | String | example.itential.io (Active Directory) or uid={0},ou=people,o=support,dc=itential,dc=io (OpenLDAP) | The name of the LDAP domain. This is not necessarily the same as the DNS name of the server. Use the example.itential.io format with Active Directory and the uid={0},ou=people,o=support,dc=itential,dc=io format with OpenLDAP. |
| url | String | ldaps://localhost:636 | URL of the LDAP server. For SSL, use LDAPS; the default port is 636. For unencrypted connections (not recommended), use LDAP; the default port is 389. |
| bindUsername | String | itential@domain (Active Directory) or cn=itential,ou=services,o=support,dc=itential,dc=io (OpenLDAP) | The username of the bind account. This administrative account is used to view all groups and users that IAP needs to know about. Use user@domain for Active Directory and cn=user,dc=example,dc=com for OpenLDAP. |
| bindPassword | String | | If $ENC or $SECRET precedes the password, IAP uses it as an encrypted password. Otherwise, the password is stored in plain text. |
| baseDN | String | dc=itential,dc=io | The base DN from which the LDAP adapter searches for users and groups. If both baseUserDN and baseGroupDN are specified, this parameter has no effect. |
| baseUserDN | String | ou=people,o=support,dc=itential,dc=io | The base DN from which the LDAP adapter searches for users. If not provided, baseDN is used. This property was introduced in adapter-ldap version 2.11.0. |
| baseGroupDN | String | ou=groups,o=support,dc=itential,dc=io | The base DN from which the LDAP adapter searches for groups. If not provided, baseDN is used. This property was introduced in adapter-ldap version 2.11.0. |
| groupSearchFilter | String | (objectClass=groupOfNames) | Filter for the group search. For each group returned by this filter, a corresponding group is created in IAP, so scope the filter so that it returns only the groups intended for use in IAP; failing to do so may cause significant performance issues. This property uses the official LDAP Search Filter Syntax. Whitespace between attribute assertions cannot be used; see the examples below. |
| userSearchFilter | String | sAMAccountName (Active Directory) or uid (OpenLDAP) | Filter for the user search. This defines the attribute (the common name or another object) that identifies users in the LDAP server. Most Active Directory implementations use sAMAccountName; use uid for OpenLDAP. |
| userMembershipAttribute | String | memberOf | The name of the LDAP attribute on the user object that indicates which groups the user is a member of. |
| healthCheckInterval | Number | 5000 | Interval at which the LDAP server is pinged to ensure connectivity. Measured in milliseconds. |
| timeout | Number | 5000 | Default timeout for authentication attempts. Measured in milliseconds. |
| connectTimeout | Number | 5000 | Default connection timeout for authentication attempts. Measured in milliseconds. |
| idleTimeout | Number | 5000 | Default idle timeout. Measured in milliseconds. |
| timeLimit | Number | 10 | The maximum amount of time (in seconds) the server should take to respond. Defaults to 10 seconds. Set a higher value to handle nested group searches. Many servers ignore this. |
| reconnect | Boolean | true | Whether to attempt a reconnect. |
| activeDirectory | Boolean | false | Sets the type of directory service. If true, Active Directory authentication is used; if false, LDAP authentication is used. |
| tlsOptions.secureProtocol | String | TLSv1_method | The protocol method to use. The possible values are those listed as SSL_METHODS; use the function names as strings. |
| tlsOptions.requestCert | Boolean | true | If true, the server requests a certificate from connecting clients and attempts to verify it. |
| tlsOptions.rejectUnauthorized | Boolean | true | If true, any connection that is not authorized against the list of supplied CAs is rejected. |
| tlsOptions.ca | String | /etc/ssl/keys/openldap_ca.pem | Path to the CA certificate (in PEM format). |
| customGroups | Array of Strings | [] | A list of predefined groups to search for a user and to list user groups. Use this property only with Active Directory servers; it is not yet compatible with most OpenLDAP schemas. |
Configure the LDAP adapter to be a member of the AAA broker. Only one AAA adapter may be configured at a time.
Spaces Not Recognized in LDAP Search Filters
Whitespace between attribute assertions is not recognized and cannot be used in LDAP search filters.
This filter example will not work.
(| (&(objectClass=groupOfNames) (cn=UAT Power Users)) (&(objectClass=groupOfNames)(cn=QuickSight Members)) )
This filter example will work.
(|(&(objectClass=groupOfNames)(cn=UAT Power Users))(&(objectClass=groupOfNames)(cn=QuickSight Members)))
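The two filters above differ only in structural whitespace, which is easy to miss in a long filter. As an added example (not code from the Itential docs or the adapter), the function below strips whitespace that sits between attribute assertions while keeping the whitespace inside assertion values such as cn=UAT Power Users, so a filter can be checked or normalized before it is placed in groupSearchFilter. The constants BAD_FILTER and GOOD_FILTER are copied from the two examples on this page.

```javascript
// Added example, not part of the Itential documentation or adapter code.
// Removes whitespace between attribute assertions in an LDAP search filter
// (which the adapter does not recognize) while preserving whitespace inside
// assertion values. The walk relies on RFC 4515: a literal ')' inside a value
// must be escaped as \29, so a raw ')' always ends the current assertion.
function normalizeLdapFilter(filter) {
  let out = '';
  let i = 0;
  let inAssertion = false;
  while (i < filter.length) {
    const ch = filter[i];
    if (inAssertion) {
      // Inside "attr=value": copy verbatim until the closing parenthesis.
      if (ch === ')') inAssertion = false;
      out += ch;
      i += 1;
      continue;
    }
    if (/\s/.test(ch)) {
      // Structural whitespace between assertions or operators: drop it.
      i += 1;
      continue;
    }
    out += ch;
    i += 1;
    if (ch === '(') {
      // Look past any whitespace to see what this parenthesis opens:
      // an operator (&, |, !), a nested filter, or an attribute assertion.
      while (i < filter.length && /\s/.test(filter[i])) i += 1;
      if (i < filter.length && !'&|!('.includes(filter[i])) inAssertion = true;
    }
  }
  return out;
}

// True when the filter, as written, contains whitespace the adapter would reject.
function hasStructuralWhitespace(filter) {
  return normalizeLdapFilter(filter) !== filter;
}

// The two filters from this page: the first fails, the second works.
const BAD_FILTER = '(| (&(objectClass=groupOfNames) (cn=UAT Power Users)) (&(objectClass=groupOfNames)(cn=QuickSight Members)) )';
const GOOD_FILTER = '(|(&(objectClass=groupOfNames)(cn=UAT Power Users))(&(objectClass=groupOfNames)(cn=QuickSight Members)))';

console.log('bad filter needs fixing:', hasStructuralWhitespace(BAD_FILTER));
console.log('normalized:', normalizeLdapFilter(BAD_FILTER));
console.log('good filter unchanged:', !hasStructuralWhitespace(GOOD_FILTER));
```

Running the block shows that normalizing the failing filter yields exactly the working one. The value whitespace in cn=UAT Power Users and cn=QuickSight Members survives because it is inside an assertion; only the spaces after (|, after each closing parenthesis and before the final ) are removed.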
Active Directory Configuration
Use the following example for Active Directory configuration.
Sample Active Directory Configuration
```json
{
  "id": "ldap",
  "type": "LDAP",
  "properties": {
    "domain": "example.itential.io",
    "url": "ldaps://example.itential.io:636",
    "bindUsername": "itential",
    "bindPassword": "itential-ldap-password",
    "baseDN": "dc=itential,dc=io",
    "baseGroupDN": "ou=groups,o=support,dc=itential,dc=io",
    "baseUserDN": "ou=people,o=support,dc=itential,dc=io",
    "groupSearchFilter": "(objectCategory=Group)",
    "userSearchFilter": "sAMAccountName",
    "userMembershipAttribute": "memberOf",
    "healthCheckInterval": 5000,
    "timeout": 5000,
    "connectTimeout": 5000,
    "idleTimeout": 5000,
    "timeLimit": 10,
    "reconnect": true,
    "activeDirectory": true,
    "tlsOptions": {
      "secureProtocol": "TLSv1_method",
      "requestCert": true,
      "rejectUnauthorized": true,
      "ca": "/etc/ssl/keys/activedirectory_ca.pem"
    },
    "customGroups": [
      "Group1",
      "Group2"
    ]
  },
  "brokers": [ "aaa" ]
}
```
OpenLDAP Configuration
Use the following example for OpenLDAP configuration. The hostname in the URL must match the common name of the LDAP server certificate.
Sample OpenLDAP Configuration
```json
{
  "id": "ldap",
  "type": "LDAP",
  "properties": {
    "domain": "uid={0},ou=people,o=support,dc=itential,dc=io",
    "url": "ldaps://example.pronghorn.io:636",
    "bindUsername": "cn=itential,ou=services,o=support,dc=itential,dc=io",
    "bindPassword": "itential-user-password",
    "baseDN": "dc=itential,dc=io",
    "baseGroupDN": "ou=groups,o=support,dc=itential,dc=io",
    "baseUserDN": "ou=people,o=support,dc=itential,dc=io",
    "groupSearchFilter": "(objectClass=groupOfNames)",
    "userSearchFilter": "uid",
    "userMembershipAttribute": "memberOf",
    "healthCheckInterval": 5000,
    "timeout": 5000,
    "connectTimeout": 5000,
    "idleTimeout": 5000,
    "timeLimit": 10,
    "reconnect": true,
    "activeDirectory": false,
    "tlsOptions": {
      "secureProtocol": "TLSv1_method",
      "requestCert": true,
      "rejectUnauthorized": true,
      "ca": "/etc/ssl/keys/openldap_ca.pem"
    }
  },
  "brokers": [ "aaa" ]
}
```
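The property table and the two sample configurations together describe several settings that decide how much the adapter trusts the network and the directory: the URL scheme, the certificate checks in tlsOptions, the $ENC/$SECRET prefix on bindPassword, and the scope of groupSearchFilter. As an added example (not code from the Itential docs or the adapter), the lint pass below reads a configuration object shaped like the samples above and reports the settings that weaken those guarantees. It assumes the secureProtocol values are Node.js/OpenSSL method names, and it takes a caller-supplied list of names from the LDAP server certificate (serverCertNames, an assumption of this example) to apply the hostname rule stated for the OpenLDAP sample. The sample objects in the block are constructed from the OpenLDAP configuration on this page.

```javascript
// Added example, not part of the Itential documentation or adapter code.
// Lints an IAP LDAP adapter configuration and returns findings as strings.
// serverCertNames is assumed to be the CN and subjectAltNames read from the
// LDAP server certificate by the caller (this example does not fetch them).
function lintLdapAdapterConfig(config, serverCertNames = []) {
  const findings = [];
  const p = config.properties || {};
  const tls = p.tlsOptions || {};

  // Transport: ldaps:// (default port 636) is recommended; ldap:// is unencrypted.
  let url = null;
  try {
    url = new URL(p.url);
  } catch (err) {
    findings.push(`url: not a valid URL: ${p.url}`);
  }
  if (url) {
    if (url.protocol !== 'ldaps:') {
      findings.push('url: unencrypted ldap:// scheme; use ldaps://');
    }
    // The hostname in the URL must match a name on the server certificate.
    if (serverCertNames.length > 0 && !serverCertNames.includes(url.hostname)) {
      findings.push(`url: hostname ${url.hostname} is not a certificate name (${serverCertNames.join(', ')})`);
    }
  }

  // Certificate verification: rejectUnauthorized=false accepts any server certificate.
  if (tls.rejectUnauthorized === false) {
    findings.push('tlsOptions.rejectUnauthorized: false disables CA verification');
  }
  if (!tls.ca) {
    findings.push('tlsOptions.ca: no CA certificate path configured');
  }
  // OpenSSL "*_method" names that pin a single legacy version. TLS 1.0 and 1.1
  // are deprecated by RFC 8996; TLS_method negotiates the highest shared version.
  if (/^(SSLv2|SSLv3|TLSv1|TLSv1_1)_method$/.test(tls.secureProtocol || '')) {
    findings.push(`tlsOptions.secureProtocol: ${tls.secureProtocol} pins a deprecated protocol version`);
  }

  // Credentials: without a $ENC or $SECRET prefix the bind password is stored in plain text.
  if (typeof p.bindPassword === 'string' && !/^\$(ENC|SECRET)/.test(p.bindPassword)) {
    findings.push('bindPassword: stored in plain text (no $ENC or $SECRET prefix)');
  }

  // Search scope: whitespace between assertions is not recognized, and an
  // unrestricted filter creates an IAP group for every entry under baseGroupDN.
  const filter = typeof p.groupSearchFilter === 'string' ? p.groupSearchFilter : '';
  if (/\)\s+\(|\(\s+[&|!(]|\s+\)/.test(filter)) {
    findings.push('groupSearchFilter: whitespace between attribute assertions is not recognized');
  }
  if (/^\(objectClass=\*\)$/i.test(filter.trim())) {
    findings.push('groupSearchFilter: (objectClass=*) matches every entry under baseGroupDN');
  }
  return findings;
}

// Constructed sample mirroring the OpenLDAP configuration on this page.
const SAMPLE_OPENLDAP = {
  id: 'ldap',
  type: 'LDAP',
  properties: {
    domain: 'uid={0},ou=people,o=support,dc=itential,dc=io',
    url: 'ldaps://example.pronghorn.io:636',
    bindUsername: 'cn=itential,ou=services,o=support,dc=itential,dc=io',
    bindPassword: 'itential-user-password',
    baseDN: 'dc=itential,dc=io',
    baseGroupDN: 'ou=groups,o=support,dc=itential,dc=io',
    baseUserDN: 'ou=people,o=support,dc=itential,dc=io',
    groupSearchFilter: '(objectClass=groupOfNames)',
    userSearchFilter: 'uid',
    userMembershipAttribute: 'memberOf',
    activeDirectory: false,
    tlsOptions: {
      secureProtocol: 'TLSv1_method',
      requestCert: true,
      rejectUnauthorized: true,
      ca: '/etc/ssl/keys/openldap_ca.pem',
    },
  },
  brokers: ['aaa'],
};

// Hardened variant: negotiated TLS version and an encrypted-password placeholder.
const HARDENED_OPENLDAP = JSON.parse(JSON.stringify(SAMPLE_OPENLDAP));
HARDENED_OPENLDAP.properties.tlsOptions.secureProtocol = 'TLS_method';
HARDENED_OPENLDAP.properties.bindPassword = '$ENC<placeholder-ciphertext>';

// Weak variant constructed to trigger the remaining checks.
const WEAK_CONFIG = JSON.parse(JSON.stringify(SAMPLE_OPENLDAP));
WEAK_CONFIG.properties.url = 'ldap://ldap.example.test:389';
WEAK_CONFIG.properties.groupSearchFilter = '(| (objectClass=groupOfNames) (objectClass=group))';
WEAK_CONFIG.properties.tlsOptions = { secureProtocol: 'SSLv3_method', rejectUnauthorized: false };

for (const [name, cfg] of [['sample', SAMPLE_OPENLDAP], ['hardened', HARDENED_OPENLDAP], ['weak', WEAK_CONFIG]]) {
  console.log(name, lintLdapAdapterConfig(cfg, ['example.pronghorn.io']));
}
```

Run against the page's OpenLDAP sample, the lint reports two items: the plain-text bind password and the TLSv1_method setting. The hardened copy reports nothing, and the weak copy shows what each remaining check catches. The hostname check only runs when certificate names are supplied, so the lint stays usable where the certificate has not been fetched yet.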