LDAP Adapter

The LDAP adapter is configured to establish a connection with Active Directory and OpenLDAP servers.

For an LDAP-based system it is important to know which groups a user belongs to when working with the user's information. In systems that implement RBAC in particular, the user's groups are needed for the authorization process. LDAP supports reverse membership mapping when the user and group objects use certain object classes. By default an OpenLDAP system uses the memberOf overlay; this default is overridden by the userMembershipAttribute property.

Properties (name, type, default, description):

domain (String)
  Default: example.itential.io (Active Directory) or uid={0},ou=people,o=support,dc=itential,dc=io (OpenLDAP)
  The name of the LDAP domain. This is not necessarily the same as the DNS name of the server.

url (String)
  Default: ldaps://localhost:636
  URL of the LDAP server. For SSL, use ldaps (default port 636). For unencrypted connections (not recommended), use ldap (default port 389).

bindUsername (String)
  Default: itential@domain (Active Directory) or cn=itential,ou=services,o=support,dc=itential,dc=io (OpenLDAP)
  The username of the bind account. This administrative account is used to view all groups and users that IAP needs to know about. Use <user@domain> for Active Directory and cn=user,dc=example,dc=com for OpenLDAP.

bindPassword (String)
  Default: none
  If $ENC or $SECRET precedes the password, IAP treats it as an encrypted password. Otherwise, the password is stored in plain text.

baseDN (String)
  Default: dc=itential,dc=io
  The base DN from which the LDAP adapter searches for users and groups. If both baseUserDN and baseGroupDN are specified, this parameter has no effect.

baseUserDN (String)
  Default: ou=people,o=support,dc=itential,dc=io
  The base DN from which the LDAP adapter searches for users. If not provided, baseDN is used. Introduced in adapter-ldap version 2.11.0.

baseGroupDN (String)
  Default: ou=groups,o=support,dc=itential,dc=io
  The base DN from which the LDAP adapter searches for groups. If not provided, baseDN is used. Introduced in adapter-ldap version 2.11.0.

groupSearchFilter (String)
  Default: (objectClass=groupOfNames)
  Filter for the group search, written in the standard LDAP search filter syntax.

userSearchFilter (String)
  Default: sAMAccountName (Active Directory) or uid (OpenLDAP)
  Attribute used for the user search: the common name (or other attribute) that identifies users in the LDAP server. Most Active Directory implementations use sAMAccountName; use uid for OpenLDAP.

userMembershipAttribute (String)
  Default: memberOf
  The name of the attribute on the user object that lists the group(s) the user is a member of.

healthCheckInterval (Number)
  Default: 5000
  Interval, in milliseconds, at which the LDAP server is pinged to ensure connectivity.

timeout (Number)
  Default: 5000
  Default timeout for authentication attempts, in milliseconds.

connectTimeout (Number)
  Default: 5000
  Default connection timeout for authentication attempts, in milliseconds.

idleTimeout (Number)
  Default: 5000
  Default idle timeout, in milliseconds.

timeLimit (Number)
  Default: 10
  The maximum time, in seconds, the server should take to respond. Set a higher value to handle nested group searches. Many servers ignore this.

reconnect (Boolean)
  Default: true
  Whether to attempt a reconnect.

activeDirectory (Boolean)
  Default: false
  Sets the type of directory service. If true, Active Directory authentication is used; if false, LDAP authentication is used.

tlsOptions.secureProtocol (String)
  Default: TLSv1_method
  The TLS protocol method to use. The possible values are those listed under SSL_METHODS; use the function names as strings.

tlsOptions.requestCert (Boolean)
  Default: true
  If true, the server requests a certificate from connecting clients and attempts to verify it.

tlsOptions.rejectUnauthorized (Boolean)
  Default: true
  If true, any connection that is not authorized against the list of supplied CAs is rejected.

tlsOptions.ca (String)
  Default: /etc/ssl/keys/openldap_ca.pem
  Path to the CA file (in PEM format).

customGroups (Array of Strings)
  Default: []
  A list of predefined groups to search for a user and to list user groups. Use this property only with Active Directory servers; it is not yet compatible with most OpenLDAP schemas.
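As an added example (not code from the adapter-ldap project or this page), the JavaScript below models how the properties above combine into a user lookup and group-membership read, and lints the transport and bind-credential settings; the function names, the filter-escaping helper and the sample object are assumptions.

```javascript
// Added example, not adapter-ldap code: models how the properties combine and
// lints transport/credential settings. Names and the sample object are assumed.

// Escape a value before placing it in a search filter (RFC 4515), so a login
// name such as "admin)(uid=*" cannot change the shape of the filter.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (c) =>
    "\\" + c.charCodeAt(0).toString(16).padStart(2, "0"));
}

// Resolve the effective search plan for one login name: baseUserDN and
// baseGroupDN fall back to baseDN, the user filter is built from
// userSearchFilter, and customGroups apply only when activeDirectory is true.
function buildSearchPlan(props, username) {
  const attr = props.userSearchFilter || (props.activeDirectory ? "sAMAccountName" : "uid");
  return {
    userBase: props.baseUserDN || props.baseDN,
    groupBase: props.baseGroupDN || props.baseDN,
    userFilter: `(${attr}=${escapeFilterValue(username)})`,
    groupFilter: props.groupSearchFilter || "(objectClass=groupOfNames)",
    membershipAttribute: props.userMembershipAttribute || "memberOf",
    customGroups: props.activeDirectory ? (props.customGroups || []) : [],
  };
}

// Report settings that weaken the connection or expose the bind credential.
// OpenSSL's TLSv1_method negotiates TLS 1.0 only (TLSv1_2_method or TLS_method are current).
function lintProperties(props) {
  const findings = [];
  const tls = props.tlsOptions || {};
  if (!/^ldaps:\/\//i.test(props.url || "")) findings.push("url: not ldaps://, connection is unencrypted");
  if (tls.rejectUnauthorized === false) findings.push("tlsOptions.rejectUnauthorized: false skips CA verification");
  if (!tls.ca) findings.push("tlsOptions.ca: no CA file configured");
  if (tls.secureProtocol === "TLSv1_method") findings.push("tlsOptions.secureProtocol: TLSv1_method pins TLS 1.0");
  if (!/^\$(ENC|SECRET)/.test(props.bindPassword || "")) findings.push("bindPassword: no $ENC/$SECRET prefix, stored in plain text");
  return findings;
}

// Constructed sample adapted from the OpenLDAP configuration on this page (baseGroupDN omitted).
const sampleProps = {
  url: "ldaps://example.pronghorn.io:636",
  bindPassword: "itential-user-password",
  baseDN: "dc=itential,dc=io",
  baseUserDN: "ou=people,o=support,dc=itential,dc=io",
  userSearchFilter: "uid",
  activeDirectory: false,
  tlsOptions: { secureProtocol: "TLSv1_method", rejectUnauthorized: true, ca: "/etc/ssl/keys/openldap_ca.pem" },
};
console.log(buildSearchPlan(sampleProps, "admin)(uid=*"), lintProperties(sampleProps));
```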

Note: Configure the LDAP adapter to be a member of the AAA broker. Only one AAA adapter may be configured at a time.

Active Directory Configuration

Use the following example for Active Directory configuration.

Sample Active Directory Configuration

{
    "id": "ldap",
    "type": "LDAP",
    "properties": {
        "domain": "example.itential.io",
        "url": "ldaps://example.itential.io:636",
        "bindUsername": "itential",
        "bindPassword": "itential-ldap-password",
        "baseDN": "dc=itential,dc=io",
        "baseGroupDN": "ou=groups,o=support,dc=itential,dc=io",
        "baseUserDN": "ou=people,o=support,dc=itential,dc=io",
        "groupSearchFilter": "(objectCategory=Group)",
        "userSearchFilter": "sAMAccountName",
        "userMembershipAttribute": "memberOf",
        "healthCheckInterval": 5000,
        "timeout": 5000,
        "connectTimeout": 5000,
        "idleTimeout": 5000,
        "timeLimit": 10,
        "reconnect": true,
        "activeDirectory": true,
        "tlsOptions": {
            "secureProtocol": "TLSv1_method",
            "requestCert": true,
            "rejectUnauthorized": true,
            "ca": "/etc/ssl/keys/activedirectory_ca.pem"
        },
        "customGroups": [
            "Group1",
            "Group2"
        ]
    },
    "brokers": [ "aaa" ]
}

OpenLDAP Configuration

Use the following example for OpenLDAP configuration. The hostname in the URL must match the common name of the LDAP server certificate.

Sample OpenLDAP Configuration

{
    "id": "ldap",
    "type": "LDAP",
    "properties": {
        "domain": "uid={0},ou=people,o=support,dc=itential,dc=io",
        "url": "ldaps://example.pronghorn.io:636",
        "bindUsername": "cn=itential,ou=services,o=support,dc=itential,dc=io",
        "bindPassword": "itential-user-password",
        "baseDN": "dc=itential,dc=io",
        "baseGroupDN": "ou=groups,o=support,dc=itential,dc=io",
        "baseUserDN": "ou=people,o=support,dc=itential,dc=io",
        "groupSearchFilter": "(objectClass=groupOfNames)",
        "userSearchFilter": "uid",
        "userMembershipAttribute": "memberOf",
        "healthCheckInterval": 5000,
        "timeout": 5000,
        "connectTimeout": 5000,
        "idleTimeout": 5000,
        "timeLimit": 10,
        "reconnect": true,
        "activeDirectory": false,
        "tlsOptions": {
            "secureProtocol": "TLSv1_method",
            "requestCert": true,
            "rejectUnauthorized": true,
            "ca": "/etc/ssl/keys/openldap_ca.pem"
        }
    },
    "brokers": [ "aaa" ]
}