LDAP Adapter
10 Dec 2024

The LDAP adapter is used to establish a connection with Active Directory and OpenLDAP servers running LDAP Version 3.

Configuration Properties

For an LDAP-based system it is important to know which groups a user belongs to when working with user information. In systems that implement RBAC in particular, the user's group membership drives the authorization decision. LDAP supports reverse membership mapping (reading a user's groups from the user entry itself) when the user and group objects use suitable object classes. The adapter reads the memberOf attribute by default; on OpenLDAP that attribute is only populated when the memberOf overlay (or an equivalent) is configured on the server, and the attribute name can be changed with the userMembershipAttribute property.

domain (String)
  Default: example.itential.io (Active Directory) or uid={0},ou=people,o=support,dc=itential,dc=io (OpenLDAP)
  The name of the LDAP domain. This is not necessarily the same as the DNS name of the server. Use the example.itential.io format with Active Directory and the uid={0},ou=people,o=support,dc=itential,dc=io format with OpenLDAP, where {0} is the placeholder for the login name.

url (String)
  Default: ldaps://localhost:636
  URL of the LDAP server. Use ldaps:// for TLS; the default port is 636. Unencrypted ldap:// (default port 389) is not recommended, because the bind password and every user password sent for authentication would cross the network in clear text.

bindUsername (String)
  Default: itential@domain (Active Directory) or cn=itential,ou=services,o=support,dc=itential,dc=io (OpenLDAP)
  The username of the bind account, which the adapter uses to look up the groups and users that IAP needs to know about. The account only needs read access to those entries, so prefer a dedicated read-only account over a directory administrator. Use user@domain for Active Directory and a full DN such as cn=user,dc=example,dc=com for OpenLDAP.

bindPassword (String)
  Default: none
  Password of the bind account. If the value is prefixed with $ENC or $SECRET, IAP treats it as an encrypted password; otherwise it is stored in plain text in the adapter configuration.

baseDN (String)
  Default: dc=itential,dc=io
  The base DN from which the adapter searches for users and groups. If both baseUserDN and baseGroupDN are specified, this property has no effect.

baseUserDN (String)
  Default: ou=people,o=support,dc=itential,dc=io
  The base DN from which the adapter searches for users. If not provided, baseDN is used. Introduced in adapter-ldap version 2.11.0.

baseGroupDN (String)
  Default: ou=groups,o=support,dc=itential,dc=io
  The base DN from which the adapter searches for groups. If not provided, baseDN is used. Introduced in adapter-ldap version 2.11.0.

groupSearchFilter (String)
  Default: (objectClass=groupOfNames)
  Filter for the group search. A corresponding IAP group is created for every group this filter returns, so scope the filter so that it returns only the groups you intend to use in IAP; an overly broad filter can cause significant performance problems. The value uses standard LDAP search filter syntax (RFC 4515). Whitespace between attribute assertions is not recognized; see the examples below.

userSearchFilter (String)
  Default: sAMAccountName (Active Directory) or uid (OpenLDAP)
  The attribute whose value identifies a user and is matched against the login name during the user search. Most Active Directory deployments use sAMAccountName; use uid for OpenLDAP.

userMembershipAttribute (String)
  Default: memberOf
  The name of the attribute on the user object that lists the groups the user is a member of.

healthCheckInterval (Number)
  Default: 5000
  Interval, in milliseconds, at which the adapter pings the LDAP server to confirm connectivity.

timeout (Number)
  Default: 5000
  Default timeout for authentication attempts, in milliseconds.

connectTimeout (Number)
  Default: 5000
  Default connection timeout for authentication attempts, in milliseconds.

idleTimeout (Number)
  Default: 5000
  Default idle timeout, in milliseconds.

timeLimit (Number)
  Default: 10
  The maximum time, in seconds, the server should take to respond to a search. Raise it to accommodate nested group searches. Many servers ignore this value.

reconnect (Boolean)
  Default: true
  Whether to attempt to reconnect after the connection is lost.

activeDirectory (Boolean)
  Default: false
  Sets the type of directory service. If true, Active Directory authentication is used; if false, generic LDAP authentication is used.

tlsOptions.secureProtocol (String)
  Default: TLSv1_method
  The OpenSSL protocol method to use, given as the method function name (one of the SSL_METHODS). Note that TLSv1_method restricts the connection to TLS 1.0, which is deprecated; TLS_method negotiates the highest version both sides support, and TLSv1_2_method pins TLS 1.2.

tlsOptions.requestCert (Boolean)
  Default: true
  If true, the server will request a certificate from connecting clients and attempt to verify it.

tlsOptions.rejectUnauthorized (Boolean)
  Default: true
  If true, any connection whose certificate does not chain to one of the supplied CAs is rejected. Leave this set to true: setting it to false disables certificate validation, which lets an on-path attacker impersonate the LDAP server and capture the bind and user credentials.

tlsOptions.ca (String)
  Default: /etc/ssl/keys/openldap_ca.pem
  Path to the CA certificate (PEM format) used to verify the LDAP server's certificate.

customGroups (Array of Strings)
  Default: []
  A list of predefined groups to search for a user and to list user groups. Use this property only with Active Directory servers; it is not yet compatible with most OpenLDAP schemas.

Configure the LDAP adapter as a member of the AAA broker ("brokers": ["aaa"] in the sample configurations below). Only one AAA adapter may be configured at a time.

Spaces Not Recognized in LDAP Search Filters

Whitespaces between attribute assertions are not recognized and cannot be used in LDAP search filters.

This filter example will not work.

(| (&(objectClass=groupOfNames) (cn=UAT Power Users)) (&(objectClass=groupOfNames)(cn=QuickSight Members)) )

This filter example will work.

(|(&(objectClass=groupOfNames)(cn=UAT Power Users))(&(objectClass=groupOfNames)(cn=QuickSight Members)))
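The following is an added example, not code from the Itential adapter, that produces groupSearchFilter values in the accepted form: it strips whitespace between assertions and operators while keeping the spaces inside values such as "UAT Power Users", and it escapes filter metacharacters in group names (RFC 4515) so a name containing parentheses or an asterisk cannot change the structure of the filter. The function names and the BROKEN sample filter are this example's own.

```javascript
// Added example; this is not code from the Itential LDAP adapter.

// Escape a value for use inside a filter assertion (RFC 4515 section 3):
// backslash, asterisk, parentheses and NUL become \XX hex escapes.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (ch) =>
    '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Remove whitespace that sits between assertions and operators, leaving the
// contents of each (attribute=value) assertion untouched.
function normalizeFilter(filter) {
  let out = '';
  let inAssertion = false;
  for (let i = 0; i < filter.length; i++) {
    const ch = filter[i];
    if (inAssertion) {
      out += ch;
      // A literal ')' inside a value must be escaped as \29, so a raw ')'
      // always closes the assertion.
      if (ch === ')') inAssertion = false;
      continue;
    }
    if (/\s/.test(ch)) continue; // structural whitespace: drop it
    out += ch;
    if (ch === '(') {
      // Look past any whitespace: an operator (&, |, !) or another '(' keeps
      // us at the structural level; anything else begins an assertion that
      // is copied verbatim.
      let j = i + 1;
      while (j < filter.length && /\s/.test(filter[j])) j++;
      if (j < filter.length && !'&|!('.includes(filter[j])) {
        inAssertion = true;
        i = j - 1;
      }
    }
  }
  return out;
}

// Build the (|(&(objectClass=...)(cn=...))...) filter for a list of group
// names, the shape used in the examples above. objectClass is a trusted
// constant here; only the group names are treated as untrusted input.
function groupFilter(groupNames, objectClass = 'groupOfNames') {
  const clauses = groupNames.map(
    (name) => `(&(objectClass=${objectClass})(cn=${escapeFilterValue(name)}))`);
  return clauses.length === 1 ? clauses[0] : `(|${clauses.join('')})`;
}

// Constructed input: the non-working filter from the example above.
const BROKEN = '(| (&(objectClass=groupOfNames) (cn=UAT Power Users)) (&(objectClass=groupOfNames)(cn=QuickSight Members)) )';

console.log(normalizeFilter(BROKEN));
console.log(groupFilter(['UAT Power Users', 'Ops (Tier 1)']));
```

normalizeFilter is idempotent, so it can be applied to any operator-supplied filter before it is written into the adapter properties; groupFilter is the safer choice when group names come from another system, because the escaping keeps a name like "Ops (Tier 1)" from being parsed as filter structure.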

Active Directory Configuration

Use the following example for Active Directory configuration.

Sample Active Directory Configuration

{
    "id": "ldap",
    "type": "LDAP",
    "properties": {
        "domain": "example.itential.io",
        "url": "ldaps://example.itential.io:636",
        "bindUsername": "itential",
        "bindPassword": "itential-ldap-password",
        "baseDN": "dc=itential,dc=io",
        "baseGroupDN": "ou=groups,o=support,dc=itential,dc=io",
        "baseUserDN": "ou=people,o=support,dc=itential,dc=io",
        "groupSearchFilter": "(objectCategory=Group)",
        "userSearchFilter": "sAMAccountName",
        "userMembershipAttribute": "memberOf",
        "healthCheckInterval": 5000,
        "timeout": 5000,
        "connectTimeout": 5000,
        "idleTimeout": 5000,
        "timeLimit": 10,
        "reconnect": true,
        "activeDirectory": true,
        "tlsOptions": {
            "secureProtocol": "TLSv1_method",
            "requestCert": true,
            "rejectUnauthorized": true,
            "ca": "/etc/ssl/keys/activedirectory_ca.pem"
        },
        "customGroups" : [
         "Group1",
         "Group2"
        ]
    },
    "brokers": [ "aaa" ]
}

OpenLDAP Configuration

Use the following example for OpenLDAP configuration. The hostname in the URL must match a name in the LDAP server's certificate (a subject alternative name, or the common name for certificates that have none); otherwise certificate validation fails when rejectUnauthorized is true.

Sample OpenLDAP Configuration

{
    "id": "ldap",
    "type": "LDAP",
    "properties": {
        "domain": "uid={0},ou=people,o=support,dc=itential,dc=io",
        "url": "ldaps://example.pronghorn.io:636",
        "bindUsername": "cn=itential,ou=services,o=support,dc=itential,dc=io",
        "bindPassword": "itential-user-password",
        "baseDN": "dc=itential,dc=io",
        "baseGroupDN": "ou=groups,o=support,dc=itential,dc=io",
        "baseUserDN": "ou=people,o=support,dc=itential,dc=io",
        "groupSearchFilter": "(objectClass=groupOfNames)",
        "userSearchFilter": "uid",
        "userMembershipAttribute": "memberOf",
        "healthCheckInterval": 5000,
        "timeout": 5000,
        "connectTimeout": 5000,
        "idleTimeout": 5000,
        "timeLimit": 10,
        "reconnect": true,
        "activeDirectory": false,
        "tlsOptions": {
            "secureProtocol": "TLSv1_method",
            "requestCert": true,
            "rejectUnauthorized": true,
            "ca": "/etc/ssl/keys/openldap_ca.pem"
        }
    },
    "brokers": [ "aaa" ]
}
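Both sample configurations above are sound on the transport side; the following added example (not Itential's code) is a small lint function that checks a "properties" object for the settings on this page that weaken transport or credential security, and shows a weak configuration beside a hardened one. The property names are the adapter's; the check list, the finding messages, the recommendation to avoid TLSv1_method, and the two constructed configurations are this example's own.

```javascript
// Added example, not code from the Itential LDAP adapter: lint the adapter
// "properties" object for weak settings. Messages start with the property
// name they refer to.

// OpenSSL method names that pin a deprecated protocol version.
const WEAK_TLS_METHODS = ['SSLv2_method', 'SSLv3_method', 'TLSv1_method', 'TLSv1_1_method'];

function lintAdapterConfig(props) {
  const findings = [];
  const tls = props.tlsOptions || {};

  if (!/^ldaps:\/\//i.test(props.url || '')) {
    findings.push('url: use ldaps:// (port 636); ldap:// sends the bind password and user passwords in clear text');
  }
  if (tls.rejectUnauthorized !== true) {
    findings.push('tlsOptions.rejectUnauthorized: must be true, otherwise the server certificate is not validated');
  }
  if (!tls.ca) {
    findings.push('tlsOptions.ca: set the CA certificate path unless the server certificate is issued by a public CA');
  }
  if (WEAK_TLS_METHODS.includes(tls.secureProtocol)) {
    findings.push(`tlsOptions.secureProtocol: ${tls.secureProtocol} pins a deprecated protocol version; use TLS_method or TLSv1_2_method`);
  }
  if (!/^\$(ENC|SECRET)/.test(props.bindPassword || '')) {
    findings.push('bindPassword: not prefixed with $ENC or $SECRET, so it is stored in plain text');
  }
  // Whitespace directly between structural characters ( ) & | ! is the
  // "spaces between assertions" problem described above.
  if (/[()&|!]\s+[()]/.test(props.groupSearchFilter || '')) {
    findings.push('groupSearchFilter: whitespace between attribute assertions is not recognized; remove it');
  }
  if (Array.isArray(props.customGroups) && props.customGroups.length > 0 && props.activeDirectory !== true) {
    findings.push('customGroups: only supported with Active Directory (activeDirectory: true)');
  }
  return findings;
}

// Constructed weak configuration: every check above fires on it.
const weakProperties = {
  url: 'ldap://ldap.example.test:389',
  bindUsername: 'cn=itential,ou=services,dc=example,dc=test',
  bindPassword: 'itential-user-password',
  groupSearchFilter: '(| (objectClass=groupOfNames) (objectClass=group))',
  activeDirectory: false,
  customGroups: ['Group1'],
  tlsOptions: { secureProtocol: 'TLSv1_method', rejectUnauthorized: false },
};

// Constructed hardened configuration. The bindPassword value only needs the
// $ENC prefix for this check; the real ciphertext comes from IAP's own tooling.
const hardenedProperties = {
  url: 'ldaps://ldap.example.test:636',
  bindUsername: 'cn=itential,ou=services,dc=example,dc=test',
  bindPassword: '$ENC' + 'placeholder-ciphertext',
  groupSearchFilter: '(&(objectClass=groupOfNames)(cn=iap-*))',
  activeDirectory: false,
  tlsOptions: {
    secureProtocol: 'TLS_method',
    requestCert: true,
    rejectUnauthorized: true,
    ca: '/etc/ssl/keys/openldap_ca.pem',
  },
};

console.log(lintAdapterConfig(weakProperties));
console.log(lintAdapterConfig(hardenedProperties)); // []
```

Run the function against the "properties" object of the adapter document before saving it; an empty result means none of the weak settings listed on this page are present.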

Adding Configurable Search Depth

The LDAP AAA Adapter includes a configurable search scope parameter that controls how deeply the adapter searches the LDAP directory. Choosing the appropriate scope keeps queries precise and avoids loading the LDAP server with more work than necessary: IAP stops traversing the directory tree beyond the entries it actually needs for authentication and authorization, which reduces the load on a customer's LDAP server.

Search Scope Options

The Search Scope defines the extent of the directory tree the LDAP adapter will query during a search operation. There are three options as referenced in the table below.

Option  Level  Description
Base    0      Searches only the entry identified by the base DN.
One     1      Searches only the immediate children of the base DN; entries nested in sub-OUs are not returned.
Sub     2      Searches the base DN and all of its descendants (recursive search).

By default, the LDAP adapter is set to sub.

How to Configure Search Scope

To set the search scope, access the LDAP AAA Adapter Configuration view to update the Search Scope parameter.

  1. Log in to the Itential Platform as administrator.
  2. Navigate to Admin Essentials → Adapters → LDAP AAA Adapter.
  3. From the Configuration tab, locate the searchScope field in the Adapter settings.
  4. Select the appropriate scope from the dropdown menu:
    • Base: For single-entry searches.
    • One: For searching immediate children.
    • Sub: For deep, recursive searches.
  5. Click the Save icon at the top to retain your settings.

Figure 01: LDAP Adapter Search Scope Parameter

Search Scope Best Practices

  • Choose the least expensive scope. Always use the most restrictive search scope that still returns every entry your use case needs.
  • Use base when targeting a single known entry.
  • Use one when the users or groups sit directly under the base DN and the organizational unit holds a manageable number of entries; entries in nested OUs will not be found.
  • Use sub (subtree) sparingly, especially in large directories.
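To make the difference between the three scopes concrete, the following added example (not Itential's code) evaluates base, one and sub against a constructed in-memory set of DNs rooted at the baseUserDN used in the samples above. It also shows the failure mode of one: a user placed in a nested OU is silently excluded. The DN parser, scope table and sample directory are this example's own; it assumes the case-insensitive matching that applies to the usual naming attributes (ou, uid, cn, dc).

```javascript
// Added example, not code from the Itential LDAP adapter: which entries each
// searchScope value returns for a given base DN.

// Split a DN into RDNs on commas that are not escaped with a backslash and
// normalise case and surrounding whitespace (assumes caseIgnore matching,
// which is what ou, uid, cn and dc use).
function parseDn(dn) {
  const rdns = [];
  let current = '';
  for (let i = 0; i < dn.length; i++) {
    const ch = dn[i];
    if (ch === '\\' && i + 1 < dn.length) { current += ch + dn[++i]; continue; }
    if (ch === ',') { rdns.push(current); current = ''; continue; }
    current += ch;
  }
  rdns.push(current);
  return rdns.map((r) => {
    const eq = r.indexOf('=');
    const type = r.slice(0, eq).trim().toLowerCase();
    const value = r.slice(eq + 1).trim().toLowerCase();
    return `${type}=${value}`;
  });
}

// Scope levels as in the table above: base = 0, one = 1, sub = 2.
const SCOPE_LEVEL = { base: 0, one: 1, sub: 2 };

// True if entryDn lies within the scope rooted at baseDn. DNs are written
// leaf-first, so the entry must end with the base DN's RDNs; the number of
// extra leading RDNs is the entry's depth below the base.
function inScope(entryDn, baseDn, scope) {
  const level = SCOPE_LEVEL[scope];
  if (level === undefined) throw new Error(`unknown searchScope: ${scope}`);
  const entry = parseDn(entryDn);
  const base = parseDn(baseDn);
  if (entry.length < base.length) return false;
  const suffix = entry.slice(entry.length - base.length);
  if (suffix.join(',') !== base.join(',')) return false;
  const depth = entry.length - base.length; // 0 is the base entry itself
  return level === SCOPE_LEVEL.sub || depth === level;
}

function searchScope(entries, baseDn, scope) {
  return entries.filter((dn) => inScope(dn, baseDn, scope));
}

// Constructed directory: two users directly under ou=people, one user in a
// nested OU, and a group outside the user subtree.
const DIRECTORY = [
  'ou=people,o=support,dc=itential,dc=io',
  'uid=alice,ou=people,o=support,dc=itential,dc=io',
  'uid=bob,ou=people,o=support,dc=itential,dc=io',
  'ou=contractors,ou=people,o=support,dc=itential,dc=io',
  'uid=carol,ou=contractors,ou=people,o=support,dc=itential,dc=io',
  'cn=admins,ou=groups,o=support,dc=itential,dc=io',
];

const USER_BASE = 'ou=people,o=support,dc=itential,dc=io';
for (const scope of ['base', 'one', 'sub']) {
  console.log(scope, searchScope(DIRECTORY, USER_BASE, scope));
}
```

With scope one, uid=carol is never returned because her entry sits two levels below the base DN; a login for carol would fail even though she is a valid user. That is the trade-off to check before tightening the scope from sub to one on a directory that uses nested OUs.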
