LDAP Adapter
Updated on 10 Dec 2024
The LDAP adapter is used to establish a connection with Active Directory and OpenLDAP servers running LDAP Version 3.
Configuration Properties
For an LDAP-based system it is important to know which groups a user belongs to when working with user information. In systems that implement RBAC in particular, the user's group list is what drives the authorization decision. LDAP supports reverse membership mapping (a per-user attribute listing the groups the user belongs to) when the user and group objects use the appropriate object classes. On OpenLDAP this attribute is memberOf, maintained by the memberOf overlay, and the adapter reads memberOf by default; set the userMembershipAttribute property if your directory stores the reverse mapping under a different attribute name.
Property Name | Type | Default | Description |
---|---|---|---|
domain | String | example.itential.io (Active Directory) or uid={0},ou=people,o=support,dc=itential,dc=io (OpenLDAP) | The name of the LDAP domain. This is not necessarily the same as the DNS name of the server. Use the example.itential.io format with Active Directory and the uid={0},ou=people,o=support,dc=itential,dc=io format with OpenLDAP, where {0} stands for the user name supplied at login. |
url | String | ldaps://localhost:636 | URL of the LDAP server. Use the ldaps scheme for TLS (default port 636). The unencrypted ldap scheme (default port 389) is not recommended: the bind password and every user credential checked during authentication would cross the network in clear text. |
bindUsername | String | itential@domain (Active Directory) or cn=itential,ou=services,o=support,dc=itential,dc=io (OpenLDAP) | The username of the bind account. This administrative account is used to view all groups and users that IAP needs to know about. Use the user@domain form for Active Directory and the cn=user,dc=example,dc=com form for OpenLDAP. Give this account read access only; it does not need to modify the directory. |
bindPassword | String | | If $ENC or $SECRET precedes the password, IAP treats it as an encrypted password. Otherwise the password is stored in plain text in the adapter configuration, so prefer the encrypted form. |
baseDN | String | dc=itential,dc=io | The base DN from which the LDAP adapter searches for users and groups. If both baseUserDN and baseGroupDN are specified, this parameter has no effect. |
baseUserDN | String | ou=people,o=support,dc=itential,dc=io | The base DN from which the LDAP adapter searches for users. If not provided, baseDN is used. This property was introduced in adapter-ldap version 2.11.0. |
baseGroupDN | String | ou=groups,o=support,dc=itential,dc=io | The base DN from which the LDAP adapter searches for groups. If not provided, baseDN is used. This property was introduced in adapter-ldap version 2.11.0. |
groupSearchFilter | String | (objectClass=groupOfNames) | Filter for the group search. For each group returned by this filter, a corresponding group is created in IAP, so the filter should be scoped to return only the groups intended for use in IAP. Failure to do so may result in significant performance issues. This property uses the official LDAP Search Filter Syntax (RFC 4515). Be aware that whitespace between attribute assertions cannot be used; examples are shown below. |
userSearchFilter | String | sAMAccountName (Active Directory) or uid (OpenLDAP) | The attribute that identifies users in the LDAP server; the adapter matches the login name against it. Most Active Directory implementations use sAMAccountName. Use uid for OpenLDAP. |
userMembershipAttribute | String | memberOf | The name of the LDAP attribute on the user object that lists the groups the user is a member of. |
healthCheckInterval | Number | 5000 | Interval at which the LDAP server is pinged to ensure connectivity. Measured in milliseconds. |
timeout | Number | 5000 | Default timeout for authentication attempts. Measured in milliseconds. |
connectTimeout | Number | 5000 | Default connection timeout for authentication attempts. Measured in milliseconds. |
idleTimeout | Number | 5000 | Default idle timeout. Measured in milliseconds. |
timeLimit | Number | 10 | The maximum amount of time (in seconds) the server should take to respond. Defaults to 10 seconds. Set to a higher value to handle nested group searches. Many servers ignore this. |
reconnect | Boolean | true | Whether to attempt a reconnect when the connection is lost. |
activeDirectory | Boolean | false | Sets the type of directory service. If true, Active Directory authentication is used. If false, generic LDAP authentication is used. |
tlsOptions.secureProtocol | String | TLSv1_method | The OpenSSL protocol method to use, given as one of the SSL_METHODS function names as a string. Note that the default TLSv1_method pins the connection to TLS 1.0, which is deprecated (RFC 8996); prefer TLSv1_2_method, or TLS_method to negotiate the highest version both sides support, if the directory server allows it. |
tlsOptions.requestCert | Boolean | true | If true, the peer is asked for a certificate and an attempt is made to verify it. |
tlsOptions.rejectUnauthorized | Boolean | true | If true, any connection whose certificate cannot be verified against the supplied CAs is rejected. Leave this true: setting it to false disables server authentication and exposes the bind password and user credentials to man-in-the-middle interception. |
tlsOptions.ca | String | /etc/ssl/keys/openldap_ca.pem | Path to the CA certificate (PEM format) used to verify the LDAP server certificate. |
customGroups | Array of Strings | [] | A list of predefined groups to search for a user and to list user groups. This property should only be used with Active Directory servers; it is not yet compatible with most OpenLDAP schemas. |
Configure the LDAP adapter as a member of the aaa broker ("brokers": ["aaa"] in the examples below). Only one AAA adapter may be configured at a time.
Spaces Not Recognized in LDAP Search Filters
Whitespaces between attribute assertions are not recognized and cannot be used in LDAP search filters.
This filter example will not work.
(| (&(objectClass=groupOfNames) (cn=UAT Power Users)) (&(objectClass=groupOfNames)(cn=QuickSight Members)) )
This filter example will work.
(|(&(objectClass=groupOfNames)(cn=UAT Power Users))(&(objectClass=groupOfNames)(cn=QuickSight Members)))
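The following Python helpers are an added example, not code from the adapter or from this page; the function names are hypothetical. They normalize a filter by removing only the whitespace between filter components (spaces inside a value such as cn=UAT Power Users must survive), sanity-check that the parentheses balance, and escape a login name per RFC 4515 before it is placed into the per-user lookup filter that userSearchFilter implies. The last point matters because the login name comes from the login form and a value such as *)(objectClass=* would otherwise rewrite the filter.

```python
"""LDAP search-filter helpers (added example; not part of the adapter).

The two filters below are the ones shown on this page; the helper names
are hypothetical and are not adapter APIs.
"""

# RFC 4515 section 3: these characters must be hex-escaped inside a value.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an attribute value so it cannot alter the filter structure."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def strip_filter_whitespace(ldap_filter: str) -> str:
    """Drop whitespace between filter components while keeping it inside values.

    After an '=' (also the '=' of '>=', '<=', '~=' and ':=') every character up
    to the closing ')' belongs to the assertion value and is preserved. A ')'
    cannot occur unescaped inside a value (RFC 4515), so it is a safe terminator.
    """
    out = []
    in_value = False
    for ch in ldap_filter:
        if in_value:
            out.append(ch)
            if ch == ")":
                in_value = False
        elif not ch.isspace():
            out.append(ch)
            if ch == "=":
                in_value = True
    return "".join(out)


def filter_parens_balanced(ldap_filter: str) -> bool:
    """Structural sanity check before a filter is sent to the directory."""
    depth = 0
    in_value = False
    for ch in ldap_filter:
        if in_value:
            if ch == ")":
                in_value = False
                depth -= 1
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "=":
            in_value = True
        if depth < 0:
            return False
    return depth == 0 and not in_value


def user_lookup_filter(user_search_attribute: str, login_name: str) -> str:
    """Build a per-user lookup filter from the userSearchFilter attribute name.

    login_name is attacker-controlled at the login form, so it is escaped.
    """
    return f"({user_search_attribute}={escape_filter_value(login_name)})"


# Constructed sample input: the failing and working filters from this page.
BROKEN = ("(| (&(objectClass=groupOfNames) (cn=UAT Power Users)) "
          "(&(objectClass=groupOfNames)(cn=QuickSight Members)) )")
WORKING = ("(|(&(objectClass=groupOfNames)(cn=UAT Power Users))"
           "(&(objectClass=groupOfNames)(cn=QuickSight Members)))")

if __name__ == "__main__":
    print(strip_filter_whitespace(BROKEN) == WORKING)
    print(user_lookup_filter("sAMAccountName", "alice"))
    # The injection attempt below is neutralised by escaping.
    print(user_lookup_filter("sAMAccountName", "*)(objectClass=*"))
```

strip_filter_whitespace turns the failing filter above into the working one; the value-aware scan is what keeps "UAT Power Users" intact where a naive replace(" ", "") would not. Whether the adapter itself escapes the login name is not stated on this page; the escaping helper shows what a correct client must do.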
Active Directory Configuration
Use the following example for Active Directory configuration.
Sample Active Directory Configuration
{
"id": "ldap",
"type": "LDAP",
"properties": {
"domain": "example.itential.io",
"url": "ldaps://example.itential.io:636",
"bindUsername": "itential",
"bindPassword": "itential-ldap-password",
"baseDN": "dc=itential,dc=io",
"baseGroupDN": "ou=groups,o=support,dc=itential,dc=io",
"baseUserDN": "ou=people,o=support,dc=itential,dc=io",
"groupSearchFilter": "(objectCategory=Group)",
"userSearchFilter": "sAMAccountName",
"userMembershipAttribute": "memberOf",
"healthCheckInterval": 5000,
"timeout": 5000,
"connectTimeout": 5000,
"idleTimeout": 5000,
"timeLimit": 10,
"reconnect": true,
"activeDirectory": true,
"tlsOptions": {
"secureProtocol": "TLSv1_method",
"requestCert": true,
"rejectUnauthorized": true,
"ca": "/etc/ssl/keys/activedirectory_ca.pem"
},
"customGroups" : [
"Group1",
"Group2"
]
},
"brokers": [ "aaa" ]
}
OpenLDAP Configuration
Use the following example for OpenLDAP configuration. The hostname in the URL must match a name in the LDAP server certificate (a subject alternative name, or the common name on older certificates); otherwise certificate verification fails while rejectUnauthorized is true.
Sample OpenLDAP Configuration
{
"id": "ldap",
"type": "LDAP",
"properties": {
"domain": "uid={0},ou=people,o=support,dc=itential,dc=io",
"url": "ldaps://example.pronghorn.io:636",
"bindUsername": "cn=itential,ou=services,o=support,dc=itential,dc=io",
"bindPassword": "itential-user-password",
"baseDN": "dc=itential,dc=io",
"baseGroupDN": "ou=groups,o=support,dc=itential,dc=io",
"baseUserDN": "ou=people,o=support,dc=itential,dc=io",
"groupSearchFilter": "(objectClass=groupOfNames)",
"userSearchFilter": "uid",
"userMembershipAttribute": "memberOf",
"healthCheckInterval": 5000,
"timeout": 5000,
"connectTimeout": 5000,
"idleTimeout": 5000,
"timeLimit": 10,
"reconnect": true,
"activeDirectory": false,
"tlsOptions": {
"secureProtocol": "TLSv1_method",
"requestCert": true,
"rejectUnauthorized": true,
"ca": "/etc/ssl/keys/openldap_ca.pem"
}
},
"brokers": [ "aaa" ]
}
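As an added example (not part of IAP or the adapter; the function names and finding strings are hypothetical), the following Python script lints an adapter configuration for the weak settings the property table warns about: an unencrypted ldap URL, a plain-text bind password, certificate verification switched off, a missing CA certificate, a TLS method pinned to a retired protocol version, an unscoped group filter, and missing registration with the aaa broker. Run against the OpenLDAP sample above it reports the plain-text password and the TLSv1_method default, and reports nothing once those two are corrected.

```python
"""Lint an Itential LDAP adapter configuration for weak settings.

Added example, not part of IAP or the adapter. The checks encode the
recommendations in the property table on this page. The function names
and finding strings are hypothetical.
"""
import copy
from typing import Dict, List
from urllib.parse import urlparse

# OpenSSL method names that pin the connection to a retired protocol version.
DEPRECATED_METHODS = {"SSLv2_method", "SSLv3_method", "TLSv1_method", "TLSv1_1_method"}

# Filters that match every object and would import every group in the directory.
UNSCOPED_GROUP_FILTERS = {"(objectclass=*)", "(objectcategory=*)"}


def lint_ldap_adapter(config: Dict) -> List[str]:
    """Return findings as 'property: problem' strings; empty means nothing weak found."""
    props = config.get("properties", {})
    tls = props.get("tlsOptions", {})
    findings = []

    scheme = urlparse(props.get("url", "")).scheme.lower()
    if scheme != "ldaps":
        findings.append(f"url: scheme is {scheme!r}; use ldaps:// so binds and credentials are encrypted")

    password = props.get("bindPassword", "")
    if not password.startswith(("$ENC", "$SECRET")):
        findings.append("bindPassword: stored in plain text; use the $ENC or $SECRET form")

    if tls.get("rejectUnauthorized", True) is not True:
        findings.append("tlsOptions.rejectUnauthorized: false disables server certificate verification")

    method = tls.get("secureProtocol", "TLSv1_method")  # adapter default per the table
    if method in DEPRECATED_METHODS:
        findings.append(f"tlsOptions.secureProtocol: {method} pins a deprecated TLS version; "
                        "use TLSv1_2_method or TLS_method")

    if scheme == "ldaps" and not tls.get("ca"):
        findings.append("tlsOptions.ca: no CA certificate path configured for ldaps")

    if props.get("groupSearchFilter", "").replace(" ", "").lower() in UNSCOPED_GROUP_FILTERS:
        findings.append("groupSearchFilter: matches every object; restrict it to the groups IAP needs")

    if config.get("brokers") != ["aaa"]:
        findings.append('brokers: adapter is not registered with the "aaa" broker')

    return findings


# Sample input: the OpenLDAP configuration shown on this page, as a dict
# (timeout properties omitted; they do not affect any check).
PAGE_OPENLDAP_CONFIG = {
    "id": "ldap",
    "type": "LDAP",
    "properties": {
        "domain": "uid={0},ou=people,o=support,dc=itential,dc=io",
        "url": "ldaps://example.pronghorn.io:636",
        "bindUsername": "cn=itential,ou=services,o=support,dc=itential,dc=io",
        "bindPassword": "itential-user-password",
        "baseDN": "dc=itential,dc=io",
        "baseGroupDN": "ou=groups,o=support,dc=itential,dc=io",
        "baseUserDN": "ou=people,o=support,dc=itential,dc=io",
        "groupSearchFilter": "(objectClass=groupOfNames)",
        "userSearchFilter": "uid",
        "userMembershipAttribute": "memberOf",
        "activeDirectory": False,
        "tlsOptions": {
            "secureProtocol": "TLSv1_method",
            "requestCert": True,
            "rejectUnauthorized": True,
            "ca": "/etc/ssl/keys/openldap_ca.pem",
        },
    },
    "brokers": ["aaa"],
}


def hardened_copy(config: Dict) -> Dict:
    """Return a copy with the two weak settings in the page sample corrected."""
    fixed = copy.deepcopy(config)
    # Placeholder value: this page only specifies the $ENC / $SECRET prefix.
    fixed["properties"]["bindPassword"] = "$ENC<ciphertext>"
    fixed["properties"]["tlsOptions"]["secureProtocol"] = "TLSv1_2_method"
    return fixed


if __name__ == "__main__":
    for finding in lint_ldap_adapter(PAGE_OPENLDAP_CONFIG):
        print("page sample:", finding)
    print("hardened:", lint_ldap_adapter(hardened_copy(PAGE_OPENLDAP_CONFIG)) or "no findings")
```

The secureProtocol check treats a missing key as the TLSv1_method default from the table, so a configuration that simply omits tlsOptions.secureProtocol is still flagged.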
Adding Configurable Search Depth
The LDAP AAA Adapter includes a configurable Search Scope parameter that controls how deeply the adapter searches within the LDAP directory. Setting the appropriate scope keeps IAP from traversing more of the directory tree than necessary, which reduces the load on the customer's LDAP server while still retrieving the entries needed for authentication and authorization.
Search Scope Options
The Search Scope defines the extent of the directory tree the LDAP adapter will query during a search operation. There are three options as referenced in the table below.
Option | Level | Description |
---|---|---|
Base | 0 | Searches only the specific entry identified by the Base DN. |
One | 1 | Searches only the immediate children of the Base DN. |
Sub | 2 | Searches the Base DN and all its descendants (recursive search). |
By default, the LDAP adapter is set to sub.
How to Configure Search Scope
To set the search scope, open the LDAP AAA Adapter configuration view and update the Search Scope parameter.
- Log in to the Itential Platform as an administrator.
- Navigate to Admin Essentials → Adapters → LDAP AAA Adapter.
- On the Configuration tab, locate the searchScope field in the adapter settings.
- Select the appropriate scope from the dropdown menu:
  - Base: for single-entry searches.
  - One: for searching immediate children.
  - Sub: for deep, recursive searches.
- Click the Save icon at the top to retain your settings.
Figure: LDAP Adapter Search Scope Parameter
Search Scope Best Practices
- Choose the least expensive scope. Always use the most restrictive search scope that still finds the entries you need.
- Use base when targeting a single known entry.
- Use one for organizational units with a manageable number of entries, where the users and groups sit directly under baseUserDN and baseGroupDN.
- Use sub (subtree) sparingly, especially in large directories. It is the default, and it is the only scope that finds entries in organizational units nested below the base DN.
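The following Python model is an added example, not adapter code. It applies the base / one / sub rules from the scope table to a small constructed directory whose DNs follow this page's sample configuration, and it resolves a user's groups through the memberOf attribute described under Configuration Properties. It shows two things the prose does not: how many entries each scope makes the server consider, and why a user in a nested OU is not found under scope one. The group lookup restricts itself to groups under baseGroupDN, mirroring the rule that a group never returned by groupSearchFilter does not exist in IAP; the function names are hypothetical.

```python
"""Search scope and group membership over a constructed in-memory directory.

Added example, not adapter code. DNs follow this page's sample
configuration; the entries, users and groups are constructed.
"""
from typing import Dict, List

Entry = Dict[str, List[str]]
PEOPLE = "ou=people,o=support,dc=itential,dc=io"   # baseUserDN on this page
GROUPS = "ou=groups,o=support,dc=itential,dc=io"   # baseGroupDN on this page

DIRECTORY: Dict[str, Entry] = {
    "dc=itential,dc=io": {"objectClass": ["domain"]},
    "o=support,dc=itential,dc=io": {"objectClass": ["organization"]},
    PEOPLE: {"objectClass": ["organizationalUnit"]},
    f"uid=alice,{PEOPLE}": {"objectClass": ["inetOrgPerson"], "uid": ["alice"],
                            "memberOf": [f"cn=netops,{GROUPS}"]},
    f"uid=bob,{PEOPLE}": {"objectClass": ["inetOrgPerson"], "uid": ["bob"]},
    # A nested OU: its users sit two levels below baseUserDN.
    f"ou=contractors,{PEOPLE}": {"objectClass": ["organizationalUnit"]},
    f"uid=carol,ou=contractors,{PEOPLE}": {
        "objectClass": ["inetOrgPerson"], "uid": ["carol"],
        "memberOf": [f"cn=netops,{GROUPS}", "cn=legacy,ou=old,dc=itential,dc=io"]},
    GROUPS: {"objectClass": ["organizationalUnit"]},
    f"cn=netops,{GROUPS}": {"objectClass": ["groupOfNames"],
                            "member": [f"uid=alice,{PEOPLE}", f"uid=carol,ou=contractors,{PEOPLE}"]},
    # A group outside baseGroupDN: groupSearchFilter never returns it.
    "cn=legacy,ou=old,dc=itential,dc=io": {"objectClass": ["groupOfNames"],
                                           "member": [f"uid=carol,ou=contractors,{PEOPLE}"]},
}


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs, honouring backslash-escaped commas (RFC 4514).

    RDNs are lower-cased for comparison; this is a simplification, since
    strictly only the attribute type is always case-insensitive.
    """
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip().lower())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip().lower())
    return rdns


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """Apply the base / one / sub rules from the scope table."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                      # not under the base at all
    depth = len(entry) - len(base)
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError(f"unknown scope {scope!r}")


def search(directory: Dict[str, Entry], base_dn: str, scope: str,
           attr: str, value: str) -> List[str]:
    """DNs of entries within scope whose attribute holds the value."""
    return sorted(dn for dn, attrs in directory.items()
                  if in_scope(dn, base_dn, scope) and value in attrs.get(attr, []))


def entries_visited(directory: Dict[str, Entry], base_dn: str, scope: str) -> int:
    """Number of entries a scope makes the server consider: the cost the
    best-practice list above is about."""
    return sum(in_scope(dn, base_dn, scope) for dn in directory)


def user_groups(directory: Dict[str, Entry], user_dn: str, membership_attr: str,
                group_base: str, group_scope: str) -> List[str]:
    """Resolve a user's groups from the reverse-membership attribute, keeping
    only groups inside the group search base (the ones IAP knows about)."""
    groups = directory[user_dn].get(membership_attr, [])
    return sorted(g for g in groups if g in directory and in_scope(g, group_base, group_scope))


if __name__ == "__main__":
    for scope in ("base", "one", "sub"):
        print(scope, entries_visited(DIRECTORY, PEOPLE, scope),
              search(DIRECTORY, PEOPLE, scope, "uid", "carol"))
    print(user_groups(DIRECTORY, f"uid=carol,ou=contractors,{PEOPLE}", "memberOf", GROUPS, "one"))
```

With baseUserDN set to ou=people, scope one visits three entries and finds alice but not carol, while sub visits five and finds both; against the directory root, sub visits every entry. Carol's membership in the cn=legacy group outside baseGroupDN is dropped, which is the behaviour to expect when a group lives outside the configured group search base.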