LDAP Installation and Configuration

Itential Automation Gateway (IAG) out-of-box authentication is configured for local authentication. Using local authentication, IAG administrators can configure basic username and password authentication for IAG users. IAG administrators can further associate users with IAG groups and roles, adding a level of authorization to the local authentication process to limit the types of operations users can perform.

For customers who want to make use of their existing user authentication systems, IAG now offers the ability to disable local authentication, and replace it with LDAP user authentication. This supports customer efforts to centralize their identity management system, and puts in place a framework for future support of Multi-Factor Authentication (MFA).

LDAP Authentication

The process for performing LDAP authentication to IAG is depicted in the high-level procedure (Figure 1) below.

Figure 1: LDAP-Based User and Machine Authentication to IAG

To support this approach, make sure the following steps are taken:

1. Add LDAP users who will access IAG to appropriate group memberships in LDAP.

2. If using Itential Automation Platform (IAP) to authenticate to IAG, create an IAP service account/user in LDAP and assign it to an appropriate group.

   Note:

   Itential recommends selecting a group membership for an IAP user that is unique, and the IAP user has no other group memberships or permissions in your environment.

3. Enable basic password-based authentication for those users (both regular and IAP) who will be authenticating to IAG. In this release, IAG does not support authentication factors other than a password.

Configure IAG for LDAP Authentication

Set the LDAP configuration options in the Automation Gateway GUI (Figure 2) under Configuration > LDAP.

Figure 2: LDAP Configuration

After saving the the LDAP configuration, test that the BIND Username and BIND Password work as expected by using the Test Connection button next to the Save butto (Figure 3). Set LDAP to ldap_auth_enabled: True in the properties.yml file, and then restart Automation Gateway.

Figure 3: Test Connection

Configure Authorization Groups and Roles

In this step, configure the authorization characteristics that determine what capabilities logged-in users have. To configure a group in IAG, a name must be provided, and all the roles that will be associated with any user that is part of that group must be assigned. The name that is seleced is important, because of how IAG LDAP authentication maps LDAP users to IAG groups and roles.

Each user coming from an LDAP is typically associated with one or more groups through an LDAP attribute, such as the memberOf attribute. When configuring the IAG LDAP properties, specify which LDAP user attribute holds the user group membership information.

When a user authenticates to IAG, IAG will request the users LDAP attributes, and apply a mapping to map the LDAP group member names to IAG group names.

For example, the following groups are defined in IAG: iag-admin, iag-operator, iag-user. If IAG has been configured to look at the memberOf LDAP attribute for group memberships then users may have the following group memberships:

memberOf: group=iag-operator,cn=example,cn=com 
memberOf: group=iag-user,cn=example,cn=com

Configure IAG to recognize the format of the information provided in the memberOf attribute so that IAG can extract the relevant information. In the example above, IAG will determine that this user belongs to both the iag-operator and iag-user groups. IAG will combine the roles defined for both IAG groups and provide that authorization to the user.

Review the LDAP groups, IAG groups, and the associated IAG group roles to ensure that users are being given only those role permissions that are required to fulfill their responsibilities in IAG.

At least one IAG group must be created that will allow roles to act as the administrator role, otherwise IAG cannot be managed once LDAP authentication has been enabled. There is no special group designated as an administrator group. The group must be configured to ensure the name of the group is mapped uniquely from your LDAP user group memberships.

Configure Direct Bind

By default, the backend of LDAP authentication uses a Search Bind to connect to LDAP, find the user DN, and then authenticate with the correctly found DN and provided password combination. To utilize direct binds to make login times faster the User DN and Base DN must point directly to the LDAP user location.

In addition, the User Login RDN and User Login Attribute must be the same and set to use a direct bind. If you would prefer to login users via their e-mail address, you would not be able to do a direct bind, but could instead set the User Login Attribute to mail.

Direct Bind Configuration Example

Search Bind: Unchecked
User DN: "OU=users"
User Login Attribute: cn
User Login RDN: cn

Restart IAG

Once IAG LDAP authentication has been configured or changed, IAG must be restarted for IAG to switch to the LDAP authentication provider.

When IAG LDAP is enabled, and IAG is restarted, users and IAP can authenticate to IAG using their LDAP credentials. Enabling IAG LDAP disables IAG local authentication.

Disabling IAG LDAP and Enabling Local Authentication

In situations that require a return to using IAG local authentication, such as not being able to authenticate any IAG admins to IAG, log into the host machine where IAG is installed, and edit the IAG properties file to disable LDAP authentication and then restart IAG.

Troubleshooting LDAP Configuration

If you encounter a problem in LDAP configuration:

1. Check the IAG groups and group names.
2. Verify users in LDAP are associated with the correct groups.
3. If IAG is unable to authenticate, make sure IAG has been configured with the correct credentials.
4. Review the IAG logs to determine what, if any, LDAP connectivity or bind errors are returned.