Version: 2.8

Configuring LDAP

You can configure D1 to be accessed by users from an external LDAP system, such as OpenLDAP or Active Directory. The connection is set up via runtime properties during D1 deployment.

LDAP setups can be quite complex: there are many configuration parameters, and directory layouts differ from one installation to the next.

Best practice

We recommend that you deploy D1 without LDAP configuration for an initial evaluation of the configuration parameters.

After you find out the parameters and values needed for LDAP configuration, you can store them in the installation-settings.yaml. When you have the complete configuration of LDAP, you can redeploy D1 to enable external LDAP.

To configure LDAP for Document.One

You configure the connection to an external LDAP user directory by updating the LDAP runtime properties section in the installation-settings.yaml with the connection values of your LDAP directory. See LDAP runtime properties for details about the available properties.

  1. Use a third-party LDAP client to verify if the settings planned to be used are correct.

    info

    To check the configuration details required for connecting to your LDAP system, you can use Apache Directory Studio. Use this directory client to determine the values for the mandatory LDAP properties.

  2. Put the LDAP runtime properties into [PATH_TO_ADX]/conf/tribefire.properties, and then restart the client.

  3. To test if the LDAP configuration works, login as an LDAP user into D1.

  4. Put the corresponding runtime properties into installation-settings.yaml.

    Note

    You must encrypt the value of the LDAP_ADMIN_PASSWORD property and use the encrypted value to set the ADX_AUTH_LDAP_CONN_PASSWORD property in the installation-settings.yaml file.

    For this, you need to use the encrypt.sh script. For more information about how to encrypt passwords, see Encrypting system passwords.

  5. Redeploy D1 with the applied LDAP configuration.

  6. (Optional) Check the updated system properties in the RUNTIME PROPERTIES section available through the Settings menu > About page. For more information about these settings, see Monitoring D1 server settings and status.

LDAP configuration example

The following example shows how you can integrate an external LDAP directory into D1. The corresponding LDIF data and the matching D1 runtime properties are listed below.

LDIF example

The following snippet shows an example of the LDIF (LDAP Data Interchange Format) settings:

dn: cn=microsoft, ou=schema
cn: microsoft
objectclass: metaSchema
objectclass: top

dn: ou=attributetypes, cn=microsoft, ou=schema
ou: attributetypes
objectclass: organizationalUnit
objectclass: top

dn: m-oid=1.2.840.113556.1.4.221, ou=attributetypes, cn=microsoft, ou=schema
m-syntax: 1.3.6.1.4.1.1466.115.121.1.15
m-name: sAMAccountName
m-oid: 1.2.840.113556.1.4.221
objectclass: metaAttributeType
objectclass: metaTop
objectclass: top
m-equality: caseIgnoreMatch
m-singlevalue: TRUE

dn: m-oid=1.2.840.113556.1.4.222, ou=attributetypes, cn=microsoft, ou=schema
m-syntax: 1.3.6.1.4.1.1466.115.121.1.15
m-name: memberOf
m-oid: 1.2.840.113556.1.4.222
objectclass: metaAttributeType
objectclass: metaTop
objectclass: top
m-equality: caseIgnoreMatch
m-singlevalue: FALSE

dn: m-oid=1.2.840.113556.1.4.223, ou=attributetypes, cn=microsoft, ou=schema
m-syntax: 1.3.6.1.4.1.1466.115.121.1.15
m-name: objectCategory
m-oid: 1.2.840.113556.1.4.223
objectclass: metaAttributeType
objectclass: metaTop
objectclass: top
m-equality: caseIgnoreMatch
m-singlevalue: TRUE

dn: ou=objectclasses, cn=microsoft, ou=schema
ou: objectClasses
objectclass: organizationalUnit
objectclass: top

dn: m-oid=1.2.840.113556.1.5.6, ou=objectclasses, cn=microsoft, ou=schema
m-may: memberOf
m-must: sAMAccountName
m-must: objectCategory
m-name: simulatedMicrosoftSecurityPrincipal
m-supobjectclass: top
m-typeobjectclass: AUXILIARY
m-oid: 1.2.840.113556.1.5.6
objectclass: metaObjectClass
objectclass: metaTop
objectclass: top

# Creating new partition for dn: dc=document,dc=one

dn: dc=document,dc=one
objectclass: top
objectclass: domain
dc: document

dn: ou=users,dc=document,dc=one
ou: users
objectclass: organizationalUnit
objectclass: top

dn: ou=roles,dc=document,dc=one
ou: roles
objectclass: top
objectclass: organizationalUnit

dn: cn=tf-admin,ou=roles,dc=document,dc=one
member: uid=ldap_cortex,ou=users,dc=document,dc=one
cn: tf-admin
objectclass: groupOfNames
objectclass: top

dn: cn=ldap_role,ou=roles,dc=document,dc=one
member: uid=ldap_user_role,ou=users,dc=document,dc=one
cn: ldap_role
objectclass: groupOfNames
objectclass: top

dn: uid=ldap_cortex,ou=users,dc=document,dc=one
uid: ldap_cortex
mail: ldap-cortex.dev@document.one
objectcategory: User
cn: LDAP cortex User
sn: ldap_cortex
memberof: cn=tf-admin,ou=roles,dc=document,dc=one
objectclass: top
objectclass: person
objectclass: inetOrgPerson
objectclass: simulatedMicrosoftSecurityPrincipal
objectclass: organizationalPerson
samaccountname: ldap_cortex
userpassword: cortex

dn: uid=ldap_user_role,ou=users,dc=document,dc=one
uid: ldap_user_role
mail: ldap-user-role.dev@document.one
objectcategory: User
cn: LDAP User in role
sn: ldap_user_role
memberof: cn=ldap_role,ou=roles,dc=document,dc=one
objectclass: top
objectclass: person
objectclass: inetOrgPerson
objectclass: simulatedMicrosoftSecurityPrincipal
objectclass: organizationalPerson
samaccountname: ldap_user_role
userpassword: cortex

dn: uid=ldap_user,ou=users,dc=document,dc=one
uid: ldap_user
mail: ldap-user.dev@document.one
objectcategory: User
cn: LDAP User
sn: ldap_user
objectclass: top
objectclass: person
objectclass: inetOrgPerson
objectclass: simulatedMicrosoftSecurityPrincipal
objectclass: organizationalPerson
samaccountname: ldap_user
userpassword: cortex

LDAP runtime properties configuration example

The following snippet shows an example of the LDAP runtime properties specified in the installation-settings.yaml file:

ADX_AUTH_MODE=ldap

ADX_AUTH_LDAP_HOST=127.0.0.1
ADX_AUTH_LDAP_PORT=10389
ADX_AUTH_LDAP_CONN_USERNAME=uid=admin,ou=system
ADX_AUTH_LDAP_CONN_PASSWORD=${decrypt('q4l8iNb0YvyaSs9OhqIE0Np9kowFKtYBQPAedn3gR/sr5uSmdWiXJRbsSQQhS0be/kDTaw==')}

ADX_AUTH_LDAP_BASE_GROUPS=ou=roles,dc=document,dc=one
ADX_AUTH_LDAP_BASE_USERS=ou=users,dc=document,dc=one

ADX_AUTH_LDAP_GROUP_ID=distinguishedName
ADX_AUTH_LDAP_GROUP_MEMBER=member
ADX_AUTH_LDAP_GROUP_NAME=cn
ADX_AUTH_LDAP_GROUPS_ARE_ROLES=true
ADX_AUTH_LDAP_MEMBER_ATTRIBUTE=memberOf
ADX_AUTH_LDAP_GROUP_OBJECT_CLASSES=groupOfNames

ADX_AUTH_LDAP_ROLE_ID=distinguishedName
ADX_AUTH_LDAP_ROLE_NAME=cn

ADX_AUTH_LDAP_USER_ID=distinguishedName
ADX_AUTH_LDAP_USER_FIRSTNAME=givenName
ADX_AUTH_LDAP_USER_LASTNAME=sn
ADX_AUTH_LDAP_USER_NAME=sAMAccountName
ADX_AUTH_LDAP_USER_DESCRIPTION=displayName
ADX_AUTH_LDAP_USER_MAIL=mail
ADX_AUTH_LDAP_USER_FILTER=(sAMAccountName=%s)
ADX_AUTH_LDAP_USER_LASTLOGON=lastLogon
ADX_AUTH_LDAP_USER_MEMBER_OF=memberOf
ADX_AUTH_LDAP_USER_OBJECT_CLASSES=inetOrgPerson

ADX_AUTH_LDAP_SEARCH_PAGESIZE=20

ADX_AUTH_LDAP_REFERRAL_FOLLOW=false
ADX_AUTH_LDAP_CONNECT_TIMEOUT=30000
ADX_AUTH_LDAP_DNS_TIMEOUT_INITIAL=10000
ADX_AUTH_LDAP_DNS_TIMEOUT_RETRIES=3

ADX_AUTH_LDAP_BASE=ou=schema,dc=document
ADX_AUTH_LDAP_USE_EMPTY_ASPECTS=false
ADX_AUTH_LDAP_USE_TLS=false
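To see how the runtime properties above map onto the LDIF data, and to check the values you collected in step 1 before putting them into installation-settings.yaml, the following added example (not D1 code, and not part of the original page) loads the user and role entries from the LDIF example into an in-memory directory and resolves a login name to its roles the way the properties describe: the login is substituted into ADX_AUTH_LDAP_USER_FILTER, the user is searched under ADX_AUTH_LDAP_BASE_USERS, and roles are the ADX_AUTH_LDAP_ROLE_NAME values of groups under ADX_AUTH_LDAP_BASE_GROUPS whose ADX_AUTH_LDAP_GROUP_MEMBER attribute lists the user. The property names are the real D1 ones; the resolution and filter-escaping logic is an assumed, simplified reconstruction, not D1's own implementation. It also shows why the `%s` in the user filter must be escaped per RFC 4515: an unescaped login containing `*` or `)` would change the meaning of the search filter.

```python
"""Offline walk-through of the D1 LDAP property mapping (added example, not D1 code)."""
import re

# Constructed sample: the role and user entries from the LDIF example on this page.
SAMPLE_LDIF = """\
dn: cn=tf-admin,ou=roles,dc=document,dc=one
member: uid=ldap_cortex,ou=users,dc=document,dc=one
cn: tf-admin
objectclass: groupOfNames

dn: cn=ldap_role,ou=roles,dc=document,dc=one
member: uid=ldap_user_role,ou=users,dc=document,dc=one
cn: ldap_role
objectclass: groupOfNames

dn: uid=ldap_cortex,ou=users,dc=document,dc=one
memberof: cn=tf-admin,ou=roles,dc=document,dc=one
objectclass: inetOrgPerson
samaccountname: ldap_cortex

dn: uid=ldap_user_role,ou=users,dc=document,dc=one
memberof: cn=ldap_role,ou=roles,dc=document,dc=one
objectclass: inetOrgPerson
samaccountname: ldap_user_role

dn: uid=ldap_user,ou=users,dc=document,dc=one
objectclass: inetOrgPerson
samaccountname: ldap_user
"""

# The relevant properties, copied from the runtime properties example above.
PROPS = {
    "ADX_AUTH_LDAP_BASE_USERS": "ou=users,dc=document,dc=one",
    "ADX_AUTH_LDAP_BASE_GROUPS": "ou=roles,dc=document,dc=one",
    "ADX_AUTH_LDAP_USER_FILTER": "(sAMAccountName=%s)",
    "ADX_AUTH_LDAP_USER_OBJECT_CLASSES": "inetOrgPerson",
    "ADX_AUTH_LDAP_GROUP_OBJECT_CLASSES": "groupOfNames",
    "ADX_AUTH_LDAP_GROUP_MEMBER": "member",
    "ADX_AUTH_LDAP_USER_MEMBER_OF": "memberOf",
    "ADX_AUTH_LDAP_ROLE_NAME": "cn",
}


def parse_ldif(text):
    """Minimal LDIF reader: one dict of lower-cased attribute -> values per entry, keyed by dn."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter (assumed helper)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_user_filter(login):
    """Substitute the login into ADX_AUTH_LDAP_USER_FILTER with escaping applied."""
    return PROPS["ADX_AUTH_LDAP_USER_FILTER"].replace("%s", escape_filter_value(login))


def match_simple_filter(entry, flt):
    """Evaluate an (attr=value) filter literally; caseIgnoreMatch semantics, no wildcards."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt)
    if not m:
        raise ValueError("unsupported filter: " + flt)
    attr = m.group(1).lower()
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), m.group(2))
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def has_object_class(entry, ocls):
    return ocls.lower() in [v.lower() for v in entry.get("objectclass", [])]


def find_user(directory, login):
    """Search BASE_USERS for exactly one entry matching the user filter; refuse if not unique."""
    flt = build_user_filter(login)
    base = "," + PROPS["ADX_AUTH_LDAP_BASE_USERS"].lower()
    hits = [dn for dn, e in directory.items()
            if dn.lower().endswith(base)
            and has_object_class(e, PROPS["ADX_AUTH_LDAP_USER_OBJECT_CLASSES"])
            and match_simple_filter(e, flt)]
    return hits[0] if len(hits) == 1 else None


def resolve_login(login, ldif_text=SAMPLE_LDIF):
    """Return the user's dn and roles, plus whether its memberOf backlinks agree with the groups."""
    directory = parse_ldif(ldif_text)
    user_dn = find_user(directory, login)
    if user_dn is None:
        return None
    base = "," + PROPS["ADX_AUTH_LDAP_BASE_GROUPS"].lower()
    member_attr = PROPS["ADX_AUTH_LDAP_GROUP_MEMBER"].lower()
    roles, group_dns = set(), set()
    for dn, e in directory.items():
        if not dn.lower().endswith(base) or not has_object_class(e, PROPS["ADX_AUTH_LDAP_GROUP_OBJECT_CLASSES"]):
            continue
        if user_dn.lower() in [v.lower() for v in e.get(member_attr, [])]:
            roles.update(e.get(PROPS["ADX_AUTH_LDAP_ROLE_NAME"].lower(), []))
            group_dns.add(dn.lower())
    # The group's member list is authoritative; memberOf on the user is only a consistency check.
    member_of = {v.lower() for v in directory[user_dn].get(PROPS["ADX_AUTH_LDAP_USER_MEMBER_OF"].lower(), [])}
    return {"dn": user_dn, "roles": sorted(roles), "memberof_consistent": member_of == group_dns}


if __name__ == "__main__":
    for login in ("ldap_cortex", "ldap_user_role", "ldap_user", "*", "ldap_user)(uid=*"):
        print(login, "->", resolve_login(login))
```

Running the block shows ldap_cortex resolving to the tf-admin role, ldap_user resolving with no roles, and the two malformed logins resolving to nothing because the escaped filter matches no entry. The memberof_consistent flag flags an LDIF where a group's member attribute and the user's memberOf attribute disagree, which is easy to get wrong in a hand-maintained directory like the example above.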