Version: 2.8

LDAP Configuration

ADx can be linked to an LDAP system (e.g. OpenLDAP or Active Directory) to give it access to the users, groups and roles configured there. The link is set up via runtime properties at deployment time (for setting up the LDAP integration initially, check this section).

Evaluating LDAP settings

LDAP setups can be quite complex: there are many configuration parameters, and directory layouts differ. It is therefore recommended to deploy ADx without LDAP configuration for an initial evaluation of the configuration parameters. Once the correct parameters have been found, they can be stored in installation-settings.yaml so that they are available for every deployment.

Steps to be done:

  1. Optionally: use a third-party LDAP client to verify that the settings you plan to use are correct

For checking the configuration (e.g. user/password for login, ...), a client such as Apache Directory Studio can be used to connect to the LDAP system. In particular, the values of the mandatory properties (as described in Runtime Properties) need to be determined there.

  2. Deploy ADx without LDAP configuration

See Installing ADx core for deploying ADx.

  3. Put the LDAP runtime properties into [PATH_TO_ADX]/conf/tribefire.properties

The LDAP settings need to be put into [PATH_TO_ADX]/conf/tribefire.properties. The changes are applied after a restart. For the available LDAP configuration options see Runtime Properties.

  4. Test the LDAP setup by logging in with LDAP users

To test whether the LDAP configuration works, log in to ADx as an LDAP user.

  5. Put the resulting runtime properties into installation-settings.yaml and redeploy.

After the correct LDAP configuration has been found, its runtime properties need to be put into installation-settings.yaml so that they are available for upcoming deployments.

Comments on passwords

Encrypt the password by running ./encrypt.sh -v [LDAP_ADMIN_PASSWORD] (the .bat variant on Windows). The encrypted value can then be used for ADX_AUTH_LDAP_CONN_PASSWORD.

In [PATH_TO_ADX]/conf/tribefire.properties the encrypted password is referenced as ${decrypt('insert_key_here')}, e.g. ADX_AUTH_LDAP_CONN_PASSWORD=${decrypt('q4l8iNb0YvyaSs9OhqIE0Np9kowFKtYBQPAedn3gR/sr5uSmdWiXJRbsSQQhS0be/kDTaw==')}

Checking actual loaded LDAP configuration

To check the values actually used by a running ADx instance, the About page can be used: in its RUNTIME PROPERTIES section the corresponding values can be seen.

LDAP configuration example

The following example shows how to link ADx to an LDAP directory. The corresponding LDIF and ADx runtime properties are given below.

Example LDIF

dn: cn=microsoft, ou=schema
cn: microsoft
objectclass: metaSchema
objectclass: top

dn: ou=attributetypes, cn=microsoft, ou=schema
ou: attributetypes
objectclass: organizationalUnit
objectclass: top

dn: m-oid=1.2.840.113556.1.4.221, ou=attributetypes, cn=microsoft, ou=schema
m-syntax: 1.3.6.1.4.1.1466.115.121.1.15
m-name: sAMAccountName
m-oid: 1.2.840.113556.1.4.221
objectclass: metaAttributeType
objectclass: metaTop
objectclass: top
m-equality: caseIgnoreMatch
m-singlevalue: TRUE

dn: m-oid=1.2.840.113556.1.4.222, ou=attributetypes, cn=microsoft, ou=schema
m-syntax: 1.3.6.1.4.1.1466.115.121.1.15
m-name: memberOf
m-oid: 1.2.840.113556.1.4.222
objectclass: metaAttributeType
objectclass: metaTop
objectclass: top
m-equality: caseIgnoreMatch
m-singlevalue: FALSE

dn: m-oid=1.2.840.113556.1.4.223, ou=attributetypes, cn=microsoft, ou=schema
m-syntax: 1.3.6.1.4.1.1466.115.121.1.15
m-name: objectCategory
m-oid: 1.2.840.113556.1.4.223
objectclass: metaAttributeType
objectclass: metaTop
objectclass: top
m-equality: caseIgnoreMatch
m-singlevalue: TRUE

dn: ou=objectclasses, cn=microsoft, ou=schema
ou: objectClasses
objectclass: organizationalUnit
objectclass: top

dn: m-oid=1.2.840.113556.1.5.6, ou=objectclasses, cn=microsoft, ou=schema
m-may: memberOf
m-must: sAMAccountName
m-must: objectCategory
m-name: simulatedMicrosoftSecurityPrincipal
m-supobjectclass: top
m-typeobjectclass: AUXILIARY
m-oid: 1.2.840.113556.1.5.6
objectclass: metaObjectClass
objectclass: metaTop
objectclass: top

Creating new partition for DN=dc=document,dc=one

dn: dc=document,dc=one
objectclass: top
objectclass: domain
dc: document

dn: ou=users,dc=document,dc=one
ou: users
objectclass: organizationalUnit
objectclass: top

dn: ou=roles,dc=document,dc=one
ou: roles
objectclass: top
objectclass: organizationalUnit

dn: cn=tf-admin,ou=roles,dc=document,dc=one
member: uid=ldap_cortex,ou=users,dc=document,dc=one
cn: tf-admin
objectclass: groupOfNames
objectclass: top

dn: cn=ldap_role,ou=roles,dc=document,dc=one
member: uid=ldap_user_role,ou=users,dc=document,dc=one
cn: ldap_role
objectclass: groupOfNames
objectclass: top

dn: uid=ldap_cortex,ou=users,dc=document,dc=one
uid: ldap_cortex
mail: ldap-cortex.dev@document.one
objectcategory: User
cn: LDAP cortex User
sn: ldap_cortex
memberof: cn=tf-admin,ou=roles,dc=document,dc=one
objectclass: top
objectclass: person
objectclass: inetOrgPerson
objectclass: simulatedMicrosoftSecurityPrincipal
objectclass: organizationalPerson
samaccountname: ldap_cortex
userpassword: cortex

dn: uid=ldap_user_role,ou=users,dc=document,dc=one
uid: ldap_user_role
mail: ldap-user-role.dev@document.one
objectcategory: User
cn: LDAP User in role
sn: ldap_user_role
memberof: cn=ldap_role,ou=roles,dc=document,dc=one
objectclass: top
objectclass: person
objectclass: inetOrgPerson
objectclass: simulatedMicrosoftSecurityPrincipal
objectclass: organizationalPerson
samaccountname: ldap_user_role
userpassword: cortex

dn: uid=ldap_user,ou=users,dc=document,dc=one
uid: ldap_user
mail: ldap-user.dev@document.one
objectcategory: User
cn: LDAP User
sn: ldap_user
objectclass: top
objectclass: person
objectclass: inetOrgPerson
objectclass: simulatedMicrosoftSecurityPrincipal
objectclass: organizationalPerson
samaccountname: ldap_user
userpassword: cortex

Example ADx LDAP configuration

ADX_AUTH_MODE=ldap

ADX_AUTH_LDAP_HOST=127.0.0.1
ADX_AUTH_LDAP_PORT=10389
ADX_AUTH_LDAP_CONN_USERNAME=uid=admin,ou=system
ADX_AUTH_LDAP_CONN_PASSWORD=${decrypt('q4l8iNb0YvyaSs9OhqIE0Np9kowFKtYBQPAedn3gR/sr5uSmdWiXJRbsSQQhS0be/kDTaw==')}

ADX_AUTH_LDAP_BASE_GROUPS=ou=roles,dc=document,dc=one
ADX_AUTH_LDAP_BASE_USERS=ou=users,dc=document,dc=one

ADX_AUTH_LDAP_GROUP_ID=distinguishedName
ADX_AUTH_LDAP_GROUP_MEMBER=member
ADX_AUTH_LDAP_GROUP_NAME=cn
ADX_AUTH_LDAP_GROUPS_ARE_ROLES=true
ADX_AUTH_LDAP_MEMBER_ATTRIBUTE=memberOf
ADX_AUTH_LDAP_GROUP_OBJECT_CLASSES=groupOfNames

ADX_AUTH_LDAP_ROLE_ID=distinguishedName
ADX_AUTH_LDAP_ROLE_NAME=cn

ADX_AUTH_LDAP_USER_ID=distinguishedName
ADX_AUTH_LDAP_USER_FIRSTNAME=givenName
ADX_AUTH_LDAP_USER_LASTNAME=sn
ADX_AUTH_LDAP_USER_NAME=sAMAccountName
ADX_AUTH_LDAP_USER_DESCRIPTION=displayName
ADX_AUTH_LDAP_USER_MAIL=mail
ADX_AUTH_LDAP_USER_FILTER=(sAMAccountName=%s)
ADX_AUTH_LDAP_USER_LASTLOGON=lastLogon
ADX_AUTH_LDAP_USER_MEMBER_OF=memberOf
ADX_AUTH_LDAP_USER_OBJECT_CLASSES=inetOrgPerson

ADX_AUTH_LDAP_SEARCH_PAGESIZE=20

ADX_AUTH_LDAP_REFERRAL_FOLLOW=false
ADX_AUTH_LDAP_CONNECT_TIMEOUT=30000
ADX_AUTH_LDAP_DNS_TIMEOUT_INITIAL=10000
ADX_AUTH_LDAP_DNS_TIMEOUT_RETRIES=3

ADX_AUTH_LDAP_BASE=ou=schema,dc=document
ADX_AUTH_LDAP_USE_EMPTY_ASPECTS=false
ADX_AUTH_LDAP_USE_TLS=false
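As an added example (not ADx code and not part of this page's original content), the following Python script resolves a login offline against a constructed excerpt of the LDIF above, using the runtime properties as the attribute mapping: it finds the user under ADX_AUTH_LDAP_BASE_USERS via ADX_AUTH_LDAP_USER_FILTER (with the substituted login escaped per RFC 4515 so that it cannot alter the filter), then derives role names from the user's memberOf values, accepting only groups under ADX_AUTH_LDAP_BASE_GROUPS that list the user back in member. How ADx itself performs the lookup is not documented here; the script is a way to sanity-check the mapping before deploying it.

```python
# Constructed excerpt of the page's example LDIF: one group under ou=roles, one user under ou=users.
LDIF = """\
dn: cn=tf-admin,ou=roles,dc=document,dc=one
member: uid=ldap_cortex,ou=users,dc=document,dc=one
cn: tf-admin
objectclass: groupOfNames

dn: uid=ldap_cortex,ou=users,dc=document,dc=one
memberof: cn=tf-admin,ou=roles,dc=document,dc=one
objectclass: inetOrgPerson
samaccountname: ldap_cortex
"""
PROPS = {"ADX_AUTH_LDAP_BASE_USERS": "ou=users,dc=document,dc=one",  # the page's properties used below
         "ADX_AUTH_LDAP_BASE_GROUPS": "ou=roles,dc=document,dc=one",
         "ADX_AUTH_LDAP_USER_FILTER": "(sAMAccountName=%s)",
         "ADX_AUTH_LDAP_USER_MEMBER_OF": "memberOf",
         "ADX_AUTH_LDAP_GROUP_MEMBER": "member", "ADX_AUTH_LDAP_GROUP_NAME": "cn"}

def parse_ldif(text):
    """Plain LDIF (no base64, no folding) -> {dn.lower(): {attr.lower(): [values]}}."""
    entries, cur = {}, None
    for line in text.splitlines():
        key, sep, val = (x.strip() for x in line.partition(":"))
        if not sep:
            cur = None  # a blank line ends the current entry
        elif key.lower() == "dn":
            cur = entries.setdefault(val.lower(), {})
        elif cur is not None:
            cur.setdefault(key.lower(), []).append(val)
    return entries

def build_user_filter(props, login):
    """Substitute %s with the login, escaped per RFC 4515 so it stays a single value."""
    esc = "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in login)
    return props["ADX_AUTH_LDAP_USER_FILTER"].replace("%s", esc)

def resolve_roles(entries, props, login):
    """Role names for a login, or None unless exactly one user under BASE_USERS matches."""
    attr = props["ADX_AUTH_LDAP_USER_FILTER"].split("=")[0].lstrip("(")  # e.g. sAMAccountName
    has = lambda e, k, v: v.lower() in [x.lower() for x in e.get(k.lower(), [])]
    hits = [dn for dn, e in entries.items()
            if dn.endswith(props["ADX_AUTH_LDAP_BASE_USERS"].lower()) and has(e, attr, login)]
    if len(hits) != 1: return None
    roles = []
    for gdn in entries[hits[0]].get(props["ADX_AUTH_LDAP_USER_MEMBER_OF"].lower(), []):
        g = entries.get(gdn.lower(), {})  # count only groups under BASE_GROUPS that list the user back
        if gdn.lower().endswith(props["ADX_AUTH_LDAP_BASE_GROUPS"].lower()) \
                and has(g, props["ADX_AUTH_LDAP_GROUP_MEMBER"], hits[0]):
            roles += g.get(props["ADX_AUTH_LDAP_GROUP_NAME"].lower(), [])
    return sorted(roles)
```

Replace LDIF with an export of your own directory and PROPS with your planned tribefire.properties values; a login that yields None or an empty role list points at a mismatch between the filter, base DNs or membership attributes and the directory.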