LDAP Configuration

Modified on Wed, 26 Jul, 2023 at 10:36 AM

Introduction


IAM offers a built-in option for connecting with User federation providers, such as LDAP and Active Directory.


In this article, we cover how to connect with an LDAP server through IAM Admin Panel.


How-To

Replicated Panel


Being logged in in the Replicated admin panel, navigate to Identity & Access Management Configuration, in the section named Login Mode for IAM.



Here, select LDAP, save the config, and re-deploy the application.


IAM Admin Panel


After having re-deployed the application, navigate to the IAM admin panel and log in with the administrator user.

Having the labforward realm selected, click on the menu “User federation”, then “Add new provider”, and then “LDAP”.


The fields not mentioned in this documentation should be kept with their default or empty values.

 

General Options

The field UI Display name isn’t displayed on the log-in screen; it is the identifier for the LDAP configuration.


In the field Vendor, select “Other”.


Connection and authentication settings

Add the Connection URL of your LDAP server, and set Connection pooling as active:



Press the Test connection button to ensure the connection URL is correct.


Bind type - simple


Bind DN - DN of LDAP admin, which will be used by Keycloak to access the LDAP server. 


Bind Credential - Password of LDAP server.


Press the Test authentication button to ensure the credentials are correct.


LDAP searching and updating

Edit mode - UNSYNCED (we don’t import data back to the LDAP server).


Users DN - Full DN of LDAP tree where your users are. This DN is the parent of LDAP users.


Username LDAP attribute - mail


UUID LDAP attribute - mail


User object classes - inetOrgPerson, organizationalPerson


User LDAP Filter - Additional LDAP filter for filtering searched users. Leave this empty if you don’t need an additional filter. Make sure that it starts with ( and ends with ) (default empty).


Search scope - Subtree


Pagination Enabled -  true


Synchronization settings


Import users - true

Sync Registrations - false

Batch size - 1000

Periodic full sync  - false

Periodic changed users sync - false


Kerberos integration

Keep default options.


Cache settings

Keep default options.


Advanced settings

Enable the LDAPv3 password modify extended operation - false

Validate password policy - false

Trust emailtrue

Having this basic configuration finished, press the Save button.

Mappers

After saving the LDAP configuration, the tab Mappers is now visible on top of the page

In case there are no standard mappers created, the following should be added:


Creation Date


Name

creation date

Mapper type

user-attribute-ldap-mapper

User Model Attribute

createTimestamp

LDAP Attribute

createTimestamp

Read Only

true

Always Read Value From LDAP

false

Is Mandatory In LDAP

false

Attribute default value

(empty)

Force a default value

false

Is Binary Attribute

false


Email

Name

email

Mapper type

If your LDAP server allows multiple emails for users:

multivalue-attribute-ldap-mapper

In case every user contains only one email:

user-attribute-ldap-mapper

User Model Multi Attribute

potentialEmailList

User Model Property

email

LDAP Attribute

mail


First name

Name

first name

Mapper type

user-attribute-ldap-mapper

User Model Attribute

firstName

LDAP Attribute

givenName

Read Only

true

Always Read Value From LDAP

false

Is Mandatory In LDAP

true

Attribute default value

(empty)

Force a default value

false

Is Binary Attribute

false


Last name

Name

last name

Mapper type

user-attribute-ldap-mapper

User Model Attribute

lastName

LDAP Attribute

sn

Read Only

true

Always Read Value From LDAP

false

Is Mandatory In LDAP

true

Attribute default value

(empty)

Force a default value

false

Is Binary Attribute

false


Modify date

Name

modify date

Mapper type

user-attribute-ldap-mapper

User Model Attribute

modifyTimestamp

LDAP Attribute

modifyTimestamp

Read Only

true

Always Read Value From LDAP

false

Is Mandatory In LDAP

false

Attribute default value

(empty)

Force a default value

false

Is Binary Attribute

false

Username

Name

username

Mapper type

user-attribute-ldap-mapper

User Model Attribute

username

LDAP Attribute

mail depends on what field the LDAP server to identify user’s email, mail is the default one.

Read Only

true

Always Read Value From LDAP

false

Is Mandatory In LDAP

true

Attribute default value

(empty)

Force a default value

false

Is Binary Attribute

false


Testing

After finishing the configuration, save it and navigate to the login screen.


Now IAM should be able to connect to the LDAP server and import the users.


Migrating from a configured Labfolder instance

In case there is already an existing Labfolder configuration with an LDAP server, the file server.cnf  should already be fulfilled in the following fields:

1 # LDAP Authentication
2 #FEATURE_LDAP_AUTHENTICATION=
3 #LDAP_URL=
4 #LDAP_BASE=
5 #LDAP_SEARCH_USER_DN=
6 #LDAP_SEARCH_USER_PASSWORD=
7 #LDAP_ANONYMOUS_READ_ONLY=
8 #LDAP_USER_DN_PATTERNS=
9 #LDAP_IS_TLS_ENABLED=
10 #LDAP_IS_ATTRIBUTE_SEARCH_ENABLED=
11 #LDAP_ATTRIBUTE_SEARCH_NAME=
12 #LDAP_ATTRIBUTE_SEARCH_EXTRA_FILTERS=

With the new installation, some fields translate to the Replicated Admin Panel as follows:

Existing LF configs

Replicated configs

FEATURE_LDAP_AUTHENTICATION

Login Mode = LDAP

LDAP_URL

Connection URL

LDAP_BASE

Users DN 

LDAP_SEARCH_USER_DN

Bind DN

LDAP_SEARCH_USER_PASSWORD

Bind Credentials

LDAP_ATTRIBUTE_SEARCH_NAME

UUID LDAP attribute

LDAP_IS_TLS_ENABLED

Enable StartTLS

LDAP_ATTRIBUTE_SEARCH_EXTRA_FILTERS

User LDAP filter

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article