2.6.2 LDAP Authentication
Hello. In this video you will learn how to configure LDAP authentication in ACDI.
By default, after installation, you can log into ACDI using the local accounts you’ve defined during installation. Information about a user can be found in the User Profile in the top right corner.
To configure LDAP authentication, go to Administration, then “Core Engine,” and in “LDAP Connections,” select the LDAP connection you will use for authentication and enable authentication for it using the switch.
The next step is to go to “LDAP authentication settings.”
On this page, you must define all attributes and scopes for the authentication operation. First of all, the search scope for the users you will use to authenticate.
Then the base containers where users will be searched. Multiple entries mean users will be searched in either of them: the user’s ACDI container or the user’s data container.
The search scope is set to subcontainer. To define user roles and permissions you need to use the default group membership option.
Any other linkage attribute between the user and the object that will have entitlements can be defined. In this case, you will use groupMembership.
“Rights mapping attribute”: by default, in eDirectory, the only writable attribute for groups is “description”, so “description” is set as the default. You can always create an auxiliary class, add a custom attribute to the group object, and set the entitlements for ACDI inside your custom attribute.
“Filter group names with regular expressions”: this defines which groups you will need to search to define entitlements.
Here you also see the “Additional LDAP filter”. It can help you if you would like to use a custom attribute for role assignments. The “Authentication timeout” is set in seconds.
These are the attributes that will be used to search users: the default settings are “cn” and “mail.”
Additional information will be received from LDAP and saved in the session.
When you modify this page, you need to save the settings and then create a new user or use a new one.
Now the groups that will be used for entitlement configuration must be created.
Here is a new group; let's add the users you will use for LDAP authentication. In this case, the user is “bobt”.
An important point: you need at least one value in the description. For now, add an empty JSON string “{}” as the description. Apply the changes.
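The settings above amount to two things: a user search built from the search attributes (“cn” and “mail”), the login name and the optional “Additional LDAP filter”, and a group lookup that follows “groupMembership” to groups whose name matches the regular expression and whose “description” holds a JSON string. The following added example (not ACDI’s own code; the JSON layout with “roles” and “reports” keys, the sample user, groups and DNs are all constructed assumptions) shows both steps in plain Python: the filter builder escapes the login name per RFC 4515 so that a name containing “*” or parentheses cannot alter the filter, and the entitlement resolver tolerates the empty “{}” placeholder, non-JSON descriptions and dangling group references.

```python
import json
import re

# RFC 4515 escapes for characters that would otherwise change the filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(login: str, search_attrs=("cn", "mail"), additional_filter: str = "") -> str:
    """Match the login against each search attribute; AND in an optional extra filter."""
    escaped = escape_filter_value(login)
    clauses = "".join(f"({attr}={escaped})" for attr in search_attrs)
    user_clause = f"(|{clauses})" if len(search_attrs) > 1 else clauses
    if additional_filter:
        return f"(&{user_clause}{additional_filter})"
    return user_clause


def resolve_entitlements(user_entry: dict, groups: dict, group_name_regex: str,
                         membership_attr: str = "groupMembership",
                         mapping_attr: str = "description") -> dict:
    """Collect roles and report names from the JSON descriptions of matching groups.

    Assumed JSON layout (not documented on the page): {"roles": [...], "reports": [...]}.
    """
    pattern = re.compile(group_name_regex)
    result = {"roles": [], "reports": []}
    for group_dn in user_entry.get(membership_attr, []):
        name_match = re.match(r"^cn=([^,]+)", group_dn, re.IGNORECASE)
        if not name_match or not pattern.search(name_match.group(1)):
            continue  # group name does not match the regex filter: ignored
        group = groups.get(group_dn)
        if group is None:
            continue  # dangling membership value: no such group object in the directory
        for raw in group.get(mapping_attr, []):
            try:
                data = json.loads(raw)
            except json.JSONDecodeError:
                continue  # a description that is not JSON carries no entitlements
            if not isinstance(data, dict):
                continue
            for key in result:
                for item in data.get(key, []):
                    if item not in result[key]:
                        result[key].append(item)
    return result


# Constructed sample directory data, not taken from any real environment.
SAMPLE_USER = {
    "dn": "cn=bobt,ou=users,o=lab",
    "cn": "bobt",
    "mail": "bobt@lab.example",
    "groupMembership": [
        "cn=acdi-managers,ou=groups,o=lab",
        "cn=staff,ou=groups,o=lab",
        "cn=acdi-deleted,ou=groups,o=lab",  # referenced but no longer present
    ],
}
SAMPLE_GROUPS = {
    "cn=acdi-managers,ou=groups,o=lab": {
        "description": ['{"roles": ["managers"], "reports": ["Users"]}'],
    },
    "cn=staff,ou=groups,o=lab": {
        "description": ["{}"],  # the empty placeholder from the setup step
    },
}

if __name__ == "__main__":
    print(build_user_filter("bobt", additional_filter="(objectClass=inetOrgPerson)"))
    print(build_user_filter("bob*)(cn=admin"))  # special characters are escaped, not interpreted
    print(resolve_entitlements(SAMPLE_USER, SAMPLE_GROUPS, r"^acdi-"))
```

With the regex “^acdi-” only the acdi-managers group contributes, so bobt resolves to the managers role with access to the Users reports; the staff group’s “{}” and the missing acdi-deleted group are skipped silently.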
Okay, now you can proceed to ACDI.
By default, ACDI contains three roles: admins, readonlys, and managers.
Admins have access and permissions to create and edit all dashboards as well as reports. They can also access the “Time Machine” and “Manage” submenus, and work with “Administration.”
Managers have access to all dashboards and reports and can edit and create them. They also have access to “Manage” but not to “Administration.”
Readonlys can only read dashboards and reports and run them. Editing is not allowed for readonlys.
Now let's assign entitlements and access to the group you created.
In the top right corner, click the “Manage user accounts” symbol, enter a username, and click “Get User Data.”
Here you see the user’s attributes and you see your group.
Let's edit entitlements.
Let's give it the managers role.
Set access only to “Users” reports.
When you change the report filter at the bottom of this window, you can see a list of reports and dashboards to which this user will have access. Okay, let's check everything, save the settings, and close the window.
Now let's try to log in using the LDAP account you’ve just finished configuring.
OK, so you are logged in with your LDAP account. You can see some information about the user here.
This user has the role “managers,” and, as you can see, has access to all menus except “Administration.” This user—Bob T.—can create and edit the dashboards and reports he has access to. “Time Machine” is also available for him.
Let’s change the role for this user to “readonlys.” This was done behind the scenes. Let's log out and log in again.
Now you can see that the role has changed to “readonlys,” and only the dashboards and reports submenus are available to this user. “Time Machine” is gone from the menu and is unavailable because it contains data from snapshots, which can be security sensitive. The “Administration” submenu is also unavailable.
All ACDI components to which this user has no access are disabled, and this user also won't have access to them through the direct endpoints.
That’s it—the LDAP authentication configuration in ACDI. Thank you for your attention and take care.
Should you have any questions or require any assistance, please do not hesitate to contact us at any time: swsupport.skypro@skypro.ch