Set up LDAP and AD authentication
Configure LDAP sign-in to work with Microsoft Active Directory (AD) to delegate Intelligence Center user authentication to an external authentication mechanism in a Windows environment.
Contents
Configure LDAP to work with AD
You can set up LDAP authentication to work with AD (Active Directory).
As with LDAP, ensure you represent Intelligence Center roles and groups as AD groups.
AD role and group names, that is, the values of the LDAP_ROLE_NAME_ATTR and LDAP_GROUP_NAME_ATTR attributes, should exactly match the corresponding role and group name values in the Intelligence Center.
EclecticIQ Intelligence Center provides a generic AD implementation.
You can use it as a template to fine-tune attributes and parameters to suit the specific AD setup in your environment.
The following table sums up the main differences between a vanilla LDAP configuration, and an LDAP setup that enables interoperability with AD.
|
LDAP |
AD |
|
- |
memberOf:1.2.840.113556.1.4.1941 |
|
objectClass=posixGroup |
objectClass=group |
|
memberUid={username} |
member={user_dn} |
|
cn |
cn, sAMAccountName, givenName |
memberOf:1.2.840.113556.1.4.1941: this string enables recursive filtering and match search.
The magic number is an OID that identifies the LDAP_MATCHING_RULE_IN_CHAIN matching rule.
Include this string to enable recursive pattern search inside a hierarchical data structure.
objectClass=group: the group name that identifies AD groups, as opposed to objectClass=posixGroup, which represents Unix groups.
member={user_dn}: {user_dn} takes the returned user object value.
This is the full user DN that is filled after the first user-search operation.
cn, sAMAccountName, givenName: naming attributes that can vary, depending on the specific AD setup in your environment.
Examples
Append the parameters in the following examples to /etc/eclecticiq/platform_settings.py
Restart systemd services, so that systemd can reload all configurations, and it can apply any changes to make them effective.
To restart systemd-managed Intelligence Center services through the command line:
systemctl restart eclecticiq-platform-backend-services
Example LDAP/AD configuration enabling sign-in to users with their designated user name
LDAP_AUTH_ENABLED = TrueLDAP_URI = 'ldap://10.0.12.154'LDAP_BIND_PASSWORD = "imironman"LDAP_USERS_FILTER = ( "cn=Users,dc=eclecticiq,dc=com", "sAMAccountName={username}")LDAP_GROUPS_FILTER = ( "cn=Users,dc=eclecticiq,dc=com", "(&(memberOf:1.2.840.113556.1.4.1941:=cn=EclecticIQGroups,cn=Users,dc=eclecticiq,dc=com)" "(objectClass=group)" "(member={user_dn}))")LDAP_ROLES_FILTER = ( "cn=Users,dc=eiq,dc=local", "(&(memberOf:1.2.840.113556.1.4.1941:=cn=EclecticIQRoles,cn=Users,dc=eclecticiq,dc=com)" "(objectClass=group)" "(member={user_dn}))")LDAP_USER_FIRSTNAME_ATTR = 'givenName'LDAP_USER_LASTNAME_ATTR = 'sn'LDAP_USER_EMAIL_ATTR = 'mail'LDAP_ROLE_NAME_ATTR = 'sAMAccountName'LDAP_GROUP_NAME_ATTR = 'sAMAccountName'Example LDAP/AD configuration enabling sign-in to groups and users within a specified organizational unit (ou)
# Configure Active DirectoryLDAP_AUTH_ENABLED = TrueLDAP_URI = 'ldap://10.0.12.154'LDAP_BIND_PASSWORD = "imironman"# 'sAMAccountName' provides support for Windows NT 4.0, Windows 95, Windows 98, LAN Manager.# The logon name needs to be shorter than 20 characters and it needs to be unique.# 'userPrincipalName' replaces it in Windows 2000 and later versions.LDAP_USERS_FILTER = ( "ou=eiq,dc=eclecticiq,dc=com", "sAMAccountName={username}")LDAP_GROUPS_FILTER = ( "ou=eiq,dc=eclecticiq,dc=com", "(&(memberOf=cn=EclecticIQGroups,ou=eiq,dc=eclecticiq,dc=com)" "(objectClass=group)" "(member={user_dn}))")LDAP_ROLES_FILTER = ( "ou=eiq,dc=eclecticiq,dc=com", "(&(memberOf=cn=EclecticIQRoles,ou=eiq,dc=eclecticiq,dc=com)" "(objectClass=group)" "(member={user_dn}))")LDAP_USER_FIRSTNAME_ATTR = 'givenName'LDAP_USER_LASTNAME_ATTR = 'sn'LDAP_USER_EMAIL_ATTR = 'mail'LDAP_ROLE_NAME_ATTR = 'sAMAccountName'LDAP_GROUP_NAME_ATTR = 'sAMAccountName'Example LDAP/AD configuration enabling sign-in to groups and users within a specified nested organizational unit (ou)
# Configure Active DirectoryLDAP_AUTH_ENABLED = TrueLDAP_URI = 'ldap://10.0.12.154'LDAP_BIND_PASSWORD = "imironman"# 'sAMAccountName' provides support for Windows NT 4.0, Windows 95, Windows 98, LAN Manager.# The logon name needs to be shorter than 20 characters and it needs to be unique.# 'userPrincipalName' replaces it in Windows 2000 and later versions.LDAP_USERS_FILTER = ( "ou=eiq,ou=employee,dc=eclecticiq,dc=com", "sAMAccountName={username}")LDAP_GROUPS_FILTER = ( "ou=eiq,ou=employee,dc=eclecticiq,dc=com", "(&(memberOf=cn=EclecticIQGroups,ou=eiq,ou=employee,dc=eclecticiq,dc=com)" "(objectClass=group)" "(member={user_dn}))")LDAP_ROLES_FILTER = ( "ou=eiq,ou=employee,dc=eclecticiq,dc=com", "(&(memberOf=cn=EclecticIQRoles,ou=eiq,ou=employee,dc=eclecticiq,dc=com)" "(objectClass=group)" "(member={user_dn}))")LDAP_USER_FIRSTNAME_ATTR = 'givenName'LDAP_USER_LASTNAME_ATTR = 'sn'LDAP_USER_EMAIL_ATTR = 'mail'LDAP_ROLE_NAME_ATTR = 'sAMAccountName'LDAP_GROUP_NAME_ATTR = 'sAMAccountName'Example LDAP/AD configuration enabling sign-in to groups and users within a specified nested organizational unit (ou) and Active Directory (AD) users
# Configure Active DirectoryLDAP_AUTH_ENABLED = TrueLDAP_URI = 'ldap://10.0.12.154'LDAP_BIND_PASSWORD = "imironman"# 'sAMAccountName' provides support for Windows NT 4.0, Windows 95, Windows 98, LAN Manager.# The logon name needs to be shorter than 20 characters and it needs to be unique.# 'userPrincipalName' replaces it in Windows 2000 and later versions.LDAP_USERS_FILTER = ( "cn=Users,dc=eclecticiq,dc=com", "sAMAccountName={username}")LDAP_GROUPS_FILTER = ( "ou=eiq,ou=employee,dc=eclecticiq,dc=com", "(&(memberOf=cn=EclecticIQGroups,ou=eiq,ou=employee,dc=eclecticiq,dc=com)" "(objectClass=group)" "(member={user_dn}))")LDAP_ROLES_FILTER = ( "ou=eiq,ou=employee,dc=eclecticiq,dc=com", "(&(memberOf=cn=EclecticIQRoles,ou=eiq,ou=employee,dc=eclecticiq,dc=com)" "(objectClass=group)" "(member={user_dn}))")LDAP_USER_FIRSTNAME_ATTR = 'givenName'LDAP_USER_LASTNAME_ATTR = 'sn'LDAP_USER_EMAIL_ATTR = 'mail'LDAP_ROLE_NAME_ATTR = 'sAMAccountName'LDAP_GROUP_NAME_ATTR = 'sAMAccountName'Example ldapsearch query to retrieve directory entries in an LDAP/AD configuration
# You can use a similar ldapsearch query to test the LDAP/AD entries you configuredldapsearch -h 10.0.12.154 -D "[email protected]" -w "imironman" -b "OU=eiq,OU=employee,dc=eclecticiq,dc=com" "(&(memberOf=cn=EclecticIQGroups,OU=eiq,OU=employee,dc=eclecticiq,dc=com))"