Set up LDAP and AD authentication

Configure LDAP sign-in to work with Microsoft Active Directory (AD) to delegate Intelligence Center user authentication to an external authentication mechanism in a Windows environment.

Configure LDAP to work with AD

You can set up LDAP authentication to work with AD (Active Directory).

  • As with LDAP, ensure you represent Intelligence Center roles and groups as AD groups.

  • AD role and group names, that is, the values of the LDAP_ROLE_NAME_ATTR and LDAP_GROUP_NAME_ATTR attributes, should exactly match the corresponding role and group name values in the Intelligence Center.

EclecticIQ Intelligence Center provides a generic AD implementation.

You can use it as a template to fine-tune attributes and parameters to suit the specific AD setup in your environment.

The following table sums up the main differences between a vanilla LDAP configuration and an LDAP setup that interoperates with AD.

LDAP                      AD
-                         memberOf:1.2.840.113556.1.4.1941
objectClass=posixGroup    objectClass=group
memberUid={username}      member={user_dn}
cn                        cn, sAMAccountName, givenName

  • memberOf:1.2.840.113556.1.4.1941: this string enables recursive (transitive) group membership matching.

    The number is the OID of the LDAP_MATCHING_RULE_IN_CHAIN extensible matching rule.

    Include this string so that the search follows group nesting to any depth inside the hierarchical directory structure, instead of matching direct membership only.

  • objectClass=group: the object class that identifies AD groups, as opposed to objectClass=posixGroup, which identifies Unix (POSIX) groups.

  • member={user_dn}: {user_dn} is replaced with the value of the user object returned by the user search.

    This is the full user DN, which is only available after the first user-search operation has completed.

  • cn, sAMAccountName, givenName: naming attributes that can vary, depending on the specific AD setup in your environment.
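To make the table above concrete, the following added example (not EclecticIQ code; the function names, the dc=example,dc=com directory data and the group names in it are constructed for illustration and are not the Intelligence Center's API) does three things: it fills a (base DN, filter template) tuple of the kind written in platform_settings.py, escaping the substituted values as RFC 4515 requires so that a user name containing filter metacharacters cannot alter the filter; it evaluates the LDAP_GROUPS_FILTER logic against a small in-memory group hierarchy, showing that a plain memberOf= comparison only sees a group that is a direct member of the container while the memberOf:1.2.840.113556.1.4.1941:= form also finds groups nested below it; and it reports AD group or role names that have no exact counterpart on the Intelligence Center side, which is the matching requirement stated at the top of this page.

```python
# Added example; not EclecticIQ code. Function names and the sample directory
# under dc=example,dc=com are constructed for illustration and are not the
# Intelligence Center's API.

# RFC 4515 escapes for assertion values substituted into a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one value before it is placed inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_search(filter_setting, **values):
    """Turn a (base_dn, filter_template) tuple, as written in
    platform_settings.py, into the concrete base DN and filter string that
    would be sent to the directory, escaping every substituted value."""
    base_dn, template = filter_setting
    safe = {name: escape_filter_value(val) for name, val in values.items()}
    return base_dn, template.format(**safe)


# Constructed sample AD data: group DN -> DNs of its direct members.
# EclecticIQGroups contains Analysts; Analysts contains Tier2 and alice;
# Tier2 contains bob. So bob is two levels below the container.
SAMPLE_GROUPS = {
    "cn=EclecticIQGroups,cn=Users,dc=example,dc=com": {
        "cn=Analysts,cn=Users,dc=example,dc=com",
    },
    "cn=Analysts,cn=Users,dc=example,dc=com": {
        "cn=Tier2,cn=Users,dc=example,dc=com",
        "cn=alice,cn=Users,dc=example,dc=com",
    },
    "cn=Tier2,cn=Users,dc=example,dc=com": {
        "cn=bob,cn=Users,dc=example,dc=com",
    },
}


def direct_member_of(groups, entry_dn):
    """'memberOf=' semantics: groups that list entry_dn as a direct member."""
    return {g for g, members in groups.items() if entry_dn in members}


def chain_member_of(groups, entry_dn):
    """'memberOf:1.2.840.113556.1.4.1941:=' semantics: every group reachable
    by following membership upwards (LDAP_MATCHING_RULE_IN_CHAIN)."""
    seen, pending = set(), [entry_dn]
    while pending:
        for parent in direct_member_of(groups, pending.pop()):
            if parent not in seen:
                seen.add(parent)
                pending.append(parent)
    return seen


def groups_for_user(groups, user_dn, container_dn, recursive):
    """Evaluate the LDAP_GROUPS_FILTER logic against the sample data:
    (&(memberOf[:chain:]=<container>)(objectClass=group)(member=<user_dn>)).
    The user must be a direct member of the group (member={user_dn}); the
    group must be a member of the container, directly (recursive=False) or
    through any depth of nesting (recursive=True)."""
    lookup = chain_member_of if recursive else direct_member_of
    return {g for g in direct_member_of(groups, user_dn)
            if container_dn in lookup(groups, g)}


def unmatched_names(ad_names, platform_names):
    """Names read from LDAP_GROUP_NAME_ATTR / LDAP_ROLE_NAME_ATTR that have no
    exact counterpart in the Intelligence Center. The comparison is exact, so
    a difference in case or whitespace is reported as a mismatch."""
    return sorted(set(ad_names) - set(platform_names))


if __name__ == "__main__":
    users_filter = ("cn=Users,dc=example,dc=com", "sAMAccountName={username}")
    print(render_search(users_filter, username="alice"))
    print(render_search(users_filter, username="o*neil (contractor)"))
    container = "cn=EclecticIQGroups,cn=Users,dc=example,dc=com"
    bob = "cn=bob,cn=Users,dc=example,dc=com"
    print("bob, plain memberOf:  ", groups_for_user(SAMPLE_GROUPS, bob, container, False))
    print("bob, chained memberOf:", groups_for_user(SAMPLE_GROUPS, bob, container, True))
    print("AD names without a platform match:",
          unmatched_names(["Analysts", "tier2"], ["Analysts", "Tier2"]))
```

Running the script shows that with the plain memberOf= filter, as used in the OU-scoped examples further down, bob resolves to no groups at all, because Tier2 is a member of Analysts rather than of EclecticIQGroups directly; with the chain matching rule, Tier2 is found. The last line illustrates why "tier2" on the AD side would not map onto a "Tier2" group in the Intelligence Center.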

Examples

  • Append the parameters in the following examples to /etc/eclecticiq/platform_settings.py.

  • Restart the systemd-managed services so that systemd reloads the configuration and the changes take effect.

    To restart the systemd-managed Intelligence Center services from the command line:

    systemctl restart eclecticiq-platform-backend-services

Example LDAP/AD configuration enabling users to sign in with their designated user name

LDAP_AUTH_ENABLED = True
LDAP_URI = 'ldap://10.0.12.154'
 
LDAP_BIND_DN = "[email protected]"
LDAP_BIND_PASSWORD = "imironman"
 
LDAP_USERS_FILTER = (
"cn=Users,dc=eclecticiq,dc=com",
"sAMAccountName={username}")
 
LDAP_GROUPS_FILTER = (
"cn=Users,dc=eclecticiq,dc=com",
"(&(memberOf:1.2.840.113556.1.4.1941:=cn=EclecticIQGroups,cn=Users,dc=eclecticiq,dc=com)"
"(objectClass=group)"
"(member={user_dn}))")
 
LDAP_ROLES_FILTER = (
"cn=Users,dc=eclecticiq,dc=com",
"(&(memberOf:1.2.840.113556.1.4.1941:=cn=EclecticIQRoles,cn=Users,dc=eclecticiq,dc=com)"
"(objectClass=group)"
"(member={user_dn}))")
 
LDAP_USER_FIRSTNAME_ATTR = 'givenName'
LDAP_USER_LASTNAME_ATTR = 'sn'
LDAP_USER_EMAIL_ATTR = 'mail'
LDAP_ROLE_NAME_ATTR = 'sAMAccountName'
LDAP_GROUP_NAME_ATTR = 'sAMAccountName'

Example LDAP/AD configuration enabling sign-in for groups and users within a specified organizational unit (ou)

# Configure Active Directory
 
LDAP_AUTH_ENABLED = True
LDAP_URI = 'ldap://10.0.12.154'
 
LDAP_BIND_DN = "[email protected]"
LDAP_BIND_PASSWORD = "imironman"
 
# 'sAMAccountName' provides support for Windows NT 4.0, Windows 95, Windows 98, LAN Manager.
# The logon name needs to be shorter than 20 characters and it needs to be unique.
# 'userPrincipalName' replaces it in Windows 2000 and later versions.
 
LDAP_USERS_FILTER = (
"ou=eiq,dc=eclecticiq,dc=com",
"sAMAccountName={username}")
 
LDAP_GROUPS_FILTER = (
"ou=eiq,dc=eclecticiq,dc=com",
"(&(memberOf=cn=EclecticIQGroups,ou=eiq,dc=eclecticiq,dc=com)"
"(objectClass=group)"
"(member={user_dn}))")
 
LDAP_ROLES_FILTER = (
"ou=eiq,dc=eclecticiq,dc=com",
"(&(memberOf=cn=EclecticIQRoles,ou=eiq,dc=eclecticiq,dc=com)"
"(objectClass=group)"
"(member={user_dn}))")
 
LDAP_USER_FIRSTNAME_ATTR = 'givenName'
LDAP_USER_LASTNAME_ATTR = 'sn'
LDAP_USER_EMAIL_ATTR = 'mail'
LDAP_ROLE_NAME_ATTR = 'sAMAccountName'
LDAP_GROUP_NAME_ATTR = 'sAMAccountName'

Example LDAP/AD configuration enabling sign-in for groups and users within a specified nested organizational unit (ou)

# Configure Active Directory
 
LDAP_AUTH_ENABLED = True
LDAP_URI = 'ldap://10.0.12.154'
 
LDAP_BIND_DN = "[email protected]"
LDAP_BIND_PASSWORD = "imironman"
 
# 'sAMAccountName' provides support for Windows NT 4.0, Windows 95, Windows 98, LAN Manager.
# The logon name needs to be shorter than 20 characters and it needs to be unique.
# 'userPrincipalName' replaces it in Windows 2000 and later versions.
 
LDAP_USERS_FILTER = (
"ou=eiq,ou=employee,dc=eclecticiq,dc=com",
"sAMAccountName={username}")
 
LDAP_GROUPS_FILTER = (
"ou=eiq,ou=employee,dc=eclecticiq,dc=com",
"(&(memberOf=cn=EclecticIQGroups,ou=eiq,ou=employee,dc=eclecticiq,dc=com)"
"(objectClass=group)"
"(member={user_dn}))")
 
LDAP_ROLES_FILTER = (
"ou=eiq,ou=employee,dc=eclecticiq,dc=com",
"(&(memberOf=cn=EclecticIQRoles,ou=eiq,ou=employee,dc=eclecticiq,dc=com)"
"(objectClass=group)"
"(member={user_dn}))")
 
LDAP_USER_FIRSTNAME_ATTR = 'givenName'
LDAP_USER_LASTNAME_ATTR = 'sn'
LDAP_USER_EMAIL_ATTR = 'mail'
LDAP_ROLE_NAME_ATTR = 'sAMAccountName'
LDAP_GROUP_NAME_ATTR = 'sAMAccountName'

Example LDAP/AD configuration enabling sign-in for groups within a specified nested organizational unit (ou) and for users in the default Active Directory (AD) Users container

# Configure Active Directory
 
LDAP_AUTH_ENABLED = True
LDAP_URI = 'ldap://10.0.12.154'
 
LDAP_BIND_DN = "[email protected]"
LDAP_BIND_PASSWORD = "imironman"
 
# 'sAMAccountName' provides support for Windows NT 4.0, Windows 95, Windows 98, LAN Manager.
# The logon name needs to be shorter than 20 characters and it needs to be unique.
# 'userPrincipalName' replaces it in Windows 2000 and later versions.
 
LDAP_USERS_FILTER = (
"cn=Users,dc=eclecticiq,dc=com",
"sAMAccountName={username}")
 
LDAP_GROUPS_FILTER = (
"ou=eiq,ou=employee,dc=eclecticiq,dc=com",
"(&(memberOf=cn=EclecticIQGroups,ou=eiq,ou=employee,dc=eclecticiq,dc=com)"
"(objectClass=group)"
"(member={user_dn}))")
 
LDAP_ROLES_FILTER = (
"ou=eiq,ou=employee,dc=eclecticiq,dc=com",
"(&(memberOf=cn=EclecticIQRoles,ou=eiq,ou=employee,dc=eclecticiq,dc=com)"
"(objectClass=group)"
"(member={user_dn}))")
 
LDAP_USER_FIRSTNAME_ATTR = 'givenName'
LDAP_USER_LASTNAME_ATTR = 'sn'
LDAP_USER_EMAIL_ATTR = 'mail'
LDAP_ROLE_NAME_ATTR = 'sAMAccountName'
LDAP_GROUP_NAME_ATTR = 'sAMAccountName'

Example ldapsearch query to retrieve directory entries in an LDAP/AD configuration

# You can use a similar ldapsearch query to test the LDAP/AD entries you configured
ldapsearch -h 10.0.12.154 -D "[email protected]" -w "imironman" -b "OU=eiq,OU=employee,dc=eclecticiq,dc=com" "(&(memberOf=cn=EclecticIQGroups,OU=eiq,OU=employee,dc=eclecticiq,dc=com))"