Configuring LDAP

Configure LDAP (Lightweight Directory Access Protocol) for authorizing users to access OpsCenter.

Configure LDAP (Lightweight Directory Access Protocol) for users accessing OpsCenter.

LDAP configuration is extremely flexible with many configuration options possible within OpsCenter. To peruse all of the available [ldap] configuration options, see OpsCenter configuration properties. This procedure provides a basic configuration example based on searching for a user in both user and group categories to authenticate a user.

passwd.db

The default location of the password database passwd.db for OpsCenter authentication depends on the type of installation:

Package installations: /etc/opscenter/passwd.db
Tarball installations: install_location/passwd.db

opscenterd.conf

The location of the opscenterd.conf file depends on the type of installation:

Package installations: /etc/opscenter/opscenterd.conf
Tarball installations: install_location/conf/opscenterd.conf

Prerequisites

There must be a properly configured LDAP v3 server running. The supported LDAP servers are:

Microsoft Active Directory:
- Windows 2008
- Windows 2012
OpenLDAP 2.4.x
Oracle Directory Server Enterprise Edition 11.1.1.7.0

Additional requirements:

If your organization started with standard OpsCenter authentication and subsequently switched to implementing LDAP, delete the old passwd.db file.
Roles: If using LDAP groups, create and mirror in OpsCenter the user role names and permissions that are in LDAP. Role permissions are stored in OpsCenter, not LDAP. Users must have at least one role to be able to log in to OpsCenter when LDAP is enabled.

Procedure

Open the opscenterd.conf file for editing.

Add an [authentication] section with the following options:

Option	Description
passwd_db	Contains the required OpsCenter user role information.
enabled	Set to `True` to enable LDAP authentication.
authentication_method	Set to `LDAP`, regardless if configuring Active Directory.

[authentication] 
passwd_db = ./passwd.db
enabled = True
authentication_method = LDAP

Set the configuration for your LDAP server. Add an [ldap] section to opscenterd.conf with the following LDAP server options as appropriate for your LDAP implementation:

Option	Description
server_host	The host name of the LDAP server.
server_port	The port on which the LDAP server listens. For example, 389 or 636. 389 is the default port for non-SSL LDAP and AD. 636 is the default port for SSL LDAP and AD. For more information about ports, see OpsCenter ports.
uri_scheme	In LDAPv2 environments, TLS is normally started using the LDAP Secure URI scheme instead of the normal LDAP URI scheme. OpenLDAP command line tools allow either scheme to used with the -H flag and with the URI ldap.conf(5) option. Defaults to `ldap` for `ldap_security` = None; defaults to `ldaps` for `ldap_security` = SSL or TLS.
search_dn	The username of the user that is used to search for other users on the LDAP server. When a user attempts to authenticate with LDAP, OpsCenter searches for the user in LDAP to discover whether the user exists and which roles the user is associated with. The only permission that the search user needs to have in the LDAP system is the ability to perform LDAP searches. Note: If the `search_dn` and `search_password` (that constitute the search user entry point for locating users in LDAP) are omitted from the configuration, LDAP attempts to make an anonymous bind to perform the user search.
search_password	The password of the `search_dn` user.
user_search_base	The search base for your domain, used to look up users. Set the `ou` and `dc` elements for your LDAP domain. For example, this can be set to `ou=users,dc=domain,dc=top level domain`. More specifically:`ou=users,dc=example,dc=com`. Active Directory uses a different user search base. For example: `CN=search,CN=Users,DC=Active Directory domain name,DC=internal`. More specifically:`CN=search,CN=Users,DC=example-sales,DC=internal`.
user_search_filter	The LDAP search filter used to uniquely identify a user. The default setting is `(uid={0})`, which looks for a user by unique user identifier. The value of the {0} variable is the username provided when logging in to OpsCenter. When using Active Directory, set the filter to `(sAMAccountName={0})`. Note: There is a known limitation in OpsCenter when using search filters for Active Directory. See troubleshooting LDAP.
group_search_base	The LDAP search base used to find a group. Example: `ou=groups,dc=qaldap,dc=datastax,dc=lan`
group_search_filter	Deprecated. The LDAP search filter used to find a user's group. Example: `(member=cn={0},ou=users,dc=nodomain)`. Within the `group_search_base`, filter for members based on `cn`. For existing Active Directory implementations that have this configuration option already set, the `group_search_filter_with_dn` overwrites the returned value with the user's DN.
group_search_filter_with_dn	The LDAP search filter used to find a user's group. Uses the full user's DN from a user search. Overrides the deprecated group_search_filter. Example: (member={0}).
group_name_attribute	The LDAP field name used to identify a group's name. For example: cn.
admin_group_name	The name of the admin group or a comma-separated list of admin group names; for example: admin, superusers. OpsCenter automatically creates the roles with admin permissions for the roles provided in the `admin_group_name` list. Escape any restricted LDAP characters. If your group name contains restricted LDAP characters such as "," a comma, you must escape them. For example, two admin groups "foo , bar" and "baz" should be entered as: `foo \, bar, baz`
user_memberof_attribute	Set to the attribute on the user entry containing group membership information. Set this option when using a `memberof_search` for the `group_search_type`. OpsCenter allows for an alternate method of determining a user's role. When using `memberof_search`, rather than doing a directory search in LDAP for any roles that match the user, only the user is inspected. You can specify which attribute for a user is inspected. For example, you can define a user with a new attribute such as `opscenter_role` and populate it with the user's role in OpsCenter. Specify the value of the new attribute so that OpsCenter can inspect the user attribute.
group_search_type	Defines how group membership is determined for a user. Available options: `directory_search`: (default) Performs a subtree search of `group_search_base` using `group_search_filter` to filter the results. `memberof_search`: gets groups from the `user_memberof_attribute` of a user. Using this option requires the directory server to have memberof support. When using the `memberof_search` rather than `directory_search` for group searches, you do not need to specify the `group_search_base` or `group_search_filter` options.
user_memberof_stores_dn	Set to `True` if the `memberof` attribute's value is distinguished names of groups. This option must be set to `True` when configuring Active Directory, OpenLDAP, or when any other LDAP implementation returns a DN for the memberOf attribute value. Note: If using an Oracle LDAP implementation, this option should be set to `True` if `user_memberof_attribute` is set to `isMemberOf`. Default: False. Set `user_memberof_stores_dn` to `False` if the attribute specified by `user_memberof_attribute` denotes 0 or more group names that correspond to the roles in OpsCenter. For example, if the `user_memberof_attribute` is set to `employeeType`, set the `user_memberof_stores_dn` option to `False` because the `employeeType` attribute value is not a distinguished name. Tip: If the `user_memberof_attribute_stores_dn` is `False` and log in fails, and OpsCenter suspects the group name might be a DN, a warning is logged: `[opscenterd] WARN: It looks like you might be using Active Directory for authentication. You may need to set the 'user_memberof_attribute_stores_dn' config value to True and set the group_name_attribute config value appropriately in opscenterd.conf.`
ldap_security	The type of security to use with LDAP: None, TLS, or SSL. When set to TLS, uses TLS start. Setting this option to TLS or SSL sets the `uri_scheme` to `LDAPS`. Setting this option to None sets the `uri_scheme` to `LDAP`.
truststore	Path to the truststore for SSL certificates.
truststore_type	Type of the truststore. Default: JKS (Java Keystore).
truststore_pass	The password to access the truststore.
enforce_single_user_search_result	Returns an error when multiple entries are returned from a user search after all applicable referrals are followed. Set to `False` if the `user_search_base` is not confined to one Organizational Unit (OU). Default: True.
connection_timeout	The number of seconds to wait before concluding that the LDAP server is down. Default: 20 seconds.

The following example configuration reflects a typical SSL LDAP (OpenLDAP or Oracle) implementation. The server_port value of 636 is for an SSL configuration.

If the search_dn and search_password options shown in lines 10 and 11 are omitted, LDAP attempts to make an anonymous bind to perform the user search.

This configuration example searches for a user in both user (user_search_base and user_search_filter) and group (group_search_base and group_search_filter) categories to authenticate a user. The group_search_type (line 19) is directory_search.

Note: The #user_search_base and #user_search_filter options are commented out in lines 14 and 15 because they are only applicable to Active Directory (AD) configuration.


01  [authentication] 
02   passwd_db = ./passwd.db
03   enabled = True
04   authentication_method = LDAP
05
06   [ldap] 
07   server_host = ldap.myCompany.lan
08   server_port = 636
09   uri_scheme = ldaps
10   search_dn = cn=admin,dc=devldap,dc=datastax,dc=lan 
11   search_password = ****
12   user_search_base = ou=users,dc=devldap,dc=datastax,dc=lan
13   user_search_filter = (uid={0})
14   #user_search_base = CN=search,CN=Users,DC=datastax,DC=internal # AD base
15   #user_search_filter = (sAMAccountName={0}) # AD filter
16   group_search_base = ou=users,dc=devldap,dc=datastax,dc=lan
17   group_search_filter_with_dn = (member={0})
18   group_name_attribute = cn
19   group_search_type = directory_search 
20   admin_group_name = superusers,superusers2
21   ldap_security = SSL_TLS
22   truststore_type = JKS
23   truststore = ./truststore.jks 
24   truststore_pass = secret

The following example reflects an Active Directory (AD) for Windows 2008 configuration. Unlike the previous LDAP example for OpenLDAP or Oracle, this AD configuration makes use of user_search_base (line 12) and user_search_filter (line 13) for Active Directory configuration options. Also, the user search base for AD shown in line 12 differs in format from the LDAP example.

The user_memberof_stores_dn option in line 18 is explicitly set to True so that OpsCenter correctly handles the value of the memberof attribute shown in line 17 as a distinguished name (DN). The user_memberof_stores_dn option is also applicable to an OpenLDAP configuration.


01  [authentication] 
02   passwd_db = ./passwd.db
03   enabled = True
04   authentication_method = LDAP
05
06  [ldap]
07  server_host = mywin2008.myCompany.lan
08  server_port = 636
09  uri_scheme = ldap
10  search_dn = CN=Administrator,CN=Users,DC=prodwin2008,DC=datastax,DC=lan
11  search_password = ****
12  user_search_base = CN=Users,DC=prodwin2008,DC=datastax,DC=lan # AD base
13  user_search_filter = (sAMAccountName={0}) # AD filter
14  admin_group_name = superusers
15  group_search_type = memberof_search
16  group_name_attribute = cn
17  user_memberof_attribute = memberof
18  user_memberof_stores_dn = True
19  ldap_security = SSL_TLS
20  truststore_type = JKS
21  truststore = /tmp/path_to_truststore_win2008
22  truststore_pass = secret

Restart OpsCenter for the changes to take effect.