Configuring LDAP
Configure LDAP (Lightweight Directory Access Protocol) to authenticate users who access OpsCenter and to map them to OpsCenter roles.
LDAP configuration is extremely flexible, with many options available in OpsCenter. For all of the available [ldap] configuration options, see OpsCenter configuration properties. This procedure provides a basic configuration example that searches for a user in both the user and group categories to authenticate the user and determine the user's roles.
passwd.db
The default location of the password database passwd.db for OpsCenter authentication depends on the type of installation:
- Package installations: /etc/opscenter/passwd.db
- Tarball installations: install_location/passwd.db
opscenterd.conf
The location of the opscenterd.conf file depends on the type of installation:
- Package installations: /etc/opscenter/opscenterd.conf
- Tarball installations: install_location/conf/opscenterd.conf
Prerequisites
Supported directory servers:
- Microsoft Active Directory on Windows 2008 or Windows 2012
- OpenLDAP 2.4.x
- Oracle Directory Server Enterprise Edition 11.1.1.7.0
Additional requirements:
- If your organization started with standard OpsCenter authentication and subsequently switched to LDAP, delete the old passwd.db file.
- Roles: If using LDAP groups, create roles in OpsCenter whose names mirror the LDAP group names, and assign their permissions in OpsCenter. Role permissions are stored in OpsCenter, not in LDAP. When LDAP is enabled, a user must resolve to at least one role to be able to log in to OpsCenter.
Procedure
- Open the opscenterd.conf file for editing.
- Add an [authentication] section with the following options:
  - passwd_db: Path to the password database, which contains the required OpsCenter user role information (roles live in OpsCenter, not in LDAP).
  - enabled: Set to True to enable LDAP authentication.
  - authentication_method: Set to LDAP, regardless of whether you are configuring Active Directory.

  [authentication]
  passwd_db = ./passwd.db
  enabled = True
  authentication_method = LDAP
- Set the configuration for your LDAP server. Add an [ldap] section to opscenterd.conf with the following LDAP server options, as appropriate for your LDAP implementation:
  - server_host: The host name of the LDAP server.
  - server_port: The port on which the LDAP server listens, for example 389 or 636. For more information about ports, see OpsCenter ports.
  - uri_scheme: In LDAPv2 environments, TLS is normally started using the LDAP Secure URI scheme (ldaps) instead of the normal LDAP URI scheme. OpenLDAP command line tools allow either scheme to be used with the -H flag and with the URI ldap.conf(5) option. Defaults to ldap for ldap_security = None, and to ldaps for ldap_security = SSL or TLS.
  - search_dn: The DN of the user that OpsCenter binds as to search for other users on the LDAP server. When a user attempts to authenticate with LDAP, OpsCenter searches for the user in LDAP to discover whether the user exists and which roles the user is associated with. The only permission the search user needs in the LDAP system is the ability to perform LDAP searches, so use a dedicated account with no other rights rather than a directory administrator. Note: If search_dn and search_password (which together constitute the search user entry point for locating users in LDAP) are omitted from the configuration, OpsCenter attempts an anonymous bind to perform the user search; this works only if the directory permits anonymous searches.
  - search_password: The password of the search_dn user. It is stored in clear text in opscenterd.conf, so restrict read access to that file.
  - user_search_base: The search base for your domain, used to look up users. Set the ou and dc elements for your LDAP domain; for example, ou=users,dc=domain,dc=top level domain, or more specifically ou=users,dc=example,dc=com. Active Directory uses a different user search base; for example, CN=search,CN=Users,DC=Active Directory domain name,DC=internal, or more specifically CN=search,CN=Users,DC=example-sales,DC=internal.
  - user_search_filter: The LDAP search filter used to uniquely identify a user. The default is (uid={0}), which looks up a user by unique user identifier. The {0} placeholder is replaced with the username provided when logging in to OpsCenter. When using Active Directory, set the filter to (sAMAccountName={0}). Note: There is a known limitation in OpsCenter when using search filters for Active Directory. See troubleshooting LDAP.
  - group_search_base: The LDAP search base used to find a group. Example: ou=groups,dc=qaldap,dc=datastax,dc=lan
  - group_search_filter: Deprecated. The LDAP search filter used to find a user's group. Example: (member=cn={0},ou=users,dc=nodomain). Within the group_search_base, filter for members based on cn. For existing Active Directory implementations that already have this option set, group_search_filter_with_dn overwrites the returned value with the user's DN.
  - group_search_filter_with_dn: The LDAP search filter used to find a user's group, using the user's full DN from the user search. Overrides the deprecated group_search_filter. Example: (member={0}).
  - group_name_attribute: The LDAP attribute used to identify a group's name. For example: cn.
  - admin_group_name: The name of the admin group, or a comma-separated list of admin group names; for example: admin, superusers. OpsCenter automatically creates roles with admin permissions for the groups in the admin_group_name list. Escape any restricted LDAP characters: if a group name contains a restricted character such as a comma, escape it with a backslash. For example, the two admin groups "foo , bar" and "baz" are entered as: foo \, bar, baz
  - user_memberof_attribute: The attribute on the user entry that contains group membership information. Set this option when using memberof_search for the group_search_type. With memberof_search, rather than searching the directory for groups that list the user as a member, OpsCenter inspects only the user entry, and you choose which attribute it inspects. For example, you can define a new user attribute such as opscenter_role, populate it with the user's OpsCenter role, and name that attribute here.
  - group_search_type: Defines how group membership is determined for a user. Available options:
    - directory_search (default): Performs a subtree search of group_search_base, using group_search_filter_with_dn (or the deprecated group_search_filter) to filter the results.
    - memberof_search: Gets groups from the user_memberof_attribute of the user entry. This option requires the directory server to have memberof support. When using memberof_search rather than directory_search, you do not need to specify the group_search_base or group_search_filter options.
  - user_memberof_stores_dn: Set to True if the values of the memberof attribute are distinguished names of groups. This option must be set to True when configuring Active Directory or OpenLDAP, or whenever any other LDAP implementation returns a DN as the memberOf attribute value. Note: If using an Oracle LDAP implementation, set this option to True if user_memberof_attribute is set to isMemberOf. Default: False.
    Set user_memberof_stores_dn to False if the attribute specified by user_memberof_attribute holds zero or more plain group names that correspond to roles in OpsCenter. For example, if user_memberof_attribute is set to employeeType, set user_memberof_stores_dn to False, because the employeeType attribute value is not a distinguished name.
    Tip: If user_memberof_stores_dn is False, login fails, and OpsCenter suspects the group name might be a DN, it logs a warning: [opscenterd] WARN: It looks like you might be using Active Directory for authentication. You may need to set the 'user_memberof_attribute_stores_dn' config value to True and set the group_name_attribute config value appropriately in opscenterd.conf.
  - ldap_security: The type of security to use with LDAP: None, TLS, or SSL. When set to TLS, uses StartTLS. Setting this option to TLS or SSL sets uri_scheme to ldaps; setting it to None sets uri_scheme to ldap.
  - truststore: Path to the truststore holding the CA certificates used to verify the LDAP server's certificate.
  - truststore_type: Type of the truststore. Default: JKS (Java Keystore).
  - truststore_pass: The password to access the truststore.
  - enforce_single_user_search_result: Returns an error when multiple entries are returned from a user search after all applicable referrals are followed. Set to False only if the user_search_base is not confined to one Organizational Unit (OU) and ambiguous results are unavoidable; leaving it True is the safer setting, because an ambiguous search could otherwise authenticate a different entry than intended. Default: True.
  - connection_timeout: The number of seconds to wait before concluding that the LDAP server is down. Default: 20 seconds.

  The following example configuration reflects a typical SSL LDAP (OpenLDAP or Oracle) implementation. The server_port value of 636 is for an SSL configuration. If the search_dn and search_password options shown in lines 10 and 11 are omitted, OpsCenter attempts an anonymous bind to perform the user search. This configuration example searches for a user in both user (user_search_base and user_search_filter) and group (group_search_base and group_search_filter_with_dn) categories to authenticate a user. The group_search_type (line 19) is directory_search. Note: The #user_search_base and #user_search_filter options on lines 14 and 15 are commented out because they apply only to an Active Directory (AD) configuration.

  01 [authentication]
  02 passwd_db = ./passwd.db
  03 enabled = True
  04 authentication_method = LDAP
  05
  06 [ldap]
  07 server_host = ldap.myCompany.lan
  08 server_port = 636
  09 uri_scheme = ldaps
  10 search_dn = cn=admin,dc=devldap,dc=datastax,dc=lan
  11 search_password = ****
  12 user_search_base = ou=users,dc=devldap,dc=datastax,dc=lan
  13 user_search_filter = (uid={0})
  14 #user_search_base = CN=search,CN=Users,DC=datastax,DC=internal # AD base
  15 #user_search_filter = (sAMAccountName={0}) # AD filter
  16 group_search_base = ou=users,dc=devldap,dc=datastax,dc=lan
  17 group_search_filter_with_dn = (member={0})
  18 group_name_attribute = cn
  19 group_search_type = directory_search
  20 admin_group_name = superusers,superusers2
  21 ldap_security = SSL_TLS
  22 truststore_type = JKS
  23 truststore = ./truststore.jks
  24 truststore_pass = secret
  The following example reflects an Active Directory (AD) for Windows 2008 configuration. Unlike the previous example for OpenLDAP or Oracle, this AD configuration uses the AD-specific user_search_base (line 12) and user_search_filter (line 13); note that the user search base for AD on line 12 differs in format from the LDAP example. The user_memberof_stores_dn option on line 18 is explicitly set to True so that OpsCenter treats the values of the memberof attribute named on line 17 as distinguished names (DNs); the same option also applies to an OpenLDAP configuration. Because ldap_security (line 19) is set, the uri_scheme on line 09 is overridden to ldaps, as described above.

  01 [authentication]
  02 passwd_db = ./passwd.db
  03 enabled = True
  04 authentication_method = LDAP
  05
  06 [ldap]
  07 server_host = mywin2008.myCompany.lan
  08 server_port = 636
  09 uri_scheme = ldap
  10 search_dn = CN=Administrator,CN=Users,DC=prodwin2008,DC=datastax,DC=lan
  11 search_password = ****
  12 user_search_base = CN=Users,DC=prodwin2008,DC=datastax,DC=lan # AD base
  13 user_search_filter = (sAMAccountName={0}) # AD filter
  14 admin_group_name = superusers
  15 group_search_type = memberof_search
  16 group_name_attribute = cn
  17 user_memberof_attribute = memberof
  18 user_memberof_stores_dn = True
  19 ldap_security = SSL_TLS
  20 truststore_type = JKS
  21 truststore = /tmp/path_to_truststore_win2008
  22 truststore_pass = secret
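  Before restarting OpsCenter it is worth checking the [authentication] and [ldap] sections against the rules stated in the option descriptions above: matching search_dn/search_password, port 636 without ldap_security, memberof_search without user_memberof_attribute, a memberof attribute without user_memberof_stores_dn, and the deprecated group_search_filter. The following Python script is an added example, not an OpsCenter tool, that reads an opscenterd.conf and reports those problems. It also shows RFC 4515 escaping for the login name that replaces {0} in user_search_filter; whether OpsCenter escapes that value itself is not stated on this page, so the helper illustrates what a safe substitution looks like rather than OpsCenter's behaviour. The two sample configurations and the finding codes are constructed for the example.

```python
"""Added example (not OpsCenter code): lint the [ldap] section of opscenterd.conf
against the option rules on this page and show RFC 4515 filter-value escaping."""
import configparser
from typing import Dict, List, Tuple

# Constructed sample: anonymous bind, port 636 without TLS, memberof_search
# without the attribute to read.
SAMPLE_BAD = """\
[authentication]
passwd_db = ./passwd.db
enabled = True
authentication_method = LDAP

[ldap]
server_host = ldap.example.com
server_port = 636
uri_scheme = ldap
ldap_security = None
user_search_base = ou=users,dc=example,dc=com
user_search_filter = (uid={0})
group_search_type = memberof_search
"""

# Constructed sample in the shape of the Active Directory example above.
SAMPLE_GOOD = """\
[authentication]
passwd_db = ./passwd.db
enabled = True
authentication_method = LDAP

[ldap]
server_host = ad.example.com
server_port = 636
search_dn = CN=opscenter-search,CN=Users,DC=example,DC=com
search_password = changeme
user_search_base = CN=Users,DC=example,DC=com  # AD base
user_search_filter = (sAMAccountName={0})  # AD filter
group_search_type = memberof_search
group_name_attribute = cn
user_memberof_attribute = memberof
user_memberof_stores_dn = True
admin_group_name = superusers
ldap_security = SSL_TLS
truststore_type = JKS
truststore = ./truststore.jks
truststore_pass = secret
"""


def load_conf(text: str) -> configparser.ConfigParser:
    # The page's examples put "# AD base" style comments after values, and
    # values like (uid={0}) must not be interpolated.
    cp = configparser.ConfigParser(inline_comment_prefixes=("#",), interpolation=None)
    cp.read_string(text)
    return cp


def section(cp: configparser.ConfigParser, name: str) -> Dict[str, str]:
    return dict(cp[name]) if cp.has_section(name) else {}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a login name such as *)(uid=* cannot reshape the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_user_filter(template: str, username: str) -> str:
    return template.replace("{0}", escape_filter_value(username))


def lint(cp: configparser.ConfigParser) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means the checks passed."""
    f: List[Tuple[str, str]] = []
    auth = section(cp, "authentication")
    if auth.get("enabled", "").lower() != "true" or auth.get("authentication_method", "").upper() != "LDAP":
        f.append(("auth-not-ldap", "[authentication] needs enabled = True and authentication_method = LDAP"))
    if not auth.get("passwd_db"):
        f.append(("passwd-db-missing", "passwd_db is required; roles are stored in OpsCenter"))
    ldap = section(cp, "ldap")
    has_dn, has_pw = bool(ldap.get("search_dn")), bool(ldap.get("search_password"))
    if has_dn != has_pw:
        f.append(("search-creds-incomplete", "set both search_dn and search_password, or neither"))
    elif not has_dn:
        f.append(("anonymous-bind", "no search_dn/search_password: OpsCenter will try an anonymous bind"))
    sec = ldap.get("ldap_security", "None")
    if sec not in ("None", "TLS", "SSL", "SSL_TLS"):  # SSL_TLS is what the page's examples use
        f.append(("bad-ldap-security", f"unexpected ldap_security value {sec!r}"))
    secure = sec != "None"
    if ldap.get("server_port") == "636" and not secure:
        f.append(("port-636-no-tls", "server_port 636 is the ldaps port but ldap_security is None"))
    if secure and not ldap.get("truststore"):
        f.append(("truststore-missing", "ldap_security is set but no truststore to verify the server"))
    if secure and ldap.get("uri_scheme", "").lower() == "ldap":
        f.append(("uri-scheme-overridden", "ldap_security forces uri_scheme to ldaps; the explicit ldap is ignored"))
    if "{0}" not in ldap.get("user_search_filter", "(uid={0})"):
        f.append(("filter-no-placeholder", "user_search_filter must contain {0}"))
    if not ldap.get("user_search_base"):
        f.append(("user-base-missing", "user_search_base is required"))
    kind = ldap.get("group_search_type", "directory_search")
    stores_dn = ldap.get("user_memberof_stores_dn", "False").lower() == "true"
    if kind == "memberof_search":
        attr = ldap.get("user_memberof_attribute", "")
        if not attr:
            f.append(("memberof-attr-missing", "memberof_search needs user_memberof_attribute"))
        elif attr.lower() == "memberof" and not stores_dn:
            f.append(("memberof-stores-dn", "memberof holds DNs on AD/OpenLDAP: set user_memberof_stores_dn = True"))
        if stores_dn and not ldap.get("group_name_attribute"):
            f.append(("group-name-attr-missing", "group_name_attribute is needed to name a group from its DN"))
    elif kind == "directory_search":
        if not ldap.get("group_search_base"):
            f.append(("group-base-missing", "directory_search needs group_search_base"))
        if not ldap.get("group_search_filter_with_dn"):
            if ldap.get("group_search_filter"):
                f.append(("group-filter-deprecated", "group_search_filter is deprecated; use group_search_filter_with_dn"))
            else:
                f.append(("group-filter-missing", "directory_search needs group_search_filter_with_dn"))
        if not ldap.get("group_name_attribute"):
            f.append(("group-name-attr-missing", "group_name_attribute is required for directory_search"))
    else:
        f.append(("bad-group-search-type", f"unknown group_search_type {kind!r}"))
    return f


if __name__ == "__main__":
    for name, text in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, lint(load_conf(text)) or "OK")
    print(build_user_filter("(uid={0})", "*)(uid=*"))
```

  The checks only encode what the option descriptions state; they cannot tell you whether the directory actually permits the search user to read group membership, so a bind and search with the same credentials using your LDAP client of choice is still the final test before the restart.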
- Restart OpsCenter for the changes to take effect.