Lightweight Directory Access Protocol (LDAP)

SD Elements can be configured to rely on an LDAP user store for validating access to the application.

Configure LDAP for Single Sign-on

Follow the steps below to configure LDAP for Single Sign-on.

Prerequisites:

  • SSH credentials for sde_admin

  • The application user is a Super User.

  • Network access to the LDAP server.

  • LDAP Information

    • Server URI: The URI of the LDAP server

    • Bind DN: The distinguished name to use when binding to the LDAP server

    • Bind Password: The password to use with the bind DN

    • Start TLS: Indication if connection should use Start TLS for security

    • Base DN: The DN within which to search for the user.

    • Scope: The scope of the search

    • User filter: How to match LDAP users

Steps:

  1. Login to the SD Elements web application

  2. From the gear icon settings menu, select Authentication.

  3. Select option "LDAP" for SSO Type

  4. Update the fields using the LDAP Information.

  5. Click Save

The server is now setup to authenticate users using LDAP. You can test the configuration using the Test User Authentication section on the page.

Custom configurations:

  1. Open /docs/sde/local_settings and add the following,

    AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_REFERRALS: 0,
}

  2. Update the configuration according to the needs of the LDAP server. Example:

    • ldap.OPT_X_TLS_CACERTFILE

    • ldap.OPT_PROTOCOL_VERSION

    • ldap.OPT_REFERRALS

  3. Restart Apache

    sde apache restart
 Refer here for a full list of options: https://www.python-ldap.org/en/latest/reference/ldap.html#options

Troubleshooting

On the LDAP SSO configuration form, click on Verify Bind Connection to verify credentials and settings. For more advanced debugging, refer to the methods below.

Enabling verbose logging

Most LDAP logs are outputted to /docs/sde/log/ldap.log. Debug logs from the system LDAP library are outputted to /docs/sde/log/apache_error_main_docs_sde_<version>.log.

Follow the steps below to enable verbose logging for LDAP.

Prerequisites:

  • SSH credentials for sde_admin or sudo access.

Steps:

  1. Open /docs/sde/local_settings and add or update the following entry,

    AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_REFERRALS: 0,
    ldap.OPT_DEBUG_LEVEL: 4095  # Add this line
}

  2. Open /docs/sde/live/code/sigma/osd_settings.py and update the following entry,

    LOGGING = {
    ...
    'handlers': {
        ...
        'ldap': {
            'level': 'DEBUG',    # Change this value to DEBUG
            'class': 'logging.handlers.TimedRotatingFileHandler',
            'filename': os.path.join(ROOT_SDE_PATH, 'log/ldap.log'),
            'when': 'W0',
            'formatter': 'file',
        }
    },
    'loggers': {
        ...
        'python_ldap': {
            'handlers': ['ldap'],
            'level': 'DEBUG',   # Change this value to DEBUG
            'propagate': False
        },
        'django_auth_ldap': {
            'handlers': ['ldap'],
            'level': 'DEBUG',   # Change this value to DEBUG
            'propagate': False
        },
        ...
    }
}

  3. Restart Apache

    sde apache restart
 The logs may contain sensitive information. Remember to disable verbose logging when it is no longer needed.

Testing with ldapsearch

The ldapsearch command is available for manually testing LDAP connection bindings on the SDE instance.

Prerequisites:

  • SSH credentials for sde_admin or sudo access.

Steps:

  1. Execute the following command from a shell on the SDE instance:

    ldapsearch -H ldap://ldap.server.com -D "<bind dn>" -W -x -v -d 4095 -Z

results matching ""

    No results matching ""