Lightweight Directory Access Protocol (LDAP)

SD Elements can be configured to rely on an LDAP user store for validating access to the application.

Configure LDAP for Single Sign-on

Follow the steps below to configure LDAP for Single Sign-on.

Prerequisites:
  • SSH credentials for sde_admin

  • The application user is a Super User.

  • Network access to the LDAP server.

  • LDAP Information

    • Server URI: The URI of the LDAP server (ldap:// or ldaps://)

    • Bind DN: The distinguished name to use when binding to the LDAP server

    • Bind Password: The password to use with the bind DN

    • Start TLS: Whether the connection should be upgraded to TLS with the StartTLS extended operation. Use this (or an ldaps:// Server URI) so that the bind password and user credentials are not sent in cleartext.

    • Base DN: The DN within which to search for the user.

    • Scope: The scope of the search

    • User filter: How to match LDAP users

Steps:
  1. Login to the SD Elements web application

  2. From the gear icon [settings] menu, select Authentication.

  3. Select option "LDAP" for SSO Type

  4. Update the fields using the LDAP Information.

  5. Click Save

The server is now set up to authenticate users using LDAP. You can test the configuration using the Test User Authentication section on the page.

Custom configurations:

  1. Open /docs/sde/local_settings and add the following:

    try:
      import ldap
      AUTH_LDAP_CONNECTION_OPTIONS = {
          ldap.OPT_REFERRALS: 0,
      }
    except ImportError:
      pass
  2. Update the options according to the needs of the LDAP server. Options that commonly need adjusting:

    • ldap.OPT_X_TLS_CACERTFILE

    • ldap.OPT_PROTOCOL_VERSION

    • ldap.OPT_REFERRALS

  3. Restart Apache

    sde apache restart
Tip
Refer here for a full list of options: https://www.python-ldap.org/en/latest/reference/ldap.html#options

Use a custom certificate

To use a custom certificate for LDAP SSO, first install the custom certificate on the system, then follow the instructions below:

  1. Open /docs/sde/local_settings and add the following:

    try:
      import ldap
      AUTH_LDAP_CONNECTION_OPTIONS = {
        ldap.OPT_REFERRALS: 0,
        ldap.OPT_X_TLS_CACERTFILE: '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',
        ldap.OPT_X_TLS_NEWCTX: 0,
      }
    except ImportError:
      pass
  2. Restart Apache

    sde apache restart

The custom certificate is now available for LDAP SSO.

Caution
The path to the certificate bundle varies depending on the operating system. Double-check this path before proceeding, and make sure the file is readable by the Apache process, since the LDAP client library reads it from inside the web application. The table below can be used as a quick reference.

Operating System             Certificate Bundle
Debian/Ubuntu/Gentoo etc.    /etc/ssl/certs/ca-certificates.crt
Fedora                       /etc/pki/tls/certs/ca-bundle.crt
OpenSUSE                     /etc/ssl/ca-bundle.pem
OpenELEC                     /etc/pki/tls/cacert.pem
CentOS/RHEL 7                /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
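The following is an added example, not code from SD Elements or the python-ldap project, that covers both the "Custom configurations" and "Use a custom certificate" steps above. It picks the bundle path for the host's distro from the table (read from /etc/os-release content), sanity-checks that the bundle is readable and that every PEM block decodes to a DER SEQUENCE, and builds the AUTH_LDAP_CONNECTION_OPTIONS entries keyed by option name so they can be inspected without python-ldap installed. The distro-to-path mapping, the demo bundle contents (DER blobs that are not real certificates) and the helper names are assumptions; the ordering of OPT_X_TLS_NEWCTX after OPT_X_TLS_CACERTFILE matters because libldap only builds a fresh TLS context from the options set before it.

```python
import base64
import os
import re
import tempfile

# Assumed mapping from /etc/os-release ID values to the bundle paths in the table above.
CA_BUNDLE_BY_DISTRO = {
    'debian': '/etc/ssl/certs/ca-certificates.crt',
    'ubuntu': '/etc/ssl/certs/ca-certificates.crt',
    'gentoo': '/etc/ssl/certs/ca-certificates.crt',
    'fedora': '/etc/pki/tls/certs/ca-bundle.crt',
    'opensuse': '/etc/ssl/ca-bundle.pem',
    'openelec': '/etc/pki/tls/cacert.pem',
    'centos': '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',
    'rhel': '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',
}

_PEM_BLOCK = re.compile(
    r'-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----', re.S)


def distro_id(os_release_text):
    """Return the ID= value from /etc/os-release content, unquoted and lowercased."""
    for line in os_release_text.splitlines():
        if line.startswith('ID='):
            return line[3:].strip().strip('"').lower()
    return ''


def default_ca_bundle(os_release_text):
    """Bundle path for the distro, or None when the distro is not in the table."""
    return CA_BUNDLE_BY_DISTRO.get(distro_id(os_release_text))


def count_pem_certs(path):
    """Sanity-check a CA bundle before pointing libldap at it.

    Raises OSError if the file cannot be read and ValueError if it holds no
    CERTIFICATE blocks or a block is not base64 of a DER SEQUENCE (0x30).
    This is a lightweight check, not a full X.509 parse.
    """
    with open(path, 'r') as fh:
        text = fh.read()
    blocks = _PEM_BLOCK.findall(text)
    if not blocks:
        raise ValueError('%s contains no CERTIFICATE blocks' % path)
    for i, body in enumerate(blocks):
        der = base64.b64decode(''.join(body.split()), validate=True)
        if not der or der[0] != 0x30:
            raise ValueError('block %d in %s is not a DER SEQUENCE' % (i, path))
    return len(blocks)


def ldap_tls_options(cafile):
    """Connection options for a custom CA bundle, keyed by python-ldap option name.

    Returns (options, certificate_count). OPT_X_TLS_NEWCTX is deliberately the
    last key: django-auth-ldap applies the dict in order, and libldap only
    rebuilds its TLS context from the options set before NEWCTX.
    """
    count = count_pem_certs(cafile)  # fail here rather than at the first bind
    return {
        'OPT_REFERRALS': 0,
        'OPT_X_TLS_CACERTFILE': cafile,
        'OPT_X_TLS_NEWCTX': 0,
    }, count


def as_auth_ldap_connection_options(named):
    """Translate the named dict to ldap.OPT_* constants for local_settings."""
    import ldap  # only needed on the SD Elements host itself
    return {getattr(ldap, name): value for name, value in named.items()}


def write_demo_bundle(dirpath, n=2):
    """Constructed stand-in bundle: each block is a DER SEQUENCE, NOT a real certificate."""
    block = '-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n'
    path = os.path.join(dirpath, 'demo-ca-bundle.pem')
    with open(path, 'w') as fh:
        fh.write(block * n)
    return path


def demo():
    """Run the checks against constructed files; returns (count, option names, bad_rejected)."""
    with tempfile.TemporaryDirectory() as d:
        opts, count = ldap_tls_options(write_demo_bundle(d, n=2))
        bad = os.path.join(d, 'bad.pem')
        with open(bad, 'w') as fh:  # base64 of three NUL bytes: not a DER SEQUENCE
            fh.write('-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n')
        try:
            count_pem_certs(bad)
            bad_rejected = False
        except ValueError:
            bad_rejected = True
    return count, list(opts), bad_rejected


if __name__ == '__main__':
    print(default_ca_bundle(open('/etc/os-release').read()))
    print(demo())
```

On the SD Elements host, run count_pem_certs against the path you intend to put in local_settings as the sde_admin user first; an unreadable or malformed bundle otherwise surfaces only as a TLS failure on the first bind.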

Disable auto user provisioning

By default, users who authenticate using LDAP are automatically provisioned a user account in SD Elements when they attempt to log in. Follow the steps below to restrict access only to users who are manually provisioned.

Prerequisites:
  • SSH credentials for sde_admin.

Steps:
  1. Access the SD Elements server SSH console as sde_admin.

  2. Update file /docs/sde/local_settings set:

    AUTH_LDAP_NO_NEW_USERS = True
  3. Save the file and run:

    sde apache restart

Users who authenticate using LDAP will be unable to log in to SD Elements unless they already have a user account.

Troubleshooting

On the LDAP SSO configuration form, click on Verify Bind Connection to verify credentials and settings. For more advanced debugging, refer to the methods below.

Enabling verbose logging

Most LDAP log messages are written to /docs/sde/log/ldap.log. Debug output from the system LDAP client library (libldap, enabled with OPT_DEBUG_LEVEL) is written to /docs/sde/log/apache_error_main_docs_sde_<version>.log.

Follow the steps below to enable verbose logging for LDAP.

Prerequisites:
  • SSH credentials for sde_admin or sudo access.

Steps:
  1. Open /docs/sde/local_settings and add or update the following entry:

    import ldap
    AUTH_LDAP_CONNECTION_OPTIONS = {
        ldap.OPT_REFERRALS: 0,
        ldap.OPT_DEBUG_LEVEL: 4095,  # Add this line; 4095 enables every libldap debug category
    }
  2. Open /docs/sde/live/code/sigma/osd_settings.py and update the following entry,

    LOGGING = {
        ...
        'handlers': {
            ...
            'ldap': {
                'level': 'DEBUG',    # Change this value to DEBUG
                'class': 'logging.handlers.TimedRotatingFileHandler',
                'filename': os.path.join(ROOT_SDE_PATH, 'log/ldap.log'),
                'when': 'W0',
                'formatter': 'file',
            }
        },
        'loggers': {
            ...
            'python_ldap': {
                'handlers': ['ldap'],
                'level': 'DEBUG',   # Change this value to DEBUG
                'propagate': False
            },
            'django_auth_ldap': {
                'handlers': ['ldap'],
                'level': 'DEBUG',   # Change this value to DEBUG
                'propagate': False
            },
            ...
        }
    }
  3. Restart Apache

    sde apache restart
Warning
The logs may contain sensitive information. Remove the OPT_DEBUG_LEVEL entry and restore the previous log levels, then restart Apache, as soon as verbose logging is no longer needed.

Test with the CLI

Verify bind connection details

The ldapwhoami command can be used to manually test an LDAP connection bind.

Prerequisites:
  • SSH credentials for sde_admin or sudo access

  • LDAP instance URI

  • LDAP bind user credentials

Steps:
  1. Execute the following command from a shell on the SDE instance:

    ldapwhoami -H ldap://ldap.server.com -D "<bind user DN>" -W -x -v
  2. When prompted, enter the bind user’s password.

If StartTLS is required, append -ZZ to the previous command. A single -Z only requests StartTLS and continues in cleartext if the server declines it; -ZZ makes a failed negotiation fatal, which is what you want when verifying a production configuration. For an ldaps:// URI, use that scheme in -H instead of -Z. If more verbose logging is required, append -d 4095 to the previous command.

If successful, the authorization identity of the bind user is printed, for example dn:<bind user DN>.

Verify user lookup

The ldapsearch command can be used to manually test a user lookup. Only users found using the search filters will be allowed to authenticate to SD Elements.

Prerequisites:
  • SSH credentials for sde_admin or sudo access

  • LDAP instance URI

  • LDAP bind user credentials

  • LDAP search base DN

  • LDAP search filter

Steps:
  1. Execute the following command from a shell on the SDE instance:

    ldapsearch -H ldap://ldap.server.com -D "<bind user DN>" -W -x -v -b "<base DN>" "<search filter>"
  2. When prompted, enter the bind user’s password

If StartTLS is required, append -ZZ to the previous command (a single -Z falls back to cleartext if StartTLS is declined). For an ldaps:// URI, use that scheme in -H instead. If more verbose logging is required, append -d 4095 to the previous command.

If successful, the LDAP user attributes for the user will be returned.
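The following is an added example, not part of the SD Elements documentation or product code, covering the "User filter" setting and the two CLI checks above. It renders a django-auth-ldap style filter template with RFC 4515 escaping of the username, shows beside it what an unescaped username does to the filter, and builds the ldapwhoami and ldapsearch command lines with -ZZ added for ldap:// URIs. The template format (uid=%(user)s), the example bind and base DNs, the attribute list and the hostile username are constructed for the demonstration; escaping of non-ASCII characters as UTF-8 byte escapes is a stricter choice than python-ldap's default escape_filter_chars, which leaves them as-is.

```python
import shlex


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into an LDAP search filter.

    Backslash, '*', '(', ')' and NUL become \\XX; non-ASCII characters are
    emitted as escaped UTF-8 bytes so the filter stays pure ASCII.
    """
    out = []
    for ch in value:
        if ch in '\\*()\x00':
            out.append('\\%02x' % ord(ch))
        elif ord(ch) > 0x7f:
            out.extend('\\%02x' % b for b in ch.encode('utf-8'))
        else:
            out.append(ch)
    return ''.join(out)


def render_user_filter(template, username):
    """Fill a template such as '(uid=%(user)s)' with an escaped username."""
    return template % {'user': escape_filter_value(username)}


def render_user_filter_unsafe(template, username):
    """Same template without escaping, for contrast only: never do this."""
    return template % {'user': username}


def _starttls_flag(uri, require_starttls):
    # -ZZ (not -Z) so a declined StartTLS aborts instead of continuing in cleartext.
    # ldaps:// already negotiates TLS on connect, so no flag is added for it.
    return ['-ZZ'] if require_starttls and uri.startswith('ldap://') else []


def ldapwhoami_argv(uri, bind_dn, require_starttls=True):
    """Command line for the bind check; -W prompts for the password."""
    return ['ldapwhoami', '-H', uri, '-x', '-v', '-D', bind_dn, '-W'] + _starttls_flag(uri, require_starttls)


def ldapsearch_argv(uri, bind_dn, base_dn, search_filter, scope='sub',
                    require_starttls=True, attrs=('uid', 'mail', 'memberOf')):
    """Command line for the user lookup; scope is one of base, one, sub."""
    argv = ['ldapsearch', '-H', uri, '-x', '-v', '-D', bind_dn, '-W',
            '-b', base_dn, '-s', scope]
    argv += _starttls_flag(uri, require_starttls)
    argv.append(search_filter)
    argv.extend(attrs)
    return argv


def demo():
    """Constructed inputs; returns (safe filter, unsafe filter, ldapsearch command)."""
    uri = 'ldap://ldap.server.com'                          # placeholder host from the page
    bind_dn = 'cn=sde-bind,ou=service,dc=example,dc=com'    # constructed
    base_dn = 'ou=people,dc=example,dc=com'                 # constructed
    hostile = 'alice)(|(uid=*'   # a username crafted to break out of the filter
    safe = render_user_filter('(uid=%(user)s)', hostile)
    unsafe = render_user_filter_unsafe('(uid=%(user)s)', hostile)
    return safe, unsafe, shlex.join(ldapsearch_argv(uri, bind_dn, base_dn, safe))


if __name__ == '__main__':
    for line in demo():
        print(line)
```

The unsafe rendering turns the filter into (uid=alice)(|(uid=*), an OR over every entry, which is why django-auth-ldap escapes the username before substitution; the escaped form matches only an entry whose uid literally contains the parentheses. Paste the printed ldapsearch line into a shell on the SDE instance to reproduce exactly the lookup the application performs.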
