Lightweight Directory Access Protocol (LDAP)
SD Elements can be configured to rely on an LDAP user store for validating access to the application.
Configure LDAP for Single Sign-on
Follow the steps below to configure LDAP for Single Sign-on.
Prerequisites:
- SSH credentials for sde_admin
- The application user is a Super User.
- Network access to the LDAP server.
- LDAP Information:
  - Server URI: The URI of the LDAP server
  - Bind DN: The distinguished name to use when binding to the LDAP server
  - Bind Password: The password to use with the bind DN
  - Start TLS: Whether the connection should use Start TLS for security
  - Base DN: The DN within which to search for the user
  - Scope: The scope of the search
  - User filter: How to match LDAP users
Steps:
1. Log in to the SD Elements web application.
2. From the gear icon menu, select Authentication.
3. Select option "LDAP" for SSO Type.
4. Update the fields using the LDAP Information.
5. Click Save.
The server is now set up to authenticate users using LDAP. You can test the configuration using the Test User Authentication section on the page.
Custom configurations:
1. Open /docs/sde/local_settings and add the following:
```python
try:
    import ldap
    AUTH_LDAP_CONNECTION_OPTIONS = {
        ldap.OPT_REFERRALS: 0,
    }
except ImportError:
    pass
```
2. Update the configuration according to the needs of the LDAP server. Example options:
   - ldap.OPT_X_TLS_CACERTFILE
   - ldap.OPT_PROTOCOL_VERSION
   - ldap.OPT_REFERRALS
3. Restart Apache:
```
sde apache restart
```
Refer here for a full list of options: https://www.python-ldap.org/en/latest/reference/ldap.html#options
Use a custom certificate
To use a custom certificate for LDAP SSO, first install the custom certificate on the system, then follow the instructions below:
1. Open /docs/sde/local_settings and add the following:
```python
try:
    import ldap
    AUTH_LDAP_CONNECTION_OPTIONS = {
        ldap.OPT_REFERRALS: 0,
        ldap.OPT_X_TLS_CACERTFILE: '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',
        ldap.OPT_X_TLS_NEWCTX: 0,
    }
except ImportError:
    pass
```
2. Restart Apache:
```
sde apache restart
```
The custom certificate is now available for LDAP SSO.
Note: The path to the certificate bundle varies depending on the operating system. Make sure that you double-check this path before proceeding. The table below can be used as a quick reference.
Operating System | Certificate Bundle
---|---
Debian/Ubuntu/Gentoo etc. | /etc/ssl/certs/ca-certificates.crt
Fedora | /etc/pki/tls/certs/ca-bundle.crt
OpenSUSE | /etc/ssl/ca-bundle.pem
OpenELEC | /etc/pki/tls/cacert.pem
CentOS/RHEL 7 | /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
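A small helper for picking the value of ldap.OPT_X_TLS_CACERTFILE from the table above and confirming the bundle really contains certificates before it goes into local_settings. This is an added example, not SD Elements or python-ldap code; the mapping from /etc/os-release ID and ID_LIKE tokens to the table rows is an assumption, and the function names are made up for this illustration.

```python
import os
import re
import shlex

# Table from the page, keyed by os-release ID tokens (mapping is an assumption).
CA_BUNDLES = {
    "debian": "/etc/ssl/certs/ca-certificates.crt",
    "ubuntu": "/etc/ssl/certs/ca-certificates.crt",
    "gentoo": "/etc/ssl/certs/ca-certificates.crt",
    "fedora": "/etc/pki/tls/certs/ca-bundle.crt",
    "opensuse": "/etc/ssl/ca-bundle.pem",
    "suse": "/etc/ssl/ca-bundle.pem",
    "openelec": "/etc/pki/tls/cacert.pem",
    "centos": "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",
    "rhel": "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",
}
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def os_release_ids(text):
    """Return the ID token followed by ID_LIKE tokens from os-release text."""
    fields = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            fields[key.strip()] = " ".join(shlex.split(value))
    ids = [fields.get("ID", "")] + fields.get("ID_LIKE", "").split()
    return [i for i in ids if i]


def ca_bundle_for(os_release_text):
    """Bundle path from the table for this distribution, or None if unknown."""
    for ident in os_release_ids(os_release_text):
        base = ident.split("-")[0]  # opensuse-leap -> opensuse
        if base in CA_BUNDLES:
            return CA_BUNDLES[base]
    return None


def count_pem_certs(bundle_text):
    """Number of complete PEM certificate blocks in the bundle text."""
    return len(_PEM_BLOCK.findall(bundle_text))


def check_bundle(path):
    """True when the file exists and holds at least one PEM certificate."""
    if not os.path.isfile(path):
        return False
    with open(path, "r", errors="replace") as fh:
        return count_pem_certs(fh.read()) > 0
```

On the SD Elements host, `check_bundle(ca_bundle_for(open("/etc/os-release").read()))` returning False means the path should not be used as ldap.OPT_X_TLS_CACERTFILE.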
Disable auto user provisioning
By default, users who authenticate using LDAP are automatically provisioned a user account in SD Elements when they attempt to log in. Follow the steps below to restrict access only to users who are manually provisioned.
Prerequisites:
- SSH credentials for sde_admin.
Steps:
1. Access the SD Elements server SSH console as sde_admin.
2. Update the file /docs/sde/local_settings and set:
```python
AUTH_LDAP_NO_NEW_USERS = True
```
3. Save the file and run:
```
sde apache restart
```
Users who authenticate using LDAP will be unable to log in to SD Elements unless they already have a user account.
Troubleshooting
On the LDAP SSO configuration form, click on Verify Bind Connection to verify credentials and settings. For more advanced debugging, refer to the methods below.
Enabling verbose logging
Most LDAP logs are written to /docs/sde/log/ldap.log. Debug logs from the system LDAP library are written to /docs/sde/log/apache_error_main_docs_sde_<version>.log.
Follow the steps below to enable verbose logging for LDAP.
Prerequisites:
- SSH credentials for sde_admin or sudo access.
Steps:
1. Open /docs/sde/local_settings and add or update the following entry:
```python
import ldap
AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_REFERRALS: 0,
    ldap.OPT_DEBUG_LEVEL: 4095,  # Add this line
}
```
2. Open /docs/sde/live/code/sigma/osd_settings.py and update the following entry:
```python
LOGGING = {
    ...
    'handlers': {
        ...
        'ldap': {
            'level': 'DEBUG',  # Change this value to DEBUG
            'class': 'logging.handlers.TimedRotatingFileHandler',
            'filename': os.path.join(ROOT_SDE_PATH, 'log/ldap.log'),
            'when': 'W0',
            'formatter': 'file',
        }
    },
    'loggers': {
        ...
        'python_ldap': {
            'handlers': ['ldap'],
            'level': 'DEBUG',  # Change this value to DEBUG
            'propagate': False
        },
        'django_auth_ldap': {
            'handlers': ['ldap'],
            'level': 'DEBUG',  # Change this value to DEBUG
            'propagate': False
        },
        ...
    }
}
```
3. Restart Apache:
```
sde apache restart
```
Note: The logs may contain sensitive information. Remember to disable verbose logging when it is no longer needed.
Test with the CLI
Verify bind connection details
The ldapwhoami command can be used to manually test an LDAP connection bind.
Prerequisites:
- SSH credentials for sde_admin or sudo access
- LDAP instance URI
- LDAP bind user credentials
Steps:
1. Execute the following command from a shell on the SD Elements instance:
```
ldapwhoami -H ldap://ldap.server.com -D "<bind user DN>" -W -x -v
```
2. When prompted, enter the bind user's password.
If a TLS connection is required, append -Z to the previous command.
If more verbose logging is required, append -d 4095 to the previous command.
If successful, the username of the bind user will be returned.
Verify user lookup
The ldapsearch command can be used to manually test a user lookup. Only users found using the search filters will be allowed to authenticate to SD Elements.
Prerequisites:
- SSH credentials for sde_admin or sudo access
- LDAP instance URI
- LDAP bind user credentials
- LDAP search base DN
- LDAP search filter
Steps:
1. Execute the following command from a shell on the SD Elements instance:
```
ldapsearch -H ldap://ldap.server.com -D "<bind user DN>" -W -x -v -b "<base DN>" "<search filter>"
```
2. When prompted, enter the bind user's password.
If a TLS connection is required, append -Z to the previous command.
If more verbose logging is required, append -d 4095 to the previous command.
If successful, the LDAP user attributes for the user will be returned.