LDAP Configuration

Modified on Wed, 26 Jul 2023 at 10:36 AM

Introduction


IAM offers a built-in option for connecting with User federation providers, such as LDAP and Active Directory.


In this article, we cover how to connect with an LDAP server through IAM Admin Panel.


How-To

Replicated Panel


Once logged in to the Replicated admin panel, navigate to Identity & Access Management Configuration and find the section named Login Mode for IAM.



Here, select LDAP, save the config, and re-deploy the application.


IAM Admin Panel


After having re-deployed the application, navigate to the IAM admin panel and log in with the administrator user.

Having the labforward realm selected, click on the menu “User federation”, then “Add new provider”, and then “LDAP”.


The fields not mentioned in this documentation should be kept with their default or empty values.

 

General Options

The field UI Display name isn’t displayed on the log-in screen; it is the identifier for the LDAP configuration.


In the field Vendor, select “Other”.


Connection and authentication settings

Add the Connection URL of your LDAP server and set Connection pooling as active. Use an ldaps:// URL, or a plain ldap:// URL with StartTLS enabled, so that the bind credential and the passwords of users logging in are not sent over the network in clear text:



Press the Test connection button to ensure the connection URL is correct.


Bind type - simple


Bind DN - DN of the LDAP account that IAM (Keycloak) uses to search the directory. With Edit mode set to UNSYNCED (below) nothing is written back to LDAP, so read access is sufficient: prefer a dedicated read-only service account over the directory administrator.


Bind Credential - Password of the Bind DN account.


Press the Test authentication button to ensure the credentials are correct.


LDAP searching and updating

Edit mode - UNSYNCED (users are imported into IAM; any changes made in IAM are kept locally and never written back to the LDAP server).


Users DN - Full DN of LDAP tree where your users are. This DN is the parent of LDAP users.


Username LDAP attribute - mail


UUID LDAP attribute - mail. This attribute identifies the imported user, so it must be unique across the Users DN; if a user's mail value changes in LDAP, IAM treats the entry as a new user.


User object classes - inetOrgPerson, organizationalPerson


User LDAP Filter - Additional LDAP filter for filtering searched users. Leave this empty if you don’t need an additional filter. Make sure that it starts with ( and ends with ) (default empty).


Search scope - Subtree


Pagination Enabled - true
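To see what the settings in this section produce, the following added example (not part of the original article, and not Keycloak's own code) composes the user lookup filter from the Users DN settings above: an AND of the User object classes, the Username LDAP attribute equality, and the optional User LDAP Filter. It also applies the article's rule that a custom filter must start with "(" and end with ")", and escapes the login value per RFC 4515 so that a crafted login such as "*)(mail=*" cannot widen the match. Keycloak builds its query internally; this mirrors the result in spirit, not its exact code. The login values and the memberOf filter are constructed for the example.

```python
"""Compose the LDAP user-lookup filter implied by the "LDAP searching and
updating" settings.  Added example; the composition approximates what an
LDAP-backed IAM does (AND of object classes, username attribute, custom
filter) and is not Keycloak's own implementation."""

# RFC 4515 escaping of assertion values.  Without this, a login value of
# "*)(mail=*" would turn the equality match into a wildcard.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def validate_custom_filter(custom: str) -> str:
    """Apply the article's rule for User LDAP Filter: empty, or a single
    parenthesised expression with balanced parentheses."""
    custom = custom.strip()
    if not custom:
        return ""
    if not (custom.startswith("(") and custom.endswith(")")):
        raise ValueError("User LDAP Filter must start with '(' and end with ')'")
    depth = 0
    for ch in custom:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')' in User LDAP Filter")
    if depth != 0:
        raise ValueError("unbalanced '(' in User LDAP Filter")
    return custom


def user_search_filter(login: str,
                       username_attr: str = "mail",
                       object_classes=("inetOrgPerson", "organizationalPerson"),
                       custom_filter: str = "") -> str:
    """Return the filter sent under the Users DN with Subtree scope.
    Defaults are the values recommended in the article."""
    parts = [f"(objectClass={oc})" for oc in object_classes]
    parts.append(f"({username_attr}={escape_filter_value(login)})")
    custom = validate_custom_filter(custom_filter)
    if custom:
        parts.append(custom)
    return "(&" + "".join(parts) + ")"


if __name__ == "__main__":
    # Constructed sample: restrict logins to members of one group.
    print(user_search_filter("alice@example.com",
                             custom_filter="(memberOf=cn=labfolder,ou=groups,dc=example,dc=com)"))
    # Constructed hostile login value: escaped, so it stays a literal match.
    print(user_search_filter("*)(mail=*"))
```

The hostile login is rendered as a literal string in the filter; any filter you type into User LDAP Filter is trusted as-is, which is why the article requires it to be a complete parenthesised expression.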


Synchronization settings


Import users - true

Sync Registrations - false

Batch size - 1000

Periodic full sync  - false

Periodic changed users sync - false


Kerberos integration

Keep default options.


Cache settings

Keep default options.


Advanced settings

Enable the LDAPv3 password modify extended operation - false

Validate password policy - false

Trust email - true (email addresses imported from LDAP are treated as verified, so the LDAP directory must be the authoritative source of user emails)

Having this basic configuration finished, press the Save button.

Mappers

After saving the LDAP configuration, the tab Mappers becomes visible at the top of the page.

If the standard mappers were not created automatically, add the following ones:


Creation Date

Name - creation date

Mapper type - user-attribute-ldap-mapper

User Model Attribute - createTimestamp

LDAP Attribute - createTimestamp

Read Only - true

Always Read Value From LDAP - false

Is Mandatory In LDAP - false

Attribute default value - (empty)

Force a default value - false

Is Binary Attribute - false


Email

Name - email

Mapper type - user-attribute-ldap-mapper if every user has exactly one email; multivalue-attribute-ldap-mapper if your LDAP server allows several values in the mail attribute

User Model Property - email (user-attribute-ldap-mapper)

User Model Multi Attribute - potentialEmailList (multivalue-attribute-ldap-mapper)

LDAP Attribute - mail


First name

Name - first name

Mapper type - user-attribute-ldap-mapper

User Model Attribute - firstName

LDAP Attribute - givenName

Read Only - true

Always Read Value From LDAP - false

Is Mandatory In LDAP - true

Attribute default value - (empty)

Force a default value - false

Is Binary Attribute - false


Last name

Name - last name

Mapper type - user-attribute-ldap-mapper

User Model Attribute - lastName

LDAP Attribute - sn

Read Only - true

Always Read Value From LDAP - false

Is Mandatory In LDAP - true

Attribute default value - (empty)

Force a default value - false

Is Binary Attribute - false


Modify date

Name - modify date

Mapper type - user-attribute-ldap-mapper

User Model Attribute - modifyTimestamp

LDAP Attribute - modifyTimestamp

Read Only - true

Always Read Value From LDAP - false

Is Mandatory In LDAP - false

Attribute default value - (empty)

Force a default value - false

Is Binary Attribute - false

Username

Name - username

Mapper type - user-attribute-ldap-mapper

User Model Attribute - username

LDAP Attribute - mail (or whichever attribute your LDAP server uses for the user's email; mail is the default, and it should match the Username LDAP attribute set above)

Read Only - true

Always Read Value From LDAP - false

Is Mandatory In LDAP - true

Attribute default value - (empty)

Force a default value - false

Is Binary Attribute - false


Testing

After finishing the configuration, save it and navigate to the login screen.

IAM should now be able to connect to the LDAP server and import the users: log in with an LDAP user's email and password, then confirm that the user appears under Users in the IAM admin panel with the attributes filled by the mappers above.


Migrating from a configured Labfolder instance

If there is already an existing Labfolder configuration with an LDAP server, the following fields in the file server.cnf should already be filled in (shown here as the commented-out template):

# LDAP Authentication
#FEATURE_LDAP_AUTHENTICATION=
#LDAP_URL=
#LDAP_BASE=
#LDAP_SEARCH_USER_DN=
#LDAP_SEARCH_USER_PASSWORD=
#LDAP_ANONYMOUS_READ_ONLY=
#LDAP_USER_DN_PATTERNS=
#LDAP_IS_TLS_ENABLED=
#LDAP_IS_ATTRIBUTE_SEARCH_ENABLED=
#LDAP_ATTRIBUTE_SEARCH_NAME=
#LDAP_ATTRIBUTE_SEARCH_EXTRA_FILTERS=

With the new installation, some of these fields translate to the Replicated Admin Panel (Login Mode) and to the IAM Admin Panel LDAP provider settings as follows:

Existing LF config - Replicated / IAM setting

FEATURE_LDAP_AUTHENTICATION - Login Mode = LDAP (Replicated Admin Panel)

LDAP_URL - Connection URL

LDAP_BASE - Users DN

LDAP_SEARCH_USER_DN - Bind DN

LDAP_SEARCH_USER_PASSWORD - Bind Credential

LDAP_ATTRIBUTE_SEARCH_NAME - Username LDAP attribute and UUID LDAP attribute (both set to the same attribute, mail by default)

LDAP_IS_TLS_ENABLED - Enable StartTLS (only with a plain ldap:// Connection URL; an ldaps:// connection is already encrypted and StartTLS must stay off)

LDAP_ATTRIBUTE_SEARCH_EXTRA_FILTERS - User LDAP filter
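The mapping above can be applied mechanically. The following added example (written for this article; it is not Labforward's migration tool) parses the LDAP fields of a server.cnf, checks the transport combination (ldaps:// versus StartTLS, and warns when neither is used), checks the User LDAP filter rule, and emits the LDAP provider as a JSON component. The component layout and the config keys (connectionUrl, usersDn, bindDn, startTls, and so on) are assumed to be those used by the Keycloak admin REST API for the "ldap" user-storage provider; verify them against your IAM version before importing. The server.cnf sample is constructed for the example.

```python
"""Translate the LDAP fields of a legacy Labfolder server.cnf into the IAM
(Keycloak) LDAP user-federation settings listed in this article.

Added example, not the project's own tool.  Assumption: the config keys and
the component representation below are those of the Keycloak admin REST API
"ldap" user-storage provider; check them against your IAM version."""
import json
from urllib.parse import urlsplit

# Constructed sample of the relevant server.cnf lines from a legacy install.
SAMPLE_SERVER_CNF = """\
# LDAP Authentication
FEATURE_LDAP_AUTHENTICATION=true
LDAP_URL=ldap://ldap.example.com:389
LDAP_BASE=ou=people,dc=example,dc=com
LDAP_SEARCH_USER_DN=cn=iam-reader,ou=services,dc=example,dc=com
LDAP_SEARCH_USER_PASSWORD=s3cret
#LDAP_ANONYMOUS_READ_ONLY=
LDAP_IS_TLS_ENABLED=true
LDAP_ATTRIBUTE_SEARCH_NAME=mail
LDAP_ATTRIBUTE_SEARCH_EXTRA_FILTERS=(memberOf=cn=labfolder,ou=groups,dc=example,dc=com)
"""


def parse_server_cnf(text: str) -> dict:
    """Return KEY=VALUE pairs; comment lines, including the '#KEY=' lines of
    an untouched template, are ignored."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def check_transport(url: str, start_tls: bool) -> list:
    """Reject impossible combinations and return warnings for clear-text binds.
    StartTLS upgrades a plain ldap:// session; an ldaps:// socket is already TLS."""
    scheme = urlsplit(url).scheme
    if scheme not in ("ldap", "ldaps"):
        raise ValueError(f"Connection URL must be ldap:// or ldaps://, got {url!r}")
    if start_tls and scheme == "ldaps":
        raise ValueError("LDAP_IS_TLS_ENABLED (StartTLS) cannot be combined with ldaps://")
    warnings = []
    if scheme == "ldap" and not start_tls:
        warnings.append("bind credential and user passwords will cross the network "
                        "in clear text; use ldaps:// or enable StartTLS")
    return warnings


def to_keycloak_ldap_component(cfg: dict, display_name: str = "labfolder-ldap") -> dict:
    if cfg.get("FEATURE_LDAP_AUTHENTICATION", "").lower() != "true":
        raise ValueError("LDAP was not enabled in server.cnf; keep the current Login Mode")
    url = cfg["LDAP_URL"]
    start_tls = cfg.get("LDAP_IS_TLS_ENABLED", "false").lower() == "true"
    check_transport(url, start_tls)
    custom_filter = cfg.get("LDAP_ATTRIBUTE_SEARCH_EXTRA_FILTERS", "")
    if custom_filter and not (custom_filter.startswith("(") and custom_filter.endswith(")")):
        raise ValueError("User LDAP Filter must start with '(' and end with ')'")
    attr = cfg.get("LDAP_ATTRIBUTE_SEARCH_NAME") or "mail"
    config = {
        # Connection and authentication settings
        "connectionUrl": url,
        "startTls": str(start_tls).lower(),
        "connectionPooling": "true",
        "authType": "simple",
        "bindDn": cfg["LDAP_SEARCH_USER_DN"],
        "bindCredential": cfg["LDAP_SEARCH_USER_PASSWORD"],
        # LDAP searching and updating (values recommended in the article)
        "vendor": "other",
        "editMode": "UNSYNCED",
        "usersDn": cfg["LDAP_BASE"],
        "usernameLDAPAttribute": attr,
        "uuidLDAPAttribute": attr,
        "userObjectClasses": "inetOrgPerson, organizationalPerson",
        "customUserSearchFilter": custom_filter,
        "searchScope": "2",  # 2 = Subtree, 1 = one level
        "pagination": "true",
        # Synchronization and advanced settings
        "importEnabled": "true",
        "syncRegistrations": "false",
        "batchSizeForSync": "1000",
        "trustEmail": "true",
    }
    return {
        "name": display_name,
        "providerId": "ldap",
        "providerType": "org.keycloak.storage.UserStorageProvider",
        "config": {k: [v] for k, v in config.items()},  # every value is a list of strings
    }


if __name__ == "__main__":
    cfg = parse_server_cnf(SAMPLE_SERVER_CNF)
    for w in check_transport(cfg["LDAP_URL"], cfg.get("LDAP_IS_TLS_ENABLED") == "true"):
        print("WARNING:", w)
    print(json.dumps(to_keycloak_ldap_component(cfg), indent=2))
```

The output is meant as a checklist against the fields you enter in the IAM Admin Panel; the bind credential is printed in clear, so treat the output like the server.cnf it came from.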
