LDAP Authentication
User synchronization or import capabilities are not supported at this time.
LDAP works in an on-demand state – users are added to IP Fabric after they log in for the first time and user group permissions are checked with every login attempt.
Supported LDAP Servers Are:
- Microsoft Active Directory
- OpenLDAP
Enable LDAP Authentication
- Log in to IP Fabric as a user with admin rights.
- Go to Settings → User Management → LDAP menu.
- Select +Add Domain.
- Choose LDAP server type in the Type drop-down menu. Only Microsoft Active Directory or Open LDAP servers are supported.
- Enter all the aliases/suffixes for this domain in the Account
suffixes field. Each suffix must begin with @. If the same user
can log in with other suffixes, for example,
joe@europe.domain.com
andjoe@domain.com
then fill in@europe.domain.com
and@domain.com
. - Add servers for the domain:
1. as an explicit list of addresses
1. Choose Use pre-configured LDAP servers in Servers
dropdown
2. Specify FQDN or IP address of the LDAP server including the
protocol prefix (such as
ldap://your.domain.com
orldaps://your.domain.com
) 3. Specify the port (default LDAP port is 389 and default LDAPS port is 636) 4. For LDAP over SSL, also upload a CA certificate used for the LDAP certificate signature 5. Click on +Add Server if you want to add backup servers 2. using DNS service records 1. Choose Use DNS to find LDAP servers in Servers dropdown 2. Choose/upload a certificate (recommended in the production environment) 3. Define the DNS address 4. Define Service location name (common names areldap
andldaps
). This is the network service that constructs the final name of the record. The construction is done as follows:\_{{service location name}}.\_tcp.{{dns address}}
- Specify service account with LDAP read permissions in the Bind
DN field. This field must be an escaped LDAP-style
distinguished name. (for example
CN=Doe\, Joe,OU=europe,DC=your,DC=domain,DC=com
orCN=User,OU=europe,DC=your,DC=domain,DC=com
) - Enter the bind user's password (defined in step 7) in the Bind credentials field.
- Enter a whole domain or specific organization unit (container) in
Search base to specify where users and groups can be found in
the LDAP tree. (for example
OU=NetworkAdmins,DC=your,DC=domain,DC=com
) - Enter an attribute where email is stored in the LDAP user object into Search email attribute.
- Only for Microsoft Active Directory: Tick Allow nested groups for nested group permission lookup. This uses Extensible Match Rule (LDAP_MATCHING_RULE_IN_CHAIN) which might be slow in your local setup.
- Click Confirm.
Note
If the LDAP server is not reachable or credentials to the service account are not correct, LDAP authentication cannot be set.
Two or more LDAP servers
When two or more LDAP server configurations are present, an email suffix needs to be added to the username when logging in.
Username alone works only in a situation when one LDAP server configuration is present.
LDAP Group Permissions
After the LDAP server is added, Group Permissions can be set. All
authenticated users will get assigned role configured for Authenticated user
— by leaving this role empty it's possible to ensure that users logged via LDAP
will get API_INSUFFICIENT_RIGHTS
error upon login / access to API.
It is recommended to create new LDAP groups (such as IP_FABRIC_ADMINISTRATORS
,
IP_FABRIC_USERS
, ...) and assign to them users to which you want to
grand access.
Primary user groups are not supported
It is recommended to create new
LDAP groups (such as IP_FABRIC_ADMINISTRATORS
, IP_FABRIC_USERS
, ...) and
assign them permissions.
Disable LDAP Authentication
Remove all LDAP configuration domains in Settings → User Management → LDAP Settings to disable LDAP authentication.
Local vs LDAP Authentication
By default, local authentication (or in other words information stored in the local database) is the preferred authentication method, where LDAP is used as a backup authentication method.
If a user is not found in the local database and LDAP authentication is defined, IP Fabric will redirect the authentication attempt to an LDAP server.
If a user is successfully authenticated through LDAP, basic information about this user is then passed from LDAP and stored in the local database.
Troubleshooting
Before contacting our support, please make sure that inputs entered into
IP Fabric user interface are correct. This can be done using
ldapsearch
command utility:
ldapsearch
is present in IP Fabric image (access it via ssh) or it can
be installed locally as part of ldap-utils
Linux package. It is
recommended to always test LDAP configuration from the IP Fabric image
CLI Example
The following example doesn’t verify SSL certificate if LDAPS is used
LDAPTLS_REQCERT=ALLOW ldapsearch \
-W -H "ldaps://your-ldap-server:636" \
-D "$LDAP_BIND_DN" \
-b "$LDAP_SEARCH_BASE" \
-s sub
Your fields are correctly set when exit-code of your command is zero.
The use of nested groups can also be tested by adding the following line to the CLI example:
(member:1.2.840.113556.1.4.1941:=$USER.DN)
The CLI example can be followed by a query. Useful LDAP queries to find a user follow:
(uid=$LOGIN_INPUT)
(|(sAMAccountName=$LOGIN_INPUT)(userPrincipalName=$LOGIN_INPUT))
Error Codes
All LDAP errors regarding server connection and user binding are returned as LDAP as provided is not reachable due to security concerns.
Please check your Search base and Search login attribute when LDAP Search Failed error is shown.