LDAP Configuration
If your cluster authentication is managed by LDAP (Light-weight Directory Access Protocol), then you can configureLumada Data Catalog to look up user authentication information in the directory service to verify the credentials of the user logging into the Data Catalog.
LDAP properties
Most of this relevant LDAP information is requested at the time of product installation during the Application-Server installation and is saved in <LDC_HOME>/app-server/conf/login.properties
as follows:
# #Mon Jun 22 20:22:38 UTC 2020 ldc.web.pam.property.attributeToExtract=distinguishedName ldc.web.pam.property.ldapGroupClass=(&(objectClass\=groupOfNames)) ldc.web.pam.property.searchBase=dc\=waterlinedata,dc\=com ldc.web.pam.property.searchPassword=<Encrypted Password> ldc.web.pam.property.referral=follow ldc.web.pam.property.providerUrl=ldaps\://ldap.jumpcloud.com\:636 ldc.web.pam.property.authMode=bind-only ldc.web.pam.fqcn=com.hitachivantara.datacatalog.web.jaas.LdapLoginModule ldc.web.pam.property.searchUser=cn\=administrator,cn\=Users,dc\=waterlinedata,dc\=com ldc.web.pam.property.doExtractAttribute=true ldc.web.pam.property.authIdentityPattern=uid\={USERNAME},ou\=Users,o\=5834bd20ba309ed9201c418a,dc\=jumpcloud,dc\=com ldc.web.pam.userDetailsRetrieverStrategy=com.hitachivantara.datacatalog.web.jaas.LdapUserDetailsRetrieverStrategy ldc.web.pam.property.searchFilterPattern=(&(sAMAccountName\={USERNAME})(memberOf\=CN\=EngineeringManagers,OU\=Engineering,dc\=waterlinedata,dc\=com)) ldc.web.pam.property.debug=true ldc.web.pam.property.operationalAttributesToFetch=
The following properties are available for use with LDAP authentication. All properties should be prefixed with ldc.web.pam.property
and should be added or edited in login.properties
.
providerUrl
The URL of your LDAP/Active Directory server. If you have an Active Directory Global Catalog, this URL should point to the port number of Data Catalog. If SSL is required, use the applicable port.
authIdentityPattern
The pattern for the principal of the end user that binds to the LDAP server. This property must contain the
{USERNAME}
token that is substituted with the actual username when passed in. This property is applicable in the bind-only and bind-search authentication modes and applicable in search-bind, unless thedoExtractAttribute
is set totrue
, in which case theattributeToExtract
is used as the principal instead.searchBase
The base of the directory where the search is performed. This property is applicable for bind-search and search-bind
authModes
only.searchFilterPattern
The search to perform. This property restricts the users who are logging on to specified groups. This property must contain the
{USERNAME}
token and must return exactly one entry. This property is applicable for bind-search and search-bindauthModes
only.searchUser
andsearchPassword
The credentials of the designated system user to bind and perform the initial search. This property is applicable for search-bind
authMode
only.doExtractAttribute
andattributeToExtract
These properties are applicable for search-bind
authMode
only. If thedoExtractAttribute
is set totrue
, the module uses theattributeToExtract
property (for example,distinguishedName
) to look up that attribute of the user returned in the search result. Then, the module uses that value as the principal to send to the LDAP server for the second bind operation.referral
The referral option for LDAP connection. The value should be either
follow
orignore
. This property is optional. When not specified, the value is determined by the provider.timeout
The value in milliseconds for server connection and request timeouts. This property is optional. The default value is 10000 (10 seconds).
debug
When set to
true
, displays additional information on the console. As a best practice, this property is set tofalse
.
timeout
property to provide the user with additional time to authenticate using the next factor. For example, if timeout
is set to 60 seconds, the system waits for a maximum of one minute until the user submits a code or a one-time password (OTP) before timing out.Use the sample configuration for LDAP located in the <LDC_HOME>/app-server/conf/login-ldap.properties
file as a reference guide.
For post-installation LDAP configuration changes to take effect, make these changes in the <LDC_HOME>/app-server/conf/login.properties
file, then restart the App-server.
LDAP search modes
In this section, the LDAP authentication modes are explained in detail. To set up the LDAP authentication, select the authentication mode of LDAP that best meets your needs.
bind-only
The bind-only mode uses the user-supplied credentials to substitute the
authIdentityPattern
property with the{USERNAME}
token, then binds to the LDAP server. If the bind is successful, authentication succeeds. View the following sample configurations:Using Distinguished Name
Required property for all LDAP configurations.
ldc.web.pam.fqcn=com.hitachivantara.datacatalog.web.jaas.LdapLoginModule ldc.web.pam.property.providerUrl=ldaps://ldap.jumpcloud.com:636 ldc.web.pam.property.authMode=bind-only ldc.web.pam.property.authIdentityPattern=uid={USERNAME},ou=Users,o=5834bd20ba309ed9201c418a,dc=jumpcloud,dc=com ldc.web.pam.property.referral=follow ldc.web.pam.property.debug=true
{USERNAME}@domain.com format
Works for Active Directory with a single domain only. Required property for all LDAP configurations.
ldc.web.pam.fqcn=com.hitachivantara.datacatalog.web.jaas.LdapLoginModule ldc.web.pam.property.providerUrl=ldaps://abc.com:636 ldc.web.pam.property.authMode=bind-only ldc.web.pam.property.authIdentityPattern={USERNAME}@domain.com ldc.web.pam.property.referral=follow ldc.web.pam.property.debug=true
bind-search
The bind-search mode works in two steps:
- The user-supplied credentials are used to substitute the
authIdentityPattern
property with the{USERNAME}
token and then binds to the LDAP server. - If the bind is successful, a search is performed using the filter specified by
searchFilterPattern
property. If the search returns exactly one result, the authentication succeeds.
ldc.web.pam.fqcn=com.hitachivantara.datacatalog.web.jaas.LdapLoginModule ldc.web.pam.property.providerUrl=ldaps://abc.com:636 ldc.web.pam.property.authMode=bind-search ldc.web.pam.property.authIdentityPattern={USERNAME}@domain.com ldc.web.pam.property.searchBase=OU=DataAnalytics,dc=waterlinedata,dc=com ldc.web.pam.property.searchFilterPattern=(&(sAMAccountName={USERNAME})(memberOf=CN=DataScientists,OU=DataAnalytics,dc=waterlinedata,dc=com)) ldc.web.pam.property.referral=follow ldc.web.pam.property.debug=true
- The user-supplied credentials are used to substitute the
search-bind
The search-bind mode works in four steps:
- The module binds to the server using system user credentials (
searchUser
andsearchPassword
). - A search is performed using the filter specified by the
searchFilterPattern
property. - The system validates that the search returns exactly one result. Otherwise, authentication fails.
- A second bind is performed using the password provided during login and either the substituted
authIdentityPattern
or another specified attribute (attributeToExtract
) to be extracted from the search result as the principal. If the bind is successful, authentication succeeds.
{USERNAME}@domain.com format
Required property for all LDAP configurations.
ldc.web.pam.fqcn=com.hitachivantara.datacatalog.web.jaas.LdapLoginModule ldc.web.pam.property.providerUrl=ldaps://abc.com:636 ldc.web.pam.property.authMode=search-bind ldc.web.pam.property.authIdentityPattern={USERNAME}@domain.com ldc.web.pam.property.searchBase=OU=DataAnalytics,dc=waterlinedata,dc=com ldc.web.pam.property.searchFilterPattern=(&(sAMAccountName={USERNAME})(memberOf=CN=DataScientists,OU=DataAnalytics,dc=waterlinedata,dc=com)) ldc.web.pam.property.searchUser=administrator@waterlinedata.com ldc.web.pam.property.searchPassword=enc(s3cr3t) ldc.web.pam.property.referral=follow ldc.web.pam.property.debug=true
DN format and DN extraction for end-user
Required property for all LDAP configurations.
ldc.web.pam.fqcn=com.hitachivantara.datacatalog.web.jaas.LdapLoginModule ldc.web.pam.property.providerUrl=ldaps://abc.com:636 ldc.web.pam.property.authMode=search-bind ldc.web.pam.property.searchBase=OU=DataAnalytics,dc=waterlinedata,dc=com ldc.web.pam.property.searchFilterPattern=(&(sAMAccountName={USERNAME})(memberOf=CN=DataScientists,OU=DataAnalytics,dc=waterlinedata,dc=com)) ldc.web.pam.property.searchUser=CN=administrator,OU=Users,DC=waterlinedata,DC=com ldc.web.pam.property.searchPassword=enc(s3cr3t) ldc.web.pam.property.doExtractAttribute=true ldc.web.pam.property.attributeToExtract=distinguishedName ldc.web.pam.property.referral=follow ldc.web.pam.property.debug=true
- The module binds to the server using system user credentials (
Mapping LDAP users to Data Catalog roles
In Lumada Data Catalog you can retrieve group information from a user's LDAP and dynamically assign the user roles based on group name to role name mapping.
There are mostly two kinds of LDAP systems:
- Microsoft Active Directory (AD): The most commonly used service provided by Microsoft.
- OpenLDAP (JumpCloud)
Data Catalog supports both directory services with LDAP and provides configuration properties to support both systems. However, the systems differ in their handling of user attributes and groups, which requires unique approaches to support each service.
Microsoft LDAP/AD:
A Microsoft AD-based LDAP system has the following structure for user attributes and group information. A user can belong to multiple groups, but one of these groups is marked as the primary group for the user in the AD tool. Microsoft AD's design mandates a two step process for retrieving groups information for a user.
- You can retrieve normal user groups from the attribute
memberOf,
which returns a list of group domain names (DN). The DN’s can be used to search for this group or entity within AD. The name of a group in AD is accessed through thesAMAccountName
property. - You can retrieve the primary user group from the attribute
primaryGroupId
. This attribute returns a unique number from which the linked group and its name should be retrieved. The name of the group can be accessed through thesAMAccountName
property. - Combining both normal groups and the primary group would lead to all of the groups that the user is linked to.
- You can retrieve normal user groups from the attribute
OpenLDAP:
With OpenLDAP, the access attributes are simple and straightforward.
- The user has an attribute called ‘memberOf’ which returns a list of group DN’s.
- Resolving these group DN’s to their actual group entities and then accessing the group name from an attribute like ‘ou’ provides the group name.
Retrieving group information from LDAP
Lumada Data Catalog contains two configuration files in the WLD Install Dir/app-server/conf directory that determine how Data Catalog retrieves group information from an LDAP system:
- group-to-role-map.json
- login.properties
Group to role names mapping file
This configuration file currently provides a method to configure and manage group-role mapping in the application, as shown in the following sample configuration for Microsoft AD:
{ "firstName": "givenName", "lastName": "sn", "email": "mail", "userGroupAttributes": [ {"attributeName": "memberOf", "subAttributeName": "sAMAccountName"}, {"attributeName": "primaryGroupId", "subAttributeName": "sAMAccountName"} ], "groupToRoleMap": { "QATESTGROUP": ["Administrator", "Guest", "Role1"], "AUTOMATIONQA": ["Guest"], "DUMMY_GROUPNAME": ["non-existing-role", "Role2"] } }
The configuration elements include:
firstName
First name of the LDAP user.
lastName
Last name of the LDAP user.
email
The email address of the user in LDAP.
userGroupAttributes
The list of attributes in LDAP that contain the user's group information.
attributeName
(second instance)The second
attributeName
is an optional property inuserGroupAttributes
commonly used with Windows AD/LDAP service.
groupToRoleMap
Contains the list of LDAP group names and the corresponding Lumada Data Catalog roles.
The following is a sample configuration for JumpCloud:
{ "firstName": "givenName", "lastName": "sn", "email": "mail", "userGroupAttributes": [ {"attributeName": "memberOf", "subAttributeName": "ou"} ], "groupToRoleMap": { "All Users - LDAP": ["Guest"], "DUMMY_GROUPNAME": ["non-existing-role", "Steward"] } }
The configuration elements include:
firstName
The user's first name. It corresponds to the LDAP attribute
givenName
as the default key in OpenLDAP systems.lastName
The user's last name. It maps to the LDAP attribute
sn
.email
The user's email address. It maps to the LDAP attribute
mail
.userGroupAttributes
List of attributes to access when retrieving the user's group information.
attributeName
Name of the attribute which retrieves the group information. For OpenLDAP, it is
memberOf
.subAttributeName
Name of the attribute required to retrieve the group name after groups are retrieved and fetched from LDAP. For OpenLDAP, it is
ou
. This attribute is optional. If this attribute is not provided, then the group names retrieved fromattributeName
need to be used ingroupToRoleMap
.
groupToRoleMap
Mapping of the group name from LDAP to the role names in Data Catalog. A user with a specific group will be assigned the configured roles.
NoteThe roles are dynamically assigned, which means they are not saved to Solr. They are fetched and given to a user upon login dynamically every time.All Users - LDAP
The name of one group in JumpCloud which is attached to the users.
NoteYou can also provide non-existing roles and non-existing group names. The application handles potential failures and invalid roles assigned to the user.
Login properties file
Below are possible entries for the directory services.
OpenLDAP/JumpCloud
ldc.web.pam.property.ldapGroupClass=(&(objectClass=groupOfNames))
Microsoft AD
ldc.web.pam.property.ldapGroupClass=(&(objectClass=group))
Lumada Data Catalog provides the sample mapping JSON files for JumpCloud and Microsoft AD. The login-ldap.properties contains the JumpCloud configuration by default and a sample entry for Microsoft AD.