LDAP Configuration
If your cluster authentication is managed by LDAP (Light-weight Directory Access Protocol), then you can configureLumada Data Catalog to look up user authentication information in the directory service to verify the credentials of the user logging into the Data Catalog.
LDAP properties
Most of this relevant LDAP information is requested at the time of product installation during the Application-Server installation and is saved in <LDC_HOME>/app-server/conf/login.properties as follows:
#
#Mon Jun 22 20:22:38 UTC 2020
ldc.web.pam.property.attributeToExtract=distinguishedName
ldc.web.pam.property.ldapGroupClass=(&(objectClass\=groupOfNames))
ldc.web.pam.property.searchBase=dc\=waterlinedata,dc\=com
ldc.web.pam.property.searchPassword=<Encrypted Password>
ldc.web.pam.property.referral=follow
ldc.web.pam.property.providerUrl=ldaps\://ldap.jumpcloud.com\:636
ldc.web.pam.property.authMode=bind-only
ldc.web.pam.fqcn=com.hitachivantara.datacatalog.web.jaas.LdapLoginModule
ldc.web.pam.property.searchUser=cn\=administrator,cn\=Users,dc\=waterlinedata,dc\=com
ldc.web.pam.property.doExtractAttribute=true
ldc.web.pam.property.authIdentityPattern=uid\={USERNAME},ou\=Users,o\=5834bd20ba309ed9201c418a,dc\=jumpcloud,dc\=com
ldc.web.pam.userDetailsRetrieverStrategy=com.hitachivantara.datacatalog.web.jaas.LdapUserDetailsRetrieverStrategy
ldc.web.pam.property.searchFilterPattern=(&(sAMAccountName\={USERNAME})(memberOf\=CN\=EngineeringManagers,OU\=Engineering,dc\=waterlinedata,dc\=com))
ldc.web.pam.property.debug=true
ldc.web.pam.property.operationalAttributesToFetch=
The following properties are available for use with LDAP authentication. All properties should be prefixed with ldc.web.pam.property and should be added or edited in login.properties.
providerUrlThe URL of your LDAP/Active Directory server. If you have an Active Directory Global Catalog, this URL should point to the port number of Data Catalog. If SSL is required, use the applicable port.
authIdentityPatternThe pattern for the principal of the end user that binds to the LDAP server. This property must contain the
{USERNAME}token that is substituted with the actual username when passed in. This property is applicable in the bind-only and bind-search authentication modes and applicable in search-bind, unless thedoExtractAttributeis set totrue, in which case theattributeToExtractis used as the principal instead.searchBaseThe base of the directory where the search is performed. This property is applicable for bind-search and search-bind
authModesonly.searchFilterPatternThe search to perform. This property restricts the users who are logging on to specified groups. This property must contain the
{USERNAME}token and must return exactly one entry. This property is applicable for bind-search and search-bindauthModesonly.searchUserandsearchPasswordThe credentials of the designated system user to bind and perform the initial search. This property is applicable for search-bind
authModeonly.doExtractAttributeandattributeToExtractThese properties are applicable for search-bind
authModeonly. If thedoExtractAttributeis set totrue, the module uses theattributeToExtractproperty (for example,distinguishedName) to look up that attribute of the user returned in the search result. Then, the module uses that value as the principal to send to the LDAP server for the second bind operation.referralThe referral option for LDAP connection. The value should be either
followorignore. This property is optional. When not specified, the value is determined by the provider.timeoutThe value in milliseconds for server connection and request timeouts. This property is optional. The default value is 10000 (10 seconds).
debugWhen set to
true, displays additional information on the console. As a best practice, this property is set tofalse.
timeout property to provide the user with additional time to authenticate using the next factor. For example, if timeout is set to 60 seconds, the system waits for a maximum of one minute until the user submits a code or a one-time password (OTP) before timing out.Use the sample configuration for LDAP located in the <LDC_HOME>/app-server/conf/login-ldap.properties file as a reference guide.
For post-installation LDAP configuration changes to take effect, make these changes in the <LDC_HOME>/app-server/conf/login.properties file, then restart the App-server.
LDAP search modes
In this section, the LDAP authentication modes are explained in detail. To set up the LDAP authentication, select the authentication mode of LDAP that best meets your needs.
bind-only
The bind-only mode uses the user-supplied credentials to substitute the
authIdentityPatternproperty with the{USERNAME}token, then binds to the LDAP server. If the bind is successful, authentication succeeds. View the following sample configurations:Using Distinguished Name
Required property for all LDAP configurations.
ldc.web.pam.fqcn=com.hitachivantara.datacatalog.web.jaas.LdapLoginModule ldc.web.pam.property.providerUrl=ldaps://ldap.jumpcloud.com:636 ldc.web.pam.property.authMode=bind-only ldc.web.pam.property.authIdentityPattern=uid={USERNAME},ou=Users,o=5834bd20ba309ed9201c418a,dc=jumpcloud,dc=com ldc.web.pam.property.referral=follow ldc.web.pam.property.debug=true{USERNAME}@domain.com format
Works for Active Directory with a single domain only. Required property for all LDAP configurations.
ldc.web.pam.fqcn=com.hitachivantara.datacatalog.web.jaas.LdapLoginModule ldc.web.pam.property.providerUrl=ldaps://abc.com:636 ldc.web.pam.property.authMode=bind-only ldc.web.pam.property.authIdentityPattern={USERNAME}@domain.com ldc.web.pam.property.referral=follow ldc.web.pam.property.debug=true
bind-search
The bind-search mode works in two steps:
- The user-supplied credentials are used to substitute the
authIdentityPatternproperty with the{USERNAME}token and then binds to the LDAP server. - If the bind is successful, a search is performed using the filter specified by
searchFilterPatternproperty. If the search returns exactly one result, the authentication succeeds.
ldc.web.pam.fqcn=com.hitachivantara.datacatalog.web.jaas.LdapLoginModule ldc.web.pam.property.providerUrl=ldaps://abc.com:636 ldc.web.pam.property.authMode=bind-search ldc.web.pam.property.authIdentityPattern={USERNAME}@domain.com ldc.web.pam.property.searchBase=OU=DataAnalytics,dc=waterlinedata,dc=com ldc.web.pam.property.searchFilterPattern=(&(sAMAccountName={USERNAME})(memberOf=CN=DataScientists,OU=DataAnalytics,dc=waterlinedata,dc=com)) ldc.web.pam.property.referral=follow ldc.web.pam.property.debug=true- The user-supplied credentials are used to substitute the
search-bind
The search-bind mode works in four steps:
- The module binds to the server using system user credentials (
searchUserandsearchPassword). - A search is performed using the filter specified by the
searchFilterPatternproperty. - The system validates that the search returns exactly one result. Otherwise, authentication fails.
- A second bind is performed using the password provided during login and either the substituted
authIdentityPatternor another specified attribute (attributeToExtract) to be extracted from the search result as the principal. If the bind is successful, authentication succeeds.
{USERNAME}@domain.com format
Required property for all LDAP configurations.
ldc.web.pam.fqcn=com.hitachivantara.datacatalog.web.jaas.LdapLoginModule ldc.web.pam.property.providerUrl=ldaps://abc.com:636 ldc.web.pam.property.authMode=search-bind ldc.web.pam.property.authIdentityPattern={USERNAME}@domain.com ldc.web.pam.property.searchBase=OU=DataAnalytics,dc=waterlinedata,dc=com ldc.web.pam.property.searchFilterPattern=(&(sAMAccountName={USERNAME})(memberOf=CN=DataScientists,OU=DataAnalytics,dc=waterlinedata,dc=com)) ldc.web.pam.property.searchUser=administrator@waterlinedata.com ldc.web.pam.property.searchPassword=enc(s3cr3t) ldc.web.pam.property.referral=follow ldc.web.pam.property.debug=trueDN format and DN extraction for end-user
Required property for all LDAP configurations.
ldc.web.pam.fqcn=com.hitachivantara.datacatalog.web.jaas.LdapLoginModule ldc.web.pam.property.providerUrl=ldaps://abc.com:636 ldc.web.pam.property.authMode=search-bind ldc.web.pam.property.searchBase=OU=DataAnalytics,dc=waterlinedata,dc=com ldc.web.pam.property.searchFilterPattern=(&(sAMAccountName={USERNAME})(memberOf=CN=DataScientists,OU=DataAnalytics,dc=waterlinedata,dc=com)) ldc.web.pam.property.searchUser=CN=administrator,OU=Users,DC=waterlinedata,DC=com ldc.web.pam.property.searchPassword=enc(s3cr3t) ldc.web.pam.property.doExtractAttribute=true ldc.web.pam.property.attributeToExtract=distinguishedName ldc.web.pam.property.referral=follow ldc.web.pam.property.debug=true
- The module binds to the server using system user credentials (
Mapping LDAP users to Data Catalog roles
In Lumada Data Catalog you can retrieve group information from a user's LDAP and dynamically assign the user roles based on group name to role name mapping.
There are mostly two kinds of LDAP systems:
- Microsoft Active Directory (AD): The most commonly used service provided by Microsoft.
- OpenLDAP (JumpCloud)
Data Catalog supports both directory services with LDAP and provides configuration properties to support both systems. However, the systems differ in their handling of user attributes and groups, which requires unique approaches to support each service.
Microsoft LDAP/AD:
A Microsoft AD-based LDAP system has the following structure for user attributes and group information. A user can belong to multiple groups, but one of these groups is marked as the primary group for the user in the AD tool. Microsoft AD's design mandates a two step process for retrieving groups information for a user.
- You can retrieve normal user groups from the attribute
memberOf,which returns a list of group domain names (DN). The DN’s can be used to search for this group or entity within AD. The name of a group in AD is accessed through thesAMAccountNameproperty. - You can retrieve the primary user group from the attribute
primaryGroupId. This attribute returns a unique number from which the linked group and its name should be retrieved. The name of the group can be accessed through thesAMAccountNameproperty. - Combining both normal groups and the primary group would lead to all of the groups that the user is linked to.
- You can retrieve normal user groups from the attribute
OpenLDAP:
With OpenLDAP, the access attributes are simple and straightforward.
- The user has an attribute called ‘memberOf’ which returns a list of group DN’s.
- Resolving these group DN’s to their actual group entities and then accessing the group name from an attribute like ‘ou’ provides the group name.
Retrieving group information from LDAP
Lumada Data Catalog contains two configuration files in the WLD Install Dir/app-server/conf directory that determine how Data Catalog retrieves group information from an LDAP system:
- group-to-role-map.json
- login.properties
Group to role names mapping file
This configuration file currently provides a method to configure and manage group-role mapping in the application, as shown in the following sample configuration for Microsoft AD:
{
"firstName": "givenName",
"lastName": "sn",
"email": "mail",
"userGroupAttributes": [
{"attributeName": "memberOf", "subAttributeName": "sAMAccountName"},
{"attributeName": "primaryGroupId", "subAttributeName": "sAMAccountName"}
],
"groupToRoleMap": {
"QATESTGROUP": ["Administrator", "Guest", "Role1"],
"AUTOMATIONQA": ["Guest"],
"DUMMY_GROUPNAME": ["non-existing-role", "Role2"]
}
}
The configuration elements include:
firstName
First name of the LDAP user.
lastName
Last name of the LDAP user.
email
The email address of the user in LDAP.
userGroupAttributesThe list of attributes in LDAP that contain the user's group information.
attributeName(second instance)The second
attributeNameis an optional property inuserGroupAttributescommonly used with Windows AD/LDAP service.
groupToRoleMapContains the list of LDAP group names and the corresponding Lumada Data Catalog roles.
The following is a sample configuration for JumpCloud:
{
"firstName": "givenName",
"lastName": "sn",
"email": "mail",
"userGroupAttributes": [
{"attributeName": "memberOf", "subAttributeName": "ou"}
],
"groupToRoleMap": {
"All Users - LDAP": ["Guest"],
"DUMMY_GROUPNAME": ["non-existing-role", "Steward"]
}
}
The configuration elements include:
firstName
The user's first name. It corresponds to the LDAP attribute
givenNameas the default key in OpenLDAP systems.lastName
The user's last name. It maps to the LDAP attribute
sn.email
The user's email address. It maps to the LDAP attribute
mail.userGroupAttributesList of attributes to access when retrieving the user's group information.
attributeNameName of the attribute which retrieves the group information. For OpenLDAP, it is
memberOf.subAttributeNameName of the attribute required to retrieve the group name after groups are retrieved and fetched from LDAP. For OpenLDAP, it is
ou. This attribute is optional. If this attribute is not provided, then the group names retrieved fromattributeNameneed to be used ingroupToRoleMap.
groupToRoleMapMapping of the group name from LDAP to the role names in Data Catalog. A user with a specific group will be assigned the configured roles.
NoteThe roles are dynamically assigned, which means they are not saved to Solr. They are fetched and given to a user upon login dynamically every time.All Users - LDAPThe name of one group in JumpCloud which is attached to the users.
NoteYou can also provide non-existing roles and non-existing group names. The application handles potential failures and invalid roles assigned to the user.
Login properties file
Below are possible entries for the directory services.
OpenLDAP/JumpCloud
ldc.web.pam.property.ldapGroupClass=(&(objectClass=groupOfNames))Microsoft AD
ldc.web.pam.property.ldapGroupClass=(&(objectClass=group))
Lumada Data Catalog provides the sample mapping JSON files for JumpCloud and Microsoft AD. The login-ldap.properties contains the JumpCloud configuration by default and a sample entry for Microsoft AD.