KaDeck Web Enterprise has the option for an additional LDAP module.
LDAP Module license required
Make sure that your team has an LDAP Module license. The module can be configured without a license, but users cannot authenticate until a license is present.
Active Directory (AD) and OpenLDAP are supported. Group membership is read from the user's "memberOf" attributes; the group name is extracted from the Distinguished Name (DN) of each memberOf value with a regular expression (see Group assignment below).
LDAP is configured via the configuration parameters with the prefix xeotek_kadeck_authentication_ldap. To enable LDAP, xeotek_kadeck_authentication_method must be changed from "internal" (no LDAP) to "ldap".
The value of the configured user id attribute of the LDAP user entry (xeotek_kadeck_authentication_ldap_user_id_attribute, cn by default) is used as the user id in KaDeck; this is the name the user types at login. Additionally, an attribute for the full username can be specified using the xeotek_kadeck_authentication_ldap_user_fullname_attribute configuration parameter. Authentication is performed against the LDAP server with the user's LDAP password; KaDeck keeps no separate password for LDAP users.
Group assignment
Group assignments can optionally also be made via the LDAP server. The internal assignment of users to groups is then no longer possible; existing internal assignments are overwritten by the memberships read from LDAP. In KaDeck, roles can also be assigned directly (without groups) to users. This function remains untouched when groups are assigned via LDAP, so roles can still be assigned directly to users in KaDeck.
Group assignment via LDAP is controlled via the configuration parameter xeotek_kadeck_authentication_ldap_group_management (boolean; false by default) and must be set to true.
The group name is extracted from each DN listed under the group attribute (memberOf by default) with the regular expression configured in xeotek_kadeck_authentication_ldap_group_regex; only the first capturing group of that expression is used. With the default expression (?i)cn=(\w+),ou=Groups.* a value such as CN=Admins,OU=Groups,DC=test,DC=corp yields the group name Admins. Note that \w matches only letters, digits and underscore, so a group CN containing a hyphen or a space does not match the default expression and the membership is silently dropped; adjust the expression (for example cn=([^,]+),ou=Groups.*) if your group names contain such characters. The roles assigned directly to a user are only managed internally by KaDeck.
KaDeck does not automatically create the groups from the memberOf attributes. KaDeck checks whether a group with the same name as the one extracted by the regular expression exists in KaDeck. If it does, KaDeck assigns the user to that group; otherwise the membership is ignored.
Login process & synchronization
When KaDeck is started, users are retrieved via the configured KaDeck system user (xeotek_kadeck_authentication_ldap_user, xeotek_kadeck_authentication_ldap_password) and created in KaDeck's database. The mapping to the respective groups is also generated if xeotek_kadeck_authentication_ldap_group_management is set to true.
KaDeck ignores group names that do not exist in KaDeck. Therefore, when the LDAP group assignment is used for the first time, create the groups in KaDeck first and then restart KaDeck with the LDAP configuration.
As soon as a user wants to log in, the username and password are passed on to the configured LDAP server, and the user information is retrieved with this user from the configured KaDeck base path xeotek_kadeck_authentication_ldap_base. If this succeeds, KaDeck checks whether the user already exists and creates the user if not. Group assignments are not updated on login.
The user and group mappings are updated continuously. The synchronization interval can be set by configuring the xeotek_kadeck_authentication_ldap_sync_interval_mins parameter. The default setting is 60 (= 1 hour).
Newly added or removed group assignments therefore only become visible after the configured interval has elapsed or after a restart of KaDeck. Keep this in mind when revoking access: removing a user from an LDAP group does not take effect in KaDeck until the next synchronization.
If there are not enough licenses for all users, the first n users are activated in KaDeck in the order in which the users were created, where n is the number of existing user licenses.
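The following Python script is an added illustration of the group extraction and the synchronization described in the two sections above; it is not KaDeck's code. It applies the configured user id, full name and group attributes and the group regular expression to a constructed set of directory entries, drops groups that do not exist in KaDeck, and activates only the first n users. The attribute name displayName for the full name, the sample DNs and the group set are assumptions; the page default regular expression is used as-is and compared with a variant that also accepts hyphens and spaces in group names.

```python
import re

# Constructed sample data: what a search under the base path might return for
# three person entries (attribute names as AD/OpenLDAP typically deliver them).
SAMPLE_ENTRIES = [
    {
        "cn": "jdoe",
        "displayName": "Jane Doe",
        "memberOf": [
            "CN=Admins,OU=Groups,OU=CompanyUsers,DC=test,DC=corp",
            "CN=Data-Engineers,OU=Groups,OU=CompanyUsers,DC=test,DC=corp",
            "CN=VPN Users,OU=Network,DC=test,DC=corp",
        ],
    },
    {
        "cn": "bsmith",
        "displayName": "Bob Smith",
        "memberOf": ["CN=Developers,OU=Groups,OU=CompanyUsers,DC=test,DC=corp"],
    },
    {"cn": "cjones", "displayName": "Carol Jones", "memberOf": []},
]

# Groups that already exist in KaDeck (assumed). KaDeck never creates groups
# from LDAP, so any extracted name not in this set is ignored.
KADECK_GROUPS = {"Admins", "Developers", "Data-Engineers"}

DEFAULT_GROUP_REGEX = r"(?i)cn=(\w+),ou=Groups.*"   # the page's default value
RELAXED_GROUP_REGEX = r"(?i)cn=([^,]+),ou=Groups.*"  # assumed variant: any CN up to the next comma


def extract_group_name(dn, group_regex):
    """Return the first capturing group of the regex applied to one DN, or None."""
    match = re.search(group_regex, dn)
    return match.group(1) if match else None


def sync_users(entries, kadeck_groups, *, user_id_attribute="cn",
               fullname_attribute=None, group_attribute="memberOf",
               group_regex=DEFAULT_GROUP_REGEX, group_management=True,
               license_count=None):
    """Build KaDeck's view of the directory as the page describes it.

    - user id comes from user_id_attribute (cn by default)
    - display name comes from fullname_attribute, falling back to the id
    - groups come from the regex over group_attribute when group management
      is enabled; names unknown to KaDeck are dropped
    - only the first license_count users (creation order) are active
    """
    users = []
    for index, entry in enumerate(entries):
        user_id = entry[user_id_attribute]
        full_name = entry.get(fullname_attribute, user_id) if fullname_attribute else user_id
        groups = []
        if group_management:
            for dn in entry.get(group_attribute, []):
                name = extract_group_name(dn, group_regex)
                if name in kadeck_groups:
                    groups.append(name)
        users.append({
            "id": user_id,
            "name": full_name,
            "groups": sorted(groups),
            "active": license_count is None or index < license_count,
        })
    return users


if __name__ == "__main__":
    for user in sync_users(SAMPLE_ENTRIES, KADECK_GROUPS,
                           fullname_attribute="displayName", license_count=2):
        print(user)
```

Run with the default expression, jdoe ends up only in Admins: Data-Engineers is lost because \w+ stops at the hyphen, and VPN Users is not under ou=Groups at all. The relaxed expression recovers Data-Engineers while still rejecting the VPN group, which is the behaviour most deployments want.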
Debugging
To find errors in the configuration, the debug mode can be activated for the LdapAuthProvider. It logs additional information at log level INFO when users are retrieved and when users and group assignments are created.
To enable the debug mode, set the xeotek_kadeck_authentication_ldap_debug parameter to true.
Users in nested groups
Issue: An Active Directory (AD) user object filter that retrieves users from a specified group does not find users that are members of groups nested under the specified group. A filter like the following is used:
(&(objectClass=person)(memberOf=cn=TestGroup,ou=Groups,ou=CompanyUsers,dc=test,dc=corp))
By default, an equality match on memberOf only checks the memberships stored directly on the user object, so AD returns only direct members of the group to KaDeck.
To have AD evaluate the group chain recursively, the filter must use the extensible match rule LDAP_MATCHING_RULE_IN_CHAIN, whose OID is 1.2.840.113556.1.4.1941. This rule is specific to Active Directory; OpenLDAP does not support it. Be aware that chain evaluation is noticeably more expensive for the domain controller than a plain memberOf match.
Modify the above filter to include the extensible match operator:
(&(objectClass=person)(memberOf:1.2.840.113556.1.4.1941:=CN=all_user_group,OU=test-ou,OU=test-ou2,OU=Groups,OU=Common,DC=my,DC=company,DC=com))
Note: the group DNs in the above filter cannot contain wildcards. If you need to specify multiple groups, combine them with an OR as follows:
(&
(objectClass=person)
(|
(memberOf:1.2.840.113556.1.4.1941:=cn=UserGroup1,ou=Groups,ou=CompanyUsers,dc=test,dc=corp)
(memberOf:1.2.840.113556.1.4.1941:=cn=UserGroup2,ou=Groups,ou=CompanyUsers,dc=test,dc=corp)
....
)
)
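The helper below is an added example (not part of KaDeck) that builds the nested-group filter shown above from a list of group DNs, so that the single-group and multi-group forms come out in exactly the shape the page uses. It also escapes the DN values as required by RFC 4515, which matters because the DNs normally come from configuration and a stray parenthesis or asterisk would otherwise change the structure of the filter (and, as noted above, wildcards are not meaningful here anyway). The resulting string is assumed to be placed in xeotek_kadeck_authentication_ldap_filter.

```python
# OID of the Active Directory extensible match rule LDAP_MATCHING_RULE_IN_CHAIN
# (from the page). Not supported by OpenLDAP.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3).

    Only '*', '(', ')', '\\' and NUL need escaping; each becomes a backslash
    followed by its two-digit hex code. A group DN normally contains none of
    them, but escaping guarantees that the value cannot alter the filter."""
    out = []
    for ch in value:
        if ch in "*()\\\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_nested_group_filter(group_dns, object_class="person"):
    """Return a filter matching persons that are transitive members of any group.

    One group yields a single memberOf clause; several groups are OR-ed,
    exactly like the multi-group filter shown above."""
    if not group_dns:
        raise ValueError("at least one group DN is required")
    clauses = [
        "(memberOf:%s:=%s)" % (LDAP_MATCHING_RULE_IN_CHAIN, escape_filter_value(dn))
        for dn in group_dns
    ]
    member_part = clauses[0] if len(clauses) == 1 else "(|%s)" % "".join(clauses)
    return "(&(objectClass=%s)%s)" % (escape_filter_value(object_class), member_part)


if __name__ == "__main__":
    # Constructed group DNs taken from the examples on this page.
    print(build_nested_group_filter([
        "cn=UserGroup1,ou=Groups,ou=CompanyUsers,dc=test,dc=corp",
        "cn=UserGroup2,ou=Groups,ou=CompanyUsers,dc=test,dc=corp",
    ]))
```

The generated filter is a single line; LDAP filters do not care about the line breaks used in the readable multi-line form above.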
The full configuration list
Parameter | Description | Default value |
---|---|---|
xeotek_kadeck_authentication_method | Set to ldap to enable the LDAP module, or leave at internal to use the internal authentication provider. | internal |
xeotek_kadeck_authentication_ldap_url | The URL of the LDAP server, starting with ldap:// or ldaps://. Prefer ldaps:// so that the service user's and the logging-in users' passwords are not sent in clear text. | |
xeotek_kadeck_authentication_ldap_user | The distinguished name (DN) of the KaDeck service user. Used to list users and their groups; a read-only account is sufficient. | |
xeotek_kadeck_authentication_ldap_password | The password for the KaDeck service user. | |
xeotek_kadeck_authentication_ldap_debug | Output additional information for debugging purposes on log level INFO. | false |
xeotek_kadeck_authentication_ldap_sync_interval_mins | The time interval (in minutes) at which KaDeck updates the users and their group memberships. The first update takes place immediately after the start of KaDeck. | 60 |
xeotek_kadeck_authentication_ldap_base | The base DN under which KaDeck searches for user accounts. | |
xeotek_kadeck_authentication_ldap_filter | The query filter for the user accounts found under the base DN. KaDeck retrieves all users that match this filter. | (objectClass=person) |
xeotek_kadeck_authentication_ldap_user_id_attribute | The attribute used for the user id in KaDeck (must be unique). This is the id that the user must enter when logging in. In Active Directory, cn is usually the display name and is not guaranteed to be unique across the directory; sAMAccountName or userPrincipalName are the usual choices there. | cn |
xeotek_kadeck_authentication_ldap_user_fullname_attribute | The attribute used for the username in KaDeck. This is the displayed name of the user in KaDeck (when editing views, for example). Uses the value of the user_id_attribute by default. | the configured user_id_attribute |
xeotek_kadeck_authentication_ldap_group_attribute | The attribute used to retrieve the user's groups. | memberOf |
xeotek_kadeck_authentication_ldap_group_regex | A regular expression used to extract the group name from the DNs/names listed under the group_attribute. Only the first capturing group of the regular expression is used to match the KaDeck groups. | (?i)cn=(\w+),ou=Groups.* |
xeotek_kadeck_authentication_ldap_group_management | Enables automatic assignment of groups in KaDeck via the configured group_attribute. If not enabled, the groups have to be assigned to the users manually in KaDeck. | false |
Default ports
Make sure that the ports are reachable from KaDeck Web.
Port | Protocol | Service |
---|---|---|
389 | TCP/UDP | LDAP (ldap://) |
636 | TCP | LDAP over SSL (ldaps://) |
With a plain ldap:// URL on port 389, the bind sends the service user's password and every logging-in user's password unencrypted over the network; use ldaps:// on port 636 wherever possible.