Enabling LDAP authentication for Unravel UI

You can configure Lightweight Directory Access Protocol (LDAP) authentication in one of two ways:

  • UPN lookup for users, with group lookup by DN.

  • sAMAccountName matching for users.

Figure 1. LDAP Processing Flow


Important

You must restart the ngui module (/etc/init.d/ngui restart) after completing the LDAP configuration.

Enabling LDAP authentication
  1. Stop Unravel.

    <Installation_directory>/unravel/manager stop
  2. Use any one of the following methods to configure the LDAP authentication:

    • Method 1: Unravel Configuration tool

      1. Run the following command:

        <Installation_directory>/unravel/manager config

        The main menu of the Unravel - Configuration tool is displayed.

      2. Go to LDAP Basic option and press ENTER.

      3. Set the following properties:

        Enabled: Specify whether to enable LDAP authentication for Unravel users. Use [space] to toggle between true and false.

        URL: Specify the fully qualified URL to connect to the LDAP server. Format: ldap://your.ldap.server or ldap://your.ldap.server:port

        Domain: Specify the domain name of the users. For example: yourcompany.com

        baseDN: Specify the baseDN of your users. For example: DC=yourcompany,DC=com

        User groups: Specify a comma-separated list of groups that can access Unravel.

        Admin groups: Specify a comma-separated list of groups that can manage Unravel.

    • Method 2: Set individual properties

      1. Run the following command:

        <Unravel installation directory>/manager config properties set
        com.unraveldata.login.mode=ldap
        com.unraveldata.ldap.url=ldap://ariel.unraveldata.com
        com.unraveldata.ldap.baseDN=DC=unraveldata,DC=com
        com.unraveldata.ldap.use_jndi=true
        com.unraveldata.ldap.verbose=true
        com.unraveldata.ldap.groupFilter=seth-test-group,seth-test-admingroup
        com.unraveldata.login.admins.ldap.groups=seth-test-admingroup
        
  3. Refresh files and start Unravel.

    <Installation_directory>/unravel/manager refresh files start
Enabling LDAP Advanced authentication
  1. Stop Unravel.

    <Installation_directory>/unravel/manager stop
  2. Use any one of the following methods to configure the LDAP advanced authentication:

    • Method 1: Unravel Configuration tool

      1. Run the following command:

        <Installation_directory>/unravel/manager config

        The main menu of the Unravel - Configuration tool is displayed.

      2. Go to LDAP Basic option and press ENTER.

      3. Set the following properties:

        Enabled: Specify whether to enable LDAP authentication for Unravel users. Use [space] to toggle between true and false.

        URL: Specify the fully qualified URL to connect to the LDAP server. Format: ldap://your.ldap.server or ldap://your.ldap.server:port

        Domain: Specify the domain name of the users. For example: yourcompany.com

        baseDN: Specify the baseDN of your users. For example: DC=yourcompany,DC=com

        User groups: Specify a comma-separated list of groups that can access Unravel.

        Admin groups: Specify a comma-separated list of groups that can manage Unravel.

    • Method 2: Set individual properties

      1. Run the following command:

        <Unravel installation directory>/manager config properties set
        com.unraveldata.login.mode=ldap
        com.unraveldata.ldap.url=ldap://ariel.unraveldata.com
        com.unraveldata.ldap.baseDN=DC=unraveldata,DC=com
        com.unraveldata.ldap.use_jndi=true
        com.unraveldata.ldap.verbose=true
        com.unraveldata.ldap.groupFilter=seth-test-group,seth-test-admingroup
        com.unraveldata.login.admins.ldap.groups=seth-test-admingroup
        
  3. Refresh files and start Unravel.

    <Installation_directory>/unravel/manager refresh files start
Simple configuration using UPN lookup and Group lookups using DN

This configuration example is for the newer Unravel implementation with Microsoft Active Directory, where the objects are located in separate OUs. In this method, the login ID is appended with the domain configured in the properties to form the User Principal Name (UPN) that is used for the user lookup.

Note

This configuration does not:

  • Work if objects in the directory do not have the expected UPN format.

  • Include bindDn and password, which older implementations used.

Important

You must substitute your local values for the parameters and values used in the following examples.

Contact your LDAP Admin if you don't know the following directory information.

  1. Check that the object can be found and the user is part of the expected groups.

    ldapsearch -v -h ariel.unraveldata.com -p 389 -D CN=sethbind,OU=seth,DC=unraveldata,DC=com -w unraveldata1! -b DC=unraveldata,DC=com -s sub "(userPrincipalName=commauser@unraveldata.com)"
  2. Set the following properties using the manager tool:

    #LDAP
    com.unraveldata.login.mode=ldap
    com.unraveldata.ldap.url=ldap://ariel.unraveldata.com
    com.unraveldata.ldap.baseDN=DC=unraveldata,DC=com
    com.unraveldata.ldap.use_jndi=true
    com.unraveldata.ldap.verbose=true
     
    #LDAP groups
    com.unraveldata.ldap.groupFilter=seth-test-group,seth-test-admingroup
    com.unraveldata.login.admins.ldap.groups=seth-test-admingroup
Advanced configuration where UPN cannot be used

This configuration uses sAMAccountName to match users. Using the Manager tool, set the bind DN and bind password in the properties. Groups are matched by CN rather than by DN, which the example above used. The configuration uses the bind user to retrieve the user's groups, matches them by CN against the groups listed in com.unraveldata.ldap.groupFilter, and grants admin rights to users in the groups listed in com.unraveldata.login.admins.ldap.groups.

Important

You must substitute your local values for the parameters and values used in the following example.

Please contact your LDAP Admin if you don't know the following directory information.

  1. Check that the object can be found and the user is part of the expected groups.

    ldapsearch -v -h ariel.unraveldata.com -p 389 -D CN=sethbind,OU=seth,DC=unraveldata,DC=com -w unraveldata1! -b DC=unraveldata,DC=com -s sub "(sAMAccountname=commauser)"
  2. Set the following properties using the manager tool.

    #LDAP
    com.unraveldata.login.mode=ldap
    com.unraveldata.ldap.url=ldap://ariel.unraveldata.com
    com.unraveldata.ldap.baseDN=DC=unraveldata,DC=com
    com.unraveldata.ldap.use_jndi=true
    com.unraveldata.ldap.verbose=true
    com.unraveldata.ldap.bind_dn=CN=sethbind,OU=seth,DC=unraveldata,DC=com
    com.unraveldata.ldap.bind_pw=unraveldata1!
    com.unraveldata.ldap.guidKey=sAMAccountName
    
    #LDAP groups
    com.unraveldata.ldap.groupFilter=seth-test-group,seth-test-admingroup
    com.unraveldata.ldap.groupMembershipKey=member
    com.unraveldata.ldap.groupQueryFilter=(CN=seth*)
    com.unraveldata.login.admins.ldap.groups=seth-test-admingroup
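The two user-lookup filters that the ldapsearch checks in the simple and advanced configurations use, as an added example (not Unravel's own code): UPN mode joins the login ID with the configured domain, sAMAccountName mode uses the login ID directly, and both escape the value per RFC 4515 as any filter built from user input must. The function names are this example's own.

```python
"""Added example, not Unravel's own code: the user-lookup filters behind
the ldapsearch checks on this page.  Values are escaped per RFC 4515 so
the login ID is always treated as a literal assertion value."""

# RFC 4515: these characters must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def upn_filter(login_id: str, domain: str) -> str:
    """Simple configuration: login ID + '@' + configured domain,
    matched on userPrincipalName."""
    upn = f"{login_id}@{domain}"
    return f"(userPrincipalName={escape_filter_value(upn)})"


def sam_filter(login_id: str) -> str:
    """Advanced configuration (guidKey=sAMAccountName): the login ID is
    matched directly on sAMAccountName."""
    return f"(sAMAccountName={escape_filter_value(login_id)})"
```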
What is the difference between the two group properties in LDAP configurations?
  • com.unraveldata.ldap.groupFilter: Lists the groups Unravel looks in for users who are allowed to log in.

  • com.unraveldata.login.admins.ldap.groups: Lists the groups Unravel looks in for users who are allowed to log in as admins.

Important

com.unraveldata.login.admins.ldap.groups is a subset of com.unraveldata.ldap.groupFilter, i.e., a group defined in com.unraveldata.login.admins.ldap.groups must also be defined in com.unraveldata.ldap.groupFilter.

For example,

com.unraveldata.ldap.groupFilter=secs-lab-admins,secs-lab-users
# the admins.ldap group is also defined in ldap.groupFilter
com.unraveldata.login.admins.ldap.groups=secs-lab-admins

If a user is:

  • Not listed in the groups defined in com.unraveldata.ldap.groupFilter, they cannot log in.

  • Listed in a group defined in com.unraveldata.login.admins.ldap.groups, they are logged in as an admin.

  • Only listed in the groups defined in com.unraveldata.ldap.groupFilter, they are logged in as a non-admin user.
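The login rule the two group properties define, applied to the groups a user holds in the directory, as an added example that is not Unravel's own code: it parses property lines in the format shown above, checks the subset rule from the Important note, and matches groups by CN the way the advanced configuration does. The property names and sample values are the page's own; the function names are this example's.

```python
"""Added example, not Unravel's own code: the login rule the two group
properties on this page define, applied to a user's directory groups.
Property names and values are the page's; the member DNs are constructed."""
import re
from enum import Enum

FILTER_KEY = "com.unraveldata.ldap.groupFilter"
ADMIN_KEY = "com.unraveldata.login.admins.ldap.groups"

# Taken from the page's own example block.
SAMPLE_PROPERTIES = """\
com.unraveldata.ldap.groupFilter=secs-lab-admins,secs-lab-users
# the admins.ldap group is also defined in ldap.groupFilter
com.unraveldata.login.admins.ldap.groups=secs-lab-admins
"""

class Access(Enum):
    DENIED = "denied"  # in none of the groupFilter groups
    USER = "user"      # in a groupFilter group, not an admin group
    ADMIN = "admin"    # in an admin group that is also in groupFilter

def parse_properties(text: str) -> dict[str, str]:
    """key=value lines as in the page's property blocks; '#' and blank lines skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def group_set(props: dict[str, str], key: str) -> set[str]:
    """Split a comma-separated group property into a set of group names."""
    return {g.strip() for g in props.get(key, "").split(",") if g.strip()}

def misconfigured_admin_groups(props: dict[str, str]) -> set[str]:
    """Admin groups missing from groupFilter (the subset rule); empty means OK."""
    return group_set(props, ADMIN_KEY) - group_set(props, FILTER_KEY)

def cn_of(dn: str) -> str:
    """Leading CN of a group DN: the advanced configuration matches by CN, not DN."""
    match = re.match(r"CN=([^,]+)", dn.strip(), re.IGNORECASE)
    return match.group(1) if match else dn

def decide_access(props: dict[str, str], member_of: list[str]) -> Access:
    """Role for a user whose entry lists the given group DNs (memberOf)."""
    allowed = {cn_of(dn) for dn in member_of} & group_set(props, FILTER_KEY)
    if not allowed:
        return Access.DENIED
    # Only a group that passed groupFilter can grant admin (the subset rule).
    return Access.ADMIN if allowed & group_set(props, ADMIN_KEY) else Access.USER
```

Run misconfigured_admin_groups on the properties before starting Unravel: a non-empty result means an admin group that will never grant a login.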