Enabling LDAP authentication for Unravel UI
You can configure lightweight directory access protocol (LDAP) by
Using UPN lookup and Group lookups using DN.
sAMAccount name to match users.
Simple configuration using UPN lookup and Group lookups using DN
This configuration example is for the newer implementation of Unravel with MS Active Directory and for objects located in separate OUs. In this method, the user lookup is on login ID appended with the configured domain defined in the properties to make UPN (User Principal Name) for the lookup.
Note
This configuration does not:
Work if objects in the directory do not have the expected UPN format.
Include bindDn and password, which older implementations used.
Important
You must substitute your local values for the parameters and values used in the following examples.
Contact your LDAP Admin if you do not know the following directory information.
Stop Unravel.
<Unravel installation directory>/unravel/manager stop
Check that the object can be found and the user is part of the expected groups.
ldapsearch -v -h ariel.unraveldata.com -p 389 -D CN=sethbind,OU=seth,DC=unraveldata,DC=com -w unraveldata1! -b DC=unraveldata,DC=com -s sub "(userPrincipalName=commauser@unraveldata.com)"
Set the properties for LDAP authentication as follows:
<Unravel installation directory>/unravel/manager config properties set <property> <value>
For example:
##LDAP <Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.mode ldap <Unravel installation directory>/unravel/manager config properties set com.unraveldata.ldap.url ldap://ariel.unraveldata.com <Unravel installation directory>/unravel/manager config properties set com.unraveldata.ldap.baseDN DC=unraveldata,DC=com <Unravel installation directory>/unravel/manager config properties set com.unraveldata.ldap.use_jndi true <Unravel installation directory>/unravel/manager config properties set com.unraveldata.ldap.verbose true ##LDAP groups <Unravel installation directory>/unravel/manager config properties set com.unraveldata.ldap.groupFilter seth-test-group,seth-test-admingroup <Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.admins.ldap.groups seth-test-admingroup
Refer to LDAP properties for the complete list.
Apply the changes.
<Unravel installation directory>/unravel/manager config apply
Start Unravel
<Unravel installation directory>/unravel/manager start
Advanced configuration where UPN cannot be used
This configuration uses the sAMAccount name to match users. Using the Manager tool, set the bindDN and password in the properties. It uses CN to match groups instead of DN, which was used in the example above. The configuration uses bind user to get groups, then matches it using CN to filter out groups located in com.unraveldata.ldap.groupFilter, and assign admin users specified in com.unraveldata.login.admins.ldap.groups.
Important
You must substitute your local values for the parameters and values used in the following example.
Please contact your LDAP Admin if you don't know the following directory information.
Stop Unravel.
<Unravel installation directory>/unravel/manager stop
Check that the object can be found and the user is part of the expected groups.
ldapsearch -v -h ariel.unraveldata.com -p 389 -D CN=sethbind,OU=seth,DC=unraveldata,DC=com -w unraveldata1! -b DC=unraveldata,DC=com -s sub "(sAMAccountname=commauser)"
Set the properties for LDAP authentication as follows:
<Unravel installation directory>/unravel/manager config properties set <property> <value>
For example:
#LDAP <Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.mode ldap <Unravel installation directory>/unravel/manager config properties set com.unraveldata.ldap.url ldap://ariel.unraveldata.com <Unravel installation directory>/unravel/manager config properties set com.unraveldata.ldap.baseDN DC=unraveldata,DC=com <Unravel installation directory>/unravel/manager config properties set com.unraveldata.ldap.use_jndi true <Unravel installation directory>/unravel/manager config properties set com.unraveldata.ldap.verbose true <Unravel installation directory>/unravel/manager config properties set com.unraveldata.ldap.bind_dn CN=sethbind,OU=seth,DC=unraveldata,DC=com <Unravel installation directory>/unravel/manager config properties set com.unraveldata.ldap.bind_pw unraveldata1! <Unravel installation directory>/unravel/manager config properties set com.unraveldata.ldap.guidKey sAMAccountName #LDAP groups <Unravel installation directory>/unravel/manager config properties set com.unraveldata.ldap.groupFilter seth-test-group,seth-test-admingroup <Unravel installation directory>/unravel/manager config properties set com.unraveldata.ldap.groupMembershipKey member <Unravel installation directory>/unravel/manager config properties set com.unraveldata.ldap.groupQueryFilter (CN=seth*) <Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.admins.ldap.groups seth-test-admingroup
Refer to LDAP properties for the complete list.
Apply the changes.
<Unravel installation directory>/unravel/manager config apply
Start Unravel
<Unravel installation directory>/unravel/manager start
Note
To use LDAP with RBAC see Configure LDAP or SAML RBAC Properties.
What is the difference between the two group properties in LDAP configurations?
com.unraveldata.ldap.groupFilter: Lists the groups Unravel looks in for users who are allowed to log in.
com.unraveldata.login.admins.ldap.groups: Lists the groups Unravel looks in for users who are allowed to log in as admins.
Important
com.unraveldata.login.admins.ldap.groups is a subset of com.unraveldata.ldap.groupFilter, i.e., a group defined in com.unraveldata.login.admins.ldap.groups must also be defined in com.unraveldata.ldap.groupFilter.
For example,
com.unraveldata.ldap.groupFilter=secs-lab-admins,secs-lab-users # the admins.ldap group is also defined in ldap.groupFilter com.unraveldata.login.admins.ldap.groups=secs-lab-admins
If a user is:
Not listed in the groups defined in com.unraveldata.ldap.groupFilter, they cannot log in.
Listed in group defined in com.unraveldata.login.admins.ldap.groups, they are logged in as an admin.
Only listed in the groups defined in com.unraveldata.ldap.groupFilter, they are logged in as a non-admin user.