Enabling LDAP authentication for Unravel UI
You can configure lightweight directory access protocol (LDAP) by
Using UPN lookup and Group lookups using DN.
sAMAccount name to match users.
 |
Important
You must restart the ngui module (/etc/init.d/ngui restart) after the LDAP configuration.
Enabling LDAP authentication
Stop Unravel.
<Installation_directory>/unravel/manager stop
Use any one of the following methods to configure the LDAP authentication:
Method1: Unravel Configuration tool
Run the following command:
<Installation_directory>/unravel/manager config
The main menu of the Unravel - Configuration tool is displayed.
Go to LDAP Basic option and press ENTER.
Set the following properties:
Property
Description
Enabled
Specify whether to enable LDAP authentication for Unravel users. Use [space] to toggle between true and false.
URL
Specify the fully qualified URL to connect to the LDAP server. Format: ldap://your.ldap.server or ldap://your.ldap.server:port
Domain
Specify the domain name of the users. For example: youcompany.com
baseDN
Specify the baseDN of your users. For example: DC=yourcompany, DC=com
User groups
Specify a comma-separated list of groups that can access Unravel.
Admin groups
Specify a comma-separated list of groups that can manage Unravel.
Method 2: Set individual properties
Run the following command:
<Unravel installation directory>/manager config properties set com.unraveldata.login.mode=ldap com.unraveldata.ldap.url=ldap://ariel.unraveldata.com com.unraveldata.ldap.baseDN=DC=unraveldata,DC=com com.unraveldata.ldap.use_jndi=true com.unraveldata.ldap.verbose=true com.unraveldata.ldap.groupFilter=seth-test-group,seth-test-admingroup com.unraveldata.login.admins.ldap.groups=seth-test-admingroup
Refresh files and start Unravel
<Installation_directory>/unravel/manager refresh files start
Enabling LDAP Advanced authentication
Stop Unravel.
<Installation_directory>/unravel/manager stop
Use any one of the following methods to configure the LDAP advanced authentication:
Unravel Configuration tool
Run the following command:
<Installation_directory>/unravel/manager config
The main menu of the Unravel - Configuration tool is displayed.
Go to LDAP Basic option and press ENTER.
Set the following properties:
Property
Description
Enabled
Specify whether to enable LDAP authentication for Unravel users. Use [space] to toggle between true and false.
URL
Specify the fully qualified URL to connect to the LDAP server. Format: ldap://your.ldap.server or ldap://your.ldap.server:port
Domain
Specify the domain name of the users. For example: youcompany.com
baseDN
Specify the baseDN of your users. For example: DC=yourcompany, DC=com
User groups
Specify a comma-separated list of groups that can access Unravel.
Admin groups
Specify a comma-separated list of groups that can manage Unravel.
Set individual properties
Run the following command:
<Unravel installation directory>/manager config properties set com.unraveldata.login.mode=ldap com.unraveldata.ldap.url=ldap://ariel.unraveldata.com com.unraveldata.ldap.baseDN=DC=unraveldata,DC=com com.unraveldata.ldap.use_jndi=true com.unraveldata.ldap.verbose=true com.unraveldata.ldap.groupFilter=seth-test-group,seth-test-admingroup com.unraveldata.login.admins.ldap.groups=seth-test-admingroup
Refresh files and start Unravel
<Installation_directory>/unravel/manager refresh files start
Simple configuration using UPN lookup and Group lookups using DN
This configuration example is for the newer implementation of Unravel with MS Active Directory and for objects located in separate OUs. In this method, the user lookup is on login ID appended with the configured domain defined in the properties to make UPN (User Principal Name) for the lookup.
Note
This configuration does not:
Work if objects in the directory do not have the expected UPN format.
Include bindDn and password, which older implementations used.
Important
You must substitute your local values for the parameters and values used in the following examples.
Contact your LDAP Admin if you don't know the following directory information.
Check that the object can be found and the user is part of the expected groups.
ldapsearch -v -h ariel.unraveldata.com -p 389 -D CN=sethbind,OU=seth,DC=unraveldata,DC=com -w unraveldata1! -b DC=unraveldata,DC=com -s sub "(userPrincipalName=commauser@unraveldata.com)"
Set the following properties using the manager tool:
#LDAP com.unraveldata.login.mode=ldap com.unraveldata.ldap.url=ldap://ariel.unraveldata.com com.unraveldata.ldap.baseDN=DC=unraveldata,DC=com com.unraveldata.ldap.use_jndi=true com.unraveldata.ldap.verbose=true #LDAP groups com.unraveldata.ldap.groupFilter=seth-test-group,seth-test-admingroup com.unraveldata.login.admins.ldap.groups=seth-test-admingroup
Advanced configuration where UPN cannot be used
This configuration uses the sAMAccount name to match users. Using the Manager tool, set the bindDN and password in the properties. It uses CN to match groups instead of DN, which was used in the example above. The configuration uses bind user to get groups, then matches it using CN to filter out groups located in com.unraveldata.ldap.groupFilter, and assign admin users specified in com.unraveldata.login.admins.ldap.groups.
Important
You must substitute your local values for the parameters and values used in the following example.
Please contact your LDAP Admin if you don't know the following directory information.
Check that the object can be found and the user is part of the expected groups.
ldapsearch -v -h ariel.unraveldata.com -p 389 -D CN=sethbind,OU=seth,DC=unraveldata,DC=com -w unraveldata1! -b DC=unraveldata,DC=com -s sub "(sAMAccountname=commauser)"
Set the following properties using the manager tool.
#LDAP com.unraveldata.login.mode=ldap com.unraveldata.ldap.url=ldap://ariel.unraveldata.com com.unraveldata.ldap.baseDN=DC=unraveldata,DC=com com.unraveldata.ldap.use_jndi=true com.unraveldata.ldap.verbose=true com.unraveldata.ldap.bind_dn=CN=sethbind,OU=seth,DC=unraveldata,DC=com com.unraveldata.ldap.bind_pw=unraveldata1! com.unraveldata.ldap.guidKey=sAMAccountName #LDAP groups com.unraveldata.ldap.groupFilter=seth-test-group,seth-test-admingroup com.unraveldata.ldap.groupMembershipKey=member com.unraveldata.ldap.groupQueryFilter=(CN=seth*) com.unraveldata.login.admins.ldap.groups=seth-test-admingroup
What is the difference between the two group properties in LDAP configurations?
com.unraveldata.ldap.groupFilter: Lists the groups Unravel looks in for users who are allowed to log in.
com.unraveldata.login.admins.ldap.groups: Lists the groups Unravel looks in for users who are allowed to log in as admins.
Important
com.unraveldata.login.admins.ldap.groups is a subset of com.unraveldata.ldap.groupFilter, i.e., a group defined in com.unraveldata.login.admins.ldap.groups must also be defined in com.unraveldata.ldap.groupFilter.
For example,
com.unraveldata.ldap.groupFilter=secs-lab-admins,secs-lab-users # the admins.ldap group is also defined in ldap.groupFilter com.unraveldata.login.admins.ldap.groups=secs-lab-admins
If a user is:
Not listed in the groups defined in com.unraveldata.ldap.groupFilter, they cannot log in.
Listed in group defined in com.unraveldata.login.admins.ldap.groups, they are logged in as an admin.
Only listed in the groups defined in com.unraveldata.ldap.groupFilter, they are logged in as a non-admin user.