LDAP Connection Configuration

From iDENprotect Knowledge Base

If you have not made any configuration changes yet, please see How to make configuration changes

Introduction

idenprotect Core Platform can be used with or without LDAP integration. After the initial installation, LDAP integration is disabled. If LDAP is enabled, idenprotect Core Platform connects idenprotect users' identities to an LDAP directory, such as Microsoft Active Directory.

This article will help you configure your connection to the LDAP directory.

If you already have the connection configured and would like to configure which users are synchronized, see LDAP Admin Sync Configuration or LDAP User Sync Configuration.

If you would like to configure the LDAP synchronization job to store additional details about a user, see LDAP Extra Parameters or LDAP Group Definitions.


Configuring the LDAP Connection

Standard Connection

If you wish to connect to LDAP using TLS but have not yet enabled LDAP over TLS, see LDAP TLS Configuration

This configuration can be found in:

  • LDAP Connection Configuration under the LDAP section in the idenprotect Core Platform Admin Console Config Tab
  • Server file system in /etc/idenprotect/ldap.properties
Parameters for LDAP (Config Tab name, properties file key, description)

  • LDAP Enabled (ldap.enabled): set to true to enable LDAP integration.
  • Admin Sync Enabled? (ldap.admin.sync): set to true to synchronise admin users with the directory.
  • User Sync Enabled? (ldap.user.sync): set to true to synchronise users with the directory.
  • Connection Type (ldap.type): fake for testing purposes; real if idenprotect Core Platform connects to the directory directly; websocket if you are using the WebSocket client to connect to Active Directory.
  • LDAP Protocol (ldap.protocol): ldap://, or ldaps:// if using LDAP over TLS.
  • Default Host (ldap.loadBalance.defaultHost): hostname or IP address of the LDAP server, without protocol or port. Used unless Load Balance is enabled.
  • LDAP Port (ldap.port): LDAP port number. Default is 389 (636 if using LDAP over TLS).
  • LDAPS Trust All Certificates? (policy.ldaps.trust.all.certs): if true, idenprotect Core Platform trusts ANY certificate when contacting LDAPS. This disables server certificate validation, so anyone who can intercept the connection can impersonate the directory; leave it false in production and see LDAP TLS Configuration for the supported setup.
  • Authentication Method (ldap.auth.method): simple, sasl or anonymous. If unsure of the right option, set to simple.
  • Authentication User (ldap.auth.user): LDAP service account username (simple or SASL authentication). Ignored if using anonymous authentication.
  • Authentication Password (ldap.auth.password): LDAP service account password (simple or SASL authentication).

The service account referred to in ldap.auth.user and ldap.auth.password requires read access to the LDAP directory to be able to make queries. It may also require write access if you wish to use some of the server's other features; grant write access only if you use those features. We recommend creating a dedicated LDAP account for idenprotect Core Platform. With simple authentication the password is sent to the directory in clear text unless the connection uses ldaps://, so use LDAP over TLS wherever possible.

Load Balanced Connection

idenprotect Core Platform can be configured to access LDAP through a single LDAP server or load-balanced over multiple servers in multiple regions. The server looks up the DNS name configured for each region to find the available hosts and cycles through them until it finds one that accepts a connection within a set response time.

Hosts that fail to connect are logged at INFO; if all hosts in a given region fail to connect, this is logged at ERROR. A periodic health check can also be configured, which produces the same logs and additionally logs successfully connecting hosts at DEBUG.

When load balancing is disabled, a default host must be provided as described in the general configuration at the top of this page.

This configuration can be found in:

  • LDAP Connection Configuration under the LDAP section in the idenprotect Core Platform Admin Console Config Tab
  • Server file system in /etc/idenprotect/ldap.properties

Note that all other Load Balance properties will be hidden until the "Load Balance Required" setting has been set to true and saved.

Parameters for LDAP (Config Tab name, properties file key, description)

  • Load Balance Required? (ldap.loadBalance.required): set to true to enable LDAP load balancing.
  • Load Balance Region 1 (ldap.loadBalance.region1): DNS name to look up for region 1. At least one region must be supplied if load balancing is enabled. For Active Directory this is the domain controller SRV record name, for example _ldap._tcp.dc._msdcs.<DnsDomainName>.
  • Load Balance Region 2 (ldap.loadBalance.region2): optional. Can be left blank if no second region is available. The format is the same as region 1.
  • Load Balance Region 3 (ldap.loadBalance.region3): optional. Can be left blank if no third region is available. The format is the same as region 1.
  • Load Balance Max Response Time (ldap.loadBalance.maxResponseTime): time (in ms) allowed for a host to respond before the connection is considered to have failed and the load balancer moves on to the next host.
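The region-by-region failover described above, as an added example that is not part of idenprotect's own code. The DNS lookup and the socket connect are replaced by constructed stand-ins (FAKE_DNS and FAKE_LATENCY_MS) so the example runs offline; a real deployment would resolve the SRV record and open a TCP connection with a timeout of ldap.loadBalance.maxResponseTime. The port comes from ldap.port and the 1000 ms fallback for a missing maxResponseTime is this example's assumption, not a documented default.

```python
import logging
from typing import Callable, Dict, List, Optional

log = logging.getLogger("idenprotect.ldap.loadbalance")

# Constructed stand-in for the DNS lookup of each region name. A real
# deployment resolves the SRV record (e.g. _ldap._tcp.dc._msdcs.eu.example.com)
# to domain controller hostnames; the answers are hard-coded here.
FAKE_DNS: Dict[str, List[str]] = {
    "_ldap._tcp.dc._msdcs.eu.example.com": ["dc1.eu.example.com", "dc2.eu.example.com"],
    "_ldap._tcp.dc._msdcs.us.example.com": ["dc1.us.example.com"],
    "_ldap._tcp.dc._msdcs.ap.example.com": [],
}

# Constructed connect behaviour per host: response time in ms, or None if the
# host refuses the TCP connection outright.
FAKE_LATENCY_MS: Dict[str, Optional[int]] = {
    "dc1.eu.example.com": None,
    "dc2.eu.example.com": 900,
    "dc1.us.example.com": 40,
}

# Constructed ldap.properties values as the platform would read them (all strings).
LB_CONFIG: Dict[str, str] = {
    "ldap.port": "636",
    "ldap.loadBalance.required": "true",
    "ldap.loadBalance.region1": "_ldap._tcp.dc._msdcs.eu.example.com",
    "ldap.loadBalance.region2": "_ldap._tcp.dc._msdcs.us.example.com",
    "ldap.loadBalance.region3": "_ldap._tcp.dc._msdcs.ap.example.com",
    "ldap.loadBalance.maxResponseTime": "500",
}


def fake_resolve(region: str) -> List[str]:
    return FAKE_DNS.get(region, [])


def fake_connect(host: str, port: int, timeout_ms: int) -> None:
    """Raise OSError, as a real socket connect would, on refusal or timeout."""
    latency = FAKE_LATENCY_MS.get(host)
    if latency is None:
        raise ConnectionRefusedError(f"{host}:{port} refused")
    if latency > timeout_ms:
        raise TimeoutError(f"{host}:{port} exceeded {timeout_ms} ms")


def pick_ldap_host(config: Dict[str, str],
                   resolve: Callable[[str], List[str]] = fake_resolve,
                   connect: Callable[[str, int, int], None] = fake_connect) -> Optional[str]:
    """Return the first reachable host, trying region 1, then 2, then 3.

    Logging follows the documented levels: INFO per failed host, ERROR when a
    whole region is exhausted, DEBUG for a host that connects.
    """
    port = int(config.get("ldap.port", "389"))
    if config.get("ldap.loadBalance.required", "false").lower() != "true":
        host = config.get("ldap.loadBalance.defaultHost", "").strip()
        if not host:
            raise ValueError("ldap.loadBalance.defaultHost is required when load balancing is disabled")
        return host
    # 1000 ms fallback is this example's assumption; the page gives no default.
    timeout_ms = int(config.get("ldap.loadBalance.maxResponseTime", "1000"))
    regions = [config.get(f"ldap.loadBalance.region{n}", "").strip() for n in (1, 2, 3)]
    regions = [r for r in regions if r]
    if not regions:
        raise ValueError("ldap.loadBalance.region1 is required when load balancing is enabled")
    for region in regions:
        for host in resolve(region):
            try:
                connect(host, port, timeout_ms)
            except OSError as exc:  # ConnectionRefusedError and TimeoutError are both OSError
                log.info("LDAP host %s (region %s) failed: %s", host, region, exc)
                continue
            log.debug("LDAP host %s (region %s) reachable", host, region)
            return host
        log.error("all LDAP hosts in region %s failed to connect", region)
    return None


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    print(pick_ldap_host(LB_CONFIG))
```

With the constructed data, region 1 is exhausted (one refusal, one host slower than 500 ms) and the first host of region 2 is selected; raising maxResponseTime to 1000 ms makes the slow region 1 host acceptable instead, which is the trade-off the setting controls. The same function called on a timer gives the periodic health check the page describes.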

Websocket Connection

Another model for synchronizing idenprotect with Active Directory is to configure idenprotect as a WebSocket server that can listen for updates from idenprotect Active Directory Agents.

To use this approach, please see Start Here - idenprotect Active Directory Agent. This will take you through the LDAP, WebSocket Server, and Sync Client configuration.

Note that all additional WebSocket properties will be hidden until the "Connection Type" setting has been set to websocket and saved.

This configuration can be found in:

  • LDAP Connection Configuration under the LDAP section in the idenprotect Core Platform Admin Console Config Tab
  • Server file system in /etc/idenprotect/ldap.properties
Parameters for LDAP (Config Tab name, properties file key, description)

  • LDAP WebSocket Hosts (ldap.websocket.hosts): comma-separated list of hosts that may send sync data, in the format <node>:<hostname>, e.g. node1:dc.domain.com,node2:dc2.domain.com
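A pre-flight check for /etc/idenprotect/ldap.properties, covering the standard, load-balanced and WebSocket parameters above. This is an added example, not idenprotect's own tooling: it reads the file with a small Java-properties parser and reports the mistakes a reviewer would look for (ldaps:// on port 389, the trust-all-certificates flag, a missing service account password, a missing region or default host, malformed WebSocket host entries). The key names come from the tables on this page; SAMPLE_PROPERTIES and its values are constructed for the example, and the regular expression for <node>:<hostname> is this example's assumption about the accepted syntax.

```python
import re
from typing import Dict, List

# Constructed sample of /etc/idenprotect/ldap.properties with deliberate mistakes:
# ldaps:// on port 389, trust-all certificates enabled, empty service password.
SAMPLE_PROPERTIES = """\
# idenprotect LDAP connection (constructed example)
ldap.enabled=true
ldap.admin.sync=true
ldap.user.sync=true
ldap.type=real
ldap.protocol=ldaps://
ldap.loadBalance.defaultHost=dc1.corp.example.com
ldap.port=389
policy.ldaps.trust.all.certs=true
ldap.auth.method=simple
ldap.auth.user=svc-idenprotect
ldap.auth.password=
ldap.loadBalance.required=false
"""

VALID_TYPES = {"fake", "real", "websocket"}
VALID_METHODS = {"simple", "sasl", "anonymous"}
WS_HOST_RE = re.compile(r"^[A-Za-z0-9_-]+:[A-Za-z0-9.-]+$")  # assumed <node>:<hostname> syntax


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments,
    blank lines ignored, trailing-backslash continuation lines joined."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def is_true(props: Dict[str, str], key: str) -> bool:
    return props.get(key, "false").strip().lower() == "true"


def check_ldap_properties(props: Dict[str, str]) -> List[str]:
    """Return a list of findings, each prefixed with the offending key."""
    findings: List[str] = []
    if not is_true(props, "ldap.enabled"):
        return ["ldap.enabled: not true, LDAP integration is disabled and the other keys are ignored"]
    ltype = props.get("ldap.type", "")
    if ltype not in VALID_TYPES:
        findings.append(f"ldap.type: '{ltype}' is not one of {sorted(VALID_TYPES)}")
    elif ltype == "fake":
        findings.append("ldap.type: 'fake' is for testing only, use 'real' or 'websocket' in production")
    proto, port = props.get("ldap.protocol", ""), props.get("ldap.port", "")
    if proto not in ("ldap://", "ldaps://"):
        findings.append(f"ldap.protocol: '{proto}' must be ldap:// or ldaps://")
    elif proto == "ldap://":
        findings.append("ldap.protocol: ldap:// sends the simple-bind password in clear text, see LDAP TLS Configuration")
    if proto == "ldaps://" and port == "389":
        findings.append("ldap.port: 389 with ldaps://, LDAPS normally uses 636")
    if proto == "ldap://" and port == "636":
        findings.append("ldap.port: 636 with ldap://, port 636 normally serves LDAPS")
    if is_true(props, "policy.ldaps.trust.all.certs"):
        findings.append("policy.ldaps.trust.all.certs: true disables server certificate validation, set false in production")
    method = props.get("ldap.auth.method", "")
    user, password = props.get("ldap.auth.user", ""), props.get("ldap.auth.password", "")
    if method not in VALID_METHODS:
        findings.append(f"ldap.auth.method: '{method}' is not one of {sorted(VALID_METHODS)}")
    elif method == "anonymous":
        if user:
            findings.append("ldap.auth.user: ignored with anonymous authentication")
    else:
        if not user:
            findings.append(f"ldap.auth.user: required for {method} authentication")
        if not password:
            findings.append(f"ldap.auth.password: required for {method} authentication")
    if is_true(props, "ldap.loadBalance.required"):
        if not props.get("ldap.loadBalance.region1"):
            findings.append("ldap.loadBalance.region1: required when load balancing is enabled")
    else:
        host = props.get("ldap.loadBalance.defaultHost", "")
        if not host:
            findings.append("ldap.loadBalance.defaultHost: required when load balancing is disabled")
        elif re.search(r"://|:\d+$", host):
            findings.append("ldap.loadBalance.defaultHost: must not include protocol or port")
    if ltype == "websocket":
        hosts = [h.strip() for h in props.get("ldap.websocket.hosts", "").split(",") if h.strip()]
        if not hosts:
            findings.append("ldap.websocket.hosts: required when ldap.type=websocket")
        for h in hosts:
            if not WS_HOST_RE.match(h):
                findings.append(f"ldap.websocket.hosts: '{h}' is not in <node>:<hostname> form")
    return findings


if __name__ == "__main__":
    for finding in check_ldap_properties(parse_properties(SAMPLE_PROPERTIES)):
        print(finding)
```

Run it against the real file with `parse_properties(open("/etc/idenprotect/ldap.properties").read())` before saving a change through the Config Tab; the sample above yields three findings (port, trust-all, empty password). The checks are syntactic only and do not replace binding to the directory with the service account.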