English (US) Deutsch (Deutschland) Español (Latinoamérica) Français (France) 한국어(대한민국) Português do Brasil

Articles in this section

[SPN9] Authentication - LDAP settings

  • Updated

Introduction

This KB describe:

1) LDAP Settings available in SPN9

2) How to activate LDAP

3) How to retrieve LDAP informations

 

1) LDAP Settings available in SPN9

LDAP settings are available from administration > Authentication settings > LDAP settings

You will find there general settings:

Setting Description Examples
LDAP URL* Base URL to connect to your LDAP server

ldap://server:389

ldaps://server:636
LDAP search base* Base object of your search ou=people,dc=example,dc=com
LDAP search filter* Criteria to use to select account. Token {{username}} will be replace by login.

(uid={{username}})

(sAMAccountName={{username}})

(userPrincipalName={{username}})

(&(mail={{username}}))
Search attributes* List of all attributes retrieved

mail, givenName, sn, uid

userPrincipalName, givenName, familyName, email
adminDN Service account used to connect to LDAP uid=systran-ldap-acccount,dc=example,dc=com
Password for adminDN Password  
TLS Options for LDAP server Additional TLS options  

 

LDAP Mapping settings:

Setting Description Examples
Mapping of identifier* Attribute used as identifier. In most cases, this is login

uid

userPrincipalName
Mapping of email* Email attribute mail
Mapping of given name* First name attribute givenName
Mapping of family name* Last name attribute

familyName

sn
Mapping of groups Multi value attribute containing the list of groups attached to user memberOf

Note that all mapped attributes should be present in the "Search attributes" list.

 

Groups filter

Setting Description Examples
Groups blacklist Regular expression matching groups to exclude  
Groups whitelist Regular expression matching groups to keep and create

SYSTRAN

 

* Mandatory fields

 

More details about LDAP Group Mapping can be found here.

 

Note: if custom CA is required, you will have to update: /lib/systemd/system/systran-ses-console.service

Environment="NODE_EXTRA_CA_CERTS=[your CA certificate file path]"

And reload systemd deamons.

 

2) How to activate LDAP

To activate LDAP, add it in the "Enabled authentication modes" list. LDAP logon screen will be available from https://server/auth/ldap

To set LDAP default authentication mechanism (when you connect to https://server), set "Default Authentication mode" to LDAP.

 

To activate or update setttings, restart console service.

 

 

3) How to retrieve LDAP informations

To connect or identify LDAP settings, it could be useful:

3.1) For Windows server, to use dsquery command line tool

To find users:

dsquery user -name "John"

This will list all users who's name is John

To find details of a user and identify attributes names:

dsquery * "OU=John_Doe,DC=your,DC=domain,DC=com" -attr *

 

3.2) For Linux servers (including the SPNS 9 server) to install and use ldapsearch

Install ldapsearch

yum install openldap-clients

Then you can search:

ldapsearch -H ldap://server:389 -x -W -D "uid=systran-ldap-acccount,dc=example,dc=com" \
-b "ou=people,dc=example,dc=com" "(uid=John)"