Configuring LDAP
1. Overview
Syndeia Cloud can support both basic/native authentication and LDAP authentication.
In basic/native authentication, users are created by the admin in Syndeia Cloud and permissions are assigned to them. Usernames and passwords are stored on Syndeia Cloud and verified when a client connects to Syndeia Cloud.
In LDAP authentication, Syndeia Cloud connects to your organization’s LDAP server for authentication. Only the LDAP username is stored on Syndeia Cloud, and authentication is handled by your LDAP server for Syndeia Cloud. Once LDAP users are initialized in Syndeia Cloud, the Syndeia admin can assign them permissions.
Note that Syndeia Cloud 3.3 does not yet support LDAP Groups; we are working on adding this feature.
2. Pre-Requisites
Syndeia Cloud 3.3.0+: This is a newer LDAP-capable build than the Syndeia Cloud 3.2 public release, which originally did not support LDAP.
Syndeia Java Client (MD/RH plugin or Standalone) v3.3.0+: You can verify the version by examining the title bar when the Dashboard is open or, for MD, via the version column in the plugin list.
3. Configuring Syndeia Cloud to use your LDAP server
Edit the Web-Gateway µ-service’s /conf/silhouette.conf file and scroll to the LDAP provider section, as shown below.

# LDAP provider
# The values for hostname, baseDN and adminUserDN are placeholder values.
# Please provide actual values, and the value for adminPassword, before using an LDAP provider.
ldap.hostname="ldapserver.mycompany.com"
# ldap.port=389|636(TLS)|<custom>
ldap.port=389
ldap.baseDN="dc=mycompany,dc=com"
ldap.adminUserDN="cn=admin,dc=mycompany,dc=com"
ldap.adminPassword=""
ldap.userBindAttribute="uid"
# [optional]: For SSL/TLS + certificate-based LDAPS
# ldap.startTLS=false|true
ldap.startTLS=false
ldap.truststorePath="",
ldap.truststorePassword="",
ldap.trustStoreType = "",
# ldap.trustAllCertificates=true|false
ldap.trustAllCertificates=true

Specify values for lines 4-10 of the LDAP provider section. These are the minimum required parameters and include the LDAP hostname, port, baseDN, adminUserDN and adminPassword (the last two fields are required for making the initial connection to the LDAP server before verifying the user; in organizations where the LDAP server does not require any credentials to access it, these two fields may be left empty). Save the changes.
Restart the web-gateway service.
At this point, when a user authenticates via LDAP with the Syndeia client, an account is created automatically with default user read-level permissions, i.e. the user can open a project and read information but cannot create new connections, repositories, or projects.
If the user requires more permissions, use the User Management feature in the Web Admin Portal to change this.