LDAP Configuration
Syndeia Cloud offers delegated authentication to industry-standard and commercial LDAP providers.
In LDAP authentication, the Syndeia Cloud application (generically referred to here as the “Service Provider (SP)”) connects to your organization’s LDAP server (aka the “Directory [Store|Server] (DS)”) for authentication. Only the LDAP username is stored on Syndeia Cloud; authentication itself is handled by your LDAP server on Syndeia Cloud’s behalf.
Preparation Tasks
Deploy Syndeia Cloud according to Intercax Documentation.
Read as much of Learn About LDAP as you need to be fluent in LDAP terms and administration.
Ensure that the browsers on the user workstations that will interact with the Syndeia Web Dashboard and with the chosen DS can connect to both the SP and the DS, and that neither connection is rejected because of an SSL certificate error.
Ensure that there are no traffic shapers on the corporate network that alter HTTP Request and HTTP Response headers, especially the headers involved in LDAP protocols.
Ensure that there are no network routers or proxies on the corporate network that alter HTTP URLs or HTTP headers.
Obtain the Fully-Qualified Domain Name (FQDN) scheme, host, and port of the Syndeia Cloud SP.
Obtain the FQDN scheme, host, and port of the chosen LDAP DS.
Test your assumptions about your organization’s LDAP DS with either curl or ldapsearch. Syndeia uses a third-party library for LDAP queries; if simple LDAP queries made from outside Syndeia do not work, a Syndeia configuration based on those incorrect assumptions is not going to work either.
Configure the Directory Store/Server (DS)
Browse to and authenticate into your organization’s choice of DS administration website (or an LDAP directory desktop utility such as Azure AD or Apache Directory Studio). In Syndeia Silhouette, the DS address is the ldap.hostname and ldap.port setting.
Enter the integrations management portion of this administration website
Find or Create a new LDAP service for the DS’s users
Browse the DS’s LDAP “tree” to discover all of the following:
The administrator credentials necessary to bind to the LDAP query URL and search the entire tree for groups and users. The DS might grant query rights to anonymous users, but often a client user or script has to provide administrator credentials to query the DS (via LDAP) for the existence of other user identities. This is the “Bind Distinguished Name” (Bind DN) and its password. In Syndeia Silhouette, this is the ldap.adminUserDN and the ldap.adminPassword setting.
The topmost node in the LDAP tree where user identities are stored. This is the “Base Distinguished Name” (Base DN). In Syndeia Silhouette, this is the ldap.baseDN setting.
The topmost node in the LDAP tree where groups are defined
If you are setting up an LDAP service for the organization, you will need to configure the LDAP tree before attempting to integrate Syndeia with the LDAP service.
Configure your Organization
With LDAP, all management of user identities and of permissible passwords is the responsibility and choice of the organization.
Ensure the LDAP DS has a directory of user identities.
Know which users or groups should be permitted access to the Syndeia Service Provider
Users in the organization will not be able to access Syndeia Cloud through LDAP until the organization grants them, through the administration in the LDAP DS, an LDAP user identifier that has a password and an email address.
Configure silhouette.conf
SSH into the Syndeia Cloud server as a user that can perform “passwordless sudo” operations. Root access is not necessary if sudo access has been established.
cd to /opt/icx/syndeia-cloud-current/web-gateway-<SC_version>-impl/conf
Copy all of the following into silhouette.conf, adding or replacing any existing ldap. settings. Replace all EXAMPLE values, like MYCOMPANY.MYCOM:LDAPPORT, with the values for your organization.
The above illustrates how little configuration is mandatory - if the organization has an OpenLDAP service.
The above illustrates how little configuration is mandatory - if the organization has a Microsoft AD service.
Operation
Restart the web-gateway service
sudo systemctl restart sc-web-gateway
Open a modern web browser (Chrome, Edge, Safari) and visit http://SYNDEIA.MYCOMPANY.MYCOM:MYSYNDEIAPORT/login or https://SYNDEIA.MYCOMPANY.MYCOM:MYSECURESYNDEIAPORT/login
In the Login Form dialog, enter the LDAP user credentials for an existing LDAP user that is within the ldap.baseDN tree or within the ldap.groupSettings.name LDAP group (if group-limited LDAP access was configured).
Choose LDAP from the Account chooser.
If an LDAP user in the proper LDAP scope cannot authenticate into Syndeia, re-confirm with an LDAP search utility that the Syndeia configuration matches the directory. Verify this yourself. Usually, either the user is entering the wrong user name or password, or the LDAP repository has a different tree structure than was assumed.
When a user authenticates into Syndeia via LDAP, Syndeia creates an account just in time with rudimentary read-level user permissions, if the account is not already present.
When a user requires more permissions, use the User Management feature in the Web Admin Portal to change this.
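The login flow that the Configure the DS and Operation sections describe (bind with the ldap.adminUserDN, find the user under ldap.baseDN, check ldap.groupSettings.name membership when group-limited access is configured, bind as the user, then create the account just in time with read-level permissions), as an added Python example rather than code from Syndeia or Intercax. It runs against a constructed in-memory directory so it works offline; the dict form of the ldap.* settings, the directory entries and the uid-based naming are assumptions, so it is useful for reasoning about which setting a failing login points at, not as a substitute for ldapsearch against the real DS.

```python
# Added example, not Intercax/Syndeia code: offline model of the delegated
# LDAP login this page describes. Directory contents and DN layout are constructed.
DIRECTORY = {  # constructed in-memory directory: normalized DN -> attributes
    "cn=admin,dc=mycompany,dc=mycom": {"userpassword": "admin-secret"},
    "uid=alice,ou=people,dc=mycompany,dc=mycom": {"userpassword": "alice-pw", "mail": "alice@mycompany.mycom"},
    "uid=bob,ou=people,dc=mycompany,dc=mycom": {"userpassword": "bob-pw", "mail": "bob@mycompany.mycom"},
    "uid=eve,ou=contractors,dc=other,dc=mycom": {"userpassword": "eve-pw", "mail": "eve@other.mycom"},
    "cn=syndeia-users,ou=groups,dc=mycompany,dc=mycom": {"member": ["uid=alice,ou=people,dc=mycompany,dc=mycom"]},
}
SETTINGS = {  # assumed dict form of the page's ldap.* settings, with EXAMPLE values
    "ldap.hostname": "MYCOMPANY.MYCOM", "ldap.port": "LDAPPORT",  # not used offline
    "ldap.adminUserDN": "cn=admin,dc=mycompany,dc=mycom",
    "ldap.adminPassword": "admin-secret",
    "ldap.baseDN": "ou=people,dc=mycompany,dc=mycom",
    "ldap.groupSettings.name": "cn=syndeia-users,ou=groups,dc=mycompany,dc=mycom",
}
ACCOUNTS = {}  # Syndeia side: only the LDAP username (plus a local role) is stored

def normalize_dn(dn):
    """DNs compare case-insensitively; strip whitespace around components."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def bind(dn, password):
    """Simple bind: succeeds only for a known DN whose userPassword matches."""
    entry = DIRECTORY.get(normalize_dn(dn))
    return entry is not None and entry.get("userpassword") == password

def ldap_login(username, password, settings=SETTINGS):
    """Admin bind -> search under baseDN -> group check -> user bind -> JIT account.
    Returns (ok, reason); the reason names the setting to re-check on failure."""
    if not bind(settings["ldap.adminUserDN"], settings["ldap.adminPassword"]):
        return False, "admin bind failed: check ldap.adminUserDN / ldap.adminPassword"
    base = "," + normalize_dn(settings["ldap.baseDN"])
    prefix = f"uid={username.lower()},"
    matches = [dn for dn in DIRECTORY if dn.startswith(prefix) and dn.endswith(base)]
    if len(matches) != 1:
        return False, "user not found under ldap.baseDN"
    user_dn = matches[0]
    if not DIRECTORY[user_dn].get("mail"):
        return False, "LDAP identity has no email address"
    group = settings.get("ldap.groupSettings.name")
    if group:  # group-limited access: the user DN must be listed as a member
        members = DIRECTORY.get(normalize_dn(group), {}).get("member", [])
        if user_dn not in [normalize_dn(m) for m in members]:
            return False, "user is not a member of ldap.groupSettings.name"
    if not bind(user_dn, password):
        return False, "wrong user name or password"
    ACCOUNTS.setdefault(username, {"role": "read"})  # created just in time, read-level only
    return True, "ok"
```

Removing ldap.groupSettings.name from the settings turns off the group restriction, which is how bob (under the Base DN but outside the group) becomes able to log in.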