Secure LDAP Configuration

Syndeia Cloud offers delegated authentication to industry-standard and commercial Secure LDAP Identity Providers

In Secure LDAP authentication, Syndeia Cloud connects to your organization’s LDAP server using SSL and LDAP for authentication. Only the LDAP username is stored on Syndeia Cloud, and authentication is handled by your LDAP server for Syndeia Cloud.

Preparation Tasks

  1. Review the Preparation Tasks at LDAP Configuration

Configure the IdP

Configure your Organization

With LDAP, all management of user identities and of permissible passwords are all the responsibility and choice of the organization.

  • Assure the LDAP IdP has a directory of user identities

  • Know which users or groups should be permitted access to the Syndeia Service Provider

  • Assure that the organization’s network is configured for SSL to the LDAP IdP

Users in the organization will not be able to access Syndeia Cloud through LDAP until the organization grants them, through the administration in the LDAP IdP, an LDAP user identifier that has a password and an email address.

Configure silhouette.conf

  • ssh log into the Syndeia Cloud server with a user that can perform “passwordless sudo” operations. Root access is not necessary, if sudo access has been established.

  • cd to /opt/icx/syndeia-cloud-current/web-gateway-3.6/conf

  • copy all of the following into silhouette.conf, adding or replacing any existing ldap. settings.

  • Replace all EXAMPLE values – like MYCOMPANY.MYCOM:LDAPPORT– with the values for your organization.

ldap.hostname="MYLDAPSERVICE.MYCOMPANY.MYCOM" ldap.port=636 ldap.baseDN="dc=MYCOMPANY,dc=MYCOM" ldap.startTLS=true

The above illustrates how little configuration is mandatory - if the organization has an OpenLDAP service running SLAPD.

ldap.hostname="MYLDAPSERVICE.MYCOMPANY.MYCOM" ldap.port=636 ldap.baseDN="dc=MYCOMPANY,dc=MYCOM" ldap.userBindAttribute="sAMAccountName" ldap.mailAttribute="userPrincipalName" ldap.startTLS=true

The above illustrates how little configuration is mandatory - if the organization has an Microsoft AD service running SLAPD.

# LDAP provider # The values for hostname, baseDN and adminUserDN are placeholder values. # Please provide actual values, and the value for adminPassword, before using an LDAP provider. # # the hostname where the LDAP service is served # Default if absent is no LDAP service #ldap.hostname="MYLDAPSERVICE.MYCOMPANY.MYCOM" # the port on the host for the LDAP service # Default if absent is 389 (for insecure LDAP) #ldap.port=636 # Topmost DN where Syndeia looks for users to authenticate for Syndeia Cloud # Default if absent is no LDAP service #ldap.baseDN="dc=MYCOMPANY,dc=MYCOM" # DN of an LDAP Administrator # Default if absent is unauthenticated LDAP searches #ldap.adminUserDN="cn=admin,dc=MYCOMPANY,dc=MYCOM" # Password for the LDAP Administrator in plain text # Default if absent is unauthenticated LDAP searches #ldap.adminPassword # the LDAP Attribute that indicates a user identity # Default if absent is "uid" (MS AD uses sAMAccountName) #ldap.userBindAttribute="sAMAccountName" # the LDAP Attribute that indicates each user's email emailAddress # Default if absent is "mail" #ldap.mailAttribute="userPrincipalName" # should Transport Layer Security be used for the LDAP searches # Default if absent is false (must be true for LDAPS) #ldap.startTLS=true # the SSL Protocol to use for TLS # Default if absent is negotiation by client and server #ldap.sslProtocol="TLSv1.2" # the Cipher to use for TLS # Default if absent is negotiation by client and server #ldap.sslCipher="TLS_RSA_WITH_AES_256_CBC_SHA256" # the path to an SSL certificates trust trustStore # Default if absent is all certificates from the LDAP servers are trusted #ldap.truststorePath="/some/path/jssecacerts" # type of the Trust Store # Default if absent is jks for a Java Key Store #ldap.trustStoreType # -------------------------------------------------- # If you want to limit Syndeia access to the members of # LDAP groups, then supply at least one and any more appropriate values # for the group settings below # Syndeia will search through nested groups of any depth but all Group DNs must be within the DN of ldap.groupSettings.dn # -------------------------------------------------- # # Topmost DN where Syndeia looks for <memberAttribute> to identify groups and/or users to authenticate for Syndeia Cloud # Default if absent would be the ldap.baseDN for where Users are searched # ldap.groupSettings.dn="ou=MYGROUPS,dc=MYCOMPANY,dc=MYCOM" # # Simple name of the group used to restrict access to Syndeia Cloud # Default if absent would be the ldap.baseDN for where Users are searched # ldap.groupSettings.name="SyndeiaGroup" # # Attribute used to indicate group instances # Default if absent would be "cn" # for example, given a DN: "cn=SyndeiaGroup,ou=MYGROUPS,dc=MYCOMPANY,dc=MYCOM", then use "cn" next # ldap.groupSettings.bindAttribute="cn"

Curious about the purpose of each and every setting? See LDAP Configuration

Operation

  1. See Operation at LDAP Configuration

If an LDAP user in the proper Secure LDAP scope cannot authenticate into Syndeia, re-confirm with an LDAP search utility that the configuration of Syndeia is correct. Verify this yourself. Usually, with SLDAP, there are configuration issues with the SSL certificates, trust stores, SSL protocol, and SSL cipher.

When a user authenticates via LDAP into Syndeia, Syndeia will create Just In Time an account with rudimentary user read-level permissions - if the account is not already present.

When a user requires more permissions, use the User Management feature in the Web Admin Portal to change this.