LDAP

ODD Platform can be configured to use an existing LDAP server for user authentication. Several properties need to be set to enable this kind of security.

Define authentication type

YAML:

auth:
    type: LDAP

Environment variable:

AUTH_TYPE=LDAP

Connect to LDAP server

Three properties are responsible for connecting to the LDAP server:

  • auth.ldap.url: LDAP server URL (required)

  • auth.ldap.username: The username (principal) to use when authenticating with the LDAP server

  • auth.ldap.password: The password (credentials) to use when authenticating with the LDAP server

Username and password are not required. If they are not set, operations are performed using an anonymous (unauthenticated) context.

YAML:

auth:
    ldap:
        url: "ldap://localhost:389"
        username: admin
        password: password

Environment variables:

AUTH_LDAP_URL=ldap://localhost:389
AUTH_LDAP_USERNAME=admin
AUTH_LDAP_PASSWORD=password

Perform users search

There are two ways to look up users in the LDAP server:

  1. Define a DN pattern for user names. This works well when all users are stored under a single node in the directory.

  2. Set up an LDAP search filter.

DN pattern

This is an example of how a user DN pattern can be defined. The DN for the user is built by substituting the login for {0} in the supplied pattern.

YAML:

auth:
    ldap:
        dn-pattern: "uid={0},ou=people,dc=mycompany,dc=com"

Environment variable:

AUTH_LDAP_DN_PATTERN="uid={0},ou=people"

Search filter

This is an example of using a search filter instead of a DN pattern. If a user search base isn't supplied, the search is performed from the root.

YAML:

auth:
    ldap:
        user-filter:
            search-base: "ou=people,dc=mycompany,dc=com"
            filter: "(uid={0})"

Environment variables:

AUTH_LDAP_USER_FILTER_SEARCH_BASE="ou=people"
AUTH_LDAP_USER_FILTER_FILTER="uid={0}"

One of these two search methods must be set up; otherwise application start will fail.

Define admin groups

ODD Platform can retrieve the LDAP groups a user belongs to, so it is possible to define which groups grant admin privileges. The following properties need to be set to allow ODD Platform to do this:

  • auth.ldap.groups.search-base: The base DN from which the search for group membership is performed. By default the search is performed from the root.

  • auth.ldap.groups.filter: The filter used for the group membership search. The default value is (member={0}), where the user DN is substituted for {0}.

  • auth.ldap.groups.admin-groups: List of groups whose members are granted admin permissions.

YAML:

auth:
    ldap:
        groups:
            search-base: "dc=mycompany,dc=com"
            filter: "(member={0})"
            admin-groups: admin

Environment variables:

AUTH_LDAP_GROUPS_SEARCH_BASE="dc=mycompany,dc=com"
AUTH_LDAP_GROUPS_FILTER="(member={0})"
AUTH_LDAP_GROUPS_ADMIN_GROUPS=admin

Active directory

If you are using Active Directory as the LDAP server, there are additional properties that need to be set:

  • auth.ldap.active-directory.enabled: Must be set to true

  • auth.ldap.active-directory.domain: Domain name

YAML:

auth:
    ldap:
        active-directory:
            enabled: true
            domain: "example.com"

Environment variables:

AUTH_LDAP_ACTIVE_DIRECTORY_ENABLED=true
AUTH_LDAP_ACTIVE_DIRECTORY_DOMAIN="example.com"

Final configuration example

YAML:

auth:
    type: LDAP
    ldap:
        url: "ldap://localhost:389"
        username: admin
        password: password
        dn-pattern: "uid={0},ou=people,dc=mycompany,dc=com"
        groups:
            search-base: "dc=mycompany,dc=com"
            filter: "(member={0})"
            admin-groups: admin

Environment variables:

AUTH_TYPE=LDAP
AUTH_LDAP_URL=ldap://localhost:389
AUTH_LDAP_USERNAME=admin
AUTH_LDAP_PASSWORD=password
AUTH_LDAP_DN_PATTERN="uid={0},ou=people"
AUTH_LDAP_GROUPS_SEARCH_BASE="dc=mycompany,dc=com"
AUTH_LDAP_GROUPS_FILTER="(member={0})"
AUTH_LDAP_GROUPS_ADMIN_GROUPS=admin
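The following Python script is an added worked example, not ODD Platform code, showing how the properties above fit together: the start-up check that one of dn-pattern or user-filter is present, the {0} substitution of the login into the DN pattern or user filter, the substitution of the resulting user DN into the group filter, and the admin decision based on admin-groups. It runs against a constructed in-memory stand-in for the group subtree (DIRECTORY) with the page's final configuration (CONFIG) and uses only the standard library. The RFC 4514 (DN) and RFC 4515 (filter) escaping of substituted values, the evaluation of only (member={0})-shaped filters by the toy directory, and matching admin-groups against a group's first RDN value are assumptions of this example; the page does not state how the platform handles them.

```python
"""How the ODD Platform LDAP properties fit together (added illustration).

Example code written for this page, not ODD Platform code. It mirrors the
documented semantics: {0} in dn-pattern / user-filter is the login, {0} in
groups.filter is the user DN, and members of admin-groups become admins.
Escaping of substituted values (RFC 4514 for DNs, RFC 4515 for filters)
is this example's assumption, not something the page states.
"""
import re

# Constructed configuration: the page's "Final configuration example".
CONFIG = {
    "type": "LDAP",
    "ldap": {
        "url": "ldap://localhost:389",
        "username": "admin",
        "password": "password",
        "dn-pattern": "uid={0},ou=people,dc=mycompany,dc=com",
        "groups": {
            "search-base": "dc=mycompany,dc=com",
            "filter": "(member={0})",
            "admin-groups": "admin",
        },
    },
}

# Constructed stand-in for the group subtree: group DN -> set of member DNs.
DIRECTORY = {
    "cn=admin,ou=groups,dc=mycompany,dc=com": {
        "uid=alice,ou=people,dc=mycompany,dc=com",
    },
    "cn=analysts,ou=groups,dc=mycompany,dc=com": {
        "uid=alice,ou=people,dc=mycompany,dc=com",
        "uid=bob,ou=people,dc=mycompany,dc=com",
    },
}

_DN_SPECIAL = {c: "\\" + c for c in ',+"\\<>;='}
_DN_SPECIAL["\0"] = "\\00"
_FILTER_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_dn_value(value):
    """RFC 4514 escaping for a value placed into a DN (the {0} of dn-pattern)."""
    out = "".join(_DN_SPECIAL.get(c, c) for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed into a search filter."""
    return "".join(_FILTER_SPECIAL.get(c, c) for c in value)


def config_errors(cfg):
    """Return the start-up problems the page describes (empty list = OK)."""
    errors = []
    if cfg.get("type") != "LDAP":
        errors.append("auth.type must be LDAP")
    ldap = cfg.get("ldap", {})
    if not ldap.get("url"):
        errors.append("auth.ldap.url is required")
    if not ldap.get("dn-pattern") and not ldap.get("user-filter"):
        errors.append("one of auth.ldap.dn-pattern or auth.ldap.user-filter is required")
    return errors


def user_dn(ldap_cfg, login):
    """DN-pattern method: the login replaces {0} in the pattern."""
    return ldap_cfg["dn-pattern"].replace("{0}", escape_dn_value(login))


def user_search(ldap_cfg, login):
    """Search-filter method: (search base, filter); an empty base means the root."""
    uf = ldap_cfg["user-filter"]
    return uf.get("search-base", ""), uf["filter"].replace("{0}", escape_filter_value(login))


def group_filter(ldap_cfg, dn):
    """Group-membership filter with the user DN substituted for {0}."""
    flt = ldap_cfg.get("groups", {}).get("filter", "(member={0})")  # documented default
    return flt.replace("{0}", escape_filter_value(dn))


def groups_of(ldap_cfg, dn, directory=DIRECTORY):
    """Evaluate a (member={0})-shaped filter against the constructed directory."""
    m = re.fullmatch(r"\(member=(.*)\)", group_filter(ldap_cfg, dn))
    if m is None:
        raise ValueError("this toy directory only evaluates (member={0}) filters")
    # Undo filter escaping so the comparison is against the literal member DN.
    wanted = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), m.group(1))
    return sorted(g for g, members in directory.items() if wanted in members)


def admin_group_names(ldap_cfg):
    """admin-groups as a set; accepts a list or a comma-separated string (assumption)."""
    raw = ldap_cfg.get("groups", {}).get("admin-groups", "")
    parts = raw if isinstance(raw, list) else raw.split(",")
    return {p.strip() for p in parts if p.strip()}


def is_admin(ldap_cfg, login):
    """True if a group the user belongs to is named in admin-groups (first RDN value)."""
    wanted = admin_group_names(ldap_cfg)
    for g in groups_of(ldap_cfg, user_dn(ldap_cfg, login)):
        name = re.split(r"(?<!\\),", g, maxsplit=1)[0].split("=", 1)[1]
        if name in wanted:
            return True
    return False


if __name__ == "__main__":
    assert config_errors(CONFIG) == []
    for who in ("alice", "bob"):
        role = "admin" if is_admin(CONFIG["ldap"], who) else "user"
        print(who, user_dn(CONFIG["ldap"], who), role)
```

The escaping step is the part worth keeping in mind when reviewing an LDAP setup: a login containing `*`, `(` or `)` that is pasted unescaped into `(uid={0})` changes what the user search matches, and a DN value containing `,` changes how the DN pattern parses. The example escapes both substitutions so that they stay literal values.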

Last updated 2 years ago