DCImanager Administrator

Synchronization with the LDAP directory

ISPSystem

LDAP (Lightweight Directory Access Protocol) is an application layer protocol for accessing directory services. A directory service (LDAP directory) is a hierarchically structured system for storing key-value data. Directory services are usually used to store information about an organization, its assets and its users. There are different implementations of LDAP directories, for example OpenLDAP and FreeIPA for Linux and Microsoft Active Directory for Windows.

You can set up synchronization of DCImanager with the LDAP directory. Then user accounts from the directory will be automatically created in the platform.

Work logic


DCImanager starts synchronization with the LDAP directory at intervals specified in the settings. During synchronization, the platform connects with specified parameters to the LDAP directory and receives a list of users. Information about users in the LDAP directory has a higher priority than the information in the platform.

General synchronization rules:

  1. If a user from the LDAP directory is not present in the platform, the platform will create an account with the LDAP data.
  2. If a user from the LDAP directory already exists in the platform, the platform will replace the password of the user account with the one from the LDAP data.
    Example: An account with the name admin@example.com and the password secret1 has been created in the platform. In LDAP, there is an account with the name admin@example.com and the password secret2. After synchronization, the user admin@example.com will only be able to log in to the platform with the password secret2.
  3. If a user from the LDAP directory already exists in the platform, the platform will change the account level to match the LDAP data.
    Example: An account with the name admin@example.com and the "Administrator" level has been created in the platform. In LDAP, there is an account with the name admin@example.com in the "Users" group. After synchronization, the account level will change to "User". If the user is the owner of servers, operations with these servers will remain available to him.
  4. If the administrator deletes from the platform a user created during synchronization with LDAP, the platform will create this user again during the next synchronization.
  5. If a user is deleted from the LDAP directory, the platform will delete his account during the next synchronization.
  6. If a user is blocked in the LDAP directory, the platform will set his status to "Blocked in LDAP". Such a user will not be able to log in to the platform.
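The six rules above amount to a one-directional reconciliation in which the directory is the source of truth. The following model is an added example and not DCImanager code: the data classes, the action names and the assumption that only accounts previously created by synchronization are deleted under rule 5 are all illustrative choices. It produces the list of actions one synchronization run would take for a constructed set of directory users and platform accounts.

```python
"""Model of the LDAP synchronization rules (added example, not DCImanager code)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class LdapUser:
    """A user as read from the directory (assumed shape)."""
    email: str
    password: str          # the directory copy always wins (rule 2)
    level: str             # "admin" or "user", derived from group membership (rule 3)
    blocked: bool = False  # account disabled in the directory (rule 6)


@dataclass
class PlatformAccount:
    """A user account as stored in the platform (assumed shape)."""
    email: str
    password: str
    level: str
    from_ldap: bool        # created by an earlier synchronization
    status: str = "active"


def reconcile(ldap_users: List[LdapUser],
              accounts: List[PlatformAccount]) -> List[Tuple]:
    """Return the actions the platform takes; LDAP data has priority on every conflict."""
    actions: List[Tuple] = []
    by_email = {a.email: a for a in accounts}
    seen = set()

    for u in ldap_users:
        seen.add(u.email)
        acc = by_email.get(u.email)
        if acc is None:
            # Rule 1; rule 4 is the same path: an LDAP user deleted locally is recreated.
            actions.append(("create", u.email, u.level))
            continue
        if acc.password != u.password:
            actions.append(("set_password", u.email))          # rule 2
        if acc.level != u.level:
            actions.append(("set_level", u.email, u.level))    # rule 3
        if u.blocked and acc.status != "blocked_in_ldap":
            actions.append(("block", u.email))                 # rule 6

    for acc in accounts:
        # Rule 5. Assumption: only accounts that came from LDAP are removed;
        # purely local accounts are left alone.
        if acc.from_ldap and acc.email not in seen:
            actions.append(("delete", acc.email))
    return actions


def demo() -> List[Tuple]:
    """Constructed sample data exercising every rule (not from a real directory)."""
    ldap = [
        LdapUser("admin@example.com", "secret2", "user"),            # rules 2 and 3
        LdapUser("new@example.com", "pw", "admin"),                  # rule 1
        LdapUser("locked@example.com", "pw", "user", blocked=True),  # rule 6
    ]
    platform = [
        PlatformAccount("admin@example.com", "secret1", "admin", from_ldap=False),
        PlatformAccount("locked@example.com", "pw", "user", from_ldap=True),
        PlatformAccount("gone@example.com", "pw", "user", from_ldap=True),      # rule 5
        PlatformAccount("local@example.com", "pw", "admin", from_ldap=False),   # untouched
    ]
    return reconcile(ldap, platform)


if __name__ == "__main__":
    for action in demo():
        print(action)
```

Running the model shows why the priority rule matters operationally: a local "Administrator" whose directory group is "Users" is silently downgraded, and a locally changed password is overwritten, so group membership in the directory is the only place where platform roles are effectively managed once synchronization is on.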

Synchronization setup


Note

If you need to use an SSL connection to connect to LDAP and the server has a self-signed SSL certificate installed, follow the steps in the article If the LDAP server has a self-signed SSL certificate.

To configure synchronization, enter  → Synchronization with LDAP:

  1. Select the LDAP directory implementation:
    1. LDAP — a standard directory service implementation;
    2. Active Directory;
    3. FreeIPA.
  2. Specify the connection settings:
    1. Base DN — the directory object from which the search begins. For example, for the example.com directory, specify "dc=example,dc=com".
    2. If necessary, enable the Use SSL to connect option.
    3. Main server address.
    4. Connection Port.
    5. Bind DN — unique name for authentication. You can specify the name in the format name@example.com or "cn=name,ou=group,dc=example,dc=com".
    6. Password.
    7. For a standard LDAP implementation, specify the following:
      1. Users DN — parameter for searching and downloading users. For example, "ou=users".
      2. Groups DN — parameter for searching and downloading user groups. For example, "ou=groups".
      3. Groupname attribute — attribute for loading the group name. For example, CN or memberof.
      4. E-mail attribute — attribute for downloading the user's email address. For example, mail.
  3. Press Next. DCImanager will check the connection to the LDAP directory with the specified parameters.
  4. Select the DN group for the roles. Read more about user roles in DCImanager in Accounts :
    1. Administrator.
    2. User.
  5. For the platform to perform synchronization on a schedule:
    1. Enable the Synchronize users automatically option.
    2. Select the schedule parameters:
      • Hourly;
      • Daily → select the time;
      • Weekly → select the day → select the time;
      • arbitrary time in the cron format → specify the Cron command. For example, 15 10 * * 0 — synchronize on Sundays at 10:15, or 0 12 1,16 * * — synchronize on the 1st and 16th of the month at 12:00.
  6. You can Download a full list of users for synchronization. The list contains the names of the users, their roles and information about the presence of matching users in the platform.
  7. Press Start synchronization. DCImanager will start the synchronization process. Synchronization can take several minutes.

Example of configuration


You can change the saved settings under  → Synchronization with LDAP.

To synchronize manually, enter Synchronization with LDAP → Synchronize now or Users → Synchronize with LDAP → Start synchronization.

Synchronization via API


To configure synchronization, use the API of the LDAP service.

Connection settings example

  1. Check the connection and get a list of groups: 

    curl -ks -X 'POST' \
      'https://domain.com/api/ldap/v4/connect' \
      -H 'Cookie: ses6=<auth_token>' \
      -H 'x-xsrf-token: <auth_token>' \
      -H 'accept: application/json' \
      -H 'Content-Type: application/json' \
      -d '{
      "type": "ldap",
      "base_dn": "dc=example,dc=com",
      "address": "192.168.0.5",
      "port": 389,
      "is_ssl": false,
      "bind_dn": "cn=admin,dc=example,dc=com",
      "password": "secret",
      "users_dn": "cn=users",
      "groups_dn": "cn=groups",
      "groupname_attr": "memberOf",
      "email_attr": "mail"
    }'

    domain.com — IP address or domain name of the server with the platform

    <auth_token> — authorization token

    type — LDAP directory implementation

    base_dn — directory object from which the search begins

    address — IP address of the main server

    port — connection port

    is_ssl — "Use SSL to connect" option

    bind_dn — unique name for authentication

    password — LDAP administrator's password

    users_dn — parameter for searching and downloading users

    groups_dn — parameter for searching and downloading user groups

    groupname_attr — attribute for loading the group name

    email_attr — attribute for downloading the user's email address

  2. Finish creating the connection: 

    curl -ks -X 'POST' \
      'https://domain.com/api/ldap/v4/setting' \
      -H 'Cookie: ses6=<auth_token>' \
      -H 'x-xsrf-token: <auth_token>' \
      -H 'accept: application/json' \
      -H 'Content-Type: application/json' \
      -d '{
      "type": "ldap",
      "base_dn": "dc=example,dc=com",
      "address": "192.168.0.5",
      "port": 389,
      "is_ssl": false,
      "bind_dn": "cn=admin,dc=example,dc=com",
      "password": "secret",
      "groups_bind": {
          "@admin": [
            "cn=admins,cn=groups,cn=accounts,dc=example,dc=com",
            "cn=devops,cn=groups,cn=accounts,dc=example,dc=com"
          ],
          "@user": [
            "cn=support,cn=groups,cn=accounts,dc=example,dc=com",
            "cn=developer,cn=groups,cn=accounts,dc=example,dc=com"
          ]
      },
      "auto_sync": "0 * * * *"
    }'

    domain.com — IP address or domain name of the server with the platform

    <auth_token> — authorization token

    type — LDAP directory implementation

    base_dn — directory object from which the search begins

    address — IP address of the main server

    port — connection port

    is_ssl — "Use SSL to connect" option

    bind_dn — unique name for authentication

    password — LDAP administrator's password

    groups_bind — DN-groups for each user role in the platform

    auto_sync — time in cron format for synchronization with the directory
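The two curl calls above send the bind password and the role mapping to the platform exactly as typed, so mistakes such as a six-field cron string or a group DN outside the base DN are only discovered after the request. The script below is an added example and not part of DCImanager or its API client: the helper names (validate_cron, build_connect_payload, build_setting_payload, redacted, post_json) are assumptions, the field names are those from the article, and the setting endpoint is assumed to share the /api/ldap/v4 prefix shown for connect. It builds both request bodies from one configuration, checks them before sending, masks the password for logging, and verifies the platform's TLS certificate by default instead of skipping verification as curl -ks does.

```python
"""Build and sanity-check the connect and setting request bodies (added example)."""
import json
import re
import ssl
import urllib.request
from typing import Dict, List

# One cron field: "*", a number, a range, a comma list, optionally with "/step".
CRON_FIELD = re.compile(r"^(\*|\d+)(-\d+)?(,(\*|\d+)(-\d+)?)*(/\d+)?$")


def validate_cron(expr: str) -> bool:
    """Accept only five-field cron strings: minute hour day-of-month month day-of-week."""
    fields = expr.split()
    if len(fields) != 5:
        return False
    limits = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]
    for field, (lo, hi) in zip(fields, limits):
        if not CRON_FIELD.match(field):
            return False
        for n in re.findall(r"\d+", field.split("/")[0]):
            if not lo <= int(n) <= hi:
                return False
    return True


def build_connect_payload(cfg: Dict) -> Dict:
    """Body for POST /api/ldap/v4/connect, using the field names from the article."""
    keys = ("type", "base_dn", "address", "port", "is_ssl", "bind_dn", "password",
            "users_dn", "groups_dn", "groupname_attr", "email_attr")
    return {k: cfg[k] for k in keys}


def build_setting_payload(cfg: Dict, groups_bind: Dict[str, List[str]],
                          auto_sync: str) -> Dict:
    """Body for POST /api/ldap/v4/setting; rejects a bad schedule or role mapping."""
    if not validate_cron(auto_sync):
        raise ValueError(f"auto_sync is not a five-field cron expression: {auto_sync!r}")
    base = cfg["base_dn"].replace(" ", "").lower()
    for role, dns in groups_bind.items():
        if role not in ("@admin", "@user"):
            raise ValueError(f"unknown role key {role!r}")
        for dn in dns:
            # A role group outside the search base can never match any user.
            if not dn.replace(" ", "").lower().endswith(base):
                raise ValueError(f"{dn!r} is outside base DN {cfg['base_dn']!r}")
    body = {k: cfg[k] for k in ("type", "base_dn", "address", "port",
                                "is_ssl", "bind_dn", "password")}
    body["groups_bind"] = groups_bind
    body["auto_sync"] = auto_sync
    return body


def redacted(body: Dict) -> str:
    """JSON suitable for logs: the bind password is masked."""
    return json.dumps({**body, "password": "***"}, indent=2)


def post_json(url: str, body: Dict, token: str, verify_tls: bool = True) -> Dict:
    """Send one API request with the same headers as the article's curl command."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Cookie": f"ses6={token}", "x-xsrf-token": token,
                 "accept": "application/json", "Content-Type": "application/json"})
    ctx = ssl.create_default_context()
    if not verify_tls:  # equivalent of curl -k; only for a trusted test network
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.loads(resp.read().decode())


# Values taken from the article's example request bodies.
SAMPLE_CFG = {
    "type": "ldap", "base_dn": "dc=example,dc=com", "address": "192.168.0.5",
    "port": 389, "is_ssl": False, "bind_dn": "cn=admin,dc=example,dc=com",
    "password": "secret", "users_dn": "cn=users", "groups_dn": "cn=groups",
    "groupname_attr": "memberOf", "email_attr": "mail",
}
SAMPLE_GROUPS = {
    "@admin": ["cn=admins,cn=groups,cn=accounts,dc=example,dc=com",
               "cn=devops,cn=groups,cn=accounts,dc=example,dc=com"],
    "@user": ["cn=support,cn=groups,cn=accounts,dc=example,dc=com",
              "cn=developer,cn=groups,cn=accounts,dc=example,dc=com"],
}

if __name__ == "__main__":
    connect = build_connect_payload(SAMPLE_CFG)
    setting = build_setting_payload(SAMPLE_CFG, SAMPLE_GROUPS, "0 * * * *")
    print(redacted(setting))
    # With a real platform and token (both placeholders here):
    # post_json("https://domain.com/api/ldap/v4/connect", connect, "<auth_token>")
    # post_json("https://domain.com/api/ldap/v4/setting", setting, "<auth_token>")
```

The cron check accepts the article's examples (0 * * * *, 15 10 * * 0, 0 12 1,16 * *) and rejects strings with a sixth field or out-of-range values; the DN check catches a role mapping that would leave every user without a role after the next scheduled run.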
