Setting up LDAP authentication

In this article we will see how to set up LDAP authentication in NetYCE. We will be using the following sample LDAP server details for the setup.

LDAP test server details

LDAP server information:

Server:        ldap.test.com
Port:          389
Bind DN:       cn=read-only-admin,dc=example,dc=com
Bind password: secret

Group information:

ou=chemists,dc=example,dc=com

List of users:

uid=curie,dc=example,dc=com
uid=boyle,dc=example,dc=com
uid=nobel,dc=example,dc=com
uid=pasteur,dc=example,dc=com

Configuring YCE_Setup to set up LDAP Auth

The Ldap/AD configuration for NetYCE is defined in the 'Yce_setup' table. We will be modifying the Yce_setup table values to set up LDAP.

Accessing YCE_Setup

(1) Admin -> Custom data -> (2) YCE_Setup 


Selecting the profile

Filter the Parameter column with "profile". We see that the default profile value is netyce.org.
Subsequent configurations are linked to this profile name. Though it can be changed, in this example we will continue with the netyce.org profile name.


Each profile consists of 4 sections:
  1. Login_policy - The login process and the methods used are controlled by these settings.
  2. Ldap_admin - Defines how NetYCE must identify and authenticate itself with the Ldap server.
  3. Ldap_server - Defines which Ldap servers to consult and how failover behaves.
  4. Ldap_schema - Defines the Ldap sources, attributes and relations. The local LDAP admin should be consulted before first attempts, as these are specific to the local implementation.

Updating the login_policy

(1) Apply the filter login_policy to the Type column
(2) default_group and enable_ldap are the important values to modify; the other parameters are for further customization.

Type          Parameter      Str_value  Description
login_policy  default_group             Local or Ldap users are assigned to this user-group when the configured
login_policy  enable_ldap    yes        Enable LDAP login

Updating Ldap_admin

(1) Apply the ldap_admin filter to the Type column
(2) ldap_admin_dn and ldap_admin_pass are the values to configure. Set use_anonymous to no if we are not using anonymous login.

Type        Parameter        Str_value                             Description
ldap_admin  ldap_admin_dn    cn=read-only-admin,dc=example,dc=com  The admin DN of Ldap to consult user-admin
ldap_admin  ldap_admin_pass  secret                                Enter the password in cleartext
ldap_admin  use_anonymous    no                                    Is anonymous admin allowed or not?

Updating Ldap_server

(1) Apply the filter ldap_server to the Type column
(2) ldap_server_pri, ldap_port_pri and ldap_secure_pri are the Parameters to fill in.
Updating the other Parameters is only necessary if a secondary LDAP server is available.

Type         Parameter         Str_value      Description
ldap_server  ldap_server_pri   ldap.test.com  The fqdn or ip of the primary Ldap server
ldap_server  ldap_port_pri     389            The port of the primary Ldap server
ldap_server  ldap_secure_pri   no             To use secure-ldap 'ldap over SSL'. Well-known ports overrule
ldap_server  enable_secondary  no             Is a fallback Ldap server available?


Updating Ldap_schema

(1) Apply the ldap_schema filter to the Type column
(2) Update the grp_search_base and (3) usr_search_base values.

Type         Parameter        Str_value                      Description
ldap_schema  usr_search_base  dc=example,dc=com              used to locate the username in the ldap
ldap_schema  usr_uid_attr     uid                            used to locate the username in the ldap
ldap_schema  usr_map_attr     gidNumber                      Value extracted to identify the group
ldap_schema  grp_search_base  ou=chemists,dc=example,dc=com  used to locate the group record
ldap_schema  grp_name_attr    cn                             Used to retrieve the group name
ldap_schema  grp_map_attr     gidNumber                      Attribute used to match the value extracted.

The process involves locating a user record in LDAP based on the username attribute (usr_uid_attr under usr_search_base), then extracting the value of the attribute named in usr_map_attr; that value identifies the user's group record.
Next, the group record is located in LDAP under grp_search_base by looking for an entry whose grp_map_attr attribute matches the extracted value. Once the group record is found, the group name is read from grp_name_attr and compared against the existing group names in NetYCE. If the group name does not exist in NetYCE, the default_group from the login_policy is used.
This is one of the possible LDAP schemas. Refer to the article LDAP\AD setup for other types of implementation.
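The lookup described above, as an added example that is not NetYCE's own code: a small Python model of the directory from this article (constructed entries; the gidNumber values and the default_group value "Operators" are assumed placeholders, since the page does not show them) that walks the ldap_admin, usr_* and grp_* settings in the same order NetYCE does, including the fallback to default_group.

```python
# Constructed in-memory stand-in for the directory in this article (not a
# real LDAP client): DN -> attributes. gidNumber values are made up.
DIRECTORY = {
    "cn=read-only-admin,dc=example,dc=com": {"userPassword": "secret"},
    "uid=curie,dc=example,dc=com":   {"uid": "curie",   "gidNumber": "5000"},
    "uid=boyle,dc=example,dc=com":   {"uid": "boyle",   "gidNumber": "5000"},
    "uid=nobel,dc=example,dc=com":   {"uid": "nobel",   "gidNumber": "5001"},
    "uid=pasteur,dc=example,dc=com": {"uid": "pasteur", "gidNumber": "6000"},
    "cn=chemists,ou=chemists,dc=example,dc=com":   {"cn": "chemists",   "gidNumber": "5000"},
    "cn=physicists,ou=chemists,dc=example,dc=com": {"cn": "physicists", "gidNumber": "5001"},
}

# Yce_setup values from the article. default_group is not shown on the page,
# so "Operators" is an assumed placeholder.
YCE_SETUP = {
    "default_group": "Operators",
    "ldap_admin_dn": "cn=read-only-admin,dc=example,dc=com",
    "ldap_admin_pass": "secret",
    "use_anonymous": "no",
    "usr_search_base": "dc=example,dc=com",
    "usr_uid_attr": "uid",
    "usr_map_attr": "gidNumber",
    "grp_search_base": "ou=chemists,dc=example,dc=com",
    "grp_name_attr": "cn",
    "grp_map_attr": "gidNumber",
}

def search(base, attr, value):
    """Entries below `base` (subtree scope) whose `attr` equals `value`."""
    return [e for dn, e in DIRECTORY.items()
            if value is not None and dn.lower().endswith(base.lower()) and e.get(attr) == value]

def admin_bind(cfg):
    """ldap_admin bind: anonymous only when use_anonymous is 'yes'."""
    if cfg["use_anonymous"] == "yes":
        return True
    entry = DIRECTORY.get(cfg["ldap_admin_dn"])
    return entry is not None and entry.get("userPassword") == cfg["ldap_admin_pass"]

def resolve_group(cfg, username, netyce_groups):
    """Map an LDAP login to a NetYCE user-group following the ldap_schema rows."""
    if not admin_bind(cfg):
        raise PermissionError("ldap_admin bind failed: check ldap_admin_dn/ldap_admin_pass")
    users = search(cfg["usr_search_base"], cfg["usr_uid_attr"], username)
    if len(users) != 1:
        return None  # unknown or ambiguous username: no login
    map_value = users[0].get(cfg["usr_map_attr"])           # e.g. gidNumber
    groups = search(cfg["grp_search_base"], cfg["grp_map_attr"], map_value)
    name = groups[0].get(cfg["grp_name_attr"]) if groups else None
    return name if name in netyce_groups else cfg["default_group"]
```

Running resolve_group for each sample user against the set of groups that exist in NetYCE shows which logins land in a matched LDAP group and which fall back to default_group.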

Verifying LDAP Access

Login and test


Reviewing logs

(1) Admin -> User Logs

Validating LDAP-type users created

(1) Admin -> Users & Groups -> Users 
We can see that an LDAP-type user is created after login. It is part of the NetYCE group that was defined as default_group under login_policy earlier.