Skip to main content

Configure LDAP as SSO

You can find the list of LDAP properties here.

TL;DR

Here is an example snippet to put in your configuration file, that contains server, users and groups attributes.

platform-config.yaml
sso:
ldap:
- name: "LDAP" # Custom name for LDAP connection
server: "ldap://openldap:1389" # LDAP server URI with port
managerDn: "cn=admin,dc=example,dc=org" # Bind DN
managerPassword: "adminpassword" # Bind password
search-subtree: true # Search subtree (default: true)
search-base: "ou=users,dc=example,dc=org" # Base DN to search for users
search-filter: "(uid={0})" # Search filter (default: "(uid={0})")
groups-enabled: true # Enable group membership (default: false)
groups-base: "ou=groups,dc=example,dc=org" # Base DN to search for groups
groups-filter: "(member={0})" # Filter on groups (default: "uniquemember={0}")
groups-attribute: "cn" # Group name entry (default: "cn")
tip

If your LDAP server is Active Directory and you get "invalid user" error when trying to log-in, try setting your search-filter to '(sAMAccountName={0})'.

Users information

Here is the mapping between LDAP users information and Conduktor Console:

LDAPConduktor Console
uidUser ID, used to log in
mail or emailUser email (The only mandatory field)
cnUser name
snUser family name
givenNameUser first name
displayNameUser display name

Groups

To retrieve the groups each user belongs to, you have to set groups-enabled to true, and populate the attributes groups-base and groups-filter. You can find an example of snippet in the TL;DR.

caution

Be aware that depending on your LDAP objectClass, the attribute used to filter groups might be changed.

For example:

LDAP objectClassConduktor groups-filter
groupOfNames"member={0}"
groupOfUniqueNames"uniqueMember={0}"

External Groups Mapping

Now that your configuration is finished, you can setup a mapping between your LDAP groups and your Console groups. That way, when a user will log in, they will be automatically added to the corresponding Console groups, based on their LDAP groups.

To create this mapping, you have to create a group from Console, and mention the ID of the group on your LDAP (you should find it in the attribute you mentioned as groups-base).

After the user logged in, we can see they've been added to the group, without any action:

Stack example

If you need more examples, you can go to this stack with LDAP configuration, and you will be able to start Conduktor Console using a local LDAP, with two users and a group. You can find the credentials in the README.md.