In addition to user accounts created directly in Embotics® vCommander®, you can also integrate with Active Directory or Lightweight Directory Access Protocol (LDAP) servers so users can log in with credentials they already know. It’s not uncommon for the vCommander administrator to be a different person than the LDAP administrator, so this article discusses the information you need in order to configure an LDAP integration successfully.
Unlike Active Directory, which has a known schema common to all implementations, LDAP is an open directory designed to be highly flexible so that administrators can design the schema. Administrators create rules and attribute types that define the information stored about users in the directory. Because the directory service schema is customized, the configuration wizard in vCommander helps you define the relevant fields in your directory.
The procedure below must be performed by a vCommander user with the Superuser role.
- Under the Configuration menu, choose System Configuration.
- Switch to the Authentication tab and click Add > LDAP under Directory Services to launch the LDAP Configuration wizard.
- On the Server Configuration page, provide details about which server or servers vCommander should query, whether the queries are done anonymously or under a specific account, and whether or not to connect securely using LDAPS.
The Name field is a label that identifies the integration in vCommander. It also lets vCommander select a specific directory, which is necessary when the same username exists in more than one directory service you’ve integrated with vCommander; otherwise, any label you choose will suffice. The Primary Server and Secondary Server fields provide vCommander with the addresses of your LDAP servers. You can use DNS names or IP addresses in these fields.
Choose either the Anonymous Bind or the Specify user/password radio button. If your server supports anonymous bind, you don’t have to provide a user account for vCommander to use when querying the server(s).
Bind DN accepts usernames in the format cn=user,dc=domain,dc=com, which typically corresponds to firstname.lastname@example.org. Enter the Password for this account.
Base DN tells vCommander where to start searching the directory, in the format dc=domain,dc=com, which corresponds to domain.com.
Check LDAPS to enforce encrypted connections to the server; without it, the bind password and query results travel in clear text. This may be required in your environment.
Check Enabled to turn on this directory service as usable for vCommander authentication. If you ever need to take it offline temporarily, simply uncheck this box and complete the wizard.
- Click Test to validate your choices before clicking Next.
- On the Identity page, you provide vCommander with definitions of what identifies a user or group in your directory, as well as filters to specify which users and groups should be included or excluded by the search. Sample values are provided on this page for your reference, but these will likely need to be replaced with values relevant for your schema.
User Filter is a required field which defines valid users for search results based on criteria you set. For example, (&(objectClass=inetOrgPerson)(!(ou:dn:=inactive))) requires that the account belong to the objectClass inetOrgPerson AND that its dn not contain an ou component with the value inactive.
User ID is a required field which, when combined with the User Filter, describes how to find users in the directory.
If Anonymous Search is checked, vCommander defers to the LDAP provider to look up the user and find its dn for authentication. Otherwise, vCommander searches the directory to locate the user, extracts the user’s dn attribute, and uses that value for authentication.
The Group Filter field includes or excludes groups from search results based on criteria you set. For example, (objectClass=groupOfUniqueNames) accepts every group identified by the groupOfUniqueNames objectClass, so no filtering of groups occurs.
The Group ID field describes how to find groups in the directory.
The Group Membership field defines the attribute whose value references specific user records of group members.
The User Mapping field defines which attribute of the user record is referenced by the values of the Group Membership attribute.
- Click Next.
- On the Optional Attributes page, you provide vCommander with additional definitions of attributes that supply more details about the user accounts. The most important of these, Email Address, is required so that users receive notifications sent by vCommander. Sample values are provided on this page for your reference, but these will likely need to be replaced with values relevant for your schema.
- Click Finish.
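To make the Identity page fields concrete, here is an added example (not vCommander code, and not an Embotics tool) that evaluates the page's sample User Filter and Group Filter over a small constructed in-memory directory, then walks the two lookups the wizard fields describe: User Filter plus User ID yield a single user dn, and Group Filter plus Group Membership plus User Mapping yield that user's groups. Entry names, the dc=example,dc=com base, and the uid/memberUid attributes are assumptions for the illustration; the evaluator supports only a subset of RFC 4515 (&, |, !, equality and the :dn: extensible match used by the sample filter).

```python
# Constructed in-memory directory (entry DN -> attributes); not a real environment
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "uid": ["alice"]},
    "uid=bob,ou=inactive,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "uid": ["bob"]},
    "cn=admins,ou=groups,dc=example,dc=com": {"objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=alice,ou=people,dc=example,dc=com"]},
    "cn=devs,ou=groups,dc=example,dc=com": {"objectClass": ["posixGroup"], "memberUid": ["alice", "bob"]},
}

def _parse(s, i=0):
    """Parse an RFC 4515 filter subset: &, |, !, attr=value and attr:dn:=value."""
    i += 1                                    # skip "("
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1              # skip ")"
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)
    return ("=", attr, value), end + 1

def _matches(node, dn, attrs):
    op = node[0]
    if op == "&": return all(_matches(k, dn, attrs) for k in node[1])
    if op == "|": return any(_matches(k, dn, attrs) for k in node[1])
    if op == "!": return not _matches(node[1][0], dn, attrs)
    _, attr, value = node
    name = attr.split(":")[0]
    values = [v.lower() for v in attrs.get(name, [])]
    if attr.endswith(":dn:"):                 # dnAttributes: also match the entry's own DN components
        values += [rdn.split("=", 1)[1].lower() for rdn in dn.split(",")
                   if rdn.lower().startswith(name.lower() + "=")]
    return value.lower() in values

def search(base_dn, filt):
    base = base_dn.lower()                    # subtree search: the base itself or anything below it
    node, _ = _parse(filt)
    return [dn for dn, attrs in DIRECTORY.items()
            if (dn.lower() == base or dn.lower().endswith("," + base)) and _matches(node, dn, attrs)]

def find_user_dn(username, user_filter, user_id, base_dn):
    """Non-anonymous path: AND the User Filter with User ID=<login>; exactly one hit yields the dn."""
    hits = search(base_dn, f"(&{user_filter}({user_id}={username}))")
    return hits[0] if len(hits) == 1 else None

def groups_for(user_dn, group_filter, group_membership, user_mapping, base_dn):
    """Group Membership values are compared with the user's User Mapping attribute ("dn" = entry DN)."""
    key = user_dn if user_mapping == "dn" else DIRECTORY[user_dn][user_mapping][0]
    return [g for g in search(base_dn, group_filter)
            if key in DIRECTORY[g].get(group_membership, [])]
```

With the page's sample User Filter, alice resolves to her dn while bob is rejected because his dn carries ou=inactive; the groupOfUniqueNames case maps users by dn, the posixGroup case by uid.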
Using LDAP Browsers
LDAP browsers allow you to connect to a directory and examine its hierarchy and schema. Because vCommander administrators are not typically the LDAP Administrator, using an LDAP Browser can help you figure out how to configure the integration by looking for the information you need.
At Embotics, the engineering team favors the LDAP Browser included in Apache Directory Studio, which you can download and install for free. When working with Embotics support on LDAP integration issues, having this installed will be helpful, as we can better provide direction when you are using a tool we are able to reference.
The image above shows how the value to enter in the Group Filter field was located using the browser. Selecting the cn node below the Groups organizational unit, we find that the objectClass attribute value to use is posixGroup, so the Group Filter becomes (objectClass=posixGroup).