
How to connect to LDAP server

An LDAP server or Active Directory can be used to let users log in to TeskaLabs LogMan.io with their existing directory accounts.

The LDAP connection is configured on TeskaLabs SeaCat Auth (the authorization server within TeskaLabs LogMan.io) through the model.

Find the seacat-auth service in the model and follow this example.

Important

Before you apply changes in the model, upload the secret (in this case LDAP_USER_PASSWORD) to the Vault as described below. The secret has to be in the Vault before the changes are applied, because it is substituted into the SeaCat Auth configuration at apply time.

/Site/model.yaml
define:
  type: rc/model

services:
  ...
  seacat-auth:
    instances:
      - node1  #(1)
    asab:
      config:
        "seacatauth:credentials:ldap:external":
          uri: ldap://ad.company.cz  #(2)
          username: "CN=user,OU=Users_System,DC=company,DC=cz"  #(3)
          attrusername: sAMAccountName  #(4)
          password: "{{LDAP_USER_PASSWORD}}"  #(5)
          base: DC=company,DC=cz
          filter: "(&(objectClass=user)(|(sAMAccountName=novakjan)(sAMAccountName=novotnypavel)))"  #(6)
          attributes: "mail mobile"

secrets:
  LDAP_USER_PASSWORD: {}

1. List of nodes with a seacat-auth instance.
2. URI of your LDAP server.
3. Distinguished name (DN) of the account that SeaCat Auth binds with to search the directory.
4. Directory attribute that holds the user's login name.
5. Placeholder resolved from the Vault at apply time; the password is never written into the model itself.
6. LDAP search filter limiting which directory accounts may log in; this example allows exactly two sAMAccountName values.
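The filter in the example above is written by hand for two accounts. As an added example (not code from the LogMan.io documentation or from SeaCat Auth), the following Python builds the same filter value from a list of allowed logins and escapes every value per RFC 4515, so a login containing filter metacharacters cannot widen the match, and it checks the uri scheme before the value is put into the model. The function names and the ldap_section layout are this example's own assumptions.

```python
"""Build and sanity-check values for the "seacatauth:credentials:ldap:external" section.

Added example; not part of the LogMan.io documentation or of SeaCat Auth itself.
Function names and the ldap_section() layout are assumptions made here.
"""
from urllib.parse import urlsplit

# Characters that RFC 4515 requires to be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_account_filter(accounts, attr="sAMAccountName", object_class="user") -> str:
    """Return a filter that matches only the listed accounts.

    For ["novakjan", "novotnypavel"] this reproduces the filter from the model above:
    (&(objectClass=user)(|(sAMAccountName=novakjan)(sAMAccountName=novotnypavel)))
    """
    if not accounts:
        raise ValueError("at least one account is required")
    for account in accounts:
        if not account or account != account.strip():
            raise ValueError("account names must be non-empty and have no surrounding whitespace")
    clauses = "".join(f"({attr}={escape_filter_value(a)})" for a in accounts)
    # A single account needs no OR-clause; several are wrapped in (|...).
    matcher = clauses if len(accounts) == 1 else f"(|{clauses})"
    return f"(&(objectClass={object_class}){matcher})"


def check_ldap_uri(uri: str):
    """Return (scheme, host, port, encrypted) for an ldap:// or ldaps:// URI.

    Plain ldap:// sends the bind password in cleartext unless StartTLS is used,
    so callers can warn when encrypted is False. Default ports: 389 / 636.
    """
    parts = urlsplit(uri)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme {parts.scheme!r}; expected ldap or ldaps")
    if not parts.hostname:
        raise ValueError("URI has no host")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    return parts.scheme, parts.hostname, port, parts.scheme == "ldaps"


def ldap_section(uri, bind_dn, accounts, base, password_secret="LDAP_USER_PASSWORD",
                 attributes="mail mobile"):
    """Assemble the mapping that goes under "seacatauth:credentials:ldap:external".

    The password is referenced as a Vault placeholder ({{NAME}}), never inlined.
    """
    check_ldap_uri(uri)
    return {
        "uri": uri,
        "username": bind_dn,
        "attrusername": "sAMAccountName",
        "password": "{{%s}}" % password_secret,
        "base": base,
        "filter": build_account_filter(accounts),
        "attributes": attributes,
    }


if __name__ == "__main__":
    # Constructed sample input matching the model above.
    section = ldap_section(
        "ldap://ad.company.cz",
        "CN=user,OU=Users_System,DC=company,DC=cz",
        ["novakjan", "novotnypavel"],
        base="DC=company,DC=cz",
    )
    for key, value in section.items():
        print(f"{key}: {value}")
    # An attacker-controlled login name cannot break out of the filter:
    print(build_account_filter(["a)(objectClass=*"]))
```

The escaping matters whenever the account list is not hand-typed (for example generated from an HR export): without it, a value such as `a)(objectClass=*` would turn the restrictive filter into one that matches every object.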

To save the secret to the Vault, run this command on the LogMan.io host server. Replace the key and the password value according to your needs.

curl -X PUT localhost:8891/vault/LDAP_USER_PASSWORD  --data 'supersecret'

The key (here LDAP_USER_PASSWORD) has to be the same name that is declared in the secrets section of the model. Note that a password given as a literal argument ends up in the shell history and is visible in the process list while curl runs; on a shared host, prefer reading it from a file with --data-binary '@/path/to/file' (as the TLS section below does) or from standard input with --data-binary '@-'.

Then apply the model: click the Apply button in the /Site folder of the Library, or use the command line.

On the host server, in the /opt/site directory, use the command:

./gov.sh up

Secure LDAP connection (LDAPS)

To enable a TLS-protected connection, specify the LDAP uri with the ldaps:// scheme (for example ldaps://ad.company.cz). With plain ldap:// the bind password and all directory traffic are sent unencrypted. Switching the scheme alone does not guarantee that the server certificate is verified; for that, also supply the CA file and set the certificate policy as described next.

Supplying certificate and key files

Depending on your policy, you may want to specify the server CA file and/or the client certificate and key files.

First, make sure the files you need are ready on the server. Then upload them to the Vault, using the same key names that you will declare in the secrets section of the model:

cd /opt/site
./gov.sh curl -X PUT $NODE_ID:8891/vault/LDAP_TLS_CAFILE --data-binary '@/absolute/path/to/cafile.crt'
./gov.sh curl -X PUT $NODE_ID:8891/vault/LDAP_TLS_CERTFILE --data-binary '@/absolute/path/to/certfile.crt'
./gov.sh curl -X PUT $NODE_ID:8891/vault/LDAP_TLS_KEYFILE --data-binary '@/absolute/path/to/keyfile.pem'

Replace $NODE_ID with the node ID (host name) of the server. Keep the private key file readable only by root on the host; once it is in the Vault, the copy on disk is no longer needed.

Now update the /Site/model.yaml file in the Library:

/Site/model.yaml
services:
  ...
  seacat-auth:
    ...
    asab:
      config:
        "seacatauth:credentials:ldap:external":
          ...
          tls_cafile: /conf/tls_cafile.crt  #(3)
          tls_certfile: /conf/tls_certfile.crt
          tls_keyfile: /conf/tls_keyfile.pem
          tls_require_cert: allow  #(4)
    files:  #(2)
      - "/conf/tls_cafile.crt": "{{LDAP_TLS_CAFILE}}"
      - "/conf/tls_certfile.crt": "{{LDAP_TLS_CERTFILE}}"
      - "/conf/tls_keyfile.pem": "{{LDAP_TLS_KEYFILE}}"

secrets:  #(1)
  ...
  LDAP_TLS_CAFILE: {}
  LDAP_TLS_CERTFILE: {}
  LDAP_TLS_KEYFILE: {}

1. Expose the certificates and keys from the Vault in the secrets section.
2. Convert the secrets to files available to the SeaCat Auth service.
3. Link the certificate and key files in the SeaCat Auth LDAP configuration. tls_certfile and tls_keyfile are only needed when the directory requires client certificate authentication; tls_cafile is what lets the server certificate be checked.
4. Server certificate verification policy. Possible options: never, allow, demand, hard. The values follow OpenLDAP's TLS_REQCERT levels: never does not request the server certificate at all, allow requests it but continues even if it is missing or invalid, demand and hard require a valid certificate and abort the connection otherwise. The allow value shown here therefore gives no protection against a spoofed directory server; for production use demand together with tls_cafile, and confirm with a deliberately wrong CA file that the login fails.

Finally, save the changes and apply them using the Apply button in the Library UI or by running /opt/site/gov.sh up on the server.