LDAP
- To resolve a user's groups from an LDAP directory, Fiat binds with a manager account's username and password and then searches for the groups the user belongs to.
- When searching for a user's groups, 'userDnPattern' is used to construct the user's full distinguished name (DN). In the case below, the user's full DN would be 'uid=,ou=users,dc=,dc=<.com/.net>'.
- The search is rooted at 'ou=groups,dc=,dc=net' and looks for directory entries that carry the attribute 'uniqueMember=uid=,ou=users,dc=,dc=<.com/.net>', which is the structure used by the 'groupOfUniqueNames' group standard.
- The group or role name is extracted with 'groupRoleAttribute'. In the example, every entry that passes the filter has its cn (common name) attribute returned as the role name.
- Use Halyard to configure Fiat with the LDAP manager credentials and search patterns:

```shell
hal config security authz ldap edit \
  --url ldaps://<ldap.mydomain.net>:636/dc=mydomain,dc=net \
  --manager-dn uid=admin,ou=system \
  --manager-password \
  --user-dn-pattern uid={0},ou=users \
  --group-search-base ou=groups \
  --group-search-filter "(uniqueMember={0})" \
  --group-role-attributes cn
```
- Now set the security authorization type to LDAP:

```shell
hal config security authz edit --type ldap
```

- Enable LDAP authorization:

```shell
hal config security authz enable
```
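As an added illustration (not Fiat's own code), the following Python models the group lookup the steps above describe, using the values from the hal command and a constructed in-memory directory in place of a live LDAP server. It also shows two details worth checking in a real deployment: uniqueMember values are compared as DNs rather than raw strings, and the username is validated before it is spliced into the DN pattern and the search filter.

```python
import re

# Values taken from the hal flags above; BASE_DN is the path part of --url.
BASE_DN = "dc=mydomain,dc=net"
USER_DN_PATTERN = "uid={0},ou=users"        # --user-dn-pattern, relative to BASE_DN
GROUP_SEARCH_BASE = "ou=groups"             # --group-search-base, relative to BASE_DN
GROUP_SEARCH_FILTER = "(uniqueMember={0})"  # --group-search-filter
GROUP_ROLE_ATTRIBUTE = "cn"                 # --group-role-attributes

# Constructed sample directory (DN -> attributes) standing in for the LDAP server.
DIRECTORY = {
    "cn=devops,ou=groups,dc=mydomain,dc=net": {"cn": ["devops"], "uniqueMember": [
        "uid=alice,ou=users,dc=mydomain,dc=net",
        "UID=bob, OU=users, DC=mydomain, DC=net"]},   # DNs match case/space-insensitively
    "cn=auditors,ou=groups,dc=mydomain,dc=net": {"cn": ["auditors"], "uniqueMember": [
        "uid=bob,ou=users,dc=mydomain,dc=net"]},
    "cn=admins,ou=system,dc=mydomain,dc=net": {"cn": ["admins"], "uniqueMember": [
        "uid=alice,ou=users,dc=mydomain,dc=net"]},   # outside the group search base
}


def normalize_dn(dn: str) -> str:
    """Canonical form for DN matching: lower-case, no whitespace around RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def resolve_roles(username: str) -> list[str]:
    """Return the role names Fiat would derive for `username` (the cn of each matching group)."""
    # The username is spliced into a DN and a filter, so reject DN/filter metacharacters.
    if not re.fullmatch(r"[A-Za-z0-9._-]+", username):
        raise ValueError("username contains characters that are unsafe in a DN or filter")
    user_dn = USER_DN_PATTERN.replace("{0}", username) + "," + BASE_DN
    search_base = normalize_dn(GROUP_SEARCH_BASE + "," + BASE_DN)
    # Only the documented single-attribute filter shape "(attr={0})" is modelled here.
    match = re.fullmatch(r"\((\w+)=\{0\}\)", GROUP_SEARCH_FILTER)
    if not match:
        raise ValueError("unsupported group search filter: " + GROUP_SEARCH_FILTER)
    member_attr = match.group(1)
    roles = []
    for dn, attrs in DIRECTORY.items():
        if not normalize_dn(dn).endswith("," + search_base):  # subtree scope under the base
            continue
        members = {normalize_dn(v) for v in attrs.get(member_attr, [])}
        if normalize_dn(user_dn) in members:
            roles.extend(attrs.get(GROUP_ROLE_ATTRIBUTE, []))
    return sorted(roles)


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, "->", resolve_roles(user))
```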