LDAP Authentication Module
An LDAP authentication module lets users log in to Hub and any connected services with credentials that are stored in a directory service. Hub provides pre-configured authentication modules for LDAP, OpenLDAP, and Active Directory. You can configure a module to use the standard LDAP scheme or LDAPS over SSL.
The LDAP authentication module does not import all of the user accounts from the directory service. Hub only creates a user account when an unregistered user first logs in to Hub or a connected service.
When LDAP authentication is enabled, Hub checks the directory service for each login attempt. Users who have been removed from the directory service cannot log in to Hub.
Prerequisites
If you want to authenticate over SSL, import the trusted SSL certificate and key store before you enable the authentication module. For more information, see SSL Key Stores.
Enable LDAP Authentication
To allow users stored in a directory service to log in to Hub, enable an LDAP authentication module.
To enable LDAP authentication:
- In the Access Management section of the Administration menu, select .
- From the Add Module drop-down list, select the option that corresponds to the directory service you want to enable. You can select LDAP, OpenLDAP, or Active Directory.
- In the Add Module dialog, enter values for the following settings:
Field | Description |
---|---|
Name | Enter a name for the authentication module. |
Server | Enter the server address of the directory service. |
Port | Enter the number of the port used to communicate with the directory service. |
SSL | Select this option to authenticate over SSL. |
Search Base | Enter the domain components that define the top-level LDAP DN where user accounts are stored. For example, if your company uses the domain mycompany.com, enter the top-level LDAP DN dc=mycompany,dc=com. |
The value entered in the Search Base field is added to the LDAP URL and cannot contain unsafe characters.
If you use organizational units to manage users, create separate auth modules for each organization. Include the organizational unit in the search base to create a unique LDAP URL for each module. LDAP authentication modules do not support recursive search in the LDAP tree.
- Click the Create Module button.
- The LDAP authentication module is enabled. The current status of the module is displayed next to the name of the module in the header.
- The Auth Modules page displays the settings for the LDAP authentication module. The module is pre-configured with standard settings that are based on the information you provided in the Add Module dialog. For additional information about the settings on this page, see the Settings section.
Test the Connection to your Directory Service
To verify that the LDAP authentication module is connected to your directory service, test the connection.
To test the connection:
Settings
Use the following settings to fine-tune the connection to your directory service.
Field | Description |
---|---|
Type | Displays the type of directory service that is enabled for third-party authentication in Hub. |
Name | Stores the name of the authentication module. Use this setting to distinguish this module from other authentication modules in the Auth Modules list. |
Server URL | Stores the LDAP URL of the directory service used to authenticate a login request in Hub. The LDAP URL uses the format |
SSL key store | Select an uploaded SSL key store to encrypt the connection between Hub and the directory service. For more information about managing key stores in Hub, see SSL Key Stores. Also, see the Set Up SSL Keys for SAML 2.0 page: You can follow the procedure to create a key store and use it here. |
Bind account | Determines which account is used for the LDAP bind request. For more information, see Bind Account Options. |
Bind DN | Stores the value that is used to bind with the directory service. For more information, see Bind Account Options. |
Filter | Stores an expression that locates the record for a specific user in the LDAP service. The substitution variable in the expression is replaced with the value entered as the username or email on the login page. |
Bind Account Options
You can configure the module to perform the bind request with the LDAP service in one of two ways. The method used is determined by the option selected for the Bind account setting.
The value that you use for the Bind DN setting depends on the option that you select for the Bind account setting. Use the following guidelines to set the value for the Bind DN setting:
Attribute Mapping
When Hub finds a record in the LDAP service that matches a filter, it fetches values from the LDAP attributes that are specified for each field and copies them to the user profile in Hub. Use the following settings to define the filter criteria and map attributes that are stored in your directory service to user accounts in Hub.
Additional Settings
The following options are located at the bottom of the page. Use these settings to manage Hub account creation, group membership, and connection options.
Sample Configurations
Service Type | Setting | Value |
---|---|---|
LDAP | Server URL | ldap://ldap.company.com:389/dc=company,dc=com |
 | SSL key store | No |
 | Bind DN | uid=%u,ou=People |
 | Filter | uid=%u |
LDAP over SSL | Server URL | ldaps://ldap.company.com:636/dc=company,dc=com |
 | SSL key store | LDAP SSL |
 | Bind DN | uid=%u,ou=People |
 | Filter | uid=%u |
OpenLDAP | Server URL | ldap://ldap.company.com:389/dc=company,dc=com |
 | SSL key store | No |
 | Bind DN | uid=%u,dc=company,dc=com |
 | Filter | uid=%u |
OpenLDAP over SSL | Server URL | ldaps://ldap.company.com:636/dc=company,dc=com |
 | SSL key store | LDAP SSL |
 | Bind DN | uid=%u,dc=company,dc=com |
 | Filter | uid=%u |
Active Directory | Server URL | ldap://ldap.company.com:389/dc=company,dc=com * |
 | SSL key store | No |
 | Bind DN | %u@company.com |
 | Filter | sAMAccountName=%u |
Active Directory over SSL | Server URL | ldaps://ldap.company.com:636/dc=company,dc=com * |
 | SSL key store | Active Directory SSL |
 | Bind DN | %u@company.com |
 | Filter | sAMAccountName=%u |
* Replace company.com with the domain name of the Active Directory.
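The Filter and Bind DN settings above are templates in which %u is replaced by whatever the user typed on the login page, and the Search Base is spliced into the Server URL. The added example below (our own code, not Hub's implementation) expands those templates for the sample configurations and applies the RFC 4515 filter escaping, RFC 4514 DN escaping, and URL percent-encoding that keep a login name or search base from changing the meaning of the query; all function names are our own.

```python
"""Expand Hub-style %u templates safely (added example, not Hub's own code)."""
from urllib.parse import quote

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a login name so it can only match as a literal attribute value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 section 2.4 escaping for an attribute value inside a DN."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (ch == "#" and i == 0):
            out.append("\\" + ch)
        elif ch == " " and i in (0, len(value) - 1):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def expand_filter(template: str, username: str) -> str:
    """Expand %u in a Filter template such as 'uid=%u' or 'sAMAccountName=%u'.
    Without escaping, a login name like '*)(uid=*' would rewrite the filter."""
    return template.replace("%u", escape_filter_value(username))


def expand_bind_dn(template: str, username: str) -> str:
    """Expand %u in a DN-style Bind DN template such as 'uid=%u,ou=People'.
    (The Active Directory form '%u@company.com' is a UPN, not a DN, so it is
    not passed through this helper.)"""
    return template.replace("%u", escape_dn_value(username))


def server_url(host: str, port: int, search_base: str, ssl: bool = False) -> str:
    """Compose a Server URL like ldap://ldap.company.com:389/dc=company,dc=com.
    The search base is percent-encoded (RFC 4516) so characters that are unsafe
    in a URL cannot alter the host, port or DN part of the address."""
    scheme = "ldaps" if ssl else "ldap"
    return f"{scheme}://{host}:{port}/{quote(search_base, safe='=,')}"
```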