| Div | ||
|---|---|---|
| ||
|
...
The LDAP/Active Directory (AD) integration allows delegation of authentication to your organization's LDAP/AD server.The main steps to configure
- When you enable LDAP/AD
...
- Configure the Abiquo Properties.
- Create LDAP/AD users and enter all information to be passed to Abiquo including the fields for the Abiquo Enterprise and Role.
- Create matching Enterprise and Role in Abiquo (see Manage Enterprises and Manage Roles).
Configuring Abiquo to Log In Against LDAP/Active Directory
...
| title | Attention |
|---|
- , Abiquo authentication can still be used
- This feature should be enabled and configured immediately after you install Abiquo to
...
- ensure security and user coherence.
- The admin user has a Cloud Admin role that cannot be modified or disabled
To support LDAP/AD, new properties have been added to the Abiquo configuration file (abiquo.properties). The most important of these properties is abiquo.auth.module, which actually sets the authentication mode. This property must have one of the following values:
- abiquo: to log in against Abiquo database. Default mode.
- ldap: to log in against a configured LDAP/AD server.
Turn LDAP mode on by modifying the abiquo.auth.module property to 'ldap'. Users created in the Abiquo database will still be able to log in to Abiquo. To prevent those users from logging in to Abiquo you must manually disable them.
When operating in 'ldap' mode:
- Abiquo user creation is disabled.
- Abiquo user edition is enabled with two restrictions:
- Roles cannot be changed for LDAP users. Roles will be synchronized with LDAP every time the user performs a successful login.
- Enterprise can be modified but it will be overwritten the next time the user performs a successful login. This allows users with the administer all enterprises privilege to use the impersonate feature to administer any enterprise.
Abiquo Cloud Admin User
The Abiquo admin user has a Cloud Administrator role and it cannot be modified or disabled. The Cloud Admin should log in with this admin user, set a very secure password, and configure the enterprises and roles for LDAP. The Cloud Admin may also configure an LDAP Cloud Administrator user.
LDAP/AD Abiquo Configuration Properties
The following properties are used for configuring LDAP/AD integration. All of these properties are explained in the Abiquo Configuration Properties section.
...
| class | tinycode |
|---|
- It is also possible to create additional Cloud Admin type users through LDAP/AD
Configure the LDAP/AD integration
To configure the LDAP/AD integration do these steps:
- Configure the Abiquo Properties as described below
- Check LDAP/AD users have all information to be passed to Abiquo as described below
- Log in to Abiquo as the admin user. Remember to set a secure password
- In Abiquo, create the following entities to match your LDAP/AD entities:
- Abiquo enterprises, see Manage Enterprises
- Abiquo roles, see Manage Roles
After you have completed the configuration, allow your users to log in using LDAP authentication
Configure Abiquo properties
To support LDAP/AD configure the following properties. See also Abiquo Configuration Properties#ldap
Property | Default Value | Explanation _____________________________________________ |
|---|---|---|
abiquo.auth.module | abiquo | Whether Abiquo should authenticate only via |
...
database or it should also authenticate against LDAP/Active Directory. | ||
abiquo.ldap.authentication.server.url |
| URL of LDAP/Active Directory server |
...
abiquo.ldap.authentication.server.port | 389 | Port to connect to on LDAP/Active Directory |
...
server. |
...
, even if |
...
it is |
...
the default |
...
value | ||
abiquo.ldap.authentication.server.protocol | ldap | Protocol to be used when authenticating to |
...
LDAP/Active Directory. Values: ldap , ldaps | ||
abiquo.ldap.authentication.server.baseDN |
| Base Distinguished Name of the LDAP/Active Directory. |
abiquo.ldap.authentication.custom.userDnPattern | cn={0},CN=Users | Use this property to tell Abiquo |
...
to perform an additional custom query against the specified schema in the LDAP/Active Directory. |
abiquo.ldap.authentication. |
...
attribute.enterprise | organizationname | The attribute in LDAP/Active Directory to look up the Enterprise Name which must be an Enterprise in Abiquo |
...
Notes about the properties:
...
. |
...
|
...
Automatic User Creation
When working in LDAP mode the manual user creation in Abiquo is disabled. When the user successfully logs in against LDAP/AD, Abiquo will perform a look-up in the local database to check if the user already exists. If the user does not exist (first login), it will be automatically created. The information will be retrieved from LDAP/AD server. After the user has been created, the user's details can be modified, except for the Role.
| Note | ||
|---|---|---|
| ||
After users have been created at first login, the only user information that is synchronized between Abiquo and LDAP/AD is the Role and the Enterprise. |
LDAP/AD Enterprises
...
| abiquo.ldap.authentication.autoUserCreation | true | Whether Abiquo must create a user in Abiquo based on a successful login to LDAP |
Information that Abiquo retrieves to create users
In LDAP/AD mode, at first login, Abiquo will retrieve the following information from LDAP/AD to create the users.
Field | Description |
|---|---|
Enterprise | From the attribute defined by the abiquo.ldap.authentication.attribute.enterprise |
...
LDAP/AD Emails
Users created automatically with no email information in LDAP/AD will not receive system notifications. We recommend that you complete the 'email' field in LDAP/AD before first login or modify the Abiquo user details afterwards.
LDAP/AD Roles
After a user logs in, the platform grants them the role that is mapped to their LDAP/AD groups in the platform, first in their tenant or else at a global level. Abiquo allows only one role per user, so we recommend that you map each set of user groups to a single Abiquo role at the enterprise and/or global level. The user's role is synchronized between LDAP/AD and the Abiquo database.
LDAP/AD User Uniqueness
Users that were automatically created are labeled with 'LDAP' in the authType column in the Abiquo database. And the username will be the Distinguished Name (DN) of the user in LDAP/AD. The user is unique because it is a combination of the username and authtype. Toggling between authentication modes is not supported, but it is possible to swap to LDAP mode after installation by changing the appropriate properties. So if you install Abiquo and later decide to change to LDAP mode, users will still be unique.
...
property | |
| Full Name | The user's given name and surname. |
Role | From the groups of the user that match a single Abiquo role by its External roles attributes |
Username | The Distinguished Name (DN) of the user |
The contact e-mail address of the user for notifications. If this value is not present at user creation, you can enter it in Abiquo later | |
| Phone | The phone number of the user. The platform will not validate this field |
| Description | The description of the user |
Updating users in Abiquo
In LDAP/AD mode:
- You cannot update the user's enterprise in Abiquo. The platform will overwrite it from LDAP/AD the next time the user logs in.
- Administrators can still switch enterprises while they are logged in
- You cannot update the user's role in Abiquo. The platform will overwrite it from LDAP/AD at next login
- You can update the user's details, e.g. email address and phone number
Supported username forms
Abiquo currently supports these username forms:
- username
- username@full.dn
- domain\username
- displayname
You can use any of these and even switch from one to another and this will not add extra users to the Abiquo database. Each user will only have one database entry.
Tested Implementations
| Insert excerpt | ||||||
|---|---|---|---|---|---|---|
|
Login Resource
To perform a login, and retrieve the currently logged in user , a new resource has been published in the API. Please see the API Documentation for further informationthe API has a LoginResource. This is a secure resource that can only be accessed after a successful login.
Switching Authentication Modes
...
| title | Warning |
|---|
...
Troubleshooting
Abiquo DOES NOT support switching authentication modes after installation.
...
However:
If you need to switch from Abiquo to LDAP/AD
...
authentication, to prevent previously created Abiquo users from logging in, delete or disable their accounts
If you need to switch from LDAP/AD to another authentication type, LDAP/AD users will not be able to log in because the password field is blank.
If the automatic user creation fails, as does the login, and the platform returns a 401 (Bad Credentials) error, it may be that Abiquo cannot link the user entry in LDAP/AD to an active Enterprise in the Abiquo database. Check if there is an appropriate enterprise attribute in LDAP/AD and that there is a matching enterprise in Abiquo. There should be debugging output in the platform logs. The property that Abiquo will look up should be configured in the abiquo.properties file (abiquo.ldap.authentication.attribute.enterprise). The user's Enterprise can be modified but it will be overwritten at each new login.
Remember that the user's group may only match to one Abiquo role.
If you are using a non-standard schema, and the integration fails, check that you correctly set the abiquo.ldap.authentication.custom.userDnPattern to define the userDN pattern.
If you are have connection timeout issues, you can also set the connection timeout and read timeout in abiquo.properties. See Abiquo Configuration Properties#ldap
Abiquo does not guarantee the uniqueness of users based on their username. Abiquo users are made unique by username + authType. AuthType is what the user is logged in against. So it is possible to have more than one user with the same username as long as their 'AuthType' is different . This means that you will not have problems with LDAP/AD users not being able to log in because of another user with the same username. But it also means that if you are delegating authentication to a centralized server in your company and you want this server to be the only authorities provider, you must either delete or disable any previously created users or else those users are also able to log in.
Switching from LDAP/AD to Abiquo Database Authentication
This should not cause problems. LDAP/AD users will not be able to log in because the password field is blank.
Tested Implementations
...
the platform should log in the appropriate user based on the authentication module property.