| Table of Contents |
|---|
...
- When you enable LDAP/AD, Abiquo database authentication can still be used
- This feature should be enabled and configured immediately after you install Abiquo to ensure security and user coherence.
- The admin user has a Cloud Admin role that cannot be modified or disabled
- It is also possible to create additional Cloud Admin type users through LDAP/AD
Configure the LDAP/AD integration
To configure the LDAP/AD integration do these steps:
...
After you have completed the configuration, allow your users to log in using LDAP authentication
Configure Abiquo properties
To support LDAP/AD configure the following properties. See also Abiquo configuration properties#ldap
Property | Default Valuevalue | Explanation _____________________________________________ |
|---|---|---|
abiquo.auth.module | abiquo | Whether Abiquo should authenticate only via database or it should also authenticate against LDAP/Active Directory. |
abiquo.ldap.authentication.server.url |
| URL of LDAP/Active Directory server |
abiquo.ldap.authentication.server.port | 389 | Port to connect to on LDAP/Active Directory server. |
abiquo.ldap.authentication.server.protocol | ldap | Protocol to be used when authenticating to LDAP/Active Directory. Values: ldap , ldaps |
abiquo.ldap.authentication.server.baseDN |
| Base Distinguished Name of the LDAP/Active Directory. |
abiquo.ldap.authentication.custom.userDnPattern | cn={0},CN=Users | Use this property to tell Abiquo to perform an additional custom query against the specified schema in the LDAP/Active Directory. |
abiquo.ldap.authentication.attribute.enterprise | organizationname | The attribute in LDAP/Active Directory to look up the Enterprise Name which must be an Enterprise in Abiquo.
|
| abiquo.ldap.authentication.autoUserCreation | true | Whether Abiquo must create a user in Abiquo based on a successful login to LDAP |
Information that Abiquo retrieves to create users
In LDAP/AD mode, at first login, Abiquo will retrieve the following information from LDAP/AD to create the users.
Field | Description |
|---|---|
Enterprise | From the attribute defined by the abiquo.ldap.authentication.attribute.enterprise property |
| Full Name | The user's given name and surname. |
Role | From the groups of the user that match a single Abiquo role by its External roles attributes |
Username | The Distinguished Name (DN) of the user |
The contact e-mail address of the user for notifications. If this value is not present at user creation, you can enter it in Abiquo later | |
| Phone | The phone number of the user. The platform will not validate this field |
| Description | The description of the user |
Updating users in Abiquo
In LDAP/AD mode:
- You cannot update the user's enterprise in Abiquo. The platform will overwrite it from LDAP/AD the next time the user logs in.
- Administrators can still switch enterprises while they are logged in
- You cannot update the user's role in Abiquo. The platform will overwrite it from LDAP/AD at next login
- You can update the user's details, e.g. email address and phone number
Supported username forms
Abiquo currently supports these username forms:
...
You can use any of these and even switch from one to another and this will not add extra users to the Abiquo database. Each user will only have one database entry.
Tested
...
implementations
| Include Page | ||||
|---|---|---|---|---|
|
Login
...
resource
| Tip | ||
|---|---|---|
| ||
For the Abiquo API documentation of this feature, see Abiquo API Resources and the page for this resource LoginResource. |
...
To perform a login, and retrieve the currently logged in user the API has a LoginResource. This is a secure resource that can only be accessed after a successful login.
Troubleshooting
Abiquo DOES NOT support switching authentication modes after installation. However:
...