Introduction to Abiquo and LDAP and Active Directory
The LDAP/Active Directory (AD) integration allows delegation of authentication to your organization's LDAP/AD server.
When you enable LDAP/AD, Abiquo database authentication can still be used.
This feature should be enabled and configured immediately after you install Abiquo to ensure security and user coherence.
The admin user has a Cloud Admin role that cannot be modified or disabled.
It is also possible to create additional Cloud Admin type users through LDAP/AD.
From Abiquo 6.0.3 it is possible to enable LDAP/AD and Abiquo database authentication with Abiquo properties.
See “Use LDAP and Active Directory integration and basic authentication together” below.
...
Configure the LDAP/AD integration
...
After you have completed the configuration, allow your users to log in using LDAP authentication.
...
Configure Abiquo properties
To support LDAP/AD, configure the following properties. See also the LDAP section in Abiquo configuration properties.
Property | Default value | Explanation |
---|---|---|
abiquo.auth.module | abiquo | Whether Abiquo should authenticate only via database or it should also authenticate against LDAP/Active Directory. |
abiquo.ldap.authentication.server.url | | URL of LDAP/Active Directory server |
abiquo.ldap.authentication.server.port | 389 | Port to connect to on LDAP/Active Directory server. |
abiquo.ldap.authentication.server.protocol | ldap | Protocol to be used when authenticating to LDAP/Active Directory. Values: ldap , ldaps |
abiquo.ldap.authentication.server.baseDN | | Base Distinguished Name of the LDAP/Active Directory. |
abiquo.ldap.authentication.custom.userDnPattern | cn={0},CN=Users | Use this property to tell Abiquo to perform an additional custom query against the specified schema in the LDAP/Active Directory. |
abiquo.ldap.authentication.attribute.enterprise | organizationname | The attribute in LDAP/Active Directory to look up the Enterprise Name which must be an Enterprise in Abiquo. |
abiquo.ldap.authentication.autoUserCreation | true | Whether Abiquo must create a user in Abiquo based on a successful login to LDAP |
...
Use LDAP and Active Directory integration and basic authentication together
In versions prior to 6.0.3, you could use LDAP/AD and basic authentication at the same time.
With this configuration the platform blocked the Abiquo user management functionality.
Code Block |
---|
abiquo.auth.module=ldap,abiquo |
Now in 6.0.3, you should always set LDAP/AD as the only authentication module.
Code Block |
---|
abiquo.auth.module=ldap |
This is the recommended configuration.
In Abiquo 6.0.3, you can also enable basic authentication by setting an additional LDAP mode property.
Code Block |
---|
abiquo.ldap.mode=multi |
With this configuration you can create new users in Abiquo and in LDAP/AD.
This configuration does not support duplicate username values for the different authentication types, and affected users will receive a login error.
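The following added example (not Abiquo code) lints a properties file against the property table and the authentication-module guidance above. The sample file, the check names and the function names are constructed for illustration. The CLEARTEXT check assumes that protocol ldap means no transport encryption, and the PORT check relies on 636 being the conventional LDAPS port; neither point is stated on this page.

```python
# Added example: lint LDAP settings using the property names and defaults listed on this page.
DEFAULTS = {
    "abiquo.auth.module": "abiquo",
    "abiquo.ldap.authentication.server.port": "389",
    "abiquo.ldap.authentication.server.protocol": "ldap",
}

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def lint(text):
    """Return (check_id, message) findings; check ids are hypothetical names."""
    p = {**DEFAULTS, **parse_properties(text)}
    modules = [m.strip() for m in p["abiquo.auth.module"].split(",")]
    if "ldap" not in modules:
        return [("LDAP_OFF", "abiquo.auth.module does not include ldap")]
    findings = []
    if modules != ["ldap"]:
        findings.append(("LEGACY_MODULES", "from 6.0.3 set abiquo.auth.module=ldap "
                         "and use abiquo.ldap.mode=multi for database logins"))
    proto = p["abiquo.ldap.authentication.server.protocol"]
    port = p["abiquo.ldap.authentication.server.port"]
    if proto == "ldap":  # assumption: plain LDAP, no transport encryption
        findings.append(("CLEARTEXT", "protocol=ldap; prefer ldaps so binds are encrypted"))
    elif proto == "ldaps" and port == "389":
        findings.append(("PORT", "ldaps with port 389; LDAPS normally listens on 636"))
    if p.get("abiquo.ldap.mode") == "multi":
        findings.append(("DUP_USERS", "multi mode: usernames must be unique across "
                         "LDAP/AD and database users"))
    return findings

SAMPLE = """\
# constructed sample, not a real deployment
abiquo.auth.module=ldap,abiquo
abiquo.ldap.authentication.server.url=ldap.example.test
abiquo.ldap.authentication.server.protocol=ldaps
"""

if __name__ == "__main__":
    for check_id, message in lint(SAMPLE):
        print(f"{check_id}: {message}")
```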
...
Information that Abiquo retrieves to create users
...
To perform a login and retrieve the currently logged-in user, the API has a LoginResource. This is a secure resource that can only be accessed after a successful login.
...
Troubleshooting LDAP and Active Directory
Abiquo DOES NOT support switching authentication modes after installation. However:
...