
Introduction to Abiquo and LDAP and Active Directory

The LDAP/Active Directory (AD) integration allows delegation of authentication to your organization's LDAP/AD server.

  • When you enable LDAP/AD, Abiquo database authentication can still be used

  • This feature should be enabled and configured immediately after you install Abiquo to ensure security and user coherence.

    • The admin user has a Cloud Admin role that cannot be modified or disabled

    • It is also possible to create additional Cloud Admin type users through LDAP/AD

From Abiquo 6.0.3 it is possible to enable LDAP/AD and Abiquo database authentication with Abiquo properties.

  • See “Use LDAP and Active Directory integration and basic authentication together” below


Configure the LDAP/AD integration

To configure the LDAP/AD integration do these steps:

  1. Configure the Abiquo Properties as described below

  2. Check that LDAP/AD users have all the information to be passed to Abiquo, as described below

  3. Log in to Abiquo as the admin user. Remember to set a secure password

  4. In Abiquo, create the following entities to match your LDAP/AD entities:

    1. Abiquo enterprises with names matching the value of the appropriate attribute in LDAP/AD. For details of how to create an enterprise, see Manage enterprises

    2. Abiquo roles with the External roles attribute set to the LDAP/AD groups of the role, see Manage Roles

      1. To use external roles, enter the role name only, for example:

        • External roles:  

          • my_ldap_role_01

          • my_ldap_role_02

After you have completed the configuration, allow your users to log in using LDAP authentication.


Configure Abiquo properties

To support LDAP/AD, configure the following properties. See also the ldap section in Abiquo configuration properties.

Property: abiquo.auth.module
  Default value: abiquo
  Explanation: Whether Abiquo should authenticate only via the database or also against LDAP/Active Directory. Values: abiquo, ldap, openid, saml

Property: abiquo.ldap.authentication.server.url
  Default value: none
  Explanation: URL of the LDAP/Active Directory server.

Property: abiquo.ldap.authentication.server.port
  Default value: 389
  Explanation: Port to connect to on the LDAP/Active Directory server. You must enter this property, even if it is the default value.

Property: abiquo.ldap.authentication.server.protocol
  Default value: ldap
  Explanation: Protocol to use when authenticating to LDAP/Active Directory. Values: ldap, ldaps

Property: abiquo.ldap.authentication.server.baseDN
  Default value: none
  Explanation: Base Distinguished Name of the LDAP/Active Directory. Usually it is the Domain Controller (or Domain in Windows). For example, if the domain is office1.mycompany.com, you would enter "DC=office1,DC=mycompany,DC=com".

Property: abiquo.ldap.authentication.custom.userDnPattern
  Default value: cn={0},CN=Users
  Explanation: Use this property to tell Abiquo to perform an additional custom query against the specified schema in the LDAP/Active Directory. This value is required. With the default value, Abiquo does not perform an additional query. For a non-standard schema, enter the userDN pattern needed to bind to LDAP/AD successfully.

Property: abiquo.ldap.authentication.attribute.enterprise
  Default value: organizationname
  Explanation: The attribute in LDAP/Active Directory to look up the Enterprise Name, which must be an Enterprise in Abiquo.
    • In OpenLDAP this value normally defaults to 'o'.
    • In Active Directory it defaults to 'company', but you could map it to 'department'.

Property: abiquo.ldap.authentication.autoUserCreation
  Default value: true
  Explanation: Whether Abiquo must create a user in Abiquo after a successful login to LDAP


Use LDAP and Active Directory integration and basic authentication together

In versions prior to 6.0.3, you could use LDAP/AD and basic authentication at the same time.

With this configuration the platform blocked the Abiquo user management functionality.

abiquo.auth.module=ldap,abiquo

Now in 6.0.3, you should always set LDAP/AD as the only authentication module.

abiquo.auth.module=ldap

This is the recommended configuration.

In Abiquo 6.0.3, you can also enable basic authentication by setting an additional LDAP mode property.

abiquo.ldap.mode=multi

With this configuration you can create new users in Abiquo and in LDAP/AD.

This configuration does not support duplicate username values across the different authentication types; affected users will receive a login error.


Information that Abiquo retrieves to create users

In LDAP/AD mode, at first login, Abiquo will retrieve the following information from LDAP/AD to create the users.

  • Enterprise: from the attribute defined by the abiquo.ldap.authentication.attribute.enterprise property (e.g. organizationname, "o", department, or company)

  • Full name: the user's given name and surname

  • Role: from the groups of the user that match a single Abiquo role by its External roles attribute

  • Username: the Distinguished Name (DN) of the user

  • Email: the contact e-mail address of the user for notifications. If this value is not present at user creation, you can enter it in Abiquo later

  • Phone: the phone number of the user. The platform will not validate this field

  • Description: the description of the user


Updating users in Abiquo

In LDAP/AD mode:

  • You cannot update the user's enterprise in Abiquo. The platform will overwrite it from LDAP/AD the next time the user logs in. 

    • Administrators can still switch enterprises while they are logged in

  • You cannot update the user's role in Abiquo. The platform will overwrite it from LDAP/AD at next login

  • You can update the user's details, e.g. email address and phone number


Supported username forms

Abiquo currently supports these username forms:

You can use any of these forms and even switch from one to another without adding extra users to the Abiquo database. Each user will only have one database entry.


Tested implementations



Login resource

API Documentation

For the Abiquo API documentation of this feature, see Abiquo API Resources and the page for this resource LoginResource.


To perform a login and retrieve the currently logged-in user, the API has a LoginResource. This is a secure resource that can only be accessed after a successful login.


Troubleshooting LDAP and Active Directory

Abiquo DOES NOT support switching authentication modes after installation. However:

  • If you need to switch from Abiquo to LDAP/AD authentication, delete or disable the accounts of previously created Abiquo users to prevent them from logging in

  • If you need to switch from LDAP/AD to another authentication type, LDAP/AD users will not be able to log in because the password field is blank.

If automatic user creation fails, the login also fails and the platform returns a 401 (Bad Credentials) error. This may be because Abiquo cannot link the user entry in LDAP/AD to an active Enterprise in the Abiquo database. Check that there is an appropriate enterprise attribute in LDAP/AD and that there is a matching enterprise in Abiquo; there should be debugging output in the platform logs. The attribute that Abiquo looks up is configured in the abiquo.properties file (abiquo.ldap.authentication.attribute.enterprise). The user's Enterprise can be modified in Abiquo, but it will be overwritten at each new login.

Remember that the user's groups may match only one Abiquo role.

If you are using a non-standard schema, and the integration fails, check that you correctly set the abiquo.ldap.authentication.custom.userDnPattern to define the userDN pattern.

If you have connection timeout issues, you can also set the connection timeout and read timeout in abiquo.properties. See Abiquo configuration properties#ldap

Abiquo does not guarantee the uniqueness of users based on their username alone. Abiquo users are made unique by username + authType, where authType is the authentication module the user logs in against. So it is possible to have more than one user with the same username as long as their authType is different, and the platform should log in the appropriate user based on the authentication module property.
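As an added example (not Abiquo's own code), the following Python preflight check applies the rules from the property table and the troubleshooting notes above to a constructed abiquo.properties fragment and a constructed AD user entry: it derives the bind DN from userDnPattern and baseDN, checks the enterprise attribute against the Abiquo enterprises, and checks that the user's groups match exactly one role's External roles. The host, enterprise and group names are hypothetical, and it assumes that userDnPattern is relative to baseDN and that external roles are matched on the group's CN.

```python
# Constructed abiquo.properties fragment; host, enterprise and group names are examples
ABIQUO_PROPERTIES = """
abiquo.auth.module=ldap
abiquo.ldap.authentication.server.url=ldap.office1.mycompany.example
abiquo.ldap.authentication.server.port=636
abiquo.ldap.authentication.server.protocol=ldaps
abiquo.ldap.authentication.server.baseDN=DC=office1,DC=mycompany,DC=com
abiquo.ldap.authentication.custom.userDnPattern=cn={0},CN=Users
abiquo.ldap.authentication.attribute.enterprise=company
"""
# Constructed AD user entry as a directory search would return it (hypothetical names)
SAMPLE_ENTRY = {
    "cn": "jdoe", "givenName": "Jane", "sn": "Doe", "company": "Marketing",
    "memberOf": ["CN=my_ldap_role_01,OU=Groups,DC=office1,DC=mycompany,DC=com"],
}
ABIQUO_ENTERPRISES = {"Marketing", "Engineering"}
# Abiquo role name -> group names entered in that role's External roles attribute
ABIQUO_ROLES = {"ENTERPRISE_ADMIN": {"my_ldap_role_01"}, "USER": {"my_ldap_role_02"}}

def parse_properties(text):
    """Minimal key=value parser; split on the first '=' so DN values keep theirs."""
    props = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def bind_dn(props, username):
    """DN Abiquo binds with; assumes the pattern is relative to baseDN (Spring LDAP convention)."""
    pattern = props["abiquo.ldap.authentication.custom.userDnPattern"]
    return pattern.replace("{0}", username) + "," + props["abiquo.ldap.authentication.server.baseDN"]

def group_cn(group_dn):  # External roles hold the group name only, so match on the group's CN
    return group_dn.split(",", 1)[0].split("=", 1)[1]

def preflight(props, entry, enterprises=ABIQUO_ENTERPRISES, roles=ABIQUO_ROLES):
    """List the problems that would make the user's first login fail with 401 Bad Credentials."""
    problems = []
    attr = props["abiquo.ldap.authentication.attribute.enterprise"]
    enterprise = entry.get(attr)
    if not enterprise:
        problems.append(f"user has no '{attr}' attribute to map to an Abiquo enterprise")
    elif enterprise not in enterprises:
        problems.append(f"no Abiquo enterprise named '{enterprise}'")
    groups = {group_cn(g) for g in entry.get("memberOf", [])}
    matched = [role for role, external in roles.items() if external & groups]
    if len(matched) != 1:
        problems.append(f"user's groups match {len(matched)} Abiquo roles; exactly one is required")
    return problems
```

Run preflight against an export of your real user entries before enabling LDAP/AD to find entries that would fail auto-creation.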
