LDAP Authentication
Overview
LDAP (Lightweight Directory Access Protocol) is a protocol designed to manage and access distributed directory information services over an Internet Protocol network. LDAP is used to store and retrieve data in a hierarchical directory structure, such as usernames and passwords, organizational units, and configuration settings. It facilitates directory management and authentication processes, allowing for a centralized approach to maintaining user credentials and policy settings.
Info
For comprehensive guidance on configuring and managing LDAP, refer to the official LDAP documentation.
Configuration steps
Step 1: Enabling LDAP Authentication
- As an administrator, go to Settings -> Server Configuration.
- Find and activate the LDAP option in the Configuration section.
- Save the changes.
Step 2: Adding an Identity Provider
- As an administrator, navigate to Settings -> Identity Providers.
- Click on the + Add button.
- Fill in the following fields:

| Field | Description | Parameters used to configure LDAP in CloudBeaver Community |
| --- | --- | --- |
| Provider | Select LDAP from the dropdown menu. | |
| ID | Enter a unique identifier for the configuration. | |
| Configuration name | Enter a descriptive name for this configuration. | |
| Description | (Optional) Provide a brief description of this identity provider configuration. | |
| Icon URL | (Optional) Enter the URL of an icon to represent this provider. | |
| Disabled | (Optional) Leave unchecked to enable this identity provider. | |
| Host | Enter the hostname or IP address of the LDAP server that handles authentication. | `ldap-host: ""` |
| Port | Specify the port number used for LDAP communication. The default is 389 for standard (unencrypted) LDAP and 636 for SSL (LDAPS). | `ldap-port: ""` |
| User identifier attribute | Enter the attribute used to uniquely identify LDAP users. The default value in PRO versions is `cn`. | `ldap-identifier-attr: ""` |
| Base Distinguished Name | (Optional) Enter the Base Distinguished Name (DN) for LDAP queries, in the format appropriate for your directory, such as `dc=example,dc=com`. If the user does not include it explicitly, this value is appended to the end of the User DN during authorization. | `ldap-dn: ""` |
| Bind User DN | (Optional) Enter the DN of an account that has permission to search for entries (e.g., users) in the directory. This account is used to verify access to the application with the specified filter. Use a dedicated service account with read-only directory access, as its password is stored in the server configuration. | `ldap-bind-user: ""` |
| Bind User Password | (Optional) Enter the password of the Bind User DN account. | `ldap-bind-user-pwd: ""` |
| User Filter | (Optional) Specify criteria for searching specific entries (users, groups, attributes). The filter must always be enclosed in parentheses; logical operators are supported. Bind User DN and Bind User Password must be configured for this field to work. | `ldap-filter: "()"` |
| User login parameter | (Optional) Enter the LDAP attribute to be used as the user login, for example `sAMAccountName`. The attribute must be unique. With this parameter set, users can log in with the value of that attribute instead of their full DN. Bind User DN and Bind User Password must be configured for this field to work. | `ldap-login: ""` |
| Enable SSL | (Optional) Set to `true` to enable SSL encryption for LDAP communication. Without it, the user's password is sent to the LDAP server in cleartext during the simple bind. | `ldap-enable-ssl: true` |
| SSL certificate | (Optional) Provide the SSL certificate in `base64` format to trust the LDAP server. | `ldap-ssl-cert: ""` |
| First name field | (Optional) Enter the name of the LDAP attribute used for the user's first name (e.g., `fn`). This attribute is detected automatically during user provisioning. | |
| Last name field | (Optional) Enter the name of the LDAP attribute used for the user's last name (e.g., `ln`). This attribute is detected automatically during user provisioning. | |
| Role field | (Optional) Enter the name of the LDAP attribute that contains the user's role (e.g., `department`). Any attribute can be used for role mapping. The value of this attribute is used to assign the user's role in Team Edition (e.g., `administrator`, `viewer`, `developer`). This attribute is detected automatically during user provisioning. | |

- Click on the Create button.
Tip
You can specify organizational units within the Base Distinguished Name to narrow the scope of lookups, such as `ou=unit1,dc=example,dc=com`. These can be set during the Identity Provider setup or during login in Team Edition. For automatic mapping of Teams to LDAP groups, fill in the LDAP Group name field with the group's `cn`; membership is resolved through one of the following attributes: `memberOf`, `member`, `uniqueMember`, or `gidNumber`. For example, if you specify `cn=groupName` in LDAP Group name, only users listed in the `member` attribute of `cn=groupName` will be mapped.
Step 3: Logging in
- With the LDAP configuration now established, proceed to the login screen.
- Select the LDAP authentication method.
- In the User login field, enter the Distinguished Name (DN) of the user who is logging in. This specifies the exact entry within the LDAP directory associated with your user account.
Tip
If the User login parameter was configured during the setup, you can alternatively enter the value of the specified login attribute instead of the full User DN.
- Enter your User password in the corresponding field to authenticate.
Note
If the Base Distinguished Name was specified during the setup of your LDAP configuration, it will be automatically appended to the User DN if not explicitly included. This simplifies the login process, since users do not have to type the full DN.
- After entering the required information, click Login to access the application.
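Both login paths above, as an added example that is not CloudBeaver's own code: a direct bind with the typed DN (Base DN appended when missing, as in Step 3), and the lookup path where the Bind User searches for the User login parameter value under the User Filter and the found entry is then bound with the user's password (Step 2). It runs against a constructed in-memory directory and uses the `ldap-*` parameter names from the table; the handling of a bare login value via the identifier attribute, and the refusal to proceed on zero or several matches, are assumptions about server behaviour, not documented CloudBeaver facts. The point a practitioner should check in any implementation is the RFC 4515 escaping of the typed login before it is spliced into the filter: `build_search_filter(..., escape=False)` shows what an unescaped value does to the User Filter.

```python
import re

# Constructed sample directory (not a live LDAP server): normalized DN -> attributes.
DIRECTORY = {
    "cn=svc-cloudbeaver,ou=services,dc=example,dc=com": {
        "objectclass": ["account"], "userpassword": ["bind-secret"]},
    "cn=alice,ou=unit1,dc=example,dc=com": {
        "objectclass": ["person"], "samaccountname": ["alice"], "userpassword": ["alice-pw"]},
    "cn=bob,ou=unit1,dc=example,dc=com": {
        "objectclass": ["person"], "samaccountname": ["bob"], "userpassword": ["bob-pw"]},
}

# Provider settings using the ldap-* parameter names from the table above.
CONFIG_DIRECT = {"ldap-dn": "dc=example,dc=com", "ldap-identifier-attr": "cn", "ldap-login": ""}
CONFIG_SEARCH = dict(CONFIG_DIRECT, **{
    "ldap-bind-user": "cn=svc-cloudbeaver,ou=services,dc=example,dc=com",
    "ldap-bind-user-pwd": "bind-secret", "ldap-filter": "(objectClass=person)",
    "ldap-login": "sAMAccountName"})

def normalize_dn(dn):
    return ",".join(part.strip() for part in dn.split(",")).lower()

def resolve_user_dn(login, base_dn, identifier_attr):
    # Direct-bind path: append ldap-dn when the typed DN does not already end with it.
    # Turning a bare value into identifier_attr=value is an assumption, not documented.
    dn = login.strip()
    if "=" not in dn:
        dn = f"{identifier_attr}={dn}"
    if not normalize_dn(dn).endswith("," + normalize_dn(base_dn)):
        dn = f"{dn},{base_dn}"
    return dn

def escape_filter_value(value):
    # RFC 4515 escaping for a value substituted into a search filter.
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(c, c) for c in value)

def build_search_filter(user_filter, login_attr, login, escape=True):
    # Combine ldap-filter with the ldap-login attribute; escape=False only demonstrates injection.
    value = escape_filter_value(login) if escape else login
    return f"(&{user_filter}({login_attr}={value}))"

def _parse(f, i):
    # Recursive-descent parser for the filter subset: &, | and attr=value.
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    if f[i + 1] in "&|":
        op, i, items = f[i + 1], i + 2, []
        while f[i] == "(":
            node, i = _parse(f, i)
            items.append(node)
        node = (op, items)
    else:
        j = f.index(")", i)
        attr, _, value = f[i + 1:j].partition("=")
        node, i = ("=", attr.strip().lower(), value), j
    if f[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def _unescape(s):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)

def _matches(node, attrs):
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(_matches(n, attrs) for n in node[1])
    _, attr, value = node
    values = attrs.get(attr, [])
    if value == "*":  # presence test
        return bool(values)
    # An unescaped '*' is a wildcard; escaped sequences become literal characters.
    pattern = ".*".join(re.escape(_unescape(p)) for p in value.split("*"))
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)

def search(directory, base_dn, filt):
    # DNs under base_dn whose attributes satisfy the filter.
    tree, _ = _parse(filt, 0)
    base = normalize_dn(base_dn)
    return [dn for dn, attrs in directory.items() if dn.endswith(base) and _matches(tree, attrs)]

def bind(directory, dn, password):
    # Simulated simple bind: the entry exists and its password matches.
    entry = directory.get(normalize_dn(dn))
    return entry is not None and entry.get("userpassword") == [password]

def authenticate(config, login, password, directory=DIRECTORY):
    # Returns the authenticated user's DN, or None.
    if config.get("ldap-login"):
        # Lookup path: bind user searches for the login attribute; only exactly one hit proceeds (assumption).
        if not bind(directory, config["ldap-bind-user"], config["ldap-bind-user-pwd"]):
            return None
        filt = build_search_filter(config["ldap-filter"], config["ldap-login"], login)
        hits = search(directory, config["ldap-dn"], filt)
        if len(hits) != 1:
            return None
        dn = hits[0]
    else:
        dn = resolve_user_dn(login, config["ldap-dn"], config["ldap-identifier-attr"])
    return dn if bind(directory, dn, password) else None

if __name__ == "__main__":
    print(authenticate(CONFIG_DIRECT, "cn=alice,ou=unit1", "alice-pw"))  # full DN
    print(authenticate(CONFIG_SEARCH, "*)(objectClass=*", "alice-pw"))   # None: value escaped
```

Without escaping, the login `*)(objectClass=*` turns the combined filter into `(&(objectClass=person)(sAMAccountName=*)(objectClass=*))`, which matches every person entry under the Base DN; with escaping the same input matches nothing and the login fails closed. A real deployment also needs the SSL settings from the table, since the simulated `bind` stands in for a simple bind that otherwise carries the password in cleartext.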