This component is currently in beta.
The LDAP Authenticator is a utility component which enables users to login to the Iguana application with an organization’s Active Directory credentials using LDAP (Lightweight Directory Access Protocol) for external authentication of users. For use with other directory services, the LDAP Authenticator component will need to be modified.
When a user logs into Iguana through LDAP, Iguana assigns the User a Role Tag corresponding to the user’s Active Directory Group. For example, if in the Active Directory, user John was a member of the groups dev
and support
then in Iguana, John would have the tags #dev
and #support
.
If a Role matching the #tag already exists in Iguana, the defined permissions will be in effect. If a new #tag is assigned, a corresponding Role will need to be created with defined permissions.
Connecting the LDAP Authenticator component to your Active Directory
Expand | ||
---|---|---|
| ||
Prior to setting up the LDAP Authenticator component, you will need to create an Iguana Service account in your Active Directory. This user account will be used as a service account. Iguana will use this account’s credentials to authenticate the users trying to login |
...
and update the information of users logged in through LDAP. |
...
In your Active Directory Server:
|
Expand | ||
---|---|---|
| ||
On the Iguana Dashboard, go to +Component and search for “LDAP Authenticator“, select the component and click Add. SeeCreate a Component if this is your first time. |
Expand | ||
---|---|---|
| ||
Copy your unique component GUID from the browser address bar. This will be used to create one of the Environmental Variables in the next step. |
Expand | ||
---|---|---|
| ||
In Settings > Environment, click create and add the following variables:
|
Expand | ||
---|---|---|
| ||
In the LDAP Authenticator component card, set the following custom fields:
|
Expand | ||
---|---|---|
| ||
To secure the LDAP component and it's logs, create a #ldap Component Role in Iguana Settings > Roles to match up with the #ldap component Tag. Using a component tag matched with a role tag, we can restrict the access to interact with the LDAP component to only the admin user and those users with the #ldap Role assigned to them. Note: You can use any naming convention required to match a specific AD Group that exists, instead of #ldap. Only users in this group will have full access to the LDAP Authenticator component. The #ldap Role should have all permissions applied: |
Expand | ||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||||||||||||
The component uses curl to query the active directory server. For Windows, a version of the curl binary is shipped with the component. For linux, Check if curl is installed on your Linux machine – if your system does not have a version of curl that supports ldap, follow the directions at the bottom below to build curl.The steps below
These steps show building curl from source for Amazon Intel Linux. For other flavours of linux, adjust the commands accordingly (some common alternatives are included after the steps). Step 1: Get the latest curl download from the curl website download page.
Step 2: Use tar to extract the files.
Step 3: cd into the curl folder.
Step 4: Install gcc if needed.
Step 5: Install openldap-devel.x86_64 if needed.
Step 6: Install openssl-devel.x86_64 if needed.
Step 7: Run the command to configure and enable ldap.
Step 8: Compile the source code.
Step 9: Install source code.
Step 10: Check curl version and make sure LDAP is present in the Protocols list.
|
Expand | ||
---|---|---|
| ||
Users can now login to Iguana using their Active Directory credentials! The component will start automatically and run whenever a user logs in to Iguana. The Iguana Service account will try to authenticate the user credentials using the Active Directory first. Should authentication fail, Iguana will then try to see if the user credentials match any local user.. When logging in, you must use your Active Directory User Principal Name (UPN) as the username and password. UPN uses the standard format: When logged in as an externally authenticated user, you’ll see that any roles matching Active Directory groups are applied. |