LDAP Authenticator

Prior to setting up the LDAP Authenticator component, you will need to create an Iguana Service account in your Active Directory. This user account will be used as a service account. Iguana will use this account’s credentials to authenticate the users trying to login and update the information of users logged in through LDAP.

In your Active Directory Server:

1. In the menu bar, click Actions > New > User

2. Provide a firstname, lastname, and user logon name - e.g., IguanaService@interfaceware.biz.

3. Configure a password. Review the user object details and click Finish.

On the Iguana Dashboard, go to +Component and search for “LDAP Authenticator“, select the component and click Add. See Create a Component if this is your first time.

Copy your unique component GUID from the browser address bar. This will be used to create one of the Environmental Variables in the next step.

Open

In Settings > Environment, click create and add the following variables:

1. Set IFW_EAUTH_COMPONENT to the Component GUID (copied in the last step)

2. Set IFW_EAUTH_POLL_INTERVAL to a frequency in seconds for the LDAP user cache refresh (default 60 seconds)

Open

In the LDAP Authenticator component card, set the following custom fields:

1. Set the HostUrl field. The host url must begin with ldap:// or ldaps:// and must contain the port number if you are not using the standard ldap ports.

2. Set the BaseDN field. The BaseDN is an LDAP Distinguished Name that identifies the base object that Iguana uses to search for users. When a user logs in to Iguana, the Iguana Service account will search for a user using the BaseDN as the root for the search.

3. Set the ServiceUsername and ServicePassword to the credentials of your Iguana Service account. The ServiceUsername must be fully qualified with the domain, for example IguanaService@example.com instead of just IguanaService.

Open

To secure the LDAP component and it's logs, create a #ldap Component Role in Iguana Settings > Roles to match up with the #ldap component Tag. Using a component tag matched with a role tag, we can restrict the access to interact with the LDAP component to only the admin user and those users with the #ldap Role assigned to them.

Note: You can use any naming convention required to match a specific AD Group that exists, instead of #ldap. Only users in this group will have full access to the LDAP Authenticator component.

The #ldap Role should have all permissions applied:

Open

The component uses curl to query the active directory server. For Windows, a version of the curl binary is shipped with the component.

Check if curl is installed on your Linux machine – if your system does not have a version of curl that supports ldap, follow the directions below to build curl.

These steps show building curl from source for Amazon Intel Linux. For other flavours of linux, adjust the commands accordingly (some common alternatives are included after the steps).

Step 1: Get the latest curl download from the curl website download page.

Step 2: Use tar to extract the files.

Step 3: cd into the curl folder.

Step 4: Install gcc if needed.

Step 5: Install openldap-devel.x86_64 if needed.

Step 6: Install openssl-devel.x86_64 if needed.

Step 7: Run the command to configure and enable ldap.

Step 8: Compile the source code.

Step 9: Install source code.

Step 10: Check curl version and make sure LDAP is present in the Protocols list.

Users can now login to Iguana using their Active Directory credentials!

The component will start automatically and run whenever a user logs in to Iguana. The Iguana Service account will try to authenticate the user credentials using Active Directory. When logging in, you must use your Active Directory User Principal Name (UPN) as the username and password. UPN uses the standard format: username@domain_name.

When logged in as an externally authenticated user, you’ll see that any roles matching Active Directory groups are applied.

Open