
Introduction

This document describes how to configure LDAP authentication in the Men & Mice Suite. 

Installation on CentOS Linux

To use LDAP authentication and authorization, start by installing python-ldap on the machine where the Men & Mice Central service runs, then install the Python extension that Central uses when connecting to an LDAP directory:

 

A signature file for the Python extension also has to be installed and placed in the extension directory:

Note that, for security reasons, the Central service will not execute mm_ldap.py unless the signature in mm_ldap.signature matches the signature it calculates for mm_ldap.py. Any local modification of mm_ldap.py therefore makes the check fail and the extension is refused.

Configuring LDAP

The LDAP configuration is stored in a JSON config file placed in the Men & Mice Central service root directory:

 

The configuration file has the following schema:

 

 

Name | Description | Example | Required | Default value
uri | URI of the LDAP service. | "ldaps://example.com:636" | Yes | None
reader_dn | DN or login name of a user with permission to search the directory. Not needed when all users may search (for example, an AD LDAP service). | "user@example.com" | No | None
reader_password | Password for the reader_dn user. | | No | None
skip_cert_verification | If true, the server certificate is not verified, so the server is no longer authenticated. Only set to true for a self-signed certificate that cannot be added to ca_cert_file. | | No | false
ca_cert_file | Path of a file containing all trusted CA certificates. | | No | None
disable_referrals | Skip referrals when doing LDAP queries. Should be set to true for AD LDAP services. | | No | true
user_start_tls | Upgrade a plain ldap:// connection to TLS with STARTTLS. Still experimental; use LDAPS (ldaps://) instead. | | No | false
user_search_config.base_dn | DN from which to start searching for a user in the directory. | "dc=corp, dc=example, dc=com" | Yes | None
user_search_config.search_filter | Filter used to search for a user. The username is inserted into the placeholder "{username}", if specified. | "(&(objectClass=user)(userPrincipalName={username}))" | Yes | None
scope | Scope to use when searching. Either "subtree" or "onelevel". | "subtree" | No | "subtree"
email_attribute | LDAP attribute holding the user's email address. | "userPrincipalName" | No | None
group_search_config.base_dn | DN from which to start searching for groups in the directory. | "dc=corp, dc=example, dc=com" | If group authentication is used | None
group_search_config.scope | Scope to use when searching. Either "subtree" or "onelevel". | "subtree" | No | "subtree"
group_search_config.search_filter | Search filter used to find groups. The user's DN is inserted into the placeholder "{dn}" and the username into the placeholder "{username}", if specified. | "(&(objectClass=group)(member:={dn}))" | If group authentication is used | None
group_search_config.group_name_attribute | Attribute holding the name of the group. | "name" | If group authentication is used | "name"

 

Example configuration for connecting to an AD LDAP service:

 
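The following is an added example, not the page's own example configuration and not code from the Men & Mice mm_ldap.py extension. It builds a config for an AD-style directory from the schema documented above (the config, the host name dc01.corp.example.com, the service account and the CA path are all constructed for this example), checks it against the schema, fills in the documented defaults, warns about settings that weaken transport security (ldap:// without TLS, skip_cert_verification, the experimental user_start_tls), and shows how the "{username}" and "{dn}" placeholders should be substituted into the search filters: with RFC 4515 escaping, so that a login name such as "*)(userPrincipalName=*" cannot change the shape of the filter. It assumes the unprefixed "scope" and "email_attribute" rows of the table belong under user_search_config, and uses only the standard library.

```python
"""Added example, not part of the Men & Mice mm_ldap.py extension: validate an
LDAP JSON config against the documented schema, fill in the documented
defaults, flag insecure transport settings, and substitute the {username} and
{dn} placeholders into search filters with RFC 4515 escaping."""
import json

# (required, default) for each documented key; a default of None means none.
TOP_LEVEL = {
    "uri": (True, None), "reader_dn": (False, None),
    "reader_password": (False, None), "skip_cert_verification": (False, False),
    "ca_cert_file": (False, None), "disable_referrals": (False, True),
    "user_start_tls": (False, False), "user_search_config": (True, None),
    "group_search_config": (False, None),
}
# Assumption: the unprefixed "scope" and "email_attribute" rows of the table
# belong inside user_search_config next to base_dn and search_filter.
USER_SEARCH = {"base_dn": (True, None), "search_filter": (True, None),
               "scope": (False, "subtree"), "email_attribute": (False, None)}
GROUP_SEARCH = {"base_dn": (True, None), "search_filter": (True, None),
                "scope": (False, "subtree"), "group_name_attribute": (False, "name")}


def _check_section(section, schema, prefix, problems):
    """Report missing required / unknown keys and fill in defaults in place."""
    for key, (required, default) in schema.items():
        if key not in section:
            if required:
                problems.append("missing required key %s%s" % (prefix, key))
            elif default is not None:
                section[key] = default
    for key in section:
        if key not in schema:
            problems.append("unknown key %s%s" % (prefix, key))
    if "scope" in section and section["scope"] not in ("subtree", "onelevel"):
        problems.append('%sscope must be "subtree" or "onelevel"' % prefix)


def validate(cfg):
    """Return a list of schema problems (empty when the config is valid)."""
    problems = []
    _check_section(cfg, TOP_LEVEL, "", problems)
    for name, schema in (("user_search_config", USER_SEARCH),
                         ("group_search_config", GROUP_SEARCH)):
        if isinstance(cfg.get(name), dict):
            _check_section(cfg[name], schema, name + ".", problems)
    return problems


def security_warnings(cfg):
    """Flag settings that weaken transport security or server authentication."""
    warnings = []
    if cfg.get("uri", "").startswith("ldap://") and not cfg.get("user_start_tls"):
        warnings.append("ldap:// without TLS sends the bind password in clear text; use ldaps://")
    if cfg.get("user_start_tls"):
        warnings.append("user_start_tls is documented as experimental; prefer ldaps://")
    if cfg.get("skip_cert_verification"):
        warnings.append("skip_cert_verification=true disables server certificate checks; "
                        "put the CA or self-signed certificate in ca_cert_file instead")
    return warnings


def escape_filter_value(value):
    """RFC 4515 escaping for a value inserted into a search filter."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def render_filter(template, **placeholders):
    """Substitute {username}/{dn} into a filter template, escaping each value."""
    return template.format(**{k: escape_filter_value(v) for k, v in placeholders.items()})


# Constructed sample config for an AD-style directory (not the page's own example).
SAMPLE_CONFIG = """{
  "uri": "ldaps://dc01.corp.example.com:636",
  "reader_dn": "svc-mmreader@corp.example.com",
  "reader_password": "REPLACE-ME",
  "ca_cert_file": "/etc/pki/tls/certs/corp-root-ca.pem",
  "user_search_config": {
    "base_dn": "dc=corp,dc=example,dc=com",
    "search_filter": "(&(objectClass=user)(userPrincipalName={username}))",
    "email_attribute": "userPrincipalName"
  },
  "group_search_config": {
    "base_dn": "dc=corp,dc=example,dc=com",
    "search_filter": "(&(objectClass=group)(member:={dn}))"
  }
}"""


def load_config(text):
    """Parse, validate and default-fill a config; raise on schema problems."""
    cfg = json.loads(text)
    problems = validate(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    return cfg


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    for w in security_warnings(cfg):
        print("WARNING:", w)
    # A login name carrying filter metacharacters is neutralised by escaping.
    print(render_filter(cfg["user_search_config"]["search_filter"],
                        username="*)(userPrincipalName=*"))
    print(render_filter(cfg["group_search_config"]["search_filter"],
                        dn="CN=Doe\\, Jane,OU=Users,DC=corp,DC=example,DC=com"))
```

The escaping step matters because both placeholders are filled from data the authenticating user controls or that comes from the directory: a DN containing a backslash-escaped comma, or a login name containing "*", "(" or ")", must end up as a literal value in the filter and not as filter syntax. Whether Central's own mm_ldap.py does this is not stated on this page; if you adapt the filters or write your own extension, keep the escaping.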

Configuring the Men & Mice Central service to authenticate users using an LDAP service

To configure the Men & Mice Central service, log in as the superuser "administrator" through the Men & Mice Management Console. In the top left-hand corner select "System Settings" from the "Tools" menu, click the "Advanced..." button and check the "Enable LDAP integration" checkbox.

 

 

 

 