The LDAP/Active Directory (AD) integration allows delegation of authentication to your organization's LDAP/AD server.
The main steps to configure LDAP/AD integration are:
This feature should be enabled and configured immediately after you install Abiquo, to ensure security and a consistent set of users.
To support LDAP/AD, new properties have been added to the Abiquo configuration file (abiquo.properties). The most important of these properties is abiquo.auth.module, which actually sets the authentication mode. This property must have one of the following values:
Turn LDAP mode on by setting the abiquo.auth.module property to 'ldap'. Users that were created in the Abiquo database will still be able to log in to Abiquo. To prevent those users from logging in, you must disable them manually.
When operating in 'ldap' mode:
The Abiquo admin user has the Cloud Administrator role and cannot be modified or disabled. The Cloud Admin should log in with this admin user, set a strong password, and configure the enterprises and roles for LDAP. The Cloud Admin may also configure an LDAP Cloud Administrator user.
The following properties are used for configuring LDAP/AD integration. All of these properties are explained in the Abiquo Configuration Properties section.
| Property | Default | Description |
| abiquo.auth.module | | Whether Abiquo should authenticate only via the database or also against LDAP/Active Directory. Values: abiquo, ldap |
| | | LDAP/Active Directory server URL |
| | | LDAP/Active Directory port. In LDAP mode this property is required, even if the server is listening on the default LDAP/Active Directory port |
| | | Protocol used when authenticating to LDAP/Active Directory. Values: ldap, ldaps |
| | | Base Distinguished Name of the LDAP/Active Directory |
| | | Abiquo will perform an additional custom query against the specified schema in LDAP/Active Directory. This value is required; with the default value, Abiquo does not perform an additional query |
| abiquo.ldap.authentication.attribute.enterprise | | The attribute in LDAP/Active Directory used to look up the Enterprise Name, which must be an Enterprise in Abiquo |
| abiquo.ldap.authentication.autoUserCreation | true | Whether Abiquo must create a user in Abiquo based on a successful login to LDAP |
Notes about the properties:
When working in LDAP mode, manual user creation in Abiquo is disabled. When a user successfully logs in against LDAP/AD, Abiquo looks up the local database to check whether the user already exists. If the user does not exist (first login), it is created automatically, with its details retrieved from the LDAP/AD server. After the user has been created, the user's details can be modified, except for the Role.
After users have been created at first login, the only user information synchronized between Abiquo and LDAP/AD is the Role and the Enterprise.
If you wish to provide email addresses, or any other information, from LDAP/AD, it must be entered in LDAP before the user's first Abiquo login.
Abiquo must be able to link the user entry in LDAP/AD to an active Enterprise in the Abiquo database. The LDAP/AD attribute that Abiquo looks up is configurable in the abiquo.properties file (abiquo.ldap.authentication.attribute.enterprise). If there is no matching enterprise, or the attribute is blank in LDAP/AD, automatic user creation fails, the login fails, and a 401 (Bad Credentials) error is returned. Debugging output is written to the logs. The Enterprise can be modified in Abiquo, but it is overwritten at each new login.
Users created automatically with no email information in LDAP/AD will not receive system notifications. We recommend that you complete the 'email' field in LDAP/AD before first login, or modify the Abiquo user details afterwards.
After users log in, they are granted the first matching role. That is, if more than one of the user's LDAP/AD groups has an equivalent Abiquo role, the user is granted the role of the first such group, because only one role is permitted in Abiquo. The order of the groups is not guaranteed, so we strongly recommend that System Administrators maintain a one-to-one LDAP/AD group to Abiquo role relation for each user. The Role is synchronized between LDAP/AD and the Abiquo database at each login.
Users that were created automatically are labeled 'LDAP' in the authType column of the Abiquo database, and their username is the Distinguished Name (DN) of the user in LDAP/AD. A user is unique by the combination of username and authType. Toggling back and forth between authentication modes is not supported, but it is possible to switch to LDAP mode after installation by changing the appropriate properties. So if you install Abiquo and later decide to change to LDAP mode, users will still be unique.
Abiquo currently supports these username forms:
You can use any of these and even switch from one to another and this will not add extra users to the Abiquo database. Each user will only have one database entry.
To perform a login, and retrieve the currently logged in user, a new resource has been published in the API. Please see the API Documentation for further information. This is a secure resource that can only be accessed after a successful login.
Abiquo does not support switching authentication modes after installation.
Abiquo no longer guarantees the uniqueness of users based on their username alone. Starting from version 1.8, Abiquo users are made unique by username + authType, where authType records the authentication source the user logged in against. So it is possible to have more than one user with the same username as long as their authType differs. This means that LDAP/AD users will not be prevented from logging in by another user with the same username. But it also means that if you are delegating authentication to a centralized server in your company and you want this server to be the only authority, you must either delete or disable any previously created users; otherwise those users will also be able to log in.
This should not cause problems. LDAP/AD users will not be able to log in because the password field is blank.
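As an added example (not Abiquo's own code), the following Python model walks through the LDAP-mode login resolution described in the notes above and the username + authType uniqueness rule from the previous paragraph: authenticate against LDAP/AD, require that the enterprise attribute names an active Abiquo enterprise (otherwise 401), take the first group that maps to a role, create the local user keyed by (DN, 'LDAP') on first login or re-synchronize its Enterprise and Role on later logins, and finally audit which database-authenticated users remain able to log in and therefore must be disabled when LDAP/AD is to be the only authority. The directory entries, group names, enterprise names and the function and class names are all constructed for illustration; treating a user with no role-mapped group as a failed login is an assumption the page does not state.

```python
# Added example, not Abiquo's own code: a minimal model of the LDAP-mode login
# resolution described on this page. All names below (LocalUser, resolve_login,
# the sample directory, group and enterprise names) are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample directory: DN -> attributes. "enterprise" stands in for
# whatever attribute abiquo.ldap.authentication.attribute.enterprise points at.
LDAP_DIRECTORY = {
    "cn=alice,ou=people,dc=example,dc=com": {
        "userPassword": "alice-pw",
        "mail": "alice@example.com",
        "enterprise": "Research",
        "memberOf": ["abiquo-enterprise-admins", "abiquo-users"],
    },
    "cn=carol,ou=people,dc=example,dc=com": {
        "userPassword": "carol-pw",
        "mail": "carol@example.com",
        "enterprise": "Marketing",          # not an active Abiquo enterprise
        "memberOf": ["abiquo-users"],
    },
    "cn=dave,ou=people,dc=example,dc=com": {
        "userPassword": "dave-pw",
        "mail": "",
        "enterprise": "",                   # attribute left blank in LDAP/AD
        "memberOf": ["abiquo-users"],
    },
}

# Constructed mapping of LDAP/AD group names to Abiquo role names.
GROUP_TO_ROLE = {"abiquo-enterprise-admins": "ENTERPRISE_ADMIN", "abiquo-users": "USER"}
ACTIVE_ENTERPRISES = {"Research", "Sales"}


@dataclass
class LocalUser:
    username: str        # for LDAP-created users this is the LDAP DN
    auth_type: str       # "ABIQUO" (database) or "LDAP"
    enterprise: str
    role: str
    email: str = ""
    password: str = ""   # stays blank for LDAP-created users
    active: bool = True


class BadCredentials(Exception):
    """Stands in for the 401 (Bad Credentials) response described on the page."""


UserTable = Dict[Tuple[str, str], LocalUser]   # keyed by (username, authType)


def resolve_login(dn: str, password: str, users: UserTable,
                  auto_user_creation: bool = True) -> LocalUser:
    entry = LDAP_DIRECTORY.get(dn)
    if entry is None or entry["userPassword"] != password:
        raise BadCredentials("LDAP bind failed")
    # The enterprise attribute must name an active Abiquo enterprise;
    # a blank or unknown value fails the login with 401.
    enterprise = entry.get("enterprise", "")
    if not enterprise or enterprise not in ACTIVE_ENTERPRISES:
        raise BadCredentials("no matching active enterprise for %s" % dn)
    # First group with an equivalent Abiquo role wins; the page warns that
    # group order is not guaranteed, so keep one mapped group per user.
    role: Optional[str] = next(
        (GROUP_TO_ROLE[g] for g in entry["memberOf"] if g in GROUP_TO_ROLE), None)
    if role is None:
        # Assumption for this example; the page does not state this case.
        raise BadCredentials("no group maps to an Abiquo role")
    key = (dn, "LDAP")
    user = users.get(key)
    if user is None:
        if not auto_user_creation:
            raise BadCredentials("auto user creation disabled")
        user = LocalUser(dn, "LDAP", enterprise, role, entry.get("mail", ""))
        users[key] = user
    else:
        user.enterprise = enterprise   # re-synchronized at every login
        user.role = role
    return user


def database_users_still_able_to_log_in(users: UserTable) -> List[str]:
    """Audit: database-authenticated users that are active and have a password.
    When LDAP/AD is to be the only authority, these must be disabled or deleted."""
    return sorted(u.username for u in users.values()
                  if u.auth_type == "ABIQUO" and u.active and u.password)


def seed_users() -> UserTable:
    """Constructed local user table as it might look after a database-mode install."""
    admin = LocalUser("admin", "ABIQUO", "Abiquo", "CLOUD_ADMIN", password="hash1")
    bob = LocalUser("bob", "ABIQUO", "Sales", "USER", password="hash2")
    eve = LocalUser("eve", "ABIQUO", "Sales", "USER", password="hash3", active=False)
    return {(u.username, u.auth_type): u for u in (admin, bob, eve)}


if __name__ == "__main__":
    table = seed_users()
    alice = resolve_login("cn=alice,ou=people,dc=example,dc=com", "alice-pw", table)
    print(alice.username, alice.role, alice.enterprise, repr(alice.password))
    for dn, pw in (("cn=carol,ou=people,dc=example,dc=com", "carol-pw"),
                   ("cn=dave,ou=people,dc=example,dc=com", "dave-pw")):
        try:
            resolve_login(dn, pw, table)
        except BadCredentials as err:
            print("401:", err)
    print("still able to log in via database:", database_users_still_able_to_log_in(table))
```

Running the block shows alice being created with a blank password and the ENTERPRISE_ADMIN role, carol and dave rejected with 401 because their enterprise attribute is unknown or blank, and admin and bob listed as database users that can still log in (eve is already disabled, so she is not listed).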