LDAP Domain


LDAP Integration in Zmanda

This document describes the steps to enable LDAP integration in Zmanda. It allows you to register your existing LDAP domains, then import existing users from them and let those users log in with their existing credentials.

Register LDAP Domains

The LDAP Domain tab is found under Settings. The ‘Add LDAP Domain’ button at the top right lets you add an LDAP configuration, which is then used for adding LDAP users and for allowing those users to log in with their LDAP credentials.

On the screen below, the Enable/Disable LDAP Login slider (blue slider) turns LDAP-based login on or off at the global level.

The Add LDAP Domain button opens a drawer, shown below, listing the required fields.

Required Fields:

· URI – The IP address or hostname of the LDAP server. If a hostname is provided, it must be mapped to the server's IP address in the ‘/etc/hosts’ file of the system on which the application is running.

For using LDAP, a hostname is required in place of an IP address.

· Domain Name – A unique identifier for this LDAP configuration. Any unique string can be used.

· Base DN – The starting point from which the LDAP server searches your directory when authenticating users. Example: ‘DC=domain-name,DC=com’.

· Master User DN – The Distinguished Name of the service user that binds to the LDAP server for operations such as search. The user DN used as the service user must have bind access.

· Master User Password – The password for the above user.

· Use SSL – If checked, the connection to the LDAP server uses SSL, and a certificate must be uploaded in order to connect. Supported certificate formats: .pem/.cer.

On clicking Next, a second drawer opens, shown below, with the additional fields required for the LDAP configuration.

Second Drawer Fields:

· First Name – The LDAP user attribute whose value is stored as the first name in our DB. This is always givenName, so the value of givenName on the LDAP server is saved as the user's first name.

· Last Name – The LDAP user attribute whose value is stored as the last name in our DB. This is always sn, so the value of sn on the LDAP server is saved as the user's last name.

· Email – The LDAP user attribute whose value is stored as the email in our DB. This is a dropdown offering mail and userprincipalname, whichever is available; the selected attribute supplies the email value in our application. Make sure the selected attribute exists on the LDAP objects: a user for whom the value does not exist will not be listed.

· Username Identifier – A dropdown offering whichever of userprincipalname/uid/mail/samaccountname is supported.

This value is used as the login username on the UI screen. Ex. if uid is selected here and an LDAP user has the uid value ‘dummy_user’, that user enters dummy_user as the username on the login screen.

Email is also supported as the username.

The selected value is required for each LDAP user and cannot be blank. If the selected attribute is blank for some LDAP users, those users will not be listed when adding users.

Ex. if uid is selected as the ‘username identifier’ and an LDAP user has no uid value, that user will not be listed when adding a user or users.

After saving the LDAP configuration, enable it from the LDAP config main screen by clicking the enable icon under Actions.

Notes:

· The USER ATTRIBUTE MAPPING and Username Identifier fields cannot be changed once selected.

· An LDAP Domain cannot be deleted while any users are linked to it. To delete an LDAP Domain, those users must first be deleted or converted to general users.

· For an LDAP user to log in, the individual LDAP Domain must be enabled and the global Enable/Disable LDAP login must be in the Enabled state.

Add LDAP User/Users

LDAP users can be added by selecting LDAP User in the Add User drawer. The drawer shows two options: one for adding a single user and one for adding users by group. Under Users only a single user can be added at a time, while under Group multiple users belonging to the selected group can be selected and added in bulk.

*Searched users will not be displayed if either of the attributes set on the LDAP domain under ‘USERNAME IDENTIFIER’ and ‘EMAIL’ has no value on the LDAP server.

Ex. if for an LDAP domain ‘username identifier’ is set to ‘uid’ and ‘email’ is set to ‘mail’ in the dropdowns, and for some user either ‘uid’ or ‘mail’ is not set on the LDAP server, that user will not appear in the search and cannot be added.
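The following is an added example, not Zmanda's code, illustrating both the attribute mapping rules of the Second Drawer Fields and the filtering described in the note above: First Name and Last Name always come from givenName and sn, Email and Username Identifier come from the selected dropdown attributes, and any entry whose selected Email or Username Identifier attribute is absent or blank is not listed. The entry format (a dict of attribute name to list of values, as most LDAP client libraries return), the class and function names, and all sample entries are assumptions made here for illustration.

```python
# Added example (not Zmanda's code): applies the mapping rules described above
# to LDAP user entries and drops the ones the Add User search would not list.
# Assumptions: the entry format is a dict of attribute name -> list of values
# (the shape most LDAP client libraries return); the class and function names
# are chosen here for illustration; all sample entries are constructed.
from dataclasses import dataclass
from typing import Optional

# Fixed by the document: First Name always comes from givenName, Last Name from sn.
FIRST_NAME_ATTR = "givenName"
LAST_NAME_ATTR = "sn"

# The choices the two dropdowns offer, as listed in the document.
EMAIL_CHOICES = ("mail", "userprincipalname")
USERNAME_CHOICES = ("userprincipalname", "uid", "mail", "samaccountname")


@dataclass(frozen=True)
class AttributeMapping:
    """The two configurable fields of the second drawer."""
    email_attr: str
    username_attr: str

    def __post_init__(self):
        if self.email_attr.lower() not in EMAIL_CHOICES:
            raise ValueError(f"unsupported email attribute: {self.email_attr}")
        if self.username_attr.lower() not in USERNAME_CHOICES:
            raise ValueError(f"unsupported username identifier: {self.username_attr}")


@dataclass(frozen=True)
class ImportableUser:
    first_name: str
    last_name: str
    email: str
    username: str  # what the user types on the login screen


def attribute_value(entry: dict, attr: str) -> Optional[str]:
    """First value of an attribute, or None when it is absent or blank.
    LDAP attribute names are case-insensitive, so compare them lowercased."""
    for name, values in entry.items():
        if name.lower() != attr.lower():
            continue
        if isinstance(values, (list, tuple)):
            values = values[0] if values else None
        if values is None:
            return None
        value = str(values).strip()
        return value or None
    return None


def map_entry(entry: dict, mapping: AttributeMapping) -> Optional[ImportableUser]:
    """Return the user as it would be saved, or None if the entry is not listable."""
    email = attribute_value(entry, mapping.email_attr)
    username = attribute_value(entry, mapping.username_attr)
    if email is None or username is None:
        return None  # a required attribute is missing or blank: not listed
    return ImportableUser(
        first_name=attribute_value(entry, FIRST_NAME_ATTR) or "",
        last_name=attribute_value(entry, LAST_NAME_ATTR) or "",
        email=email,
        username=username,
    )


def listable_users(entries, mapping: AttributeMapping):
    """Split search results into listable users and the DNs that were skipped."""
    users, skipped = [], []
    for entry in entries:
        user = map_entry(entry, mapping)
        if user is None:
            skipped.append(entry["dn"])
        else:
            users.append(user)
    return users, skipped


# Constructed sample entries (not from any real directory).
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,ou=people,dc=example,dc=test", "givenName": ["Alice"], "sn": ["Doe"],
     "uid": ["alice"], "mail": ["alice@example.test"], "userPrincipalName": ["alice@example.test"]},
    {"dn": "uid=bob,ou=people,dc=example,dc=test", "givenName": ["Bob"], "sn": ["Roe"],
     "uid": ["bob"], "userPrincipalName": ["bob@example.test"]},          # no mail attribute
    {"dn": "cn=carol,ou=people,dc=example,dc=test", "givenName": ["Carol"], "sn": ["Poe"],
     "sAMAccountName": ["carol"], "mail": ["carol@example.test"]},       # no uid attribute
    {"dn": "uid=dave,ou=people,dc=example,dc=test", "givenName": ["Dave"], "sn": ["Moe"],
     "uid": ["   "], "mail": ["dave@example.test"]},                     # uid present but blank
]

if __name__ == "__main__":
    for mapping in (AttributeMapping("mail", "uid"), AttributeMapping("mail", "mail")):
        users, skipped = listable_users(SAMPLE_ENTRIES, mapping)
        print(mapping, "listed:", [u.username for u in users], "skipped:", skipped)
```

With ‘email’ set to mail and ‘username identifier’ set to uid, only alice is listed: bob has no mail, carol has no uid, and dave's uid is blank. Choosing mail for both fields (email as username, which the document says is supported) lists alice, carol and dave and skips only bob.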


Adding Single User – As shown below, select the LDAP Domain from the ‘LDAP Server’ dropdown to add a user from; the dropdown list of users is then populated. Select the user from the dropdown, select a Role for the user and click Save.

Adding Multiple Users from Group – As shown below, select the LDAP Domain from the ‘LDAP Server’ dropdown to search its groups; the dropdown list of groups is then populated. Select a group to fetch its users, which are displayed in the side drawer; select the relevant users to be added and click Save.

Converting Users 

A user can be converted from a general user to an LDAP user and from an LDAP user to a general user.

Converting a user from General to LDAP User – For a General User, ‘User Type’ is displayed as “General”. To convert the user from a general user to an LDAP user:

· Click on edit user. This opens a drawer with General User checked.

· Under User Type, move the switch to LDAP User and select, from the dropdown of registered LDAP domains, the domain on which the user is to be searched. The user is searched on that domain by email value. Ex. for the user above, the LDAP server is searched for a user with the email [email protected]. If a matching email is found for any user, the details are auto-filled. Then click Update.

Converting a user from LDAP User to General User – For an LDAP User, ‘User Type’ is displayed as “LDAP/DOMAIN_NAME”. To convert the user from an LDAP user to a general user:

· Click on edit user. This opens the drawer below with LDAP User checked.

· Under User Type, move the switch from LDAP User to General User. Enter a new password for the general user to use for login and click Save. A password is required for general users. The username can be changed while switching from LDAP to general user.

Login Related Functionalities 

To allow LDAP users of an added LDAP Domain to log in, the conditions below must be met:

· The user must have been added via Add user/group. Only LDAP users registered in the application as LDAP Domain users are allowed to log in with LDAP credentials.

· The LDAP Domain linked to the user attempting to log in must be enabled.

· The global Enable/Disable LDAP login must be enabled.

To disallow login for LDAP users:

· To disallow login for all LDAP users irrespective of LDAP Domain, disable the global Enable/Disable LDAP login. Only local authentication for general users is then allowed.

· To disallow login for the users of a single LDAP Domain, disable that individual LDAP Domain. This blocks login for any LDAP users belonging to the disabled LDAP Domain, while login remains allowed for other, enabled LDAP Domains.

LDAP Users login username – Whatever attribute is selected as the username identifier when the LDAP Domain is added, the LDAP user's value for that same attribute must be used as the username for login.

Ex. a registered LDAP Domain has ‘Username Identifier’ set to uid. We add the user Test1 as an LDAP user, and Test1 has the uid value ‘test_1’ on the LDAP server. So ‘test_1’ must be used as the username at login, along with the LDAP password.

Security Related Functionalities 

The Master User password of a registered LDAP Domain is saved as an encrypted value. To reset the keys on which this encryption/decryption is based, the following script can be used:

‘/opt/zmanda/amanda/bin/reset-keys.sh’

It offers two options for resetting the keys:

· NORMAL RESET – All keys are reset, and any registered LDAP domains using the keys are made compatible with the new set of keys, so they remain usable.

· HARD RESET – Only the keys are changed; no changes are made to existing LDAP domains. This makes the already stored passwords unusable: the password of any existing LDAP domain will require a reset/update from the UI.
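To make the difference between the two reset modes concrete, here is an added example, not Zmanda's code and not what reset-keys.sh actually does internally. It models a store of encrypted master-user passwords: a normal reset rotates the key and re-encrypts every stored password under it, so every domain stays usable; a hard reset rotates only the key, so existing records no longer decrypt and each affected domain needs its password re-entered from the UI. The cipher is a standard-library stand-in (HMAC-SHA256 as a keystream generator plus an HMAC tag, so a wrong key is detected rather than yielding garbage) assumed here for illustration, and the class, method names, domain names and passwords are constructed.

```python
# Added example (not Zmanda's code): models what NORMAL RESET and HARD RESET
# mean for the stored master-user passwords. The cipher is a standard-library
# stand-in (HMAC-SHA256 as a keystream generator plus an HMAC tag), assumed
# here for illustration and not the scheme reset-keys.sh actually uses; the
# class and function names and the sample domains/passwords are constructed.
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def new_key() -> bytes:
    return secrets.token_bytes(32)


def _subkeys(key: bytes):
    # Separate keys for confidentiality and integrity, derived from the stored key.
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Raises ValueError when the key does not match the record (the HARD RESET case)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("record too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or corrupted record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class DomainStore:
    """Registered LDAP domains with their encrypted master-user passwords."""

    def __init__(self):
        self.key = new_key()
        self.records = {}  # domain name -> encrypted password

    def save_password(self, domain: str, password: str) -> None:
        # What "reset/update from UI" amounts to: re-encrypt under the current key.
        self.records[domain] = encrypt(self.key, password.encode())

    def master_password(self, domain: str) -> str:
        return decrypt(self.key, self.records[domain]).decode()

    def normal_reset(self) -> None:
        # New key, and every stored password is re-encrypted so domains stay usable.
        new = new_key()
        self.records = {d: encrypt(new, decrypt(self.key, blob))
                        for d, blob in self.records.items()}
        self.key = new

    def hard_reset(self) -> None:
        # Only the key changes; existing records are left as they are.
        self.key = new_key()

    def usable_domains(self):
        """Which domains can still decrypt their master password with the current key."""
        usable, broken = [], []
        for domain, blob in self.records.items():
            try:
                decrypt(self.key, blob)
                usable.append(domain)
            except ValueError:
                broken.append(domain)
        return usable, broken


if __name__ == "__main__":
    store = DomainStore()
    store.save_password("corp-ldap", "ExamplePassword")  # constructed values
    store.normal_reset()
    print("after NORMAL RESET:", store.usable_domains())
    store.hard_reset()
    print("after HARD RESET:", store.usable_domains())
```

The authentication tag is what makes a hard reset detectable: without it, decrypting with the wrong key would silently produce a wrong password and the bind to the LDAP server would fail later with a less obvious error.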