
LDAP

Incorta Analytics supports the Lightweight Directory Access Protocol (LDAP) both to import users into Incorta in bulk and to authenticate them. Integrating Incorta with LDAP imports users in bulk so that they are known internally and can log in with an Incorta username and password. Optionally, LDAP may also be used for authentication, so that users log in to Incorta with their existing LDAP username and password.

Pre-Requisites

In order to proceed with the LDAP configuration, ensure access to the following information:

ldap.base.provider.url
    The base provider URL of the LDAP directory server used by the back end.
    Example: ldap://ldap.incorta.com:389

ldap.base.dn
    The Base Distinguished Name used when accessing the LDAP server.
    Example: dc=incorta, dc=com

ldap.user.dn
    The User Distinguished Name that LDAP uses for authentication (the bind user).
    Example: cn=IncortaAdmin,ou=people,dc=incorta,dc=com

ldap.user.dn.password
    The password of the LDAP admin (bind) user.

ldap.use.encrypted.password
    Can be added to require the LDAP admin password to be stored encrypted. If true, use the encrypt_password.sh utility located in /IncortaNode/bin to generate an encrypted version of the password. (default: false)

ldap.user.mapping.login
    The LDAP attribute mapped to the login name of the Incorta Analytics user.
    Example: mail

ldap.user.mapping.name
    The LDAP attribute used as the name of the Incorta Analytics user.
    Example: name

ldap.user.mapping.mail
    The LDAP attribute that stores the email address.
    Example: mail

ldap.group.mapping.name
    The LDAP attribute that contains the group name.
    Example: name

ldap.group.mapping.member
    The LDAP attribute that holds the DN of a member of a group.
    Example: member

ldap.user.search.filter
    The LDAP search filter applied to queries that look up users.
    Example: (objectClass=user)

ldap.group.search.filter
    The LDAP search filter applied to queries that look up groups.
    Example: (objectClass=group)

user.type
    Optional. Sets the user type, i.e. internal (Incorta) or LDAP. The default value for this property is "ldap".
  • If the user type is "internal", users need an Incorta username/password to log in.
  • If the user type is "ldap", users may log in to Incorta using their existing LDAP username/password.

Sample Setup

The setup below maps the login name to the e-mail address rather than the UID; if users log in by UID, set ldap.user.mapping.login to uid instead of mail:
# Provide ldap url
# Example: ldap://HOST_NAME:PORT_NUM
ldap.base.provider.url=ldap://104.197.245.188:389
# Distinguished Name to connect with
ldap.base.dn=dc=incorta,dc=com
# Distinguished Name and password of a user in the ldap to authenticate with
ldap.user.dn=cn=Manager,dc=incorta,dc=com
ldap.user.dn.password=<>
# The attributes that will map login name, mail and name of Incorta user
ldap.user.mapping.login=mail
ldap.user.mapping.name=cn
ldap.user.mapping.mail=mail
# The attributes that will map name and attached users of Incorta group
ldap.group.mapping.name=cn
ldap.group.mapping.member=uniqueMember
# a filter to search users with given example
ldap.user.search.filter=(objectClass=inetOrgPerson)
# a filter to search groups with given example
ldap.group.search.filter=(objectClass=groupOfUniqueNames)
# user.type is optional with default (ldap) and indicates the user type, possible values are: internal, sso, and ldap
user.type=ldap
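To make the mapping properties concrete, the following added Python example (written for this article, not Incorta's own sync_directory.py) parses a subset of the sample above and applies it to a few constructed directory entries, showing how ldap.user.mapping.login selects the Incorta login and how ldap.group.mapping.member DNs are resolved against the imported users. The properties parser, the single-equality filter matcher and the entry format are simplifications assumed for the example.

```python
# Constructed subset of the page's Sample Setup (connection keys omitted); DN values contain '='.
SAMPLE_PROPERTIES = """
ldap.base.dn=dc=incorta,dc=com
ldap.user.search.filter=(objectClass=inetOrgPerson)
ldap.group.search.filter=(objectClass=groupOfUniqueNames)
ldap.user.mapping.login=mail
ldap.user.mapping.name=cn
ldap.group.mapping.name=cn
ldap.group.mapping.member=uniqueMember
"""
# Constructed directory search results (dn -> attributes); carol is a member but has no entry.
SAMPLE_ENTRIES = {
    "uid=alice,ou=people,dc=incorta,dc=com": {"objectClass": ["inetOrgPerson"],
        "cn": ["Alice Example"], "uid": ["alice"], "mail": ["alice@example.com"]},
    "uid=bob,ou=people,dc=incorta,dc=com": {"objectClass": ["inetOrgPerson"],
        "cn": ["Bob Example"], "uid": ["bob"], "mail": ["bob@example.com"]},
    "cn=analysts,ou=groups,dc=incorta,dc=com": {"objectClass": ["groupOfUniqueNames"],
        "cn": ["analysts"], "uniqueMember": ["uid=alice,ou=people,dc=incorta,dc=com",
                                             "uid=carol,ou=people,dc=incorta,dc=com"]},
}
def parse_properties(text):
    """key=value per line with '#' comments; split on the FIRST '=' because DN values contain '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def matches_filter(attrs, ldap_filter):
    # Only the single equality form (attr=value) used by the page's filters is handled here.
    attr, _, value = ldap_filter.strip("()").partition("=")
    return value in attrs.get(attr, [])

def sync_directory(props, entries):
    """Apply the mapping properties: users keyed by the login attribute, groups resolved by member DN."""
    get = lambda attrs, key: (attrs.get(props[key]) or [None])[0]
    users, groups = {}, {}
    for dn, attrs in entries.items():
        if matches_filter(attrs, props["ldap.user.search.filter"]):
            if login := get(attrs, "ldap.user.mapping.login"):  # no login attribute: skip the entry
                users[login] = {"dn": dn, "name": get(attrs, "ldap.user.mapping.name")}
    dn_to_login = {u["dn"]: login for login, u in users.items()}
    for dn, attrs in entries.items():
        if matches_filter(attrs, props["ldap.group.search.filter"]):
            # member DNs that matched no imported user (carol) are dropped rather than guessed
            groups[get(attrs, "ldap.group.mapping.name")] = sorted(
                dn_to_login[m] for m in attrs.get(props["ldap.group.mapping.member"], []) if m in dn_to_login)
    return users, groups
```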

Configure LDAP properties

  1. Prepare the "ldap-config.properties" file, by setting the contained config parameters as described in the "Pre-Requisites" section. Ensure that the "ldap-config.properties" file is placed in the same folder as the "sync_directory.py" file.
  2. Edit the "sync_directory_with_ldap.sh" shell script to reflect the connection info, as shown below:

    vi sync_directory_with_ldap.sh

    Edit the session definition line, which looks like this in the sample script:

    session=`$incorta_cmd login http://localhost:8080/incorta demo a a`

    Replace the values in the sample following this template:

    session=`$incorta_cmd login http://<IP_ADDRESS>:<PORT_NO>/incorta <TENANT_NAME> <USERNAME> <PASSWORD>`

Notes

  • Use "localhost" as the value for "IP_ADDRESS" if you are calling the Incorta instance from the same server on which Incorta is installed. Otherwise, use the Incorta server name.
  • If you are using a load balancer, use the direct URL of the Incorta server, not the virtual IP address.

Sync LDAP users with Incorta Analytics

This section describes the steps needed to import users from LDAP into Incorta. This step is important because it enables users to log in to Incorta either with an Incorta username and password or with an existing LDAP account.

You may sync LDAP users with Incorta, using the Sync Directory tool, found in the "<INSTALLATION_FOLDER>/bin" directory.

Enable Full Sync

Enable Full Sync so that changes to user-group relations are reflected, in addition to newly created users and groups. Pass the value "true" as the last argument of the following command to enable the full sync:

$incorta_cmd sync_directory_with_ldap $session true

If you omit "true", the default value "false" is used.

Before running the Sync Directory tool

It is highly recommended that you back up the "sync_directory_with_ldap.sh" file, using the following command:

cp sync_directory_with_ldap.sh sync_directory_with_ldap.sh.bak

Run the Sync Directory tool

Now that the files are all updated with your system configuration parameters, you are ready to import all the users into Incorta Analytics using the Sync Directory tool. Go to the "<INSTALLATION_FOLDER>/bin" directory and run the following command:

./sync_directory_with_ldap.sh

You may optionally add the "Sync Directory" tool as a CRON job, in order to regularly update the Incorta instance with current directory information.

Use LDAP for authentication

As mentioned above, LDAP may be used for authentication in addition to synchronizing users with Incorta Analytics (as described previously). The authentication configuration is done per tenant, as part of that tenant's properties. Since one Incorta instance may host multiple tenants, you may enable LDAP for one tenant while using native authentication for another.

First, edit the "ldap.properties" file, found in the "<INSTALLATION_FOLDER>/tmt" directory, to set the configuration parameters as described in the "Pre-Requisites" section.

The "ldap.enabled" property determines whether LDAP authentication is enabled; its default value is "false" (not enabled). Set it to "true" to enable LDAP authentication for the tenant.

Update a tenant to use LDAP for authentication

Now that you have changed the tenant's LDAP properties, run the following command to update that tenant with the changes:

./tmt.sh -u <TENANT_NAME> file ldap.properties
