Incorta Analytics supports the Lightweight Directory Access Protocol (LDAP) for two purposes: importing users into Incorta in bulk, and authenticating them. Importing (syncing) users from LDAP creates them as Incorta users, so that they are known internally and can log in with an Incorta username and password. Optionally, LDAP can also be used for authentication, so that users log in to Incorta with their existing LDAP username and password.
Before starting the LDAP configuration, make sure you have the following information at hand:
|ldap.base.provider.url||The URL of the LDAP directory server that the back end connects to, in the form ldap://HOST_NAME:PORT_NUM.|
|ldap.base.dn||The base Distinguished Name (DN) under which users and groups are looked up on the LDAP server.|
|ldap.user.dn||The DN of the LDAP account (the LDAP admin or service user) that Incorta binds as when querying the directory.|
|ldap.user.dn.password||The password of that LDAP admin user.|
|ldap.use.encrypted.password||Optional. Set to true to store ldap.user.dn.password in encrypted form; generate the encrypted value with the encrypt_password.sh utility in IncortaNode/bin. When false, the password is stored in cleartext in the properties file. (default: false)|
|ldap.user.mapping.login||The LDAP attribute mapped to the login name of the Incorta Analytics user.|
|ldap.user.mapping.name||The LDAP attribute used as the display name of the Incorta Analytics user.|
|ldap.user.mapping.mail||The LDAP attribute that holds the user's email address.|
|ldap.group.mapping.name||The LDAP attribute that holds the group name.|
|ldap.group.mapping.member||The LDAP attribute that holds the DNs of a group's members.|
|ldap.user.search.filter||The LDAP search filter applied to queries that look up users.|
|ldap.group.search.filter||The LDAP search filter applied to queries that look up groups.|
|user.type||Optional. Sets the type of the imported users: internal (Incorta), sso, or ldap. (default: ldap)|
The sample below maps the Incorta login name to the LDAP mail attribute rather than to the uid. To log in by uid instead, set ldap.user.mapping.login to uid instead of mail:
# Provide ldap url
# Example: ldap://HOST_NAME:PORT_NUM
# Distinguished Name to connect with
# Distinguished Name and password of a user in the ldap to authenticate with
# The attributes that will map login name, mail and name of Incorta user
# The attributes that will map name and attached users of Incorta group
# a filter to search users with given example
# a filter to search groups with given example
#user.type is optional with default (ldap) and indicates the user type, possible values are: internal, sso, and ldap
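The parameters above are easy to get subtly wrong, and two of them decide whether the bind password is exposed: a plain ldap:// URL sends ldap.user.dn.password over the network in cleartext during the simple bind, and ldap.use.encrypted.password left at its default stores it in cleartext on disk. The following lint is an added example, not part of Incorta's documentation or product; it reads a ldap-config.properties file as plain KEY=value lines, checks that every parameter from the table is present, and flags those two weak settings. The two sample files it writes are constructed for the example; the host, DNs, attribute names and the assumption that the directory accepts ldaps:// on port 636 are mine, not from the page.

```shell
#!/bin/sh
# Added example (not Incorta's own tooling): lint a ldap-config.properties file.
# Assumes plain KEY=value lines and a directory server that accepts ldaps:// (TLS).

# Print the value of KEY ($2) from FILE ($1): first "KEY=value" line, exact key match.
prop() {
  awk -F= -v k="$2" '$1==k {print substr($0, length(k)+2); exit}' "$1"
}

# lint_ldap_config FILE: print findings; return 0 only when there are none.
lint_ldap_config() {
  f=$1; rc=0
  # Every parameter from the table above must be present and non-empty.
  for key in ldap.base.provider.url ldap.base.dn ldap.user.dn ldap.user.dn.password \
             ldap.user.mapping.login ldap.user.mapping.name ldap.user.mapping.mail \
             ldap.group.mapping.name ldap.group.mapping.member \
             ldap.user.search.filter ldap.group.search.filter; do
    [ -n "$(prop "$f" "$key")" ] || { echo "missing or empty: $key"; rc=1; }
  done
  # ldap:// means the simple bind (and so ldap.user.dn.password) crosses the wire in cleartext.
  url=$(prop "$f" ldap.base.provider.url)
  case $url in
    ldaps://*) ;;
    ldap://*) echo "plaintext LDAP URL ($url): the bind password in ldap.user.dn.password crosses the network unencrypted; use ldaps:// if the directory supports TLS"; rc=1 ;;
    *) echo "ldap.base.provider.url must start with ldap:// or ldaps://"; rc=1 ;;
  esac
  # Default (false) keeps the bind password in cleartext in this file.
  [ "$(prop "$f" ldap.use.encrypted.password)" = "true" ] \
    || { echo "ldap.use.encrypted.password is not true: the bind password is stored in cleartext in $f (generate a value with encrypt_password.sh)"; rc=1; }
  return $rc
}

# write_sample_config FILE weak|hardened: constructed samples used to exercise the lint.
# Host, DNs and attribute names are assumptions for this example.
write_sample_config() {
  case $2 in
    weak) cat > "$1" <<'EOF'
# constructed sample: plaintext URL, cleartext stored password, group filter missing
ldap.base.provider.url=ldap://ldap.example.com:389
ldap.base.dn=dc=example,dc=com
ldap.user.dn=cn=incorta-sync,ou=service,dc=example,dc=com
ldap.user.dn.password=Sup3rSecret
ldap.user.mapping.login=mail
ldap.user.mapping.name=cn
ldap.user.mapping.mail=mail
ldap.group.mapping.name=cn
ldap.group.mapping.member=member
ldap.user.search.filter=(objectClass=person)
EOF
    ;;
    hardened) cat > "$1" <<'EOF'
# constructed sample: TLS URL, encrypted stored password, all parameters set
ldap.base.provider.url=ldaps://ldap.example.com:636
ldap.base.dn=dc=example,dc=com
ldap.user.dn=cn=incorta-sync,ou=service,dc=example,dc=com
ldap.use.encrypted.password=true
ldap.user.dn.password=PASTE_OUTPUT_OF_encrypt_password.sh_HERE
ldap.user.mapping.login=mail
ldap.user.mapping.name=cn
ldap.user.mapping.mail=mail
ldap.group.mapping.name=cn
ldap.group.mapping.member=member
ldap.user.search.filter=(objectClass=person)
ldap.group.search.filter=(objectClass=groupOfNames)
EOF
    ;;
  esac
}

# Usage: sh ldap_lint.sh ldap-config.properties
if [ "$#" -gt 0 ]; then
  lint_ldap_config "$1"
fi
```

Run it against the real file before the first sync; a non-zero exit means at least one finding was printed. The weak sample produces three findings (plaintext URL, cleartext stored password, missing group filter) and the hardened sample produces none.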
Configure LDAP properties
- Prepare the "ldap-config.properties" file by setting its configuration parameters as described in the "Pre-Requisites" section. Ensure that the "ldap-config.properties" file is placed in the same folder as the
- Edit the "sync_directory_with_ldap.sh" shell script to reflect the connection info as shown below:
Edit the session definition line as shown in the following sample:
session=`$incorta_cmd login http://localhost:8080/incorta demo a a`
Replace the values in the sample following the template:
session=`$incorta_cmd login http://<IP_ADDRESS>:<PORT_NO>/incorta <TENANT_NAME> <USERNAME> <PASSWORD>`
- Use "localhost" as the IP_ADDRESS if you run the script on the same machine where Incorta is installed; otherwise use the Incorta server's hostname.
- If you are using a load balancer, use the direct URL of an Incorta server, not the load balancer's virtual IP address.
- The script now contains an Incorta username and password in cleartext. Restrict its file permissions so that only the account that runs the sync can read it, and keep it out of version control.
Sync LDAP users with Incorta Analytics
This section describes the steps needed to import users from LDAP into Incorta. The import is what makes the users known to Incorta, so that they can then log in either with an Incorta username and password or with their existing LDAP account.
You can sync LDAP users with Incorta using the Sync Directory tool, found in the
Enable Full Sync
Enable full sync to also reflect changes in user-group memberships, in addition to importing newly created users and groups. Pass the value "true" as the last argument to enable it:
$incorta_cmd sync_directory_with_ldap $session true
If you omit the argument, the default value "false" is used: new users and groups are imported, but changed group memberships are not reflected.
Before running the Sync Directory tool
It is highly recommended that you back up the "sync_directory_with_ldap.sh" file first, using the following command:
cp sync_directory_with_ldap.sh sync_directory_with_ldap.sh.bak
Run the Sync Directory tool
Now that the files reflect your system's configuration, you are ready to import all users into Incorta Analytics with the Sync Directory tool. Go to the "<INSTALLATION_FOLDER>/bin" directory and run the following command:
You may optionally schedule the Sync Directory tool as a cron job so that Incorta is regularly updated with current directory information. Bear in mind that the script then runs unattended with the Incorta credentials it contains.
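The procedure above leaves the Incorta login embedded in sync_directory_with_ldap.sh, which is then typically run from cron. The following wrapper is an added example, not Incorta's own script: it reads the Incorta user and password from a separate credentials file that must be readable only by its owner, refuses to run otherwise, performs the login and the full sync using the same two CLI invocations the page shows, and never prints the password. Assumptions not from the page: the credentials file has "user=" and "password=" lines, and $incorta_cmd is set (as in the original script) to the Incorta CLI; it is left unquoted in case it holds a command with arguments.

```shell
#!/bin/sh
# Added example (not Incorta's sync_directory_with_ldap.sh): run the Sync Directory
# tool with credentials kept out of the script body.
# Assumed: $incorta_cmd is the Incorta CLI and accepts "login URL TENANT USER PASS"
# and "sync_directory_with_ldap SESSION true|false" as shown on the page;
# the credentials file holds "user=..." and "password=..." lines.

# Return 0 only if FILE exists and has no group/other permission bits
# (the mode column of "ls -l" then reads "-rw-------" or "-r--------").
cred_file_is_private() {
  [ -f "$1" ] || return 1
  mode=$(ls -ld "$1" | cut -c5-10)
  [ "$mode" = "------" ]
}

# Print the value of KEY ($2) from FILE ($1): first "KEY=value" line, exact key match.
cred_value() {
  awk -F= -v k="$2" '$1==k {print substr($0, length(k)+2); exit}' "$1"
}

# run_sync CREDFILE URL TENANT [FULL]
# Logs in, then runs the sync (full sync unless FULL is "false").
# Returns 2 on a refused run, 1 on a failed login, else the sync tool's status.
run_sync() {
  credfile=$1; url=$2; tenant=$3; full=${4:-true}
  : "${incorta_cmd:?set incorta_cmd to the Incorta CLI, as sync_directory_with_ldap.sh does}"
  if ! cred_file_is_private "$credfile"; then
    echo "refusing to run: $credfile must be readable only by its owner (chmod 600)" >&2
    return 2
  fi
  user=$(cred_value "$credfile" user)
  pass=$(cred_value "$credfile" password)
  if [ -z "$user" ] || [ -z "$pass" ]; then
    echo "refusing to run: $credfile needs user= and password= lines" >&2
    return 2
  fi
  # Same two calls as the original script; $incorta_cmd deliberately unquoted (assumption:
  # it may be a command with arguments). The password is passed but never echoed.
  session=$($incorta_cmd login "$url" "$tenant" "$user" "$pass") || {
    echo "login to $url (tenant $tenant) as $user failed" >&2
    return 1
  }
  $incorta_cmd sync_directory_with_ldap "$session" "$full"
}

# Usage (paths are placeholders): incorta_cmd=<CLI> sh sync_ldap.sh /etc/incorta/sync.cred http://<HOST>:<PORT>/incorta <TENANT>
if [ "$#" -ge 3 ]; then
  run_sync "$@"
fi
```

Create the credentials file with a 0600 mode and the cron entry then needs no password at all; the wrapper still uses the direct Incorta server URL, not a load balancer address, exactly as the page requires.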
Use LDAP for authentication
As mentioned above, LDAP can be used for authentication in addition to synchronizing users with Incorta Analytics (as described previously). Authentication is configured per tenant, as part of that tenant's properties. Since one Incorta instance may host multiple tenants, you can enable LDAP for one tenant while another keeps native authentication.
First, edit the "ldap.properties" file, found in the "<INSTALLATION_FOLDER>/tmt" directory, to set the configuration parameters as described in the
The "ldap.enabled" property determines whether LDAP authentication is enabled; its default value is "false" (disabled). Set it to "true" to enable LDAP authentication for the tenant.
Update a tenant to use LDAP for authentication
After changing a tenant's LDAP properties, run the following command to apply the changes to that tenant:
./tmt.sh -u <TENANT_NAME> file ldap.properties