Importing Users from LDAP and Leveraging LDAP Authentication
Integrate Key Manager Plus with the LDAP servers in your environment. Through the LDAP integration, you can import AD users from Microsoft Active Directory and OpenLDAP into Key Manager Plus Linux installations and the user database can be regularly updated through the sync operation provided in the UI. In addition, users can leverage the LDAP authentication for access, bypassing the local authentication provided by Key Manager Plus. Currently supported LDAP server types are Microsoft Active Directory and OpenLDAP. This LDAP integration works with both Windows and Linux installations of Key Manager Plus, however, it's more beneficial for users with Linux installations as it helps them import Microsoft AD users in their environment, in the absence of the Active Directory import option which works only in Windows installations of Key Manager Plus. This section explains the configurations involved in integrating LDAP server with Key Manager Plus.
Similar to importing users manually, from AD, and from RADIUS server, you can also import users from your LDAP directory. Follow the below steps:
Steps Required
There are three steps involved in importing users from an LDAP directory:
To begin, navigate to Settings >> User Management >> LDAP. The LDAP Servers page is displayed.
1. Importing Users from LDAP
Follow the below steps to enter the required credential details and import users from LDAP:
- Click the Add button in the LDAP Servers page.
- Connection Mode: You can configure the connection between LDAP Server and Key Manager Plus to be over an encrypted channel (SSL) or Non-SSL. If you choose, SSL mode, do the following. Otherwise, proceed with providing other attributes.
- To enable the SSL mode, the LDAP server should be serving over SSL in port 636 and you will have to import the LDAP server's root certificate, LDAP server's certificate and all other certificates that are present in the respective root certificate chain into the Key Manager Plus server machine's certificate store.
- To import certificates, open a command prompt and navigate to <KMP_SERVER_HOME>\bin directory and execute the following command:
For Windows:
importCert.bat <Absolute Path of certificate>
For Linux:
importCert.sh <Absolute Path of certificate>
Restart Key Manager Plus server. Then, continue with the following steps.
- Provider URL - Enter the url of the LDAP provider in the format attribute://ldap server host:port (Example ldap://192.168.4.83 <:389/)
- Username and Password - Enter the credentials of any one of the user already present in LDAP for authentication. It should be in the format of how users submit their username when logging into your application. For example, a typical entry would look something like: cn=Eric,cn=Users,o=kmp,c=com. And then, enter the password.
- BaseDN - This is the 'base' or 'root' from where directory lookups should take place. Enter the LDAP base (top level of the LDAP directory tree). Enter it exactly in the format used in your LDAP. No spaces are allowed between the commas or the '=' equal symbol and entries that are case sensitive.
- Search Filter - If you want to add only specific users from your LDAP directory, just perform a search using the appropriate search filter. For example, for adding only those users who belong to the category Managers, a typical search filter would be like: ou=Managers,ou=Groups,o=kmp,c=com.
- Group Name - Enter the group name. While importing users from LDAP, Key Manager Plus will automatically create a user group with all the imported users. If you enable synchronization, the user group will get synchronized based on the search filter created by you.
- Select your LDAP server type
- Microsoft Active Directory (or)
- OpenLDAP
- First Name and Last Name Attribute Label - Enter the distinguished name attribute - that is the LDAP attribute that uniquely defines this object. For instance, for LDAP making use of AD, the entry would be "distinguishedName" and for OpenLDAP, the entry would be "dn".
- Click Import & Save. Soon after hitting the Save button, Key Manager Plus will start adding all users from LDAP. During subsequent imports only the new users entries in LDAP are added to the local database. During import, every user will be notified through email about their account, along with a password that can be used to login to Key Manager Plus when LDAP authentication is disabled.
1.1 Configure Synchronization and Manage LDAP Server Details
Whenever new users get added to the LDAP, there is provision to automatically add them to Key Manager Plus and keep the user database in sync. In the LDAP Servers page, you can view the list of LDAP servers already integrated, integrate new LDAP servers, delete existing ones, edit entries and manage the entries pertaining to the LDAP servers. In the LDAP Servers page, there are three main icons:
- Edit - Click this icon to edit the server details of the selected LDAP server.
- Users - Click this icon to view all the users imported from this LDAP server.
- Import Users - Click this icon to sync Key Manager Plus with the LDAP server and keep the user database updated. Check the Delete users if deleted in LDAP option to remove deleted LDAP users from Key Manager Plus during the sync operation.
Below the LDAP server details, click Enable LDAP Authentication to make LDAP authentication as the default type for your users.
To schedule an LDAP sync, click the calendar icon () in the top right corner of the page:
- Click Enable and specify a recurrence type Daily/Weekly/Monthly.
- Enter a Start Time and specify a day, depending on your recurrence type. This will be the time interval at which Key Manager Plus has to query the LDAP server to keep the user database in sync. The time interval could be as low as a minute or it can be in the range of hours/days.
- Check the Delete users if deleted in LDAP option to remove deleted LDAP users from Key Manager Plus during the sync operation. Click Save to save the LDAP Sync schedule.
2. Specifying Appropriate User Roles
2.2 Assigning Roles
All the users imported from LDAP will be assigned the Operator role by default. To assign specific roles to specific users and/or to assign SSH user accounts of discovered resources, refer to the Modify Users help page.
To delete the users, refer to the delete section of this help document.
3. Enabling LDAP Authentication
Once LDAP users are added to Key Manager Plus, they can user their LDAP credentials to leverage access to Key Manager Plus. Choose the LDAP Authentication option at the login page, provide your LDAP credentials and click login.
Also, Key Manager Plus provides an option for the LDAP users to login independently using the local authentication option provided. With local authentication, users should specify user credentials provided to them by administrators. Users can choose between the two authentication modes at the time of login as shown below: