Configure LDAP

Continuous Delivery supports use of the Lightweight Directory Access Protocol (LDAP) for managing user authentication. After configuring LDAP, use group mapping to associate your existing LDAP groups with role-based access control (RBAC) groups in Continuous Delivery.

For organizational or failover protection purposes, you can add multiple LDAP configurations, each specifying a separate LDAP server, to your Continuous Delivery instance. Continuous Delivery uses the LDAP configurations you set up to search LDAP users in a specified order. Once a user is found, the search ends and that LDAP configuration is used to perform the login operation.

If your LDAP server has a search result limitation below 500, you'll need to configure LDAP server search result limits (see the section of that name below).

Create a new LDAP configuration

Add an LDAP configuration to Continuous Delivery by providing key information on the mapping of user and group attributes in your LDAP server implementation.

A super user or the root user must perform this task.

  1. Log into the root console by signing in as the root user or by selecting Root console from the workspaces menu at the top of the Continuous Delivery navigation bar.
  2. Click Settings and click the Single sign on tab if you are not already on it.
  3. Select LDAP and click Add LDAP configuration.
  4. In the New LDAP configuration window, enter the configuration information as per the instructions below.

    Name

    A friendly identifier for this LDAP configuration. You can't change this, so choose carefully.

    Endpoint URL

    The LDAP server's endpoint URL, including the LDAP scheme, hostname, and port. If these aren’t included, the default scheme is ldaps and the default port is 636.

    Bind DN

    The distinguished name of the LDAP account that Continuous Delivery binds as when performing LDAP operations. Usually, this is an admin account or a service account created specifically for Continuous Delivery. If you create a new account, make sure it has permission to search for users and groups.

    Bind DN password

    The password associated with the bind DN account.

    You must enter this password each time you update the LDAP configuration. You don't have to enter the password when you disable the LDAP configuration.

    User base DN

    The LDAP base DN that informs Continuous Delivery where users are located in the directory. Using a more specific DN results in better LDAP search performance.

    User attribute

    The LDAP user attribute that maps LDAP users to Continuous Delivery usernames. Usually, this is the mail attribute, but you can use any attribute as long as the LDAP database doesn't contain any duplicate values for that attribute.

    Optional: User base filter

    A filter that Continuous Delivery can use to restrict user search results. This is useful in edge cases where you want to include or exclude certain users.

    Group base DN

    The LDAP base DN that informs Continuous Delivery where groups are located in the directory. Using a more specific DN results in better LDAP search performance.

    If users and groups are stored in the same location, the Group base DN is the same as the User base DN.

    Group user attribute

    The user attribute that group entries use to identify users. Usually, this is dn.

    Group member attribute

    The group attribute that maps to a group member. Usually, this is either member or uniqueMember.

    Group name attribute

    The group attribute that identifies the group name. Usually, this is cn.

    Optional: Group base filter

    A filter that Continuous Delivery can use to restrict group search results. This is useful in edge cases where you want to include or exclude certain groups.

    User object class

    Specifies the value of the objectClass attribute that allows Continuous Delivery to query user entries. Usually, this is either user or person.

    Group object class

    Specifies the value of the objectClass attribute that allows Continuous Delivery to query group entries. Usually, this is either group or groupOfUniqueNames.

    Optional: Mail attribute

    The LDAP user attribute used to identify each member's email address. Defaults to mail if unset.

    Optional: User member attribute

    Specifies the user attribute that can be used to identify the membership of a group. If present, this is usually memberOf.

  5. Optional: Enter the trusted server's CA certificate. If the LDAP server uses a certificate signed by a trusted CA, you do not need to enter a CA certificate here.
  6. Select the Priority number for this LDAP configuration. If you have multiple LDAP configurations, this number indicates the order in which Continuous Delivery searches for users in your LDAP configurations during login and when synchronizing groups.
  7. Optional: Set the toggle to enable recursive LDAP queries for nested groups. This option is available only if your LDAP server's implementation supports the ExtensibleMatch search filter.
  8. Optional: Set the toggle to enable use of login filtering. When enabled, users who are not part of mapped LDAP groups are not allowed to log in to Continuous Delivery.
  9. Activate the Enable LDAP switch and click Run configuration test to check the connection between Continuous Delivery and the LDAP server.
    This configuration test checks the LDAP server connection; it does not test the other configuration options.
  10. Click Save configuration. Your new LDAP configuration is shown on the Single sign on settings page, where you can edit or delete the configuration.
    Once you enable an LDAP configuration, Continuous Delivery automatically disables all local Continuous Delivery accounts other than the root account, and it attempts to use LDAP authentication. If LDAP authentication fails, navigate to <YOUR CD4PE WEB UI ENDPOINT>/root/login, sign in as the root user, and adjust the LDAP settings.
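As an added illustration, not code from Continuous Delivery itself, the following Python shows how the configuration fields above combine into the user and group searches performed at login, including RFC 4515 escaping of the typed login value and the extensible-match rule used for nested groups. The filter shapes and the LDAP_MATCHING_RULE_IN_CHAIN OID are assumptions about a generic LDAP client, not a description of Continuous Delivery's internals.

```python
from dataclasses import dataclass
from typing import Optional

# Matching rule OID for LDAP_MATCHING_RULE_IN_CHAIN, the ExtensibleMatch rule
# Active Directory evaluates for the nested-group search the page mentions.
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).
    Without this, a login name such as 'x)(objectClass=*' would rewrite the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


@dataclass
class LdapConfig:
    """The configuration-window fields that shape the two searches (assumed mapping)."""
    user_base_dn: str
    user_attribute: str          # e.g. mail
    user_object_class: str       # e.g. person
    group_base_dn: str
    group_member_attribute: str  # e.g. member or uniqueMember
    group_object_class: str      # e.g. group or groupOfUniqueNames
    user_base_filter: Optional[str] = None
    group_base_filter: Optional[str] = None
    nested_groups: bool = False  # the "recursive LDAP queries" toggle


def user_search_filter(cfg: LdapConfig, login: str) -> str:
    """Filter searched under user_base_dn to find the entry for the typed login name."""
    parts = [f"(objectClass={cfg.user_object_class})",
             f"({cfg.user_attribute}={escape_filter_value(login)})"]
    if cfg.user_base_filter:
        parts.append(cfg.user_base_filter)
    return "(&" + "".join(parts) + ")"


def group_search_filter(cfg: LdapConfig, user_value: str) -> str:
    """Filter searched under group_base_dn for groups whose member attribute holds
    the user's group-user-attribute value (usually the DN). With nested groups on,
    the in-chain rule makes the server walk group-of-group membership."""
    attr = cfg.group_member_attribute
    if cfg.nested_groups:
        attr = f"{attr}:{IN_CHAIN_OID}:"
    parts = [f"(objectClass={cfg.group_object_class})",
             f"({attr}={escape_filter_value(user_value)})"]
    if cfg.group_base_filter:
        parts.append(cfg.group_base_filter)
    return "(&" + "".join(parts) + ")"
```

A narrow User base filter such as `(!(employeeType=contractor))` is simply appended inside the AND, which is why the page describes it as a way to exclude edge-case users.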

Create an LDAP group map

After adding an LDAP configuration to Continuous Delivery, use group maps to map your existing LDAP groups to Continuous Delivery RBAC groups. This makes it possible to mirror LDAP group membership in Continuous Delivery groups.

Before you begin:
You must add at least one LDAP configuration to your Continuous Delivery instance before you can create an LDAP group map.
  1. Log in to the root console by navigating to <YOUR CD4PE WEB UI ENDPOINT>/root/login and signing in as the root user.
  2. Click Settings and click the Single sign on tab if you are not already on it.
  3. Click LDAP > Manage groups > Add LDAP group mapping.
  4. From the LDAP configuration name list, select the LDAP configuration you want to create group mapping for.
  5. From the LDAP group name list, select the group to use to perform the mapping.
    You can search for groups by name (partial matches and case-insensitive matches allowed) or distinguished name (case-insensitive matches allowed).
  6. Select a Continuous Delivery account associated with the RBAC group you want to map to the selected LDAP group.
  7. From the list of available Continuous Delivery RBAC groups, select the RBAC group you want to map to the selected LDAP group.
  8. Click Add group mapping.
Results
After setting up a group map, Continuous Delivery synchronizes with your LDAP groups based on the mapping you created.

Configure LDAP server search result limits

By default, Continuous Delivery requests 500 search results at a time from a connected LDAP server. If your LDAP server's search result limitation is below 500, you can configure Continuous Delivery to match the LDAP server's search result threshold.

To change your LDAP server's search result limitation:

  1. In the data/common.yaml file, edit the ldap_group_search_size_limit:
     ldap_group_search_size_limit: <limit>