Configure LDAP
Continuous Delivery supports use of the Lightweight Directory Access Protocol (LDAP) for managing user authentication. After configuring LDAP, use group mapping to associate your existing LDAP groups with role-based access control (RBAC) groups in Continuous Delivery.
For organizational or failover protection purposes, you can add multiple LDAP configurations, each specifying a separate LDAP server, to your Continuous Delivery instance. Continuous Delivery uses the LDAP configurations you set up to search LDAP users in a specified order. Once a user is found, the search ends and that LDAP configuration is used to perform the login operation.
Create a new LDAP configuration
Add an LDAP configuration to Continuous Delivery by providing key information on the mapping of user and group attributes in your LDAP server implementation.
A super user or the root user must perform this task.
- Log into the root console by signing in as the root user or by selecting Root console from the workspaces menu at the top of the Continuous Delivery navigation bar.
- Click Settings and click the Single sign on tab if you are not already on it.
- Select LDAP and click Add LDAP configuration.
- In the New LDAP configuration window, enter the configuration information as per the instructions below.
Name
A friendly identifier for this LDAP configuration. You can't change this, so choose carefully.
Endpoint URL
The LDAP server's endpoint URL, including the LDAP scheme, hostname, and port. If these aren't included, the default scheme is ldaps and the default port is 636.
Bind DN
The distinguished name of the LDAP account that Continuous Delivery binds as when performing LDAP operations. Usually, this is an admin account or a service account created specifically for Continuous Delivery. If you create a new account, make sure it has permission to search for users and groups.
Bind DN password
The password associated with the bind DN account.
You must enter this password each time you update the LDAP configuration. You don't have to enter the password when you disable the LDAP configuration.
User base DN
The LDAP base DN that informs Continuous Delivery where users are located in the directory. Using a more specific DN results in better LDAP search performance.
User attribute
The LDAP user attribute that maps LDAP users to Continuous Delivery usernames. Usually, this is the mail attribute, but you can use any attribute as long as the LDAP database doesn't contain any duplicate values for that attribute.
Optional: User base filter
A filter that Continuous Delivery can use to restrict user search results. This is useful in edge cases where you want to include or exclude certain users.
Group base DN
The LDAP base DN that informs Continuous Delivery where groups are located in the directory. Using a more specific DN results in better LDAP search performance.
If users and groups are stored in the same location, the Group base DN is the same as the User base DN.
Group user attribute
The user attribute that group entries use to identify users. Usually, this is dn.
Group member attribute
The group attribute that maps to a group member. Usually, this is either member or uniqueMember.
Group name attribute
The group attribute that identifies the group name. Usually, this is cn.
Optional: Group base filter
A filter that Continuous Delivery can use to restrict group search results. This is useful in edge cases where you want to include or exclude certain groups.
User object class
Specifies the value of the objectClass attribute that allows Continuous Delivery to query user entries. Usually, this is either user or person.
Group object class
Specifies the value of the objectClass attribute that allows Continuous Delivery to query group entries. Usually, this is either group or groupOfUniqueNames.
Optional: Mail attribute
The LDAP user attribute used to identify each member's email address. Defaults to mail if unset.
Optional: User member attribute
Specifies the user attribute that can be used to identify the membership of a group. If present, this is usually memberOf.
- Optional: Enter the trusted server's CA certificate. If the LDAP server uses a certificate signed by a trusted CA, you do not need to enter a CA certificate here.
- Select the Priority number for this LDAP configuration. If you have multiple LDAP configurations, this number indicates the order in which Continuous Delivery searches for users in your LDAP configurations during login and when synchronizing groups.
- Optional: Set the toggle to enable recursive LDAP queries for nested groups. This option is available only if your LDAP server's implementation supports the ExtensibleMatch search filter.
- Optional: Set the toggle to enable use of login filtering. When enabled, users who are not part of mapped LDAP groups are not allowed to log in to Continuous Delivery.
- Activate the Enable LDAP switch and click Run configuration test to check the connection between Continuous Delivery and the LDAP server. This configuration test checks the LDAP server connection; it does not test the other configuration options.
- Click Save configuration. Your new LDAP configuration is shown on the Single sign on settings page, where you can edit or delete the configuration.
Once you enable an LDAP configuration, Continuous Delivery automatically disables all local Continuous Delivery accounts other than the root account, and it attempts to use LDAP authentication. If LDAP authentication fails, navigate to <YOUR CD4PE WEB UI ENDPOINT>/root/login, sign in as the root user, and adjust the LDAP settings.
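To see how the fields above fit together, here is an added Python illustration (not Continuous Delivery's own code) that applies the documented endpoint defaults (ldaps, 636) and builds the user and group search filters from the configured attributes. The sample configuration is constructed, and the in-chain matching rule used for the recursive (nested group) option is an assumption: the page only says the server must support the ExtensibleMatch filter, not which rule is used. The login value is escaped per RFC 4515 so that characters such as `*` and `)` in a login name cannot change the shape of the filter.

```python
"""Added illustration (not Continuous Delivery's own code) of how the LDAP
configuration fields combine: endpoint defaults, and the user and group search
filters built from the configured attributes, with RFC 4515 escaping of values."""
from typing import Dict, Tuple
from urllib.parse import urlsplit

DEFAULT_SCHEME = "ldaps"   # default scheme stated in the Endpoint URL field
DEFAULT_PORT = 636         # default port stated in the Endpoint URL field

# RFC 4515 escape table for values embedded in a search filter.  Escaping the
# login value keeps input such as "*)(mail=*" from being parsed as filter syntax.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# Assumed matching rule for the recursive (nested group) option; the page only says
# the server must support ExtensibleMatch, not which rule Continuous Delivery uses.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# Constructed sample configuration using the documented field names.
CONFIG = {
    "user_base_dn": "ou=people,dc=example,dc=com",
    "user_attribute": "mail",
    "user_object_class": "person",
    "user_base_filter": "",
    "group_base_dn": "ou=groups,dc=example,dc=com",
    "group_member_attribute": "uniqueMember",
    "group_object_class": "groupOfUniqueNames",
    "group_base_filter": "",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for safe embedding in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def normalize_endpoint(url: str) -> Tuple[str, str, int]:
    """Return (scheme, host, port), filling in ldaps / 636 when the URL omits them."""
    if "://" not in url:
        url = f"{DEFAULT_SCHEME}://{url}"
    parts = urlsplit(url)
    port = parts.port if parts.port is not None else DEFAULT_PORT
    return parts.scheme, parts.hostname or "", port


def user_search_filter(cfg: Dict[str, str], login: str) -> str:
    """Filter for the user entry whose configured user attribute equals the login value."""
    clauses = [
        f"(objectClass={escape_filter_value(cfg['user_object_class'])})",
        f"({cfg['user_attribute']}={escape_filter_value(login)})",
    ]
    if cfg.get("user_base_filter"):
        clauses.append(cfg["user_base_filter"])  # administrator-written filter, used as-is
    return "(&" + "".join(clauses) + ")"


def group_search_filter(cfg: Dict[str, str], user_dn: str, recursive: bool = False) -> str:
    """Filter for groups whose member attribute lists the user's DN.

    With recursive=True the (assumed) in-chain matching rule asks the server to
    follow nested membership, which is why ExtensibleMatch support is required."""
    attr = cfg["group_member_attribute"]
    if recursive:
        attr = f"{attr}:{LDAP_MATCHING_RULE_IN_CHAIN}:"
    clauses = [
        f"(objectClass={escape_filter_value(cfg['group_object_class'])})",
        f"({attr}={escape_filter_value(user_dn)})",
    ]
    if cfg.get("group_base_filter"):
        clauses.append(cfg["group_base_filter"])
    return "(&" + "".join(clauses) + ")"


if __name__ == "__main__":
    print(normalize_endpoint("ldap.example.com"))
    print(user_search_filter(CONFIG, "alice@example.com"))
    print(user_search_filter(CONFIG, "*)(mail=*"))  # escaped, so it stays a plain value
    print(group_search_filter(CONFIG, "uid=alice,ou=people,dc=example,dc=com", recursive=True))
```

The user base filter and group base filter are appended unchanged, since they are written by the administrator rather than taken from a login form; only the login value and the user DN are escaped.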
Create an LDAP group map
After adding an LDAP configuration to Continuous Delivery, use group maps to map your existing LDAP groups to Continuous Delivery RBAC groups. This makes it possible to mirror LDAP group membership in Continuous Delivery groups.
You must add at least one LDAP configuration to your Continuous Delivery instance before you can create an LDAP group map.
- Log in to the root console by navigating to <YOUR CD4PE WEB UI ENDPOINT>/root/login and signing in as the root user.
- Click Settings and click the Single sign on tab if you are not already on it.
- Click LDAP > Manage groups > Add LDAP group mapping.
- From the LDAP configuration name list, select the LDAP configuration you want to create group mapping for.
- From the LDAP group name list, select the group to use to perform the mapping. You can search for groups by name (partial matches and case-insensitive matches allowed) or distinguished name (case-insensitive matches allowed).
- Select a Continuous Delivery account associated with the RBAC group you want to map to the selected LDAP group.
- From the list of available Continuous Delivery RBAC groups, select the RBAC group you want to map to the selected LDAP group.
- Click Add group mapping.
After setting up a group map, Continuous Delivery synchronizes with your LDAP groups based on the mapping you created.
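The following added Python illustration (not Continuous Delivery's own code) models what a group map does with the pieces described above: priority-ordered user lookup across several LDAP configurations where the first match ends the search, the group picker's partial and case-insensitive matching, mirroring LDAP membership into RBAC groups, and the login-filtering toggle that denies users who belong to no mapped group. The two LDAP configurations and their contents are constructed in memory; a real deployment obtains them from LDAP searches.

```python
"""Added illustration (not Continuous Delivery's own code) of group mapping,
login filtering, and priority-ordered user lookup across LDAP configurations."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class GroupMapping:
    ldap_config: str     # Name of the LDAP configuration the group lives in
    ldap_group_dn: str   # Distinguished name of the LDAP group
    account: str         # Continuous Delivery account that owns the RBAC group
    rbac_group: str      # RBAC group the LDAP group is mirrored into


# Constructed in-memory stand-in for two LDAP servers.  Each configuration has a
# priority, a user lookup (user attribute value -> user DN) and its groups
# (group DN -> member DNs).
CONFIGS = {
    "corp-ldap": {
        "priority": 1,
        "users": {"alice@example.com": "uid=alice,ou=people,dc=example,dc=com",
                  "bob@example.com": "uid=bob,ou=people,dc=example,dc=com"},
        "groups": {
            "cn=cd-admins,ou=groups,dc=example,dc=com": {"uid=alice,ou=people,dc=example,dc=com"},
            "cn=developers,ou=groups,dc=example,dc=com": {"uid=alice,ou=people,dc=example,dc=com",
                                                         "uid=bob,ou=people,dc=example,dc=com"},
        },
    },
    "failover-ldap": {
        "priority": 2,
        "users": {"bob@example.com": "cn=bob,ou=staff,dc=backup,dc=example",
                  "carol@example.com": "cn=carol,ou=staff,dc=backup,dc=example"},
        "groups": {"cn=developers,ou=teams,dc=backup,dc=example": {"cn=carol,ou=staff,dc=backup,dc=example"}},
    },
}

# Constructed group maps; only groups in corp-ldap are mapped.
MAPPINGS = [
    GroupMapping("corp-ldap", "cn=cd-admins,ou=groups,dc=example,dc=com", "puppet-team", "Administrators"),
    GroupMapping("corp-ldap", "cn=developers,ou=groups,dc=example,dc=com", "puppet-team", "Developers"),
]


def find_user(login: str) -> Optional[Tuple[str, str]]:
    """Search configurations in priority order; the first hit ends the search."""
    for name, cfg in sorted(CONFIGS.items(), key=lambda kv: kv[1]["priority"]):
        if login in cfg["users"]:
            return name, cfg["users"][login]
    return None


def find_groups(config_name: str, query: str) -> List[str]:
    """Group picker search: partial, case-insensitive match on the cn, or
    case-insensitive match on the full distinguished name."""
    q = query.lower()
    hits = []
    for dn in CONFIGS[config_name]["groups"]:
        cn = dn.split(",", 1)[0].split("=", 1)[1].lower()
        if q in cn or q == dn.lower():
            hits.append(dn)
    return sorted(hits)


def ldap_groups_for(config_name: str, user_dn: str) -> Set[str]:
    """All LDAP groups in one configuration that list the user as a member."""
    return {dn for dn, members in CONFIGS[config_name]["groups"].items() if user_dn in members}


def rbac_groups_for(config_name: str, user_dn: str) -> Set[Tuple[str, str]]:
    """Mirror LDAP membership into (account, RBAC group) pairs through the mappings."""
    groups = ldap_groups_for(config_name, user_dn)
    return {(m.account, m.rbac_group) for m in MAPPINGS
            if m.ldap_config == config_name and m.ldap_group_dn in groups}


def login_allowed(login: str, login_filtering: bool) -> bool:
    """With login filtering on, only users in at least one mapped group may log in."""
    hit = find_user(login)
    if hit is None:
        return False
    if not login_filtering:
        return True
    config_name, user_dn = hit
    return bool(rbac_groups_for(config_name, user_dn))


if __name__ == "__main__":
    print(find_user("bob@example.com"))          # found in corp-ldap, failover never consulted
    print(find_groups("corp-ldap", "DEV"))
    print(rbac_groups_for("corp-ldap", "uid=alice,ou=people,dc=example,dc=com"))
    print(login_allowed("carol@example.com", True))   # no mapped group: denied
```

Note that bob exists in both directories but is always resolved through corp-ldap because of its lower priority number; carol, who is only in the unmapped failover directory, can log in only while login filtering is off.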
Configure LDAP server search result limits
By default, Continuous Delivery requests 500 search results at a time from a connected LDAP server. If your LDAP server's search result limitation is below 500, you can configure Continuous Delivery to match the LDAP server's search result threshold.
To change your LDAP server's search result limitation:
- In the data/common.yaml file, edit the ldap_group_search_size_limit key:
    ldap_group_search_size_limit: <limit>