LDAP Integration in Zmanda
LDAP Integration in Zmanda allows you to use your corporate user directories and their MFA capabilities to log in to Zmanda and simplify user management.
This user guide describes the steps to enable LDAP Integration in Zmanda, allowing you to register your existing domains, easily import existing users, and let those users log in using their existing credentials.
You can access the LDAP Domain tab by navigating to Settings in the left-hand navigation bar. Click the ‘Add LDAP Domain’ button at the top right to add an LDAP configuration; that configuration is used for adding LDAP users and for allowing the added LDAP users to log in with their LDAP credentials.
To enable or disable LDAP login, toggle the (blue) slider shown below. Note that this toggle enables or disables LDAP-based login globally.
Enable/Disable LDAP login
Click the ADD LDAP Domain button to add a new domain. This opens the Add LDAP Domain drawer shown below, which lists the required fields.
Add LDAP Domain drawer
- URI: The IP address or hostname of the LDAP server. If a hostname is provided, it must be mapped to its IP address in the ‘/etc/hosts’ file of the system on which the application is running. For using LDAP, a hostname is required in place of an IP address.
- Domain Name: This is the unique LDAP config identifier. Any unique string can be used.
- Base DN: The Base DN is the starting point the LDAP server uses when searching for users during authentication within your directory. Ex: ‘DC=domain-name,DC=com’.
- Master User DN: The Distinguished Name of the service user that is used to bind to the LDAP server for operations such as search. The DN used as the service user must have bind access.
- Master User Password: The password of the Master User DN above.
- Use SSL checkbox: If checked, the connection to the LDAP server uses SSL. When Use SSL is checked, a certificate needs to be uploaded to connect over LDAP. Supported certificate formats: .pem/.cer.
On clicking NEXT, the USER ATTRIBUTE MAPPING drawer opens as shown below; it contains the additional fields required for the LDAP configuration.
USER ATTRIBUTE MAPPING drawer
User Attribute Mapping Fields
- First Name: The attribute of the LDAP user object that is stored as the first name in our database. This is always givenName, so the value of givenName on the LDAP server for the user is saved as the First Name.
- Last Name: The attribute of the LDAP user object that is stored as the last name in our database. This is always sn, so the value of sn on the LDAP server for the user is saved as the Last Name.
- Email: The attribute of the LDAP user object that is stored as the email in our database. This is a dropdown offering mail or userprincipalname, whichever is available; the selected attribute is used as the email value in our application. Make sure the selected attribute exists for the LDAP objects: if the value does not exist, the user will not be listed.
- Username Identifier: A dropdown field listing the supported attributes: userprincipalname/uid/mail/samaccountname. The value of the selected attribute is used as the login username on the UI screen. Ex: if uid is selected here and an LDAP user has the uid value ‘dummy_user’, then ‘dummy_user’ must be entered as the username on the login screen. Email is supported as a username as well. The selected attribute is required for LDAP users and cannot be blank; users for whom it is blank will not be listed while adding users. Ex: if uid is selected as the ‘username identifier’ and an LDAP user has no uid value, that user will not be listed while adding users.
After saving the LDAP configuration, it can be enabled from the LDAP config main screen by clicking the enable icon under Action.
- The USER ATTRIBUTE MAPPING and Username Identifier fields cannot be changed once set.
- An LDAP Domain cannot be deleted while any users are linked to it. To delete an LDAP Domain, its LDAP users must first be deleted or converted to general users.
- To allow login for an LDAP user, the individual LDAP Domain must be enabled and the global Enable/Disable LDAP login toggle must also be enabled.
You can add LDAP users by selecting LDAP User in the Add User drawer. The drawer shows two options: adding a single user, or adding users by group. Under Users, a single user can be added; under Group, multiple users from the selected group can be selected and added in bulk.
Searched users are not displayed if either of the attributes selected for the LDAP domain under ‘USERNAME IDENTIFIER’ and ‘EMAIL’ has no value on the LDAP server. For example:
- An LDAP domain has ‘username identifier’ set to ‘uid’ and ‘email’ set to ‘mail’ in the dropdowns.
- For any user, if either the ‘uid’ or the ‘mail’ value is not set on LDAP, that user will not appear in the search and cannot be added.
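The following is an added example, not Zmanda's own code, that applies the USER ATTRIBUTE MAPPING rules and the "not listed if blank" rule above to a handful of constructed directory entries. It assumes entries arrive as dicts of attribute name to value list, which is how common LDAP client libraries return results; the product's internal representation is not documented here. Running it with the mapping uid/mail shows one importable user and three skipped ones with the attribute that is missing, which is the check to make against your own directory before wondering why a user does not appear in the Add User search.

```python
"""Added example (not Zmanda's own code): applies the USER ATTRIBUTE MAPPING
rules described above to LDAP user entries and reports which users would be
listed for import and which would be skipped, with the reason.

Assumption (not from the guide): each entry is a dict mapping attribute
name -> list of values, as common LDAP client libraries return results; the
product's internal representation is not documented here.
"""
from dataclasses import dataclass

# Dropdown choices the guide lists for the two configurable fields.
EMAIL_CHOICES = ("mail", "userprincipalname")
USERNAME_CHOICES = ("userprincipalname", "uid", "mail", "samaccountname")


@dataclass(frozen=True)
class AttributeMapping:
    email_attr: str
    username_attr: str
    # First/Last Name are fixed by the product to givenName and sn.
    first_name_attr: str = "givenName"
    last_name_attr: str = "sn"

    def __post_init__(self):
        if self.email_attr.lower() not in EMAIL_CHOICES:
            raise ValueError(f"Email must be one of {EMAIL_CHOICES}")
        if self.username_attr.lower() not in USERNAME_CHOICES:
            raise ValueError(f"Username Identifier must be one of {USERNAME_CHOICES}")


def first_value(entry, attr):
    """Return the first non-blank value of `attr`, or "" if absent or blank.
    LDAP attribute names are case-insensitive, so compare lower-cased."""
    for name, values in entry.items():
        if name.lower() != attr.lower():
            continue
        if not isinstance(values, (list, tuple)):
            values = [values]
        for v in values:
            if str(v).strip():
                return str(v).strip()
    return ""


def map_users(entries, mapping):
    """Split entries into (listed, skipped). A user is listed only when both
    the Username Identifier and the Email attribute carry a non-blank value,
    which is the rule the guide states for the Add User search."""
    listed, skipped = [], []
    for entry in entries:
        dn = first_value(entry, "dn") or "<no dn>"
        username = first_value(entry, mapping.username_attr)
        email = first_value(entry, mapping.email_attr)
        missing = [attr for attr, value in
                   ((mapping.username_attr, username), (mapping.email_attr, email))
                   if not value]
        if missing:
            skipped.append((dn, "missing or blank: " + ", ".join(missing)))
            continue
        listed.append({
            "dn": dn,
            "username": username,
            "email": email,
            "first_name": first_value(entry, mapping.first_name_attr),
            "last_name": first_value(entry, mapping.last_name_attr),
        })
    return listed, skipped


# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES = [
    {"dn": "uid=test_1,ou=people,dc=example,dc=com",
     "uid": ["test_1"], "mail": ["test1@example.com"],
     "givenName": ["Test"], "sn": ["One"]},
    {"dn": "uid=svc_backup,ou=people,dc=example,dc=com",          # no mail
     "uid": ["svc_backup"], "givenName": ["Backup"], "sn": ["Service"]},
    {"dn": "cn=Jane Doe,ou=people,dc=example,dc=com",             # no uid
     "mail": ["jane@example.com"], "givenName": ["Jane"], "sn": ["Doe"]},
    {"dn": "uid=blank,ou=people,dc=example,dc=com",               # blank uid
     "uid": ["   "], "mail": ["blank@example.com"],
     "givenName": ["Blank"], "sn": ["Uid"]},
]

if __name__ == "__main__":
    listed, skipped = map_users(SAMPLE_ENTRIES,
                                AttributeMapping(email_attr="mail", username_attr="uid"))
    for user in listed:
        print("listed :", user["username"], user["email"],
              user["first_name"], user["last_name"])
    for dn, reason in skipped:
        print("skipped:", dn, "->", reason)
```

Switching the mapping to email=mail, username=mail lists three of the four entries, since the blank uid no longer matters; that is the quickest way to see which Username Identifier your directory actually populates consistently before the field is locked in.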
1. Select the LDAP Domain from the ‘LDAP Server’ dropdown to add a user from. The dropdown list of users gets populated.
2. Select the user from the dropdown, select the Role for the user, and click the SAVE button.
Adding a single user
1. Select the LDAP Domain from the ‘LDAP Server’ dropdown to search groups. The dropdown list of LDAP groups gets populated.
2. Select a group to fetch the users of that group. The users in the group are displayed in the side drawer.
3. Select the relevant users to be added and click the SAVE button.
Adding multiple users
You can convert a user from general user to LDAP user and vice versa.
Converting a user from General to LDAP User
For a General User, the ‘User Type’ is displayed as “General”. To convert a user from general user to LDAP user, the steps are as follows:
1. Click EDIT USER. The Edit User drawer opens with the User Type toggle set to General User.
Edit User
2. Under User Type, move the toggle to LDAP User.
3. Select the registered LDAP domain from the dropdown on which the user is to be searched.
4. Search for the user on that domain by their email. Ex: For the above user, the search on the LDAP server is done via the email [email protected]. If a matching email is found for any user, the details are auto-filled.
5. Click Update.
Selecting the LDAP domain
Searching for the user
Converting user from LDAP User to General User
For an LDAP User, the ‘User Type’ is displayed as “LDAP/DOMAIN_NAME”. To convert a user from LDAP user to general user, the steps are as follows:
1. Click EDIT USER. This opens the drawer below, showing the User Type toggle set to LDAP User.
Edit User
2. Under User Type, move the toggle from LDAP User to General User.
3. Enter a new password for the general user to be used for login and click SAVE. A password is required for general users. The username can be changed while switching from LDAP to general user.
Entering User Name and password
To allow LDAP users to log in from an added LDAP Domain, the following conditions must be met:
1. The user must have been added via Add User/Group. Only LDAP users registered in the application as LDAP Domain users are allowed to log in with LDAP credentials.
2. The LDAP Domain linked to the user trying to log in must be enabled.
3. The global Enable/Disable LDAP login toggle must be enabled.
To disallow login for LDAP users:
- To disallow login for all LDAP users irrespective of LDAP Domain, disable the global Enable/Disable LDAP login toggle. This leaves only local authentication for general users.
- To disallow login for the users of a particular LDAP Domain, disable that individual LDAP domain. This blocks any LDAP users belonging to the disabled LDAP Domain from logging in, while login remains allowed for the other enabled LDAP Domains.
LDAP Users login username
The value of the attribute selected as the Username Identifier when the LDAP Domain was added must be used as the username by LDAP users at login.
Ex: The registered LDAP domain has its ‘Username Identifier’ set to uid, and user Test1 is added as an LDAP user with the uid value ‘test_1’ on the LDAP server. In this case, ‘test_1’ must be used as the username during login, along with the LDAP password.
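The decision the three login conditions and the username-identifier rule describe, as an added example that is not Zmanda's code. It assumes registered users, LDAP domains and the global toggle are plain Python objects (the product's real storage is not documented here), and it adds one precaution the guide does not mention: the submitted username is escaped per RFC 4515 before it is placed in the search filter used to find the user's DN, since a typed login name must never be spliced into a filter verbatim. The detail string is intended for the server-side log only; the client should receive a generic failure so the response does not reveal which precondition was missing.

```python
"""Added example (not Zmanda's own code): the login rules from this section
as a single decision function, plus the Username Identifier lookup that
follows a successful decision.

Assumptions (not from the guide): registered users, LDAP domains and the
global toggle are modelled as plain Python objects. The RFC 4515 filter
escaping is a precaution the guide does not describe, but any code that
embeds a typed username in an LDAP search filter needs it.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LdapDomain:
    name: str
    username_identifier: str   # uid / mail / userprincipalname / samaccountname
    enabled: bool


@dataclass(frozen=True)
class RegisteredUser:
    username: str              # value of the Username Identifier at import time
    user_type: str             # "General" or "LDAP"
    domain: Optional[str] = None


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515):
    backslash, '*', '(', ')', control and non-ASCII characters become
    backslash-hex escapes of their UTF-8 bytes."""
    out = []
    for ch in value:
        if ch in "\\*()" or ord(ch) < 0x20 or ord(ch) > 0x7E:
            out.extend(f"\\{b:02x}" for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def ldap_login_decision(username, users, domains, global_ldap_enabled):
    """Return (allowed, detail). `detail` is for the server-side log; the
    client should only be told that the login failed."""
    if not global_ldap_enabled:
        return False, "global LDAP login is disabled"
    user = next((u for u in users
                 if u.user_type == "LDAP" and u.username == username), None)
    if user is None:
        return False, "no registered LDAP user with that username identifier"
    domain = domains.get(user.domain)
    if domain is None:
        return False, f"domain {user.domain!r} is not registered"
    if not domain.enabled:
        return False, f"domain {user.domain!r} is disabled"
    # The identifier chosen at registration is the attribute searched for.
    search_filter = f"({domain.username_identifier}={escape_filter_value(username)})"
    return True, (f"search domain {domain.name!r} with {search_filter}, "
                  f"then bind as the matched DN with the submitted password")


# Constructed sample state (not real data).
DOMAINS = {
    "corp": LdapDomain("corp", "uid", enabled=True),
    "lab": LdapDomain("lab", "mail", enabled=False),
}
USERS = [
    RegisteredUser("test_1", "LDAP", "corp"),
    RegisteredUser("bob@lab.example", "LDAP", "lab"),
    RegisteredUser("admin", "General"),
]

if __name__ == "__main__":
    for name in ("test_1", "bob@lab.example", "admin", "nobody"):
        print(name, "->", ldap_login_decision(name, USERS, DOMAINS, True))
    print("test_1 with global toggle off ->",
          ldap_login_decision("test_1", USERS, DOMAINS, False))
```

The general user "admin" is refused on the LDAP path even though it exists, matching the guide's rule that only users registered as LDAP Domain users may log in with LDAP credentials; disabling the global toggle short-circuits every case before the user list is consulted.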
The Master User password of a registered LDAP Domain is saved as an encrypted value. To reset the keys on the basis of which encryption and decryption take place, the file below can be used:
This gives two options for resetting the keys, as explained below:
- NORMAL RESET – All keys are reset, and any registered LDAP domains using the old keys are made compatible with the new set of keys, so they remain usable.
- HARD RESET – Only the keys are changed; no changes are made to existing LDAP domains. This makes the already stored passwords unusable, and the password of every existing LDAP domain must be reset or updated from the UI.
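The difference between the two resets, shown on a small store of encrypted Master User passwords, as an added example that is not Zmanda's code. The cipher is an illustrative construction chosen only because it needs nothing outside the standard library (an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, using subkeys derived from the master key); it is an assumption for the demo, not the product's scheme, and not a recommendation for production use. What matters is the store: a normal reset decrypts each blob under the old key and re-encrypts it under the new one, while a hard reset only swaps the key and leaves blobs whose tag no longer verifies.

```python
"""Added example (not Zmanda's own code): contrasts the NORMAL and HARD key
reset described above on a small store of encrypted Master User passwords.
The cipher is an illustrative stand-in (assumed, not the product's scheme).
"""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key, label):
    # Separate encryption and MAC keys derived from one master key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key, plaintext):
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        # Wrong key or tampered data: this is what a HARD reset leaves behind.
        raise ValueError("authentication failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


class DomainPasswordStore:
    """Master User passwords keyed by LDAP domain name, encrypted at rest."""

    def __init__(self):
        self.key = os.urandom(32)
        self.blobs = {}

    def set_password(self, domain, password):
        self.blobs[domain] = encrypt(self.key, password.encode())

    def get_password(self, domain):
        return decrypt(self.key, self.blobs[domain]).decode()

    def normal_reset(self):
        """New key, and every stored password is re-encrypted under it, so
        registered domains stay usable."""
        new_key = os.urandom(32)
        self.blobs = {d: encrypt(new_key, decrypt(self.key, b))
                      for d, b in self.blobs.items()}
        self.key = new_key

    def hard_reset(self):
        """Only the key changes; existing blobs can no longer be decrypted
        and each domain's password must be entered again from the UI."""
        self.key = os.urandom(32)

    def domains_needing_password_update(self):
        """Domains whose stored password no longer decrypts under the current key."""
        broken = []
        for d, b in self.blobs.items():
            try:
                decrypt(self.key, b)
            except ValueError:
                broken.append(d)
        return broken


if __name__ == "__main__":
    store = DomainPasswordStore()
    store.set_password("corp", "constructed-master-password")
    store.normal_reset()
    print("after normal reset:", store.get_password("corp"))
    store.hard_reset()
    print("after hard reset, needs update:", store.domains_needing_password_update())
```

After a hard reset, `domains_needing_password_update()` is the list an operator would work through in the UI; after a normal reset it is empty, because the re-encryption step already carried every domain over to the new key.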