LDAPS
The LDAPS ID Provider
The CDM Server provides an embedded LDAPS ID Provider which enables LDAPS connections to, for example, a company's LDAP server. The connection(s) to the LDAP server are established through a connection pool, which requires an LDAP user account to connect.
This LDAP connection account is used for every query from the CDM Server to the configured LDAP server, independent of the rights of the authenticated user. This means all queries are executed on the LDAP server with the LDAP permissions of the configured connection pool user.
The CDM Server only needs permission to read the users and groups in the sub-nodes under one parent node that are relevant for use in CDM Server workflows.
LDAP Authentication of users via CDM-Server
The CDM Server's embedded LDAPS ID Provider can be used to authenticate users' LDAP credentials against the company's LDAP server. LDAP group information can also be mapped to CDM Server roles. After this configuration in the CDM Server setup, CDM users are automatically linked to the roles matching the configured group-to-role mapping for the user's groups.
Here is a sample .env.idp file with the ldaps IdP configured:
## HELP
# https://get.apis.de/docs/idproviders/ldaps/
## User Management
# Available options: local, azure, ldaps
ID_PROVIDER=ldaps
### User Management -> LDAP
# Only required if ID_PROVIDER=ldaps
# LDAPS server host
AUTH_HOST=
## LDAPS server port
# Change it if you are using a different port
AUTH_PORT=636
## The DN of the user to use to query the LDAP server. This user must have read access to the LDAP server.
# Example
AUTH_USER=
## Password for that user
AUTH_PASSWORD=
## User Management -> LDAP -> Internal References
# The full DN of the user in LDAP who is considered admin (This account is needed for server setup)
LDAP_ADMIN_DN=
## The base DN for the LDAP group tree
# Example: "ou=groups,o=apis,dc=apis,dc=de"
LDAP_GROUP_TREE_DN=
## The template for the login name. This is used to construct the full DN of the user to authenticate.
# Must contain {loginName} as a placeholder for the login name.
# Example: "uid={loginName},ou=users,ou=unix,o=apis,c=de,dc=apis,dc=de"
LDAP_LOGIN_TEMPLATE=
## USE CUSTOM HTTPS CERTIFICATE FOR LDAPS (PUBLIC-KEY)
# We always use HTTPS for LDAP.
# If you have a self-signed certificate for your LDAP instance, set this to true.
# You need to place the custom certificate (public key) in the same directory as your `docker-compose.yml` file (where you have downloaded CDM-Server).
# The certificate file name must be `cdm-ldaps.pfx`
# For a false value, we will attempt to validate the LDAP-Server certificate and it will fail for self-signed/expired certificates.
# Default is false
LDAP_CUSTOM_CERT=false
Initial CDM Server configuration workflow
On the first CDM Server start, an ID Provider specific configuration for the admin user has to be set up in the environment of the Docker container. Therefore the parameters LDAP_ADMIN_DN and LDAP_LOGIN_TEMPLATE have to be set to a valid LDAP DN (Distinguished Name) and a matching login template. The LDAP_GROUP_TREE_DN parameter is needed, too.
| Environment Parameter | Value |
|---|---|
| LDAP_ADMIN_DN | uid=admin,ou=users,o=companyname,dc=domainname,dc=country |
| LDAP_LOGIN_TEMPLATE | uid={loginName},ou=users,o=companyname,dc=domainname,dc=country |
| LDAP_GROUP_TREE_DN | ou=groups,o=companyname,dc=domainname,dc=country |
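The following is an added illustration of the login-template mechanism described above, not CDM Server's own code: it shows how a login name is substituted into LDAP_LOGIN_TEMPLATE to form the bind DN, and how a lookup under LDAP_GROUP_TREE_DN would be built. The template and group tree values are the sample values from the table; the `{loginName}` check, the RFC 4514/4515 escaping, the `groupOfNames`/`member` schema and the role mapping are assumptions of this example.

```python
from typing import Dict, List

# Sample values taken from the configuration table above (not a real deployment).
LDAP_LOGIN_TEMPLATE = "uid={loginName},ou=users,o=companyname,dc=domainname,dc=country"
LDAP_GROUP_TREE_DN = "ou=groups,o=companyname,dc=domainname,dc=country"

# Characters that must be escaped inside a DN attribute value (RFC 4514, section 2.4).
_DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape a login name so it stays a single attribute value inside the DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def build_bind_dn(template: str, login_name: str) -> str:
    """Construct the user's full DN from LDAP_LOGIN_TEMPLATE, as the page describes."""
    if "{loginName}" not in template:
        raise ValueError("LDAP_LOGIN_TEMPLATE must contain {loginName}")
    if not login_name or len(login_name) > 256:
        raise ValueError("invalid login name")
    return template.replace("{loginName}", escape_dn_value(login_name))


def build_group_filter(user_dn: str) -> str:
    """Filter to run (as the pool user) under LDAP_GROUP_TREE_DN for the user's groups.
    Assumes groupOfNames objects whose member attribute holds full user DNs."""
    return f"(&(objectClass=groupOfNames)(member={escape_filter_value(user_dn)}))"


def map_groups_to_roles(group_dns: List[str], mapping: Dict[str, str]) -> List[str]:
    """Translate the returned group DNs into CDM roles via an assumed group->role table."""
    return sorted({mapping[g] for g in group_dns if g in mapping})
```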