LDAPS
Setup Instructions for connecting CDM Server to LDAP
Purpose
This guide provides information and instructions for configuring CDM Server to log users in using an LDAP directory as the Identity Provider.
The LDAPS ID Provider
The CDM Server provides an embedded LDAPS ID-Provider which enables LDAPS connections to, for example, a company's LDAP server. The connection(s) to the LDAP server are established through a connection pool, which needs a dedicated LDAP user account to connect.
This LDAP connection account is used for every query from CDM-Server to the configured LDAP server, independent of the rights of the authenticated user. This means all queries are executed on the LDAP server with the LDAP permissions of the configured connection pool user.
CDM Server only needs permission to read the users and groups in the sub-nodes under one parent node that are relevant to CDM Server workflows; the connection pool account should not be granted more than that.
Prerequisites
The CDM Server supports authentication of users against an LDAP service. An existing or new Login Group and an Admin User are needed to configure the CDM-Server.
LDAP Authentication of users via CDM-Server
The CDM-Server embedded LDAPS ID-Provider can be used to authenticate a user's LDAP credentials against the company's LDAP server. LDAP group information can also be mapped to CDM Server roles. After this configuration in the CDM-Server setup, CDM users are automatically linked to the roles matching the group-to-role configuration for their groups.
Tip
CDM Server users from external systems who should be able to access CDM-Server must be members of the same group. This group must be configured by the Admin user as the Login Group at the first CDM-Server start. In the image above, a CDM-Users group is defined which contains the users that are allowed to use the CDM Server. All of them can log in after the configuration is finalized.
Here is a sample .env.idp file with the ldaps IdP configured:
## HELP
# https://get.apis.de/docs/idproviders/ldaps/
## User Management
# Available options: local, azure, ldaps
ID_PROVIDER=ldaps
### User Management -> LDAP
# Only required if ID_PROVIDER=ldaps
# LDAPS server host
AUTH_HOST=
## LDAPS server port
# Change it if you are using a different port
AUTH_PORT=636
## The DN of the user to use to query the LDAP server. This user must have read access to the LDAP server.
# Example: uid=admin,ou=users,o=companyname,dc=domainname,dc=country
AUTH_USER=
## Password for that user
AUTH_PASSWORD=
## User Management -> LDAP -> Internal References
# The full DN of the user in LDAP who is considered admin (This account is needed for server setup)
# Example: uid=admin,ou=users,o=companyname,dc=domainname,dc=country
LDAP_ADMIN_DN=
## The base DN for the LDAP group tree
# Example: ou=groups,o=companyname,dc=domainname,dc=country
LDAP_GROUP_TREE_DN=
## The template for the login name. This is used to construct the full DN of the user to authenticate.
# Must contain {loginName} as a placeholder for the login name.
# Example: uid={loginName},ou=users,o=companyname,dc=domainname,dc=country
LDAP_LOGIN_TEMPLATE=
## USE CUSTOM TLS CERTIFICATE FOR LDAPS (PUBLIC-KEY)
# LDAP connections always use TLS (LDAPS).
# If you have a self-signed certificate for your LDAP instance, set this to true.
# You need to place the custom certificate (public key) in the same directory as your `docker-compose.yml` file (where you have downloaded CDM-Server).
# The certificate file name must be `cdm-ldaps.pfx`
# When false, the LDAP server certificate is validated and the connection fails for self-signed/expired certificates.
# Default is false
LDAP_CUSTOM_CERT=false
Initial CDM Server configuration workflow
Before the first CDM-Server start, an ID Provider specific configuration for the Admin User has to be set up in the environment of the docker container. The parameters LDAP_ADMIN_DN and LDAP_LOGIN_TEMPLATE have to be set to a valid LDAP DN (Distinguished Name) and a matching login template; the admin DN must be the DN the template produces for the admin's login name. The LDAP_GROUP_TREE_DN parameter is needed, too.
The following table shows an example configuration.
| Environment Parameter | Value |
|---|---|
| LDAP_ADMIN_DN | uid=admin,ou=users,o=companyname,dc=domainname,dc=country |
| LDAP_LOGIN_TEMPLATE | uid={loginName},ou=users,o=companyname,dc=domainname,dc=country |
| LDAP_GROUP_TREE_DN | ou=groups,o=companyname,dc=domainname,dc=country |
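The sample .env.idp file above and the initial configuration table both hinge on two things a practitioner will want to check before the first start: that every setting required for ID_PROVIDER=ldaps is present and consistent (in particular that LDAP_ADMIN_DN is what LDAP_LOGIN_TEMPLATE produces for the admin login), and that the login name substituted into {loginName} is escaped as a DN attribute value so that characters such as `,` or `=` in a submitted login cannot change the structure of the bind DN. The following Python script is an added example written for this page, not CDM Server code; the .env.idp content embedded in it is constructed sample data with placeholder host and account values, and the parsing and RFC 4514 escaping rules are this example's own, not a description of how the CDM Server parses the file.

```python
"""Added example (not CDM Server code): load an .env.idp file, validate the
LDAPS ID-Provider settings, and build user DNs from LDAP_LOGIN_TEMPLATE with
RFC 4514 escaping so a login name cannot alter the DN structure."""

# Constructed sample .env.idp content; host, accounts and password are placeholders.
SAMPLE_ENV = """\
## HELP
ID_PROVIDER=ldaps
AUTH_HOST=ldap.example.internal
AUTH_PORT=636
AUTH_USER=uid=cdm-svc,ou=users,o=companyname,dc=domainname,dc=country
AUTH_PASSWORD=placeholder-password
LDAP_ADMIN_DN=uid=admin,ou=users,o=companyname,dc=domainname,dc=country
LDAP_GROUP_TREE_DN=ou=groups,o=companyname,dc=domainname,dc=country
LDAP_LOGIN_TEMPLATE=uid={loginName},ou=users,o=companyname,dc=domainname,dc=country
LDAP_CUSTOM_CERT=false
"""

# Settings the sample file marks as required once ID_PROVIDER=ldaps is chosen.
REQUIRED_FOR_LDAPS = ("AUTH_HOST", "AUTH_USER", "AUTH_PASSWORD", "LDAP_ADMIN_DN",
                      "LDAP_GROUP_TREE_DN", "LDAP_LOGIN_TEMPLATE")

# Characters that must be backslash-escaped inside a DN attribute value (RFC 4514, 2.4).
_DN_SPECIAL = '\\,+"<>;='


def parse_env(text):
    """Parse KEY=VALUE lines; '#' lines and blank lines are ignored. The value is
    everything after the first '=' so DNs containing '=' survive intact."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            env[key.strip()] = value.strip()
    return env


def template_matches(template, dn):
    """True if dn could have been produced by substituting a non-empty,
    comma-free value for {loginName} in template."""
    if "{loginName}" not in template:
        return False
    prefix, _, suffix = template.partition("{loginName}")
    if not (dn.startswith(prefix) and dn.endswith(suffix)):
        return False
    middle = dn[len(prefix):len(dn) - len(suffix)]
    return bool(middle) and "," not in middle


def validate_idp_env(env):
    """Return a list of configuration problems (an empty list means OK)."""
    if env.get("ID_PROVIDER") != "ldaps":
        return [f"ID_PROVIDER is {env.get('ID_PROVIDER')!r}, not 'ldaps'"]
    problems = [f"{key} is required when ID_PROVIDER=ldaps"
                for key in REQUIRED_FOR_LDAPS if not env.get(key)]
    port = env.get("AUTH_PORT", "636")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append(f"AUTH_PORT {port!r} is not a valid TCP port")
    template = env.get("LDAP_LOGIN_TEMPLATE", "")
    if template and "{loginName}" not in template:
        problems.append("LDAP_LOGIN_TEMPLATE must contain {loginName}")
    if env.get("LDAP_CUSTOM_CERT", "false") not in ("true", "false"):
        problems.append("LDAP_CUSTOM_CERT must be 'true' or 'false'")
    # The admin DN must be reachable through the template, otherwise the
    # first-start setup login cannot succeed.
    admin_dn = env.get("LDAP_ADMIN_DN", "")
    if template and admin_dn and not template_matches(template, admin_dn):
        problems.append("LDAP_ADMIN_DN does not match LDAP_LOGIN_TEMPLATE")
    return problems


def escape_dn_value(value):
    """Escape one attribute value for use inside a DN (RFC 4514 section 2.4):
    special characters and NUL get a backslash, as do a leading '#' or space
    and a trailing space."""
    out = []
    for ch in value:
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    escaped = "".join(out)
    if value.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    # A single-space value is already covered by the trailing-space rule.
    if value.startswith("#") or (value.startswith(" ") and len(value) > 1):
        escaped = "\\" + escaped
    return escaped


def build_user_dn(template, login_name):
    """Substitute an escaped login name into LDAP_LOGIN_TEMPLATE."""
    if "{loginName}" not in template:
        raise ValueError("LDAP_LOGIN_TEMPLATE lacks {loginName}")
    if not login_name:
        raise ValueError("empty login name")
    return template.replace("{loginName}", escape_dn_value(login_name))


if __name__ == "__main__":
    cfg = parse_env(SAMPLE_ENV)
    print("problems:", validate_idp_env(cfg) or "none")
    print(build_user_dn(cfg["LDAP_LOGIN_TEMPLATE"], "jdoe"))
    print(build_user_dn(cfg["LDAP_LOGIN_TEMPLATE"], "jdoe,ou=admins"))
```

Run it against a real .env.idp by replacing SAMPLE_ENV with the file's contents. The second build_user_dn call shows the point of the escaping: a login of `jdoe,ou=admins` becomes the single RDN value `uid=jdoe\,ou\=admins` rather than two RDNs, so the bind DN stays under the `ou=users` subtree the template defines.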