SSO/LDAP Integration

A Contour node can either keep its own user database or connect over the LDAP protocol to an external user directory such as Active Directory. This guide describes how to configure the LDAP connection.

Basics

To enable connecting to an LDAP directory, open the application.properties file and set the following properties:

# Select one of the two options: OPENLDAP or ACTIVE_DIRECTORY
contour.auth.mode=OPENLDAP
# The URL of the directory host. Use ldaps:// when connecting over TLS. The URL must also end with the root entry DN
contour.auth.ldap.host=ldap://directoryserver.com:389/dc=root
# Account Contour binds with when it searches the directory
contour.auth.ldap.principal=
contour.auth.ldap.password=

Contour uses the directory server to authenticate users and to query which groups a user belongs to. Based on those LDAP groups, the user is assigned Contour roles, which define the actions the user may take. Contour roles are stored in the Contour database and can be edited through the UI or the API. Each role has an LDAP-Group attribute that holds the LDAP group name (not the group's full DN).

For LDAP standards mode

If you are not connecting to Microsoft Active Directory but to an LDAP-compliant server, set these options:

# required; how to map a username to a full DN (excluding the root DN given in the URL). Multiple patterns can be given, separated by |.
# The username replaces the {0} placeholder
contour.auth.ldap.userDNPatterns=cn={0},ou=users|uid={0}
# Which attribute of the group entry is used as the group name when matching against the LDAP-Group attribute of a role
contour.auth.ldap.groupNameAttr=cn
# LDAP filter expression used to find the groups a given user belongs to.
# {0} is replaced by the user's DN, {1} by the username
contour.auth.ldap.groupSearchFilter=(member={0})
# required; where to search for groups (excluding the root DN). Note that the search is not recursive: only one level below this base is searched
contour.auth.ldap.groupSearchBase=ou=groups
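The following is an added example, not Contour's own code, showing how the standards-mode settings above fit together: the `{0}`/`{1}` placeholders are expanded, the root DN from the host URL is appended, and returned group entries are matched to roles by their LDAP-Group name. It assumes group entries are plain attribute dicts and that the name comparison is case-insensitive; the username is escaped per RFC 4514 (inside a DN) and RFC 4515 (inside a filter), which any client doing this substitution must do before the value reaches the directory.

```python
from urllib.parse import urlparse

# Constructed sample of the LDAP-standards-mode properties shown on this page.
PROPS = {
    "contour.auth.ldap.host": "ldap://directoryserver.com:389/dc=root",
    "contour.auth.ldap.userDNPatterns": "cn={0},ou=users|uid={0}",
    "contour.auth.ldap.groupNameAttr": "cn",
    "contour.auth.ldap.groupSearchFilter": "(member={0})",
    "contour.auth.ldap.groupSearchBase": "ou=groups",
}

def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value placed inside a DN."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    if out[:1] in ("#", " "):
        out = "\\" + out
    return out

def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def candidate_user_dns(props, username):
    """Expand userDNPatterns ({0} = username, '|' separates patterns) and append
    the root DN that the host URL carries at its end."""
    root_dn = urlparse(props["contour.auth.ldap.host"]).path.lstrip("/")
    safe = escape_dn_value(username)
    return [p.replace("{0}", safe) + "," + root_dn
            for p in props["contour.auth.ldap.userDNPatterns"].split("|")]

def group_search_filter(props, user_dn, username):
    """Expand groupSearchFilter ({0} = user's DN, {1} = username); the search
    itself would then run one level below groupSearchBase + root DN."""
    f = props["contour.auth.ldap.groupSearchFilter"]
    return (f.replace("{0}", escape_filter_value(user_dn))
             .replace("{1}", escape_filter_value(username)))

def roles_for_groups(props, group_entries, roles):
    """Map the group entries a search returned to Contour roles: the group's
    groupNameAttr value must equal the role's LDAP-Group (name, not full DN).
    Assumption: the comparison is case-insensitive, as an LDAP cn usually is."""
    attr = props["contour.auth.ldap.groupNameAttr"]
    names = {e[attr].lower() for e in group_entries if attr in e}
    return sorted(r["name"] for r in roles if r["LDAP-Group"].lower() in names)
```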

For Active Directory mode

# required
voltron.auth.ldap.domain=bigbank.com
# optional; the root entry under which all searches are performed
voltron.auth.ldap.rootDn=
# optional; the search expression used to find the user. {1} is replaced with the username
voltron.auth.ldap.searchFilter=