LDAP Integration
A Contour node can either keep its own user database or connect, using the LDAP protocol, to an external user directory such as Active Directory. This guide describes how to configure that connection.
Basics
To enable connecting to an LDAP directory, open the application.properties file and set the following properties:
# Select one of the options
contour.auth.mode=OPENLDAP <or> ACTIVE_DIRECTORY
# The URL for the host. Use ldaps if connecting with TLS. Note that the URL should also contain the root entry DN (the partition suffix) at the end
contour.auth.ldap.host=ldap://directoryserver.com:389/dc=root
contour.auth.ldap.principal=
contour.auth.ldap.password=
Contour will use the directory server to authenticate users and to query which groups a user belongs to. Based on those LDAP groups, users are assigned Contour roles, which specify which actions the user can take. Contour roles are stored in the Contour database and can be edited using the UI or API. Each role has an LDAP-Group attribute that holds the LDAP group name (not the full DN).
For LDAP standards mode
When switching from the built-in user database to LDAP, the users are migrated to LDAP. The roles are kept, but the LDAP-Group attribute has to be set manually. Roles are then assigned to users based on the LDAP groups they belong to.
Config role and LDAP-Group mapping
Log in to the Node Admin or Company Admin interface, open LDAP Mapping for Contour Roles, and set the "Map to LDAP group" attribute of each role to the matching LDAP group name.
Example of mapping the Identity Admin role to the "admins" LDAP group:
Update application.properties with the following properties:
# User Search Base
# Required
# The base of the DN for user search, omit the partition suffix
# Example:
# Given a user's DN: cn=maker,ou=people,dc=contour,dc=network
# For host without partition:
# ou=people,dc=contour,dc=network
# For host with dc=contour,dc=network partition:
# ou=people
contour.auth.ldap.user-search-base=ou=people
#########################
# OpenLDAP
#########################
# User DN Patterns
# Required
# If pattern search is not desired, use the same value as `contour.auth.ldap.user-search-base`
# For pattern searching, e.g. matching the username against `cn`, {0} is substituted with the login username
# e.g.: `cn={0},ou=people`
# Multiple patterns can be separated with |
contour.auth.ldap.open-ldap.userDNPatterns=ou=people
# User Search Filter
# Optional
# Determines which attributes are searched to match the user
# e.g.: `(&(objectClass=person)(mail={0}))`
# This will match an entry which is a person,
# with `mail` having the value of the login username.
# This effectively means logging in with email
contour.auth.ldap.open-ldap.user-search-filter=(&(objectClass=person)(mail={0}))
# Group Search Base
# Required
# Where to search for groups. Note that the search is not recursive; only one level is searched
# e.g.:
# Given this group DN: cn=makers,ou=groups,dc=contour,dc=network
# If the host partition suffix is empty, then:
# ou=groups,dc=contour,dc=network
# If the host partition suffix is `dc=contour,dc=network`, then:
# ou=groups
contour.auth.ldap.open-ldap.group-search-base=ou=groups,dc=contour,dc=network
# Group Search Filter
# Optional
# Normally does not need to be configured, unless the groups store membership in another custom attribute.
# Determines how to find the groups a specific user belongs to.
# {0} will be substituted with the user's DN, and {1} by the username
contour.auth.ldap.open-ldap.group-search-filter=(member={0})
# Group Name Attribute
# Optional
# Determines which *attribute* of the group is taken as its name
# This name is used for mapping to [UserRole.ldapGroup]
# E.g.:
# Given this group entry:
# dn: cn=makers,ou=groups,dc=contour,dc=network
# cn: TheMakers
# The configuration value of `cn` would extract the attribute value `TheMakers`.
# This would map the members of the group to have all UserRole where `ldapGroup` = 'TheMakers'
contour.auth.ldap.open-ldap.group-name-attr=cn
For Active Directory mode
# required
contour.auth.ldap.ad.domain=bigbank.com
# optional; the root entry under which all searches will happen
contour.auth.ldap.ad.rootDn=
# optional; the search expression used to find the user. {1} will be replaced with the username
contour.auth.ldap.ad.userSearchFilter=(&(objectClass=user)(cn={1}))
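The following is an added illustration, not Contour's own code, of how the OpenLDAP and Active Directory settings above fit together: the partition suffix taken from the host URL is joined to a relative search base, the login name and user DN are substituted into the `{0}`/`{1}` placeholders of the documented filter templates with RFC 4515 escaping (so a login name containing `*`, `(`, `)` or `\` stays a single literal match rather than altering the filter), and the group-name attribute is mapped to roles via their LDAP-Group value. The role table, group entry and user DN are constructed sample data.

```python
from urllib.parse import urlsplit

# Characters that RFC 4515 requires to be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one value before it is substituted into a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, *values: str) -> str:
    """Substitute {0}, {1}, ... into a filter template, escaping every value."""
    return template.format(*(escape_filter_value(v) for v in values))


def absolute_base(host_url: str, relative_base: str) -> str:
    """Join a search base written relative to the partition suffix at the end of the host URL."""
    suffix = urlsplit(host_url).path.lstrip("/")  # e.g. "dc=contour,dc=network", or "" if absent
    return ",".join(part for part in (relative_base, suffix) if part)


def roles_for_groups(group_entries: list, name_attr: str, roles: dict) -> list:
    """Map group entries to the roles whose ldapGroup equals the configured group-name attribute."""
    names = {entry[name_attr] for entry in group_entries}
    return sorted(role for role, ldap_group in roles.items() if ldap_group in names)


# Constructed sample data mirroring the documented settings (not a real directory).
HOST = "ldap://directoryserver.com:389/dc=contour,dc=network"
USER_FILTER = "(&(objectClass=person)(mail={0}))"   # open-ldap.user-search-filter, {0} = login
GROUP_FILTER = "(member={0})"                        # open-ldap.group-search-filter, {0} = user DN
AD_FILTER = "(&(objectClass=user)(cn={1}))"          # ad.userSearchFilter, {1} = username
ROLES = {"Identity Admin": "admins", "Maker": "TheMakers"}  # role -> LDAP-Group (constructed)
GROUPS = [{"dn": "cn=makers,ou=groups,dc=contour,dc=network", "cn": "TheMakers"}]


def lookup(login: str, user_dn: str) -> dict:
    """Walk the documented flow: user search, group search on the found DN, role mapping."""
    return {
        "user_search_base": absolute_base(HOST, "ou=people"),
        "user_filter": render_filter(USER_FILTER, login),
        "ad_filter": render_filter(AD_FILTER, "", login),  # only {1} is documented for AD
        "group_filter": render_filter(GROUP_FILTER, user_dn),
        "roles": roles_for_groups(GROUPS, "cn", ROLES),
    }
```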