NetBeez provides the ability for your users to authenticate via LDAP. Before we go any further there are some things worth noting:
- This is an experimental feature, ensure you have at least one local administrator account created before enabling this setting.
- We only support LDAP over TLS.
- This feature was designed for direct LDAP communication, trying to authenticate over LDAP through an intermediate service or appliance may not work as expected or at all.
- Users must be able to perform LDAP directory searches for their own record in order to use Role Mapping and control user permissions via your LDAP directory.
Preparing for LDAP authentication
There are a few things you will need to do before configuring and enabling LDAP authentication.
- The NetBeez server must be able to communicate with your desired LDAP service:
- If you have an on-prem installation, ensure you have the proper firewall rules in place.
- If you have a cloud installation or your dashboard is hosted by NetBeez, ensure your firewall rules allow for inbound traffic from your cloud installation over your required port. If you are using a hosted LDAP service such as Microsoft Azure Active Directory there may be additional steps required.
- There are two ways NetBeez user roles are handled with LDAP authentication.
- If you wish to control the NetBeez user roles through LDAP you must create 3 groups in your LDAP directory, one for each NetBeez role (read-only, read-write, and administrator), and assign users into those groups.
- If you do not wish for LDAP to control NetBeez user roles then any valid LDAP authentication against your directory will allow access to your NetBeez dashboard. By default users are given read-only permissions when authenticating for the first time. Permissions can then be controlled under NetBeez user management.
Configuring LDAP settings
Before you begin you will need to have the following information about your LDAP directory:
- Host: Domain or IP address of your LDAP service.
- Port: Port of your LDAP service, default port for TLS is 389.
- Bind Attribute: This is the directory attribute that will be used when doing LDAP searches on an authenticated users directory record. For OpenLDAP this typically is “uid”, but for Active Directory it may be “userPrincipalName“.
- Login Attribute: This is the directory attribute that will be used when authentication is attempted against your LDAP directory. For OpenLDAP this typically is “uid”, but for Active Directory it may be “sAMAccountName“.
- User DN: This is the full organizational path for your users. This is used in conjunction with the Login Attribute, username, and password for authentication against your LDAP directory. For example: ou=Users,dn=example,dn=org
- If you are planning on using LDAP to manage NetBeez roles you will also need:
- Read-Only DN: This is the full path of a directory group specifically for NetBeez read-only users. For example: cn=netbeez-readonly,ou=users,dc=example,dc=org
- Read-Write DN: This is the full path of a directory group specifically for NetBeez read-write users. For example: cn=netbeez-readwrite,ou=users,dc=example,dc=org
- Admin DN: This is the full path of a directory group specifically for NetBeez administrative users. For example: cn=netbeez-admins,ou=users,dc=example,dc=org
- Active Directory: Specify if you will be using LDAP to connect to Active Directory.
You will also need the following information about the security of your LDAP directory:
- Encryption Method: We offer the “Simple TLS” and “Start TLS”. “Start TLS” is the most common option.
- TLS Version: This will be which TLS Version your LDAP directory supports during communication.
- CA File: If you require the use of a self signed certificate you can upload it.
Once you have compiled this list of information you can go into the LDAP Settings page under NetBeez Settings and fill out the form information.
Verifying LDAP settings
On the LDAP Settings page there is a verification section where you validate your settings by attempting to authenticate an LDAP user. By supplying the username and password of a valid LDAP user an authentication attempt will be made, and if you have Role Mapping turned on it will ensure exists in one of the mapped LDAP groups, to determine if authentication can be made successfully. If verification is successful you can save the LDAP configuration.