LDAP Authentication

Since 3.2 it's possible to configure CloverETL Server to use LDAP server for users authentication. So the credentials of users registered in LDAP may be used for authentication to any CloverETL Server interface (API or web console).

However authorization (access levels to sandboxes content and privileges for operations) is still handled by Clover security module. Each user, event though logged-in using LDAP authentication, must have his own "user" record (with related groups) in the CloverETL security module. So there must be the user with the same username and domain set to "LDAP". Such record has to be created by a Server administrator before the the user can log in.

What does the CloverETL do to authenticate an LDAP user?

  1. User specifies the LDAP credentials in a login form to the Server web console

  2. CloverETL Server looks up a user record and checks whether has "LDAP" domain set

  3. If the system is configured to use LDAP for authentication only, it attempts to connect to LDAP server using user's credentials. If it succeeds, the user is logged in.

  4. In case the system is configured for user group synchronization the procedure is as follows:

  5. CloverETL Server connects to the LDAP server and checks whether the user exists (it uses specified search to lookup in LDAP).

  6. If the user exists in LDAP, CloverETL Server performs authentication.

  7. If succeeded, CloverETL Server searches LDAP for user's groups.

  8. Clover user is assigned to the Clover groups according to his current assignation to the LDAP groups.

  9. User is logged-in.

[Note]Note

Switching domains:

  • If a user was created as LDAP and then switched to clover domain, you have to set a password for him in Change password tab.

  • If a user was created as clover and then switched to LDAP domain, he has a password in clover domain, but it is overridden by the LDAP password. After switching back to clover domain, the original password is re-used. It can be reset in the Change password tab if needed (e.g. forgotten).

Configuration

By default CloverETL Server allows only its own internal mechanism for authentication. To enable authentication with LDAP, set the configuration property "security.authentication.allowed_domains" properly. It is a list of user domains that are used for authentication.

Currently there are 2 authentication mechanism implemented: "LDAP" and "clover" ("clover" is an identifier of CloverETL internal authentication and may be changed by security.default_domain property, but only for white-labeling purposes). To enable LDAP authentication, set value to "LDAP" (only LDAP) or "clover,LDAP". Users from both domain may login. It's recommended to allow both mechanisms together, until the LDAP is properly configured. So the admin user can still login to web GUI although the LDAP connection isn't properly configured.

You can use Setup to configure LDAP authentication. See the section called “LDAP” in Chapter 7, Setup.

Basic LDAP connection properties

# Implementation of context factory
security.ldap.ctx_factory=com.sun.jndi.ldap.LdapCtxFactory
# URL of LDAP server
security.ldap.url=ldap://hostname:port
# User DN pattern that will be used to create LDAP user DN from login name. 
security.ldap.user_dn_pattern=uid=${username},dc=company,dc=com

Depending on the LDAP server configuration the property security.ldap.user_dn_pattern can be pattern for user's actual distinguished name in the LDAP directory, or just the login name - in such case just set the property to ${username}.

Configuration of user and group lookup

In order to be able to synchronize the Clover groups with those defined in LDAP directory, the security.ldap.user_dn_pattern has to be left unspecified. There are additional properties required so that the server is able to search the LDAP directory.

# User DN of a user that has sufficient privileges to search LDAP for users and groups
security.ldap.userDN=cn=Manager,dc=company,dc=com
# The password for user mentioned above.
security.ldap.password=

There are optional settings affecting how the LDAP directory is searched.

# Timeout for queries searching the directory.
security.ldap.timeout=5000
# Maximal number of records that the query can return.
security.ldap.records_limit=2000
# How LDAP referrals are processed, possible values are: 'follow', 'ignore' and 'throw'.
# The default depends on the context provider. 
security.ldap.referral=

Specified values work for this specific LDAP tree:

  • dc=company,dc=com

    • ou=groups

      • cn=admins (objectClass=groupOfNames,member=(uid=smith,dc=company,dc=com),member=(uid=jones,dc=company,dc=com))

      • cn=developers (objectClass=groupOfNames,member=(uid=smith,dc=company,dc=com))

      • cn=consultants (objectClass=groupOfNames,member=(uid=jones,dc=company,dc=com))

    • ou=people

      • uid=smith (fn=John,sn=Smith,mail=smith@company.com)

      • uid=jones (fn=Bob,sn=Jones,mail=jones@company.com)

Following properties are necessary for lookup for the LDAP user by his username. (step [4] in the login process above)

# Base specifies the node of LDAP tree where the search starts
security.ldap.user_search.base=dc=company,dc=eu
# Filter expression for searching the user by his username. 
# Note, that this search query must return just one record.
# Placeholder ${username} will be replaced by username specified by the logging user.
security.ldap.user_search.filter=(uid=${username})
# Scope specifies type of search in "base". There are three possible values: SUBTREE | ONELEVEL | OBJECT 
# http://download.oracle.com/javase/6/docs/api/javax/naming/directory/SearchControls.html
security.ldap.user_search.scope=SUBTREE

Following properties are names of attributes from the search defined above. They are used for getting basic info about the LDAP user in case the user record has to be created/updated by Clover security module: (step [6] in the login process above)

security.ldap.user_search.attribute.firstname=fn
security.ldap.user_search.attribute.lastname=sn
security.ldap.user_search.attribute.email=mail
# This property is related to the following step "searching for groups". 
# Groups may be obtained from specified user's attribute, or found by filter (see next paragraph)
# Leave this property empty if the user doesn't have such attribute.
security.ldap.user_search.attribute.groups=memberOf

In the following step, clover tries to find groups which the user is assigned to. (step [4] in the login process above). There are two ways how to get list of groups which the user is assigned to. The user-groups relation is specified on the "user" side. The user record has some attribute with list of groups. It's "memberOf" attribute usually. Or the relation is specified on the "group" side. The group record has an attribute with list of assigned users. It's "member" attribute usually.

In case the relation is specified on users side, please specify property:

security.ldap.user_search.attribute.groups=memberOf

Leave it empty otherwise.

In case the relation is specified on the groups side, set properties for searching:

security.ldap.groups_search.base=dc=company,dc=com
# Placeholder ${userDN} will be replaced by user DN found by the search above
# If the filter is empty, searching will be skipped.
security.ldap.groups_search.filter=(&(objectClass=groupOfNames)(member=${userDN}))
security.ldap.groups_search.scope=SUBTREE

Otherwise, please leave property security.ldap.groups_search.filter empty, so the search will be skipped.

Clover user record will be assigned to the clover groups according to the LDAP groups found by the search (or the attribute). (Groups synchronization is performed during each login)

# Value of the following attribute will be used for lookup for the Clover group by its code.
# So the user will be assigned to the Clover group with the same "code"
security.ldap.groups_search.attribute.group_code=cn