@micahlee
Last active November 28, 2018 18:55
LDAP Authenticator Configuration

The LDAP authenticator is a built-in Conjur service and will authenticate users to Conjur using their LDAP credentials. The LDAP authenticator uses configuration defined in policy to connect to an LDAP server and bind against a directory using an LDAP username and password.

Prerequisites

LDAP authenticator configuration requires these pre-conditions:

  1. A Conjur Master is running and available
  2. Conjur users that correspond with the LDAP users have been loaded into the Conjur Master

    This is typically accomplished using LDAP sync.

  3. A Conjur CLI is available and configured to connect to the Conjur Master

Configuration Steps

  1. Define a policy branch for the LDAP authenticator, for example:

    # 01_root.yml
    
    - !policy conjur/authn-ldap
  2. Load this policy into the Conjur root, using the Conjur CLI:

    conjur policy load root 01_root.yml
  3. Define a policy for the LDAP authenticator configuration, for example:

    # 01_authn_ldap.yml
    
    - !policy
      id: ldap-server
      body:
      - !host
      - !webservice
        owner: !host
        annotations:
          ldap-authn/base_dn: dc=example,dc=org
          ldap-authn/bind_dn: cn=admin,dc=example,dc=org
          ldap-authn/connect_type: tls
          ldap-authn/host: ldap-server
          ldap-authn/port: 389
          ldap-authn/filter_template: (&(objectClass=person)(uid=%s))
    
      - !group clients
    
      - !permit
        role: !group clients
        privilege: [ read, authenticate ]
        resource: !webservice
    
      - !variable
        id: bind-password
        owner: !host
    
      - !variable
        id: tls-ca-cert
        owner: !host

    A few key attributes of this policy are:

    • id: ldap-server is the policy ID for the authenticator and is used to select it as the authentication method. For this policy, the value to add to CONJUR_AUTHENTICATORS would be authn-ldap/ldap-server.

    • Most of the LDAP configuration parameters are defined as annotations on the !webservice resource in this policy. Two parameters are defined using Conjur variables instead: bind-password and the optional tls-ca-cert.

    • The !group clients is intended to make it easier to permit users to authenticate using this authenticator.

  4. Load this policy into the conjur/authn-ldap policy branch using the Conjur CLI:

    conjur policy load conjur/authn-ldap 01_authn_ldap.yml
  5. Define a policy that grants the desired users permission to log in via this authenticator, for example:

    # 02_authn_ldap_entitlements.yml
    
    # "All Users" is a group added from the LDAP directory using LDAP sync
    - !grant
      role: !group conjur/authn-ldap/ldap-server/clients
      member: !group All Users
    
  6. Load the entitlements policy, for example:

    conjur policy load root policy/02_authn_ldap_entitlements.yml

    It is not a requirement to load this entitlements policy at the root. It may be loaded to any policy branch.

  7. Load the secret values for the LDAP bind password and, optionally, the TLS CA certificate chain into the Conjur Variables:

    # Bind Password
    $ conjur variable values add conjur/authn-ldap/ldap-server/bind-password $LDAP_ADMIN_PASSWORD
    
    # PEM encoded CA certificate chain
    $ cat ca.crt | conjur variable values add conjur/authn-ldap/ldap-server/tls-ca-cert
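As an added example (not part of this gist or of Conjur's own code), the following Python script shows how the filter_template annotation from step 3 should be filled: the %s placeholder takes the login name, which must be escaped per RFC 4515 so that characters such as * and parentheses are matched literally instead of altering the filter's structure. It also sanity-checks the ldap-authn/* annotations before the policy is loaded. The annotations dict is copied from the policy above; the check rules themselves are this example's own assumptions, not Conjur's validation logic.

```python
# Annotations of the ldap-server !webservice, copied from the policy in step 3 above.
WEBSERVICE_ANNOTATIONS = {
    "ldap-authn/base_dn": "dc=example,dc=org",
    "ldap-authn/bind_dn": "cn=admin,dc=example,dc=org",
    "ldap-authn/connect_type": "tls",
    "ldap-authn/host": "ldap-server",
    "ldap-authn/port": "389",
    "ldap-authn/filter_template": "(&(objectClass=person)(uid=%s))",
}

# Characters that RFC 4515 requires to be escaped inside a filter assertion value.
_FILTER_SPECIALS = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a login name so it is matched literally inside an LDAP search filter."""
    return "".join(_FILTER_SPECIALS.get(ch, ch) for ch in value)


def render_filter(template: str, login: str) -> str:
    """Fill the single %s placeholder of filter_template with the escaped login name."""
    if template.count("%s") != 1:
        raise ValueError("filter_template must contain exactly one %s placeholder")
    return template.replace("%s", escape_filter_value(login))


def check_annotations(annotations: dict) -> list:
    """Return problems found in the ldap-authn/* annotations (assumed rules); empty means OK."""
    problems = []
    for key in ("base_dn", "bind_dn", "host", "port", "filter_template"):
        if not annotations.get(f"ldap-authn/{key}"):
            problems.append(f"missing ldap-authn/{key}")
    port = annotations.get("ldap-authn/port", "")
    if not (port.isdigit() and 0 < int(port) < 65536):
        problems.append("ldap-authn/port is not a valid TCP port")
    template = annotations.get("ldap-authn/filter_template", "")
    if template.count("%s") != 1:
        problems.append("ldap-authn/filter_template must contain exactly one %s")
    if template.count("(") != template.count(")"):
        problems.append("ldap-authn/filter_template has unbalanced parentheses")
    if annotations.get("ldap-authn/connect_type") != "tls":
        problems.append("ldap-authn/connect_type is not tls (the only value used in this guide)")
    return problems


if __name__ == "__main__":
    print(check_annotations(WEBSERVICE_ANNOTATIONS))
    print(render_filter(WEBSERVICE_ANNOTATIONS["ldap-authn/filter_template"], "alice"))
```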