Skip to main content

Snowflake Documentation

Enabling LDAP authentication for Unravel UI

You can configure a lightweight directory access protocol (LDAP) by

  • Using UPN lookup and Group lookups using DN.

  • sAMAccount name to match users.

Simple configuration using UPN lookup and Group lookups using DN

This configuration example is for the newer implementation of Unravel with MS Active Directory and for objects located in separate OUs. In this method, the user lookup is on the login ID appended with the configured domain defined in the properties to make UPN (User Principal Name) for the lookup.

Note

This configuration does not:

  • Work if objects in the directory do not have the expected UPN format.

  • Include bindDn and password, which older implementations used.

Important

You must substitute your local values for the parameters and values used in the following examples.

Contact your LDAP Admin if you do not know the following directory information.

  1. Stop Unravel.

    <Unravel installation directory>/unravel/manager stop
    
  2. Check that the object can be found and the user is part of the expected groups.

    ldapsearch -v -h ariel.unraveldata.com -p 389 -D CN=sethbind,OU=seth,DC=unraveldata,DC=com -w unraveldata1! -b DC=unraveldata,DC=com -s sub "(userPrincipalName=commauser@unraveldata.com)"
     
  3. Set the properties for LDAP authentication as follows:

    <Unravel installation directory>/unravel/manager config properties set <property> <value>
    

    For example:

    ##LDAP
    <Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.mode ldap
    <Unravel installation directory>/unravel/manager config properties set com.unraveldata.ldap.url ldap://ariel.unraveldata.com
    <Unravel installation directory>/unravel/manager config properties set com.unraveldata.ldap.base.dn DC=unraveldata,DC=com
    
    ##LDAP groups
    <Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.groupFilter seth-test-group,seth-test-admingroup
    <Unravel installation directory>/unravel/manager config properties set com.unraveldata.rbac.role.admin.groups seth-test-admingroup

    Refer to LDAP properties for the complete list.

  4. Apply the changes.

    <Unravel installation directory>/unravel/manager config apply
    
  5. Start Unravel

    <Unravel installation directory>/unravel/manager start
Advanced configuration where UPN cannot be used

This configuration uses the sAMAccount name to match users. Using the Manager tool, set the bindDN and password in the properties. It uses CN to match groups instead of DN, which was used in the example above. The configuration uses bind user to get groups, then matches it using CN to filter out groups located in com.unraveldata.login.groupFilter, and assign admin users specified in com.unraveldata.rbac.role.admin.groups.

Important

You must substitute your local values for the parameters and values used in the following example.

Please contact your LDAP Admin if you don't know the following directory information.

  1. Stop Unravel.

    <Unravel installation directory>/unravel/manager stop
    
  2. Check that the object can be found and the user is part of the expected groups.

    ldapsearch -v -h ariel.unraveldata.com -p 389 -D 
    CN=sethbind,OU=seth,DC=unraveldata,DC=com -w unraveldata1! -b 
    DC=unraveldata,DC=com -s sub "(sAMAccountname=commauser)"
  3. Set the properties for LDAP authentication as follows:

    <Unravel installation directory>/unravel/manager config properties set <property> <value>
    

    For example:

    #LDAP
    <Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.mode ldap
    <Unravel installation directory>/unravel/manager config properties set com.unraveldata.ldap.url ldap://ariel.unraveldata.com
    <Unravel installation directory>/unravel/manager config properties set com.unraveldata.ldap.base.dn DC=unraveldata,DC=com
    <Unravel installation directory>/unravel/manager config properties set com.unraveldata.ldap.bind_dn CN=sethbind,OU=seth,DC=unraveldata,DC=com
    <Unravel installation directory>/unravel/manager config properties set com.unraveldata.ldap.bind_pw unraveldata1!
    <Unravel installation directory>/unravel/manager config properties set com.unraveldata.ldap.uid.attr sAMAccountName 
    
    #LDAP groups
    <Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.groupFilter seth-test-group,seth-test-admingroup
    <Unravel installation directory>/unravel/manager config properties set com.unraveldata.ldap.group.member.attr member
    <Unravel installation directory>/unravel/manager config properties set com.unraveldata.rbac.role.admin.groups seth-test-admingroup

    Refer to LDAP properties for the complete list.

  4. Apply the changes.

    <Unravel installation directory>/unravel/manager config apply
    
  5. Start Unravel

    <Unravel installation directory>/unravel/manager start
What is the difference between the two group properties in LDAP configurations?
  • com.unraveldata.ldap.groupFilter: Lists the groups Unravel looks in for users who are allowed to log in.

  • com.unraveldata.rbac.role.admin.groups: Lists the groups Unravel looks in for users who are allowed to log in as admins.

Important

com.unraveldata.rbac.role.admin.groups is a subset of com.unraveldata.ldap.groupFilter, i.e., a group defined in com.unraveldata.rbac.role.admin.groups must also be defined in com.unraveldata.ldap.groupFilter.

For example,

com.unraveldata.ldap.groupFilter=secs-lab-admins,secs-lab-users
# the admins.ldap group is also defined in ldap.groupFilter
com.unraveldata.rbac.role.admin.groups=secs-lab-admins

If a user is:

  • Not listed in the groups defined in com.unraveldata.ldap.groupFilter, they cannot log in.

  • Listed in the group defined in com.unraveldata.rbac.role.admin.groups, they are logged in as an admin.

  • Only listed in the groups defined in com.unraveldata.ldap.groupFilter, they are logged in as a non-admin user.

LDAP