Overview

...

The combination between service and provider is flexible and allows the grouping per target environment or per desired authentication type.

...

The provider types are the following:

By default, the local authentication is always enabled for all services.

...

Local authentication is the standard authentication with usernames and passwords that are stored in the UDMG Server database. It is available for UDMG Admin UI, the REST API interface , and the UDMG Client command line (CLI) tool.

Single Sign-On Settings

This covers the following provider types: google, oauth, oidc, saml.

Before you begin

In order to provide an integration via an SSO Provider, it is required that the UDMG users have an email value.

The user's email value value is the identifier that is shared between UDMG and the Identity Provider.

...

Please refer to the pages:

• SSO with Google, OpenID, and OAuth2 Identity Providers
• SSO SAML Settings

LDAP Settings

UDMG Admin UI login page with the LDAP Providerprovider.Image Removed

Image Added

The LDAP provider first initializes a connection to the LDAP directory using either anonymous or explicit binding. It then tries to search for the given username and bind as that user to verify their password. Searches that return multiple entries are considered ambiguous and will return an error.

Example of a service section in UDMG Authentication Proxy for LDAP authentication.

[service.ldap]
protocol = "http"
policy = "failover"

[service.ldap.credential]
username = "ldap_sync"
password = "ldap_password"

[[service.ldap.targets]]
hostname = "localhost"
port = 18080

[service.ldap.auth.ldap]
file = "udmg-ldap-config.json"

Be careful that in this example for the section name "service.ldap.auth.ldap", the first "ldap" is simply the custom name for the service that is shown on the login page, the second "ldap" is the type of the login provider as listed on the above table.

The details of the LDAP server are defined in the JSON file. 

...

In case of successful authentication on the LDAP, the UDMG user is created with default Read permission in the internal UDMG Server database, if it does not exist. Otherwise, the user credentials are updated in the UDMG Server database to enable the access and allow for authentication on the REST and CLI interfaces.The default permissions after the user provisioning:

Image Removed

The one-way LDAP replication requires access with a user with having the permission for creating and updating users. For example , to create the 'ldap_sync' user with the command line interface:

udmg-client user add -u ldap_sync -p ldap_password -r 'U=rw'

This user credentials are set in the section [service.ldap.credential] of the UDMG Authentication Proxy configuration file.

Example of log message for a succesful LDAP login and user synchronization:

level=info TS=2024-04-10T14:39:03.127900325Z Internal="performing ldap search %s %s %s[ou=users,dc=stonebranch,dc=com sub (&(objectClass=*)(uid=john))]"
level=info TS=2024-04-10T14:39:03.128621001Z Internal="username %q mapped to entry %s[user cn=john,ou=users,ou=users,dc=stonebranch,dc=com]"
level=error TS=2024-04-10T14:39:04.98115277Z Authentication=Provider Sync=Created
level=info TS=2024-04-10T14:39:04.981406859Z Authentication=Request Session=Success
{"time":"2024-04-10T11:39:04.981480728-03:00","id":"","remote_ip":"127.0.0.1","host":"localhost:5000","method":"POST","uri":"/auth/ldap","user_agent":"vscode-restclient","status":200,"error":"","latency":2174162954,"latency_human":"2.174162954s","bytes_in":74,"bytes_out":184}

The default permissions after the user provisioning:

Image Added

After the initial synchronization and the user creation with default permission, it may be required that an administrator grant more permissions to the user.

Anonymous Binding

Example of provider configuration file udmg-ldap-config.json for anonymous binding on the LDAP serverServer.

{
  "host": "ldap_hostname:1389389",
  "insecureNoSSL": true,
  "usernamePrompt": "Email Address",
  "userSearch": {
    "baseDN": "dc=stonebranch,dc=com",
    "filter": "(objectClass=*)",
    "username": "cn",
    "idAttr": "uidNumber",
    "emailAttr": "uidNumber",
    "nameAttr": "cn"
  },
  "groupSearch": {
    "baseDN": "ou=readersusers,dc=stonebranch,dc=com",
    "filter": "(objectClass=groupOfNames)",
    "userMatchers": [
      {
        "userAttr": "DN",
        "groupAttr": "member"
      }
    ],
    "nameAttr": "cn"
  }
}

...

Example of provider configuration file udmg-ldap-config.json for explicit binding on the LDAP server.

Note the addition of the bindDN and bindPW parameters for the LDAP user "proxy" and password"proxy_password".

{
	"host": "ldap_hostname:1389389",
	"bindDN": "cn=proxy,ou=users,dc=stonebranch,dc=com",
	"bindPW": "proxy_password",
	"insecureNoSSL": true,
	"usernamePrompt": "Email Address",
	"userSearch": {
		"baseDN": "dc=stonebranch,dc=com",
		"filter": "(objectClass=*)",
		"username": "uid",
		"idAttr": "uidNumber",
		"emailAttr": "uidNumber",
		"nameAttr": "cn"
	},
	"groupSearch": {
		"baseDN": "ou=users,dc=stonebranch,dc=com",
		"filter": "(objectClass=groupOfNames)",
		"userMatchers": [{
			"userAttr": "DN",
			"groupAttr": "member"
		}],
		"nameAttr": "cn"
	}
}

SSL/TLS Secured LDAP (LDAPS)

Example of provider configuration file udmg-ldaps-config.json for explicit binding on the LDAPS Server.

Note the startTLS and insecureSkipVerify options to avoid the certificate verification.

{
	"host": "ldap_hostname:636",
	"bindDN": "cn=proxy,ou=users,dc=stonebranch,dc=com",
	"bindPW": "proxy_password",
    "startTLS": false,
	"insecureSkipVerify": true,
	"usernamePrompt": "Email Address",
	"userSearch": {
		"baseDN": "dc=stonebranch,dc=com",
		"filter": "(objectClass=*)",
		"username": "uid",
		"idAttr": "uidNumber",
		"emailAttr": "uidNumber",
		"nameAttr": "cn"
	},
	"groupSearch": {
		"baseDN": "ou=users,dc=stonebranch,dc=com",
		"filter": "(objectClass=groupOfNames)",
		"userMatchers": [{
			"userAttr": "DN",
			"groupAttr": "member"
		}],
		"nameAttr": "cn"
	}
}

Example with the use of the root CA certificate of the LDAPS Server:

{
	"host": "ldap_hostname:636",
    "rootCA": "ca-cert.pem",
	"bindDN": "cn=proxy,ou=users,dc=stonebranch,dc=com",
	"bindPW": "proxy_password",
    "usernamePrompt": "Email Address",
	"userSearch": {
		"baseDN": "dc=stonebranch,dc=com",
		"filter": "(objectClass=*)",
		"username": "uid",
		"idAttr": "uidNumber",
		"emailAttr": "uidNumber",
		"nameAttr": "cn"
	},
	"groupSearch": {
		"baseDN": "ou=users,dc=stonebranch,dc=com",
		"filter": "(objectClass=groupOfNames)",
		"userMatchers": [{
			"userAttr": "DN",
			"groupAttr": "member"
		}],
		"nameAttr": "cn"
	}
}

LDAP provider configuration parameter list

Host and optional port of the LDAP server in the form "host:port".
If the port is not supplied, it will be guessed based on "insecureNoSSL",  and "startTLS" flags. 389 for insecure or StartTLS connections, 636 otherwise.

Following field is required if the LDAP host is not using TLS (port 389). Because this option inherently leaks passwords to anyone on the same network, THIS OPTION MAY BE REMOVED WITHOUT WARNING IN A FUTURE RELEASE.

If a custom certificate isn't provided, this option can be used to turn off TLS certificate checks. As noted, it is insecure and shouldn't be used outside of explorative phases.

When connecting to the server, connect using the ldap:// protocol then issue a StartTLS command. If unspecified, connections will use the ldaps:// protocol

Path to a trusted root certificate file.

The DN and password for an application service account. The connector uses these credentials to search for users and groups. Not required if the LDAP server provides access for anonymous auth.
Please note that if the bind password contains a `$`, it has to be saved in an environment variable which should be given as the value to `bindPW`.

The attribute to display in the provided password prompt. If unset, will display "Username"

User entry search configuration, maps a username and password entered by a user to a LDAP entry.

BaseDN to start the search from. It will translate to the query "(&(objectClass=person)(uid=<username>))".

For example "cn=users,dc=example,dc=com".

Optional filter to apply when searching the directory.

For example "(objectClass=person)"

Attribute to match against the inputted username. This will be translated and combined with the other filter as "(<attr>=<username>)".

String representation of the user. Defaults to "uid"

Required. Attribute to map to Email.Defaults to "mail"

Maps to display name of users. No default value.

Group search queries for groups given a user entry.

For example "cn=groups,dc=example,dc=com"

Optional filter to apply when searching the directory.

For example "(objectClass=posixGroup)"

Array of the field pairs used to match a user to a group.
Each pair adds an additional requirement to the filter that an attribute in the group match the user's attribute value. For example that the "members" attribute of a group matches the "uid" of the user. The exact filter being added is:
(userMatchers[n].<groupAttr>=userMatchers[n].<userAttr value>)

The two fields are used to match a user to a group. It adds an additional requirement to the filter that an attribute in the group must match the user's attribute value.

The attribute of the group that represents its name.