Panel | |
---|---|
|
Overview
...
The combination between service and provider is flexible and allows the grouping per target environment or per desired authentication type.
...
The provider types are the following:
Name | Description | |
---|---|---|
local | Standard UDMG Server authentication, usernames and passwords are stored in the UDMG Server database. This includes the additional TOTP login method. | saml |
ldap | LDAP or LDAPS Server. | |
google | Google OAuth2 Provider. | |
ldap | LDAP Serveroauth | Standard OAuth2 Provider. |
oidc | Standard OpenID Provider. | oauth |
Standard OAuth2 saml | SAML 2.0 Provider. |
By default, the local
authentication is always enabled for all services.
...
Local authentication is the standard authentication with usernames and passwords that are stored in the UDMG Server database. It is available for UDMG Admin UI, the REST API interface , and the UDMG Client command line (CLI) tool.
Note | ||
---|---|---|
| ||
When the UDMG Server is first started, a single user named 'admin' is created with the password 'admin_password'. The user has full administrative permissions and should only be used to create other users to administer the UDMG Server. It is strongly recommended that you create one or more users immediately and then change the "admin" account password. |
Single Sign-On Settings
This covers the following provider types: google, oauth, oidc, saml.
Before you begin
In order to provide an integration via an SSO Provider, it is required that the UDMG users have an email value.
The user's email value value is the identifier that is shared between UDMG and the Identity Provider.
...
Please refer to the pages:
LDAP Settings
UDMG Admin UI login page with the LDAP Providerprovider.
The LDAP provider first initializes a connection to the LDAP directory using either anonymous or explicit binding. It then tries to search for the given username
and bind as that user to verify their password. Searches that return multiple entries are considered ambiguous and will return an error.
Example of a service section in UDMG Authentication Proxy for LDAP authentication.
Code Block | ||
---|---|---|
| ||
[service.ldap]
protocol = "http"
policy = "failover"
[service.ldap.credential]
username = "ldap_sync"
password = "ldap_password"
[[service.ldap.targets]]
hostname = "localhost"
port = 18080
[service.ldap.auth.ldap]
file = "udmg-ldap-config.json" |
Be careful that in this example for the section name "service.ldap.auth.ldap", the first "ldap" is simply the custom name for the service that is shown on the login page, the second "ldap" is the type of the login provider as listed on the above table.
The details of the LDAP server are defined in the JSON file.
...
In case of successful authentication on the LDAP, the UDMG user is created with default Read permission in the internal UDMG Server database, if it does not exist. Otherwise, the user credentials are updated in the UDMG Server database to enable the access and allow for authentication on the REST and CLI interfaces.The default permissions after the user provisioning:
The one-way LDAP replication requires access with a user with having the permission for creating and updating users. For example , to create the 'ldap_sync' user with the command line interface:
Code Block | ||
---|---|---|
| ||
udmg-client user add -u ldap_sync -p ldap_password -r 'U=rw' |
This user credentials are set in the section [service.ldap.credential] of the UDMG Authentication Proxy configuration file.
Example of log message for a succesful LDAP login and user synchronization:
Code Block | ||
---|---|---|
| ||
level=info TS=2024-04-10T14:39:03.127900325Z Internal="performing ldap search %s %s %s[ou=users,dc=stonebranch,dc=com sub (&(objectClass=*)(uid=john))]"
level=info TS=2024-04-10T14:39:03.128621001Z Internal="username %q mapped to entry %s[user cn=john,ou=users,ou=users,dc=stonebranch,dc=com]"
level=error TS=2024-04-10T14:39:04.98115277Z Authentication=Provider Sync=Created
level=info TS=2024-04-10T14:39:04.981406859Z Authentication=Request Session=Success
{"time":"2024-04-10T11:39:04.981480728-03:00","id":"","remote_ip":"127.0.0.1","host":"localhost:5000","method":"POST","uri":"/auth/ldap","user_agent":"vscode-restclient","status":200,"error":"","latency":2174162954,"latency_human":"2.174162954s","bytes_in":74,"bytes_out":184} |
The default permissions after the user provisioning:
After the initial synchronization and the user creation with default permission, it may be required that an administrator grant more permissions to the user.
Anonymous Binding
Example of provider configuration file udmg-ldap-config.json
for anonymous binding on the LDAP serverServer.
Code Block | ||
---|---|---|
| ||
{ "host": "ldap_hostname:1389389", "insecureNoSSL": true, "usernamePrompt": "Email Address", "userSearch": { "baseDN": "dc=stonebranch,dc=com", "filter": "(objectClass=*)", "username": "cn", "idAttr": "uidNumber", "emailAttr": "uidNumber", "nameAttr": "cn" }, "groupSearch": { "baseDN": "ou=readersusers,dc=stonebranch,dc=com", "filter": "(objectClass=groupOfNames)", "userMatchers": [ { "userAttr": "DN", "groupAttr": "member" } ], "nameAttr": "cn" } } |
...
Example of provider configuration file udmg-l
dap-config.json
for explicit binding on the LDAP server.
Note the addition of the bindDN
and bindPW
parameters for the LDAP user "proxy" and password"proxy_password".
Code Block | ||
---|---|---|
| ||
{ "host": "ldap_hostname:1389389", "bindDN": "cn=proxy,ou=users,dc=stonebranch,dc=com", "bindPW": "proxy_password", "insecureNoSSL": true, "usernamePrompt": "Email Address", "userSearch": { "baseDN": "dc=stonebranch,dc=com", "filter": "(objectClass=*)", "username": "uid", "idAttr": "uidNumber", "emailAttr": "uidNumber", "nameAttr": "cn" }, "groupSearch": { "baseDN": "ou=users,dc=stonebranch,dc=com", "filter": "(objectClass=groupOfNames)", "userMatchers": [{ "userAttr": "DN", "groupAttr": "member" }], "nameAttr": "cn" } } |
SSL/TLS Secured LDAP (LDAPS)
Example of provider configuration file udmg-l
daps-config.json
for explicit binding on the LDAPS Server.
Note the startTLS
and insecureSkipVerify
options to avoid the certificate verification.
Code Block | ||
---|---|---|
| ||
{
"host": "ldap_hostname:636",
"bindDN": "cn=proxy,ou=users,dc=stonebranch,dc=com",
"bindPW": "proxy_password",
"startTLS": false,
"insecureSkipVerify": true,
"usernamePrompt": "Email Address",
"userSearch": {
"baseDN": "dc=stonebranch,dc=com",
"filter": "(objectClass=*)",
"username": "uid",
"idAttr": "uidNumber",
"emailAttr": "uidNumber",
"nameAttr": "cn"
},
"groupSearch": {
"baseDN": "ou=users,dc=stonebranch,dc=com",
"filter": "(objectClass=groupOfNames)",
"userMatchers": [{
"userAttr": "DN",
"groupAttr": "member"
}],
"nameAttr": "cn"
}
} |
Example with the use of the root CA certificate of the LDAPS Server:
Code Block | ||
---|---|---|
| ||
{
"host": "ldap_hostname:636",
"rootCA": "ca-cert.pem",
"bindDN": "cn=proxy,ou=users,dc=stonebranch,dc=com",
"bindPW": "proxy_password",
"usernamePrompt": "Email Address",
"userSearch": {
"baseDN": "dc=stonebranch,dc=com",
"filter": "(objectClass=*)",
"username": "uid",
"idAttr": "uidNumber",
"emailAttr": "uidNumber",
"nameAttr": "cn"
},
"groupSearch": {
"baseDN": "ou=users,dc=stonebranch,dc=com",
"filter": "(objectClass=groupOfNames)",
"userMatchers": [{
"userAttr": "DN",
"groupAttr": "member"
}],
"nameAttr": "cn"
}
} |
LDAP provider configuration parameter list
Parameter | Description |
---|---|
host | Host and optional port of the LDAP server in the form "host:port". If the port is not supplied, it will be guessed based on "insecureNoSSL", and "startTLS" flags. 389 for insecure or StartTLS connections, 636 otherwise. |
| Following field is required if the LDAP host is not using TLS (port 389). Because this option inherently leaks passwords to anyone on the same network, THIS OPTION MAY BE REMOVED WITHOUT WARNING IN A FUTURE RELEASE. |
| If a custom certificate isn't provided, this option can be used to turn off TLS certificate checks. As noted, it is insecure and shouldn't be used outside of explorative phases. |
| When connecting to the server, connect using the ldap:// protocol then issue a StartTLS command. If unspecified, connections will use the ldaps:// protocol |
| Path to a trusted root certificate file. |
clientCert | Path to a client cert file generated by rootCA. |
clientKey | Path to a client private key file generated by rootCA. |
rootCAData | Base64 encoded PEM data containing root CAs. |
| The DN and password for an application service account. The connector uses these credentials to search for users and groups. Not required if the LDAP server provides access for anonymous auth. Please note that if the bind password contains a `$`, it has to be saved in an environment variable which should be given as the value to `bindPW`. |
| The attribute to display in the provided password prompt. If unset, will display "Username" |
| User entry search configuration, maps a username and password entered by a user to a LDAP entry. |
| BaseDN to start the search from. It will translate to the query "(&(objectClass=person)(uid=<username>))". For example "cn=users,dc=example,dc=com". |
| Optional filter to apply when searching the directory. For example "(objectClass=person)" |
| Attribute to match against the inputted username. This will be translated and combined with the other filter as "(<attr>=<username>)". |
scope | Can either be: "sub" - search the whole sub tree, default "one" - only search one level |
| String representation of the user. Defaults to "uid" |
| Required. Attribute to map to Email.Defaults to "mail" |
| Maps to display name of users. No default value. |
| Group search queries for groups given a user entry. |
| BaseDN to start the search from. It will translate to the query "(&(objectClass=group)(member=<user uid>))". For example "cn=groups,dc=example,dc=com" |
scope | Can either be: "sub" - search the whole sub tree, default "one" - only search one level |
filter | Optional filter to apply when searching the directory. For example "(objectClass=posixGroup)" |
| Array of the field pairs used to match a user to a group. |
| The two fields are used to match a user to a group. It adds an additional requirement to the filter that an attribute in the group must match the user's attribute value. |
| The attribute of the group that represents its name. |