LDAP Server Setup

If you need to test the LDAP configuration you have two options:

- Use the hosted LDAP server at http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/
- Set up your own LDAP server by following the instructions below.

You may need to quickly set up a local LDAP server for debugging or setting up auth. This document provides a quickstart way to set up a simple LDAP server with a group and a couple of users.
This step will vary depending on the platform you are running. On Mac OS, we ran `brew install openldap`, which gets you an LDAP server and a bunch of command-line tools to use.

Your LDAP server configuration should be located at `/private/etc/openldap`. There are two files that we care about, `ldap.conf` and `slapd.conf`. Here is what these files should contain. Note: you may need to use `sudo` when working with these files.
`ldap.conf`: Remember to change the URI below.

```
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=wso2,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
URI ldap://<your-ip>
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_REQCERT demand
```
`slapd.conf`: The `rootpw` in this file needs to be a SHA hash. If you use plain text, your server will fail to start with the error `ldap_bind: Invalid credentials (49)`. You can create a SHA password by running

```
$ slappasswd -s your-password
```

Use the output of this in the `rootpw` field below. You will also need this password when running commands on the server:
```
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /private/etc/openldap/schema/core.schema
include /private/etc/openldap/schema/cosine.schema
include /private/etc/openldap/schema/nis.schema
include /private/etc/openldap/schema/inetorgperson.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /private/var/db/openldap/run/slapd.pid
argsfile /private/var/db/openldap/run/slapd.args
# Load dynamic backend modules:
modulepath /usr/libexec/openldap
# moduleload back_bdb.la
# moduleload back_hdb.la
# moduleload back_ldap.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database ldif
suffix "dc=wso2,dc=com"
rootdn "cn=admin,dc=wso2,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}+3C2TBVW0P7tI2qEWiPNE5TSfWDXla4e
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /private/var/db/openldap/openldap-data
# Indices to maintain
# index objectClass eq
```
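The `rootpw` above and the `userPassword` values in the LDIF further down are `{SSHA}` hashes: base64 of a SHA-1 over the password plus a random salt, with the salt appended. As an added example (not code from this page or from Concourse), the following Python builds such a value the way `slappasswd -s` does and verifies a candidate password against a stored one, so you can confirm a hash matches before pasting it into the config. The 4-byte default salt length is an assumption about `slappasswd`; verification takes the salt as whatever follows the 20-byte digest, so it also accepts values with longer salts produced by other tools. The `decode_ldif_userpassword` helper strips the extra base64 layer that LDIF's `userPassword::` syntax adds.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "{SSHA}"
SHA1_LEN = 20  # bytes in a SHA-1 digest; everything after it in the decoded value is the salt


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} value: base64(SHA1(password || salt) || salt).

    A 4-byte random salt is used by default (assumption: same default as slappasswd).
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored {SSHA} value.

    The format does not fix the salt length, so the salt is everything after
    the 20-byte digest; this works for slappasswd output and for values written
    by other tools (e.g. JXplorer) that use a different salt size.
    """
    if not stored.startswith(SCHEME):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SCHEME):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("decoded value too short to hold digest + salt")
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    # Constant-time comparison, as any password check should use.
    return hmac.compare_digest(digest, expected)


def decode_ldif_userpassword(b64_attr_value: str) -> str:
    """LDIF writes the attribute as 'userPassword:: <base64>'; strip that outer
    base64 wrapper to recover the {SSHA}... string slapd actually stores."""
    return base64.b64decode(b64_attr_value).decode("ascii")


if __name__ == "__main__":
    # Constructed demo: hash a password the way slappasswd would, then check it.
    stored = make_ssha("your-password")
    print(stored, verify_ssha(stored, "your-password"), verify_ssha(stored, "wrong"))
    # user001's folded userPassword value from the LDIF on this page, unfolded.
    ldif_value = ("e1NTSEF9amNNc1dCYmV0cy9zUW0wd1ozcmcrenJNUU5vMlBzRnYzVS9vVFl0O"
                  "HVJYU14eTdOUUFseU1BPT0=")
    inner = decode_ldif_userpassword(ldif_value)
    # Compare against the password the page lists for this user.
    print(inner, verify_ssha(inner, "password"))
```

Paste the string returned by `make_ssha` into `rootpw` exactly as printed; `slapd` parses the `{SSHA}` prefix to pick the scheme, so the prefix must be kept.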
To start your server, run `sudo /usr/libexec/slapd -d3` in your terminal. You should see a message like `slapd starting`.

Next, create an LDIF file (for example `your-file.ldif`) with the following content. Entries are separated by blank lines, and the two long base64 `userPassword` values are folded across two lines: in LDIF the continuation line must begin with a single space.

```ldif
version: 1

dn: dc=wso2,dc=com
objectClass: dcObject
objectClass: organizationalUnit
objectClass: top
dc: wso2
ou: WSO2

dn: ou=people,dc=wso2,dc=com
objectClass: organizationalUnit
objectClass: top
ou: people

dn: cn=John Smith,ou=people,dc=wso2,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: John Smith
mail: john@smith.com
sn: Smith
uid: user001
userPassword:: e1NTSEF9amNNc1dCYmV0cy9zUW0wd1ozcmcrenJNUU5vMlBzRnYzVS9vVFl0O
 HVJYU14eTdOUUFseU1BPT0=

dn: cn=Jane Doe,ou=people,dc=wso2,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Jane Doe
mail: jane@doe.com
sn: Doe
uid: user002
userPassword:: e1NTSEF9ZlIwWXhQU1k1d01pbmJZMGUwT0crNFIwZGgvbW1VK1J1c0ZmQ2U3Z
 npGakdONHJGRTh2Q0d3PT0=

dn: ou=groups,dc=wso2,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups

dn: cn=employees,ou=groups,dc=wso2,dc=com
objectClass: posixGroup
objectClass: top
cn: employees
gidNumber: 626
memberUid: user001
memberUid: user002
```

Load it into the running server, entering the password you created with `slappasswd` when prompted:

```
$ ldapadd -cxWD "cn=admin,dc=wso2,dc=com" -f /Users/pivotal/your-file.ldif
```
This file contains 2 users, Jane Doe and John Smith, and they are part of a group called 'employees'. Here are the credentials used:

- John Smith -> username: `user001`, password: `password`
- Jane Doe -> username: `user002`, password: `password`
These are the LDAP-specific values we used to configure our Concourse with this setup:
- CONCOURSE_MAIN_TEAM_LDAP_GROUP=employees
- CONCOURSE_LDAP_HOST=<your-ip>
- CONCOURSE_LDAP_BIND_DN=cn=admin,dc=wso2,dc=com
- CONCOURSE_LDAP_BIND_PW=password
- CONCOURSE_LDAP_INSECURE_NO_SSL=true
- CONCOURSE_LDAP_GROUP_SEARCH_BASE_DN=ou=groups,dc=wso2,dc=com
- CONCOURSE_LDAP_GROUP_SEARCH_USER_ATTR=uid
- CONCOURSE_LDAP_GROUP_SEARCH_GROUP_ATTR=memberUid
- CONCOURSE_LDAP_GROUP_SEARCH_NAME_ATTR=cn
- CONCOURSE_LDAP_USER_SEARCH_BASE_DN=ou=people,dc=wso2,dc=com
- CONCOURSE_LDAP_USER_SEARCH_ID_ATTR=uid
- CONCOURSE_LDAP_USER_SEARCH_EMAIL_ATTR=mail
- CONCOURSE_LDAP_USER_SEARCH_USERNAME=uid
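To see how the `USER_SEARCH_*` and `GROUP_SEARCH_*` settings above fit together with the LDIF entries, here is an added example (not Concourse's or dex's code, and not this page's file verbatim) that parses a small LDIF in Python and then evaluates the same two lookups Concourse performs: find the user under `USER_SEARCH_BASE_DN` by its `USER_SEARCH_USERNAME` attribute, then find the groups under `GROUP_SEARCH_BASE_DN` whose `GROUP_SEARCH_GROUP_ATTR` contains the user's `GROUP_SEARCH_USER_ATTR` value, and finally check whether `MAIN_TEAM_GROUP` is among them. The sample LDIF is constructed here: it keeps the page's two users and `employees` group and adds a third user (`user003`) and a `contractors` group so the main-team check also has a negative case. It also shows why the folded `userPassword::` line needs its leading space, since the parser unfolds and base64-decodes it the way `ldapadd` would. The in-memory matching is a simplification of a real LDAP search (exact attribute equality, case-insensitive DN suffix match), not a reimplementation of the server's filter engine.

```python
import base64

# Constructed sample (not the page's LDIF verbatim): the page's two users and its
# 'employees' group, plus user003 and a 'contractors' group added for a negative
# case. user001's userPassword is folded: the continuation line starts with a space.
SAMPLE_LDIF = """\
dn: cn=John Smith,ou=people,dc=wso2,dc=com
cn: John Smith
uid: user001
userPassword:: e1NTSEF9amNNc1dCYmV0cy9zUW0wd1ozcmcrenJNUU5vMlBzRnYzVS9vVFl0O
 HVJYU14eTdOUUFseU1BPT0=

dn: cn=Jane Doe,ou=people,dc=wso2,dc=com
cn: Jane Doe
uid: user002

dn: cn=Sam Roe,ou=people,dc=wso2,dc=com
cn: Sam Roe
uid: user003

dn: cn=employees,ou=groups,dc=wso2,dc=com
cn: employees
memberUid: user001
memberUid: user002

dn: cn=contractors,ou=groups,dc=wso2,dc=com
cn: contractors
memberUid: user003
"""

# The page's CONCOURSE_LDAP_* search settings, keyed by the env var suffix.
CONFIG = {
    "USER_SEARCH_BASE_DN": "ou=people,dc=wso2,dc=com",
    "USER_SEARCH_USERNAME": "uid",
    "GROUP_SEARCH_BASE_DN": "ou=groups,dc=wso2,dc=com",
    "GROUP_SEARCH_USER_ATTR": "uid",
    "GROUP_SEARCH_GROUP_ATTR": "memberUid",
    "GROUP_SEARCH_NAME_ATTR": "cn",
    "MAIN_TEAM_GROUP": "employees",
}


def parse_ldif(text):
    """Minimal LDIF reader: unfold ' '-continued lines, decode 'attr:: base64'
    values, split entries on blank lines. Returns [{attr: [bytes, ...]}, ...]."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # continuation of the previous line
        else:
            unfolded.append(raw)
    entries, entry = [], {}
    for line in unfolded:
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, sep, value = line.partition("::")
        if sep and ":" not in name:  # base64-encoded value
            entry.setdefault(name, []).append(base64.b64decode(value.strip()))
        else:
            name, value = line.split(":", 1)
            entry.setdefault(name, []).append(value.strip().encode("utf-8"))
    if entry:
        entries.append(entry)
    return entries


def in_subtree(dn, base_dn):
    dn, base_dn = dn.lower(), base_dn.lower()  # DNs compare case-insensitively
    return dn == base_dn or dn.endswith("," + base_dn)


def find_user(entries, username, cfg=CONFIG):
    """User search: entry under USER_SEARCH_BASE_DN whose USER_SEARCH_USERNAME
    attribute equals the login name."""
    for e in entries:
        if in_subtree(e["dn"][0].decode(), cfg["USER_SEARCH_BASE_DN"]) \
                and username.encode() in e.get(cfg["USER_SEARCH_USERNAME"], []):
            return e
    return None


def groups_for(entries, user, cfg=CONFIG):
    """Group search: groups under GROUP_SEARCH_BASE_DN whose GROUP_SEARCH_GROUP_ATTR
    contains the user's GROUP_SEARCH_USER_ATTR value; returns their name attribute."""
    key = user[cfg["GROUP_SEARCH_USER_ATTR"]][0]
    names = []
    for e in entries:
        if in_subtree(e["dn"][0].decode(), cfg["GROUP_SEARCH_BASE_DN"]) \
                and key in e.get(cfg["GROUP_SEARCH_GROUP_ATTR"], []):
            names += [v.decode() for v in e.get(cfg["GROUP_SEARCH_NAME_ATTR"], [])]
    return names


def may_join_main_team(entries, username, cfg=CONFIG):
    user = find_user(entries, username, cfg)
    return user is not None and cfg["MAIN_TEAM_GROUP"] in groups_for(entries, user, cfg)


ENTRIES = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    for name in ("user001", "user002", "user003", "nobody"):
        print(name, groups_for(ENTRIES, find_user(ENTRIES, name)) if find_user(ENTRIES, name) else [],
              may_join_main_team(ENTRIES, name))
```

The same structure explains the most common misconfiguration with this setup: `GROUP_SEARCH_USER_ATTR` must name the user attribute whose value is literally what the group stores in `GROUP_SEARCH_GROUP_ATTR`. Here both sides carry the bare `uid`, which is why `uid`/`memberUid` pairs; if the group used `member` with full DNs instead, `GROUP_SEARCH_USER_ATTR` would have to be `DN`.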
Go ahead, log in. It should work. Theoretically. If it doesn't, look at this page for help. We tried.
Footnote: We used JXplorer to visualize and edit the LDAP server configuration. You may find it useful too.