LDAP Authentication Module
An LDAP authentication module lets users log in to Hub and any connected services with credentials that are stored in a directory service.
- Background Information
- Prerequisites
- Enable LDAP Authentication
- Test the Connection to your Directory Service
- Settings
- LDAP Attributes
- Auto-join Groups
- Sample Configurations
Background Information
An LDAP integration does not import all of the user accounts from the directory service. Hub only creates a user account when an unregistered user first logs in to Hub or a connected service.
When LDAP authentication is enabled, Hub checks the directory service for each login attempt. Users who have been removed from the directory service cannot log in to Hub.
Hub provides pre-configured authentication modules for LDAP, OpenLDAP, and Active Directory. You can configure a module to use the standard LDAP scheme or LDAPS over SSL.
Prerequisites
Before you start, verify the following requirements:
- You have Create Auth Module and Update Auth Module permissions in Hub.
- If you want to authenticate over SSL, you have imported the trusted SSL certificate and key store.
Enable LDAP Authentication
To allow users stored in a directory service to log in to Hub, enable an LDAP authentication module.
- From the More Settings menu, select Auth Modules.
- From the Add Module drop-down list, select the option that corresponds to the directory service you want to enable.
You can select LDAP, OpenLDAP, or Active Directory.
- The Add Module dialog opens.
- In the Add Module dialog, enter values for the following settings:
Field Description Name Enter a name for the authentication module. Server Enter the server address of the directory service. Port Enter the number of the port used to communicate with the directory service. - The default port for standard LDAP is 389.
- The default port for LDAPS is 636.
SSL Select this option to authenticate over SSL. Search Base Enter the domain components that define the top-level LDAP DN where user accounts are stored. For example, if your company uses the domain mycompany.com
, enter the top-level LDAP DNdc=mycompany,dc=com
.
The value entered in this field is added to the LDAP URL and cannot contain unsafe characters.
If you use organizational units to manage users, create separate auth modules for each organization. Include the organizational unit in the search base to create a unique LDAP URL for each module. LDAP authentication modules do not support recursive search in the LDAP tree. - Click the Create Module button.
- The LDAP authentication module is enabled.
- The Auth Modules page displays the settings for the LDAP authentication module. The module is pre-configured with standard settings that are based on the information you provided in the Add Module dialog. For additional information about the settings on this page, see LDAP Authentication Module.
Test the Connection to your Directory Service
To verify that the LDAP authentication module is connected to your directory service, test the connection.
- Click the Test Login button.
- In the Test Authentication dialog, enter the credentials of a user who is stored in your directory service:
- In the Login field, enter the
domainusername
. - In the Password field, enter the
password
.
- In the Login field, enter the
- Click the Test Login button.
- Hub searches for the specified user account in the directory service. If the user is found, a success notification is displayed. If you get an error, check your user credentials and server URL.
Settings
Use the following settings to configure how Hub connects to your directory service.
Field | Description | Additional Information |
---|---|---|
Type | Displays the name of the application or service that is enabled for third-party authentication in Hub. | |
Name | Stores the name of the authentication module. Use this setting to distinguish this module from other authentication modules in the Auth Modules list. | |
Authentication | Displays the current status of the module. This status indicates whether the module is currently enabled or disabled. | |
Audit | Links to the Audit Events page in Hub. There, you can view a list of changes that were applied to this authentication module. | |
Server URL | Stores the LDAP URL of the directory service used to authenticate a login request in Hub. | The LDAP URL uses the format ldap://host:port:DN . Enter the full distinguished name (DN) of the directory where user accounts are stored. |
Bind DN | Stores the query used to bind with the directory service. This query looks up the distinguished name of the user to be authenticated. The username is referenced with an expression. The expression maps a substitution variable to the attribute that stores the username in the directory service. The attribute you select determines which query is used in the filter string. | The value entered as the username on the login page is trimmed before it replaces the substitution variable.
If the user specifies a domain, it is discarded. For example, a username with the value WORKGROUP\smith is trimmed to smith .
To specify a domain, enter the domain name as a static value. For example, WORKGROUP\%u . |
Filter | Stores the expression used to filter for a specific user. The substitution variable in the expression is replaced with the value entered as the username on the login page. | The value entered in this field locates the authenticated user in the directory service. |
SSL Key | Selects the key store that is used by your trusted SSL certificate. | |
Create Users | Enables creation of Hub accounts for unregistered users who log in with an account that is stored in the connected directory service. Hub uses the email address to determine whether the user has an existing account. | All LDAP authentication modules must allow user creation. If user creation is denied, unregistered users are shown an error. |
LDAP Attributes
Use the following settings to map attributes stored in your directory service to user accounts in Hub.
Field | Description |
---|---|
Name | Stores the name of the LDAP attribute that contains the name of the user. |
Login | Stores the name of the LDAP attribute that contains the username. |
Stores the name of the LDAP attribute that contains the email address. | |
Jabber | Stores the name of the the LDAP attribute that contains the username for a Jabber account. |
VCS User Name | Stores the name of the LDAP attribute that contains the username for the version control system. |
Auto-join Groups
Use this setting to add users to a group when they log in with an account that is stored in the connected directory service.
You can select one or more groups.
New users that auto-join a group inherit all of the permissions assigned to this group.
We recommend that you add users to at least one group.
Otherwise, a new user is only granted the permissions that are currently assigned to the All Users group.
Sample Configurations
Service Type | Configuration | Additional Information |
---|---|---|
LDAP | Server URL: ldap://ldap.company.com:389/dc=company,dc=com Bind DN: uid=%u,ou=People Filter: uid=%u Select SSL Key: No Key | |
LDAP over SSL | Server URL: ldaps://ldap.company.com:636/dc=company,dc=com Bind DN: uid=%u,ou=People Filter: uid=%u Select SSL Key: LDAP SSL | |
OpenLDAP | Server URL: ldap://ldap.company.com:389/dc=company,dc=com Bind DN: uid=%u,dc=company,dc=com Filter: uid=%u Select SSL Key: No Key | |
OpenLDAP over SSL | Server URL: ldaps://ldap.company.com:636/dc=company,dc=com Bind DN: uid=%u,dc=company,dc=com Filter: uid=%u Select SSL Key: LDAP SSL | |
Active Directory | Server URL: ldap://ldap.company.com:389/dc=company,dc=com Bind DN: %u@company.com Filter: sAMAccountName=%u Select SSL Key: No Key | Replace company.com with the domain name of the Active Directory. |
Active Directory over SSL | Server URL: ldaps://ldap.company.com:636/dc=company,dc=com Bind DN: %u@company.com Filter: sAMAccountName=%u Select SSL Key: Active Directory SSL | Replace company.com with the domain name of the Active Directory. |