Hub 2017.4 Help

LDAP Authentication Module

An LDAP authentication module lets users log in to Hub and any connected services with credentials that are stored in a directory service. Hub provides pre-configured authentication modules for LDAP, OpenLDAP, and Active Directory. You can configure a module to use the standard LDAP scheme or LDAPS over SSL.

The LDAP authentication module does not import all of the user accounts from the directory service. Hub only creates a user account when an unregistered user first logs in to Hub or a connected service.

When LDAP authentication is enabled, Hub checks the directory service for each login attempt. Users who have been removed from the directory service cannot log in to Hub.

Prerequisites

If you want to authenticate over SSL, import the trusted SSL certificate and key store before you enable the authentication module. For more information, see SSL Key Stores.

Enable LDAP Authentication

To allow users stored in a directory service to log in to Hub, enable an LDAP authentication module.

To enable LDAP authentication:

  1. In the Access Management section of the Administration menu, select Auth Modules.
  2. From the Add Module drop-down list, select the option that corresponds to the directory service you want to enable. You can select LDAP, OpenLDAP, or Active Directory.
    • The Add Module dialog opens in the sidebar.
  3. In the Add Module dialog, enter values for the following settings:
    Field: Description
    Name: Enter a name for the authentication module.
    Server: Enter the server address of the directory service.
    Port: Enter the number of the port used to communicate with the directory service.
      • The default port for standard LDAP is 389.
      • The default port for LDAPS is 636.
    SSL: Select this option to authenticate over SSL.
    Search Base: Enter the domain components that define the top-level LDAP DN where user accounts are stored. For example, if your company uses the domain mycompany.com, enter the top-level LDAP DN dc=mycompany,dc=com.
      The value entered in this field is added to the LDAP URL and cannot contain unsafe characters.
      If you use organizational units to manage users, create separate auth modules for each organization. Include the organizational unit in the search base to create a unique LDAP URL for each module. LDAP authentication modules do not support recursive search in the LDAP tree.
  4. Click the Create Module button.
    • The LDAP authentication module is enabled. The current status of the module is displayed next to the name of the module in the header.
    • The Auth Modules page displays the settings for the LDAP authentication module. The module is pre-configured with standard settings that are based on the information you provided in the Add Module dialog. For additional information about the settings on this page, see the Settings section.

Test the Connection to your Directory Service

To verify that the LDAP authentication module is connected to your directory service, test the connection.

To test the connection:

  1. Click the Test Login button.
  2. In the Test Authentication dialog, enter the credentials of a user who is stored in your directory service:
    • In the Login field, enter the domain\username.
    • In the Password field, enter the password.
  3. Click the Test Login button.
    • Hub searches for the specified user account in the directory service. If the user is found, a success notification is displayed. If you get an error, check your user credentials and server URL.

Settings

Use the following settings to fine-tune the connection to your directory service.

Field: Description
Type: Displays the type of directory service that is enabled for third-party authentication in Hub.
Name: Stores the name of the authentication module. Use this setting to distinguish this module from other authentication modules in the Auth Modules list.
Server URL: Stores the LDAP URL of the directory service used to authenticate a login request in Hub.
  The LDAP URL uses the format ldap://host:port/DN. Enter the full distinguished name (DN) of the directory where user accounts are stored.
SSL key store: Select an uploaded SSL key store to encrypt the connection between Hub and the directory service. For more information about managing key stores in Hub, see SSL Key Stores. You can also follow the procedure on the Set Up SSL Keys for SAML 2.0 page to create a key store and use it here.
Bind account: Determines which account is used for the LDAP bind request. For more information, see Bind Account Options.
Bind DN: Stores the value that is used to bind with the directory service. For more information, see Bind Account Options.
Filter: Stores an expression that locates the record for a specific user in the LDAP service. The substitution variable in the expression is replaced with the value entered as the username or email on the login page.

Bind Account Options

You can configure the module to perform the bind request with the LDAP service in one of two ways. The method used is determined by the option selected for the Bind account setting.

The value that you use for the Bind DN setting depends on the option that you select for the Bind account setting. Use the following guidelines to set the value for the Bind DN setting:

Option: Fixed
Description: Uses a fixed account to bind to the LDAP service and searches for the user you want to authenticate on behalf of the bind user. With this option, you can set up an LDAP authentication module and still use logins that are not part of the Distinguished Name (DN), like an email address or token. This method is also commonly called search + bind or two-step authentication.

To use this method, you need a special account on the directory server that has permission to look up other user accounts in the directory service.

Guideline for Bind DN Setting: Enter the full DN of the user account that you want to use for the LDAP bind request. This account must have permission to look up other user accounts in the directory service.

Use the Set password control to store the password for this account in Hub. The password for the bind user is stored as a hash of the plain-text value.

Option: Dynamic
Description: Derives the user DN from the login and attempts to bind to the LDAP service as the user directly. This method is also commonly called direct bind.

Guideline for Bind DN Setting: Use a query to bind with the directory service. This query looks up the distinguished name of the user to be authenticated. Reference the username with an expression. The expression maps a substitution variable to the attribute that stores the username in the directory service. The attribute you select determines which query is used in the filter string.

The value entered as the username on the login page is trimmed before it replaces the substitution variable. If the user specifies a domain, it is discarded. For example, a username with the value WORKGROUP\smith is trimmed to smith. To specify a domain, enter the domain name as a static value. For example, WORKGROUP\%u.
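
The trimming and %u substitution described above, as an added example (not Hub's own code; this page does not document how Hub escapes the login). The function names, the RFC 4515 and RFC 4514 escaping step, and the allow-list for non-DN bind names are assumptions that show how a login can be made safe before it is placed in a Filter or Bind DN template.

```python
import re

# RFC 4515 escapes for a search-filter value; RFC 4514 specials for a DN value.
FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}
DN_SPECIALS = set('\\,+"<>;=')
# Assumed allow-list for non-DN bind names such as %u@company.com.
PLAIN_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def trim_login(login):
    """Discard a DOMAIN\\ prefix: WORKGROUP\\smith becomes smith."""
    return login.strip().rsplit("\\", 1)[-1]


def escape_filter(value):
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn(value):
    out = []
    for i, ch in enumerate(value):
        if ch in DN_SPECIALS or (ch == "#" and i == 0):
            out.append("\\" + ch)
        elif ch == " " and i in (0, len(value) - 1):
            out.append("\\ ")
        elif ch == "\0":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def expand(template, login, kind):
    """Substitute %u in a template; kind is 'filter', 'dn' or 'name'."""
    user = trim_login(login)
    if not user:
        raise ValueError("empty login")
    if kind == "filter":
        user = escape_filter(user)
    elif kind == "dn":
        user = escape_dn(user)
    elif not PLAIN_NAME.fullmatch(user):
        raise ValueError("login not allowed in a non-DN bind name")
    return template.replace("%u", user)


if __name__ == "__main__":
    # Constructed logins; the templates are the page's sample values.
    print(expand("uid=%u", "WORKGROUP\\sm*th(1)", "filter"))
    print(expand("uid=%u,ou=People", "smith+ops,x", "dn"))
    print(expand("%u@company.com", "WORKGROUP\\smith", "name"))
```

Without the escaping step, the characters `*`, `(`, `)` and `,` in a login would change the structure of the filter or DN instead of being matched literally.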

Attribute Mapping

When Hub finds a record in the LDAP service that matches a filter, it fetches values from the LDAP attributes that are specified for each field and copies them to the user profile in Hub. Use the following settings to define the filter criteria and map attributes that are stored in your directory service to user accounts in Hub.

Field: Description
Login: Required. Maps to the LDAP attribute that stores the value to copy to the Login field in the Hub profile. The pre-filled default values are:
  • For LDAP or OpenLDAP, the default value is uid.
  • For Active Directory, the default value is sAMAccountName.

  We urge you not to change the default values unless it is strictly required. If you do change the default value, the field must specify an attribute of the LDAP record that uniquely identifies a user account. Also, if the default value is changed, a new credentials record might be added to the Logins section of the user profile on the next attempt to log in with the LDAP credentials.

Full name: Maps to the LDAP attribute that stores the value to copy to the Full name field in the Hub profile.
Email: Maps to the LDAP attribute that stores the value to copy to the Email field in the Hub profile.
Jabber: Maps to the LDAP attribute that stores the value to copy to the Jabber field in the Hub profile.
VCS user name: Maps to the LDAP attribute that stores the value to copy to the VCS user name field in the Hub profile.

Additional Settings

The following options are located at the bottom of the page. Use these settings to manage Hub account creation, group membership, and connection options.

Option: Description
User creation: Enables creation of Hub accounts for unregistered users who log in with an account that is stored in the connected directory service. Hub uses the email address to determine whether the user has an existing account.
  All LDAP authentication modules must allow user creation. If user creation is denied, unregistered users are shown an error.
Auto-join groups: Adds users to a group when they log in with an account that is stored in the connected directory service. You can select one or more groups. New users that auto-join a group inherit all of the permissions assigned to this group.
  We recommend that you add users to at least one group. Otherwise, a new user is only granted the permissions that are currently assigned to the All Users group.
Connection timeout: Sets the period of time to wait to establish a connection to the authorization service. The default setting is 5000 milliseconds (5 seconds).
Read timeout: Sets the period of time to wait to read and retrieve user profile data from the authorization service. The default setting is 5000 milliseconds (5 seconds).
Audit: Links to the Audit Events page in Hub. There, you can view a list of changes that were applied to this authentication module.

Sample Configurations

Service Type: LDAP
  Server URL: ldap://ldap.company.com:389/dc=company,dc=com
  SSL key store: No
  Bind DN: uid=%u,ou=People
  Filter: uid=%u

Service Type: LDAP over SSL
  Server URL: ldaps://ldap.company.com:636/dc=company,dc=com
  SSL key store: LDAP SSL
  Bind DN: uid=%u,ou=People
  Filter: uid=%u

Service Type: OpenLDAP
  Server URL: ldap://ldap.company.com:389/dc=company,dc=com
  SSL key store: No
  Bind DN: uid=%u,dc=company,dc=com
  Filter: uid=%u

Service Type: OpenLDAP over SSL
  Server URL: ldaps://ldap.company.com:636/dc=company,dc=com
  SSL key store: LDAP SSL
  Bind DN: uid=%u,dc=company,dc=com
  Filter: uid=%u

Service Type: Active Directory
  Server URL: ldap://ldap.company.com:389/dc=company,dc=com *
  SSL key store: No
  Bind DN: %u@company.com
  Filter: sAMAccountName=%u

Service Type: Active Directory over SSL
  Server URL: ldaps://ldap.company.com:636/dc=company,dc=com *
  SSL key store: Active Directory SSL
  Bind DN: %u@company.com
  Filter: sAMAccountName=%u

* replace company.com with the domain name of the Active Directory.
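
A pre-deployment check for the Server URL and SSL key store values shown in the sample configurations, as an added example (not part of Hub). The function name, the finding codes and the set of characters treated as unsafe are assumptions; the checks follow the page's ldap://host:port/DN format, its default ports and its SSL prerequisite, and flag plain ldap:// because bind passwords then cross the network unencrypted.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}  # defaults stated on the page
UNSAFE = set(' "<>{}|\\^`')  # assumed unsafe set; the page does not list one


def check_module(server_url, key_store=None):
    """Return finding codes for one module's Server URL and SSL key store."""
    parts = urlsplit(server_url)
    if parts.scheme not in DEFAULT_PORTS:
        return ["bad-scheme"]
    try:
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:  # non-numeric or out-of-range port
        return ["bad-port"]
    findings = []
    if not parts.hostname:
        findings.append("missing-host")
    other = "ldaps" if parts.scheme == "ldap" else "ldap"
    if port == DEFAULT_PORTS[other]:
        findings.append("port-mismatch")  # e.g. ldaps:// pointed at 389
    if parts.scheme == "ldap":
        findings.append("cleartext-bind")  # no transport encryption
    elif not key_store:
        findings.append("no-key-store")  # SSL selected, nothing to trust
    dn = parts.path.lstrip("/")
    if not dn:
        findings.append("missing-dn")
    elif parts.query or parts.fragment or UNSAFE & set(dn):
        findings.append("unsafe-dn")  # ? and # would cut the DN short
    elif any("=" not in rdn for rdn in dn.split(",")):
        findings.append("malformed-dn")
    return findings


if __name__ == "__main__":
    # First two rows are the page's samples; the rest are constructed.
    samples = [
        ("ldap://ldap.company.com:389/dc=company,dc=com", None),
        ("ldaps://ldap.company.com:636/dc=company,dc=com", "LDAP SSL"),
        ("ldaps://ldap.company.com:389/dc=company,dc=com", None),
        ("ldaps://ldap.company.com:636/ou=My Users,dc=company,dc=com", "LDAP SSL"),
    ]
    for url, store in samples:
        print(url, check_module(url, store))
```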

Last modified: 21 February 2018