LDAP Authentication Setup
Configure the required settings in the SKOOR Engine’s server configuration file:
/etc/opt/eranger/eranger-server.cfg
The following example shows a minimal configuration for querying Active Directory. Adapt the values to fit the AD/LDAP server parameters:
auth_ldap = on
ldap_server = ldap://myldapserver:389
ldap_base = dc=mycompany,dc=local
If the LDAP users that are trying to log in do not have sufficient permissions to read their own LDAP group membership, a separate search account can be defined with the ldap_user and ldap_pass items; its DN and password are then used for the group lookup.
Other configuration parameters for LDAP:
| Parameter | Description |
|---|---|
| ldap_auth_dn | Must be set to true if the login users are unable to read their own group membership in the LDAP directory |
| ldap_charset | If there are issues with special characters (e.g. umlauts) in the data received from the LDAP server, configure SKOOR Engine to convert the response from the specified character set, for example ISO8859-1, to UTF-8 |
| ldap_item_user | LDAP attribute to match against the login name. This parameter is relevant for the login process. Typically, sAMAccountName or userPrincipalName is used |
| ldap_item_name | LDAP attribute to display as Fullname in SKOOR (e.g. displayName) |
| ldap_item_mail | LDAP attribute to display as E-mail in SKOOR (e.g. mail) |
| ldap_item_phone | LDAP attribute to display as Phone in SKOOR (e.g. telephoneNumber) |
| ldap_item_comment | LDAP attribute to display as Comment in SKOOR (e.g. comment) |
| ldap_item_group | LDAP attribute to search for the login user's group memberships. Typically, memberOf is used |
| ldap_pass | Password for the account configured with the ldap_user parameter |
| ldap_server1, ldap_server2 | If more than one LDAP server is available, they can be configured using these parameters instead of ldap_server |
| ldap_user | Account used to search the LDAP tree if the login user has no permission to do so |
| ldap_user_expire | Number of inactive days after which LDAP-managed users are deleted from the SKOOR Engine (default = 90 days) |
Reload the SKOOR Engine Server to activate the configuration:
/opt/eranger/bin/eRanger.sh reload server
For a user to be authenticated against the AD/LDAP, set its User type to Remote authenticated in the user configuration.
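Before reloading the server, the LDAP items from the table above can be sanity-checked offline. The following script is an added example, not part of SKOOR; it assumes the configuration file holds one `key = value` pair per line (as in the example above) and treats lines beginning with `#` as comments (an assumption). The sample configuration and the service-account DN in it are constructed.

```python
"""Offline sanity check for the SKOOR Engine LDAP settings (added example)."""
from urllib.parse import urlsplit

# Constructed sample: the minimal AD example from the page plus a search
# account, as needed when login users cannot read their own memberOf.
SAMPLE_CFG = """
auth_ldap = on
ldap_server = ldap://myldapserver:389
ldap_base = dc=mycompany,dc=local
ldap_auth_dn = true
ldap_user = cn=skoor-svc,ou=Service Accounts,dc=mycompany,dc=local
ldap_item_user = sAMAccountName
ldap_item_group = memberOf
"""


def parse_cfg(text):
    """Return the key/value pairs of an eranger-server.cfg style text."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank, comment (assumed syntax) or malformed line
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def check_ldap_settings(settings):
    """Return a list of findings for the LDAP parameters; empty means OK."""
    findings = []
    if settings.get("auth_ldap", "off").lower() != "on":
        findings.append("auth_ldap is not 'on'; LDAP login stays disabled")
    keys = ("ldap_server", "ldap_server1", "ldap_server2")
    servers = [settings[k] for k in keys if k in settings]
    if not servers:
        findings.append("no ldap_server / ldap_server1 / ldap_server2 set")
    for url in servers:
        parts = urlsplit(url)
        if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
            findings.append(f"{url!r} is not a valid ldap:// or ldaps:// URL")
        elif parts.scheme == "ldap":
            findings.append(f"{url!r} is a plain ldap:// URL; confirm the "
                            "transport is protected (e.g. StartTLS), otherwise "
                            "bind passwords travel in clear text")
    if "ldap_base" not in settings:
        findings.append("ldap_base is missing; searches have no search base")
    # ldap_auth_dn = true only works with the ldap_user / ldap_pass account.
    if settings.get("ldap_auth_dn", "").lower() == "true":
        for key in ("ldap_user", "ldap_pass"):
            if not settings.get(key):
                findings.append(f"ldap_auth_dn = true but {key} is not set; "
                                "group lookups will fail")
    return findings
```

Run it against the real file with `check_ldap_settings(parse_cfg(open("/etc/opt/eranger/eranger-server.cfg").read()))` and fix every finding before the reload.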
The LDAP passwords are hashed locally in the same way as those of normal users, i.e. as salted MD5. The clear-text password is never stored anywhere in SKOOR Engine. This allows a user to log on to the SKOOR Engine even if the LDAP directory is not accessible.