LDAP Authentication Setup

Configure the required settings in the SKOOR Engine’s server configuration file:

/etc/opt/eranger/eranger-server.cfg

The following example shows a minimal configuration for querying Active Directory. Adapt the values to fit the AD/LDAP server parameters:

auth_ldap       = on
ldap_server     = ldap://myldapserver:389
ldap_base       = dc=mycompany,dc=local

If the LDAP users that are trying to log in do not have sufficient permissions to determine their own LDAP group membership, a separate bind DN and password can be defined using the ldap_user and ldap_pass items (together with ldap_auth_dn, see below).

Other configuration parameters for LDAP:

ldap_auth_dn
    Must be set to true if the login users are unable to read their own group membership in the LDAP directory. SKOOR Engine then uses ldap_user / ldap_pass to look up the group membership.

ldap_charset
    If there are issues with special characters (e.g. umlauts) in the data received from the LDAP server, configure SKOOR Engine to convert the response from the specified character set, for example ISO8859-1, to UTF-8.

ldap_item_user
    LDAP field to match against the login name. This parameter is relevant for the login process. Typically, sAMAccountName or userPrincipalName is used.

ldap_item_name
    LDAP field to display as Fullname in SKOOR (e.g. displayName).

ldap_item_mail
    LDAP field to display as E-mail in SKOOR (e.g. mail).

ldap_item_phone
    LDAP field to display as Phone in SKOOR (e.g. telephoneNumber).

ldap_item_comment
    LDAP field to display as Comment in SKOOR (e.g. comment).

ldap_item_group
    LDAP field to search for the login user's group memberships. Typically, memberOf is used.

ldap_pass
    Password for the user configured in the ldap_user parameter.

ldap_server1, ldap_server2, ldap_server3
    If more than one LDAP server is available, they can be configured using these parameters instead of ldap_server.

ldap_user
    User (bind DN) used to search the LDAP tree if the login user has no permission to do so.

ldap_user_expire
    Number of inactive days after which LDAP managed users are deleted from the SKOOR Engine (default = 90 days).

Reload the SKOOR Engine Server to activate the configuration:

/opt/eranger/bin/eRanger.sh reload server

For a user to be authenticated against the AD/LDAP, set its User type to Remote authenticated in the user configuration.
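As an added example (not part of the SKOOR documentation or product), a small Python checker for the LDAP entries in eranger-server.cfg: it parses the `key = value` line syntax shown above (treating lines starting with `#` as comments is an assumption), flags missing or conflicting parameters, the ldap_auth_dn / ldap_user / ldap_pass dependency, and a plain ldap:// server URL, which sends the bind password unencrypted unless the connection is upgraded to TLS. The sample configuration is constructed.

```python
# Constructed sample of the LDAP part of /etc/opt/eranger/eranger-server.cfg.
SAMPLE_CFG = """\
auth_ldap       = on
ldap_server     = ldap://myldapserver:389
ldap_base       = dc=mycompany,dc=local
ldap_auth_dn    = true
ldap_item_user  = sAMAccountName
"""

SERVER_KEYS = ("ldap_server", "ldap_server1", "ldap_server2", "ldap_server3")


def parse_cfg(text):
    """Parse 'key = value' lines into a dict. Blank lines and '#' comment
    lines are skipped (comment syntax is an assumption). Only the first '='
    splits, so DN values such as dc=mycompany,dc=local survive intact."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def check_ldap_cfg(cfg):
    """Return a list of (severity, message) findings for the LDAP settings."""
    findings = []
    if cfg.get("auth_ldap") != "on":
        return [("info", "auth_ldap is not 'on'; LDAP authentication is disabled")]
    servers = [cfg[k] for k in SERVER_KEYS if cfg.get(k)]
    if not servers:
        findings.append(("error", "no ldap_server / ldap_serverN configured"))
    if cfg.get("ldap_server") and any(cfg.get(k) for k in SERVER_KEYS[1:]):
        findings.append(("warn", "ldap_server and ldap_serverN are both set; use one form"))
    if not cfg.get("ldap_base"):
        findings.append(("error", "ldap_base is missing"))
    for url in servers:
        if url.lower().startswith("ldap://"):  # ldaps:// does not match this prefix
            findings.append(("warn", f"{url}: plain ldap:// sends the bind password "
                                     "unencrypted unless the session is upgraded to TLS"))
    # ldap_auth_dn=true only works with a service account to bind as.
    if cfg.get("ldap_auth_dn", "").lower() == "true":
        for k in ("ldap_user", "ldap_pass"):
            if not cfg.get(k):
                findings.append(("error", f"ldap_auth_dn=true requires {k}"))
    expire = cfg.get("ldap_user_expire")
    if expire is not None and not expire.isdigit():
        findings.append(("error", "ldap_user_expire must be a number of days"))
    return findings
```

Run it against the real file with `check_ldap_cfg(parse_cfg(open("/etc/opt/eranger/eranger-server.cfg").read()))` before reloading the server; since the file can contain ldap_pass in clear text, it should also be readable only by the account running SKOOR Engine.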

The LDAP passwords are stored locally in the same way as those of normal users, i.e. as salted MD5 hashes; the clear-text password is never stored anywhere in SKOOR Engine. This allows a user to log on to the SKOOR Engine even if the LDAP directory is not accessible.