Articles in this section

See more

How-to: Configure SkyFormation Authentication to Use LDAP server

Avatar
Nadav Lavy (Greenberg)
  • Updated
Follow

If you're having trouble at any stage please contact us at support@skyformation.com

Compatible with SkyFormation App Version

This guide is compatible with SkyFormation App version 2.1.21 (see Get Your SkyFormation App Version). If you are using an older version of SkyFormation we highly recommend to update to the latest one.

Preface

SkyFormation platform is using an authentication mechanism based on local file with the relevant user:role:credentials information.

It is highly recommended to replace the default authentication mechanism with LDAP based one.
This would allow an easy way to add/remove users allowed access to SkyFormation, and improve the
user's information and credentials security.

This post explains how to use LDAP server as the SkyFormation authentication service provider.
SkyFormation application will ask the user for her user:password and validate these with the configured
LDAP server.

SkyFormation application will not save the user's credentials sent to the LDAP. 

Prerequisites

- Make sure the SkyFormation machine could communicate with the LDAP server

- Have the LDAP server name and port number to use

- Make sure each user you would like to allow access to SkyFormation app has an attribute
  with a specific value you would use to identify allowed users (e.g. ou with value SkyFormation admin)

Step

- SSH to your SkyFormation machine

- Enter the SkyFormation tomcat container by running the command

   sudo docker container exec -it sk4_sk4_tomcat_1 bash

- Make a copy of the following file (in case the LDAP change will not work)

    sudo cp sk4conf/shiro/client-shiro.ini sk4conf/shiro/client-shiro.ini.orig

- Edit the file we just created a copy for

  %skyformation root%/tomcat/sk4conf/shiro/client-shiro.ini

  () Add the following LDAP configuration lines     

     ldapRealm = com.skyformation.shiro.realms.SK4LdapRealm
     ldapRealm.bindByAttribute = %the user attribute to lookup for authentication
     ldapRealm.contextFactory.url = ldaps://%ldap server address%:%LDAP server port with SSL%
     ldapRealm.membershipAttribute = %the user's attribute name to look for%
     ldapRealm.groupRolesMap = %"users attribute to lookup for each AuthN user to allow SkyFormation
     app access"%:sk4-admin           

     // Optional - needed only in large scale LDAP deployments to avoid lengthy lookup
     ldapRealm.baseSearch = %base DN to start the users seach from% (Optional)   

     // Only needed if anonymous LDAP search is not supported
     ldapRealm.contextFactory.systemUsername = %search user's DN for the LDAP search
     ldapRealm.contextFactory.systemPassword = %search user's password for the LDAP search%

     securityManager.realms = $ldapRealm     

 
      LDAP configuration lines example:
     ldapRealm = com.skyformation.shiro.realms.SK4LdapRealm
     ldapRealm.bindByAttribute = uid
     ldapRealm.contextFactory.url = ldap://ldapserver.mycorp.com:389
     ldapRealm.membershipAttribute = ou
     ldapRealm.groupRolesMap = "Product Development":sk4-admin
 
     ldapRealm.baseSearch = ou=people,dc=mycorp,dc=com     
 
     ldapRealm.contextFactory.systemUsername = uid=ajensen,ou=people,dc=mycorp,dc=com
     ldapRealm.contextFactory.systemPassword = secret
     
     securityManager.realms = $ldapRealm     
 
          
     () Remove the following lines

        [users]
        sk4admin = password, sk4-admin  

 

- Exit the SkyFormation tomcat container you are at

  Press Ctrl+D

- To support LDAPS (LDAP over SSL) if used above please follow these steps as well:

   Adding a SSL Certificate to the SkyFormation Trusted Certificates Store

 

- Restart the SkyFormation application

  sudo service sk4compose restart

 

Done 

 

Related articles

Comments

0 comments

Please sign in to leave a comment.