New In 2.5.92 - UI page to help you configure LDAP authentication
If you're having trouble at any stage please contact us at support@skyformation.com.
Compatible with SkyFormation App Version
This guide is compatible with SkyFormation App version 2.1.21 (see Get Your SkyFormation App Version). If you are using an older version of SkyFormation, we highly recommend updating to the latest one.
Preface
The SkyFormation platform uses an authentication mechanism based on a local file holding the relevant user:role:credentials information.
It is highly recommended to replace the default authentication mechanism with an LDAP-based one.
This allows an easy way to add and remove users who are allowed access to SkyFormation, and improves the security of the users' information and credentials.
This post explains how to use an LDAP server as the SkyFormation authentication service provider.
The SkyFormation application will ask the user for her user:password and validate these against the configured LDAP server.
The SkyFormation application will not save the user's credentials sent to the LDAP server.
Prerequisites
- Make sure the SkyFormation machine can communicate with the LDAP server
- Have the LDAP server name and port number to use
- Make sure each user you would like to allow access to the SkyFormation app has an attribute with a specific value you will use to identify allowed users (e.g. ou with value SkyFormation admin)
Steps
- SSH to your SkyFormation machine
- Enter the SkyFormation tomcat container by running the command
For 2.3.x versions: sudo docker container exec -it sk4_sk4_tomcat_1 bash
For 2.4.x versions: sudo docker container exec -it sk4tomcat bash
- Make a copy of the following file (in case the LDAP change does not work)
sudo cp sk4conf/shiro/client-shiro.ini sk4conf/shiro/client-shiro.ini.orig
- Edit the file we just made a copy of
%skyformation root%/tomcat/sk4conf/shiro/client-shiro.ini
- Add the following LDAP configuration lines
ldapRealm.bindByAttribute = %the user attribute to lookup for authentication%
ldapRealm.contextFactory.url = ldaps://%ldap server address%:%LDAP server port with SSL%
ldapRealm.membershipAttribute = %the user's attribute name to look for%
ldapRealm.groupRolesMap = %"users attribute to lookup for each AuthN user to allow SkyFormation app access"%:sk4-admin
// Optional - needed only in large scale LDAP deployments to avoid lengthy lookups
ldapRealm.baseSearch = %base DN to start the users search from%
// Only needed if anonymous LDAP search is not supported
ldapRealm.contextFactory.
ldapRealm.contextFactory.
securityManager.realms = $ldapRealm
ldapRealm.bindByAttribute = uid
[users]
sk4admin = currentpasswordhere, sk4-admin
- Exit the SkyFormation tomcat container you are in
Press Ctrl+D
- To support LDAPS (LDAP over SSL), if used above, follow these steps as well:
Adding an SSL Certificate to the SkyFormation Trusted Certificates Store
- Restart the SkyFormation application
sudo service sk4compose restart
Done
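As an added check that is not part of this article or of the SkyFormation product, the following Python script validates an edited client-shiro.ini before the restart in the last step: it flags leftover % placeholders from the template above, a contextFactory.url that is not ldaps://, a groupRolesMap that does not grant sk4-admin, a securityManager.realms that does not reference $ldapRealm, and a missing local sk4-admin fallback in [users]. The sample ini content, the host name ldap.example.internal and the assumption that the realm lines live under a [main] section are constructed, not taken from the product.

```python
import configparser
import re
from urllib.parse import urlsplit

# Constructed sample of client-shiro.ini after the LDAP edit (not a file taken from the product).
SAMPLE_INI = """\
[main]
ldapRealm.bindByAttribute = uid
ldapRealm.contextFactory.url = ldaps://ldap.example.internal:636
ldapRealm.membershipAttribute = ou
ldapRealm.groupRolesMap = "SkyFormation admin":sk4-admin
securityManager.realms = $ldapRealm

[users]
sk4admin = currentpasswordhere, sk4-admin
"""

# Template values in the guide look like %description%; any left over means an unfinished edit.
PLACEHOLDER = re.compile(r"%[^%\n]+%")
REQUIRED = ("ldapRealm.bindByAttribute", "ldapRealm.membershipAttribute", "ldapRealm.groupRolesMap")

def check_shiro_ini(text):
    """Return a list of problems found in an edited client-shiro.ini; an empty list means it passed."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case, e.g. ldapRealm.contextFactory.url
    cp.read_string(text)
    main = cp["main"] if cp.has_section("main") else {}
    problems = []
    for key, value in main.items():
        hit = PLACEHOLDER.search(value)
        if hit:
            problems.append(f"{key}: template placeholder {hit.group()} still present")
    for key in REQUIRED:
        if not main.get(key):
            problems.append(f"{key} is missing")
    url = urlsplit(main.get("ldapRealm.contextFactory.url", ""))
    if url.scheme != "ldaps":
        problems.append("contextFactory.url is not ldaps://, so bind credentials would travel unencrypted")
    # The realm must grant sk4-admin, otherwise no LDAP user can reach the app.
    if main.get("ldapRealm.groupRolesMap", "").rsplit(":", 1)[-1].strip() != "sk4-admin":
        problems.append("groupRolesMap does not map the lookup value to sk4-admin")
    if main.get("securityManager.realms", "").strip() != "$ldapRealm":
        problems.append("securityManager.realms does not reference $ldapRealm")
    # Keep the local account from the guide so a broken LDAP setup does not lock everyone out.
    users = cp["users"].values() if cp.has_section("users") else []
    if not any("sk4-admin" in v for v in users):
        problems.append("[users] has no local sk4-admin fallback account")
    return problems
```

Run it against the edited file's contents inside the container before restarting sk4compose; a non-empty list is a reason to restore the .orig copy made earlier.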
Comments
Correction to step #2 for entering the sk4tomcat docker container as the sk4_sk4_tomcat_1 container doesn't exist in version 2.4.x. The corresponding docker id for docker name "sk4tomcat" contains the client_shiro.ini file. Using docker exec -it "<docker id>" bash appears to work.