User Authentication Methods
Active Directory User Authentication
Authenticating users against Active Directory (AD) is fairly easy to set up in its simplest form.
Assumptions (for this guide):
- The AD domain is called ad.homenet
- There is a group named HyperCloud of which users need to be a member
- A read-only account named service-user exists so that HyperCloud can bind to AD to authenticate users
Procedure
SSH into HyperCloud and edit the file /dashboard/one/ldap_auth.conf.
You will need to modify the following items to enable AD authentication. Remove the # at the beginning of the row to uncomment the line if necessary.
:user: 'service-user@ad.homenet' # This is the read-only user account for binding to AD
:password: 'F00bar1' # This is the password for the user above; it is stored in cleartext, so keep the file readable only by the dashboard
:host: 192.0.2.204 # This is the IP or DNS name of the AD server
:base: 'DC=ad,DC=homenet' # This is the base DN of the AD domain (the domain ad.homenet written as LDAP components)
:group: 'CN=HyperCloud,CN=Users,DC=ad,DC=homenet' # This is the DN of the group that users will need to belong to in order to log in
There are two options for the user_field designation, either:
:user_field: 'sAMAccountName' # This would be used so that users can log in with their plain user.name ID (e.g. john.doe)
Or,
:user_field: 'userPrincipalName' # This would be used to require users to log in with a user.name@domain ID (e.g. john.doe@ad.homenet)
Example file
The relevant portion of the file that has been modified should now look like this:
server1:
# Ldap user able to query, if not set connects as anonymous. For
# Active Directory append the domain name. Example:
# Administrator@my.domain.com
:user: 'service-user@ad.homenet'
:password: 'F00bar1'
# Ldap authentication method
:auth_method: :simple
# Ldap server
:host: 192.0.2.204
:port: 389
# Connection and authentication timeout
#:timeout: 15
# Uncomment this line for tls connections, use :simple_tls or :start_tls
#:encryption: :simple_tls
# base hierarchy where to search for users and groups
:base: 'DC=ad,DC=homenet'
# group the users need to belong to. If not set any user will do
:group: 'CN=HyperCloud,CN=Users,DC=ad,DC=homenet'
# field that holds the user name, if not set 'cn' will be used
#:user_field: 'cn'
# for Active Directory use this user_field instead
#:user_field: 'sAMAccountName'
:user_field: 'userPrincipalName'
:order:
- server1
Note that with :encryption left commented out, the :simple bind sends the service account's password, and every user's password at login, to the AD server in cleartext on port 389. Outside of a lab, uncomment :encryption and use :simple_tls with :port: 636 (LDAPS) or :start_tls on port 389.
To apply the changes, either reboot the dashboard with:
Or, simply copy the file into place with:
The setup of this example requires the creation of a user account in the HyperCloud environment, following the steps found in Users, with its Authentication set to ldap. Optionally, the group assignment of this user can be modified.
LDAP to HyperCloud Group Authentication
The steps are similar to the AD user authentication example above, except that users from LDAP groups can be mapped to HyperCloud groups. This method requires the creation of a /dashboard/one/server1.yaml mapping file; with :mapping_generate set to false the dashboard does not generate this file itself, so it must be written by hand.
Example Configuration
The configuration file, /dashboard/one/ldap_auth.conf, would look similar to the block below:
server1:
:user: 'uid=ldap-bind,ou=people,dc=softiron,dc=com'
:password: 'sUp3rS4cret!1'
# Ldap authentication method
:auth_method: :simple
# Ldap server
:host: 10.127.4.10
:port: 389
# Connection and authentication timeout
#:timeout: 15
# Uncomment this line for tls connections, use :simple_tls or :start_tls
#:encryption: :simple_tls
# base hierarchy where to search for users and groups
:base: 'dc=softiron,dc=com'
# field that holds the user name, if not set 'cn' will be used
:user_field: 'uid'
:group_field: 'uniqueMember'
:mapping_generate: false
:mapping_filename: server1.yaml
:order:
- server1
Example YAML
The following example, /dashboard/one/server1.yaml, illustrates the link between the LDAP group and HyperCloud group: