LDAP

xltrail allows central user management via LDAP services such as OpenLDAP or Microsoft's Active Directory.

NOTE:
  • Use quotes around anything that contains a space or special character.
  • After changing the config file, you need to run xltrail restart to apply the changes.
  • LDAP is only available with the Enterprise plan.

A full example

Your /etc/xltrail/xltrail.conf should have entries similar to this:

AUTH_PROVIDER=ldap
LDAP_URL="ldaps://ldap.mycompany.com:636"
LDAP_BIND_DN="serviceaccount@domain.local"
LDAP_BIND_PASSWORD="mypassword"
LDAP_BASE_DN="ou=Users,dc=mycompany,dc=com"
LDAP_USER_DN="{userid}@domain.local"
LDAP_USER_EMAIL_ATTRIBUTE="mail"
LDAP_USER_DISPLAYNAME_ATTRIBUTE="displayName"
LDAP_USER_FILTER="(&(sAMAccountName={userid})(memberOf=cn=xltrail-user,ou=Users,dc=mycompany,dc=com))"
LDAP_ADMIN_FILTER="(&(sAMAccountName={userid})(memberOf=cn=xltrail-admin,ou=Users,dc=mycompany,dc=com))"

Explanations

Start by adding the following setting to the config file (/etc/xltrail/xltrail.conf) to switch from the app internal user management to LDAP:

AUTH_PROVIDER=ldap

Then configure LDAP via the following settings:

LDAP_URL (required)

LDAP server URL. Make sure to provide the correct protocol: ldap or ldaps.

Example:

LDAP_URL="ldap[s]://ldap.mycompany.com:port"

LDAP_BIND_DN (required)

An LDAP user with search privileges, given as a distinguished name (DN). With Active Directory, the domain\myuser or myuser@domain syntaxes are more common.

Examples:

LDAP_BIND_DN="cn=myuser,dc=domain,dc=com"
LDAP_BIND_DN="mydomain\myuser"
LDAP_BIND_DN="myuser@domain.local"

LDAP_BIND_PASSWORD (required)

The password for LDAP_BIND_DN.

Example:

LDAP_BIND_PASSWORD="mypassword"

NOTE:
To store the password encrypted, use SECURE_LDAP_BIND_PASSWORD instead of LDAP_BIND_PASSWORD and encrypt the password via the xltrail CLI: xltrail encrypt.

LDAP_BASE_DN (required)

The fully qualified DN of an LDAP subtree you want to search for users and groups.

Example:

LDAP_BASE_DN="ou=Users,dc=mycompany,dc=com"

LDAP_USER_DN (required)

The fully qualified DN of the user you need to authenticate when verifying a login. The placeholder {userid} will be replaced with the value that the user types in for username in the xltrail login screen.

Examples:

LDAP_USER_DN="sAMAccountName={userid},ou=Users,dc=mycompany,dc=com"
LDAP_USER_DN="mydomain\{userid}"
LDAP_USER_DN="{userid}@domain.local"

LDAP_USER_FILTER (required)

LDAP search filter for regular xltrail users. The first example is a dummy filter that allows all users.

Examples:

LDAP_USER_FILTER="(sAMAccountName={userid})"
LDAP_USER_FILTER="(&(sAMAccountName={userid})(memberOf=cn=xltrail-user,ou=Users,dc=mycompany,dc=com))"

LDAP_ADMIN_FILTER (required)

LDAP search filter for xltrail admins. Admins have access to settings where they can delete projects, for example.

Examples:

LDAP_ADMIN_FILTER="(sAMAccountName={userid})"
LDAP_ADMIN_FILTER="(&(sAMAccountName={userid})(memberOf=cn=xltrail-admin,ou=Users,dc=mycompany,dc=com))"

LDAP_USER_EMAIL_ATTRIBUTE (required)

The attribute of the user object that holds the email address.

Example:

LDAP_USER_EMAIL_ATTRIBUTE="mail"

LDAP_USER_DISPLAYNAME_ATTRIBUTE (required)

The attribute of the user object that holds the display name.

Examples:

LDAP_USER_DISPLAYNAME_ATTRIBUTE="displayName"
LDAP_USER_DISPLAYNAME_ATTRIBUTE="cn"
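The settings above are free-form text, so two things are easy to get wrong before the first login is ever attempted: a required key can be missing or left on a clear-text ldap:// URL and clear-text LDAP_BIND_PASSWORD, and the {userid} placeholder in LDAP_USER_FILTER / LDAP_ADMIN_FILTER is substituted with whatever the user types into the login form. The following is an added example, not xltrail's own code and not a description of how xltrail parses its config: it reads a constructed xltrail.conf-style block with a minimal KEY="value" parser of my own, reports the checks a reviewer would want to see, and shows the RFC 4515 escaping that must be applied to the login name before it is placed into a search filter template. Whether xltrail itself escapes {userid} is not stated on this page; the escaping function here is what I would apply, not a claim about xltrail.

```python
# Added example (not xltrail's code): sanity-check the LDAP block of an
# xltrail.conf-style file and render the {userid} filter templates safely.

# Settings this page marks as "(required)". LDAP_BIND_PASSWORD is checked
# separately because SECURE_LDAP_BIND_PASSWORD may replace it.
REQUIRED = (
    "LDAP_URL", "LDAP_BIND_DN", "LDAP_BASE_DN", "LDAP_USER_DN",
    "LDAP_USER_FILTER", "LDAP_ADMIN_FILTER",
    "LDAP_USER_EMAIL_ATTRIBUTE", "LDAP_USER_DISPLAYNAME_ATTRIBUTE",
)

# Constructed sample, modelled on the full example above but deliberately
# using a plain ldap:// URL and a clear-text password so check_conf has
# something to report.
SAMPLE_CONF = """
AUTH_PROVIDER=ldap
LDAP_URL="ldap://ldap.mycompany.com:389"
LDAP_BIND_DN="serviceaccount@domain.local"
LDAP_BIND_PASSWORD="mypassword"
LDAP_BASE_DN="ou=Users,dc=mycompany,dc=com"
LDAP_USER_DN="{userid}@domain.local"
LDAP_USER_EMAIL_ATTRIBUTE="mail"
LDAP_USER_DISPLAYNAME_ATTRIBUTE="displayName"
LDAP_USER_FILTER="(&(sAMAccountName={userid})(memberOf=cn=xltrail-user,ou=Users,dc=mycompany,dc=com))"
LDAP_ADMIN_FILTER="(&(sAMAccountName={userid})(memberOf=cn=xltrail-admin,ou=Users,dc=mycompany,dc=com))"
"""


def parse_conf(text):
    """Parse KEY=value lines into a dict (my own minimal parser, not xltrail's),
    stripping the quotes the page tells you to put around special values."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        conf[key.strip()] = value
    return conf


def check_conf(conf):
    """Return a list of findings; an empty list means the block looks complete."""
    findings = []
    for key in REQUIRED:
        if not conf.get(key):
            findings.append(f"missing required setting {key}")
    if "LDAP_BIND_PASSWORD" in conf:
        findings.append("LDAP_BIND_PASSWORD is stored in clear text; "
                        "prefer SECURE_LDAP_BIND_PASSWORD with 'xltrail encrypt'")
    elif "SECURE_LDAP_BIND_PASSWORD" not in conf:
        findings.append("missing LDAP_BIND_PASSWORD or SECURE_LDAP_BIND_PASSWORD")
    url = conf.get("LDAP_URL", "")
    if url.startswith("ldap://"):
        findings.append("LDAP_URL uses ldap:// which is not TLS-protected on its own "
                        "(a simple bind sends the password in the clear unless "
                        "STARTTLS is negotiated); prefer ldaps://")
    elif not url.startswith("ldaps://"):
        findings.append("LDAP_URL must start with ldap:// or ldaps://")
    for key in ("LDAP_USER_DN", "LDAP_USER_FILTER", "LDAP_ADMIN_FILTER"):
        if key in conf and "{userid}" not in conf[key]:
            findings.append(f"{key} has no {{userid}} placeholder, so every login "
                            "would be checked against the same entry")
    return findings


# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value, otherwise a login name such as "*)(objectClass=*" would
# rewrite the filter instead of being matched literally.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template, userid):
    """Substitute the escaped login name into an LDAP_USER_FILTER or
    LDAP_ADMIN_FILTER template."""
    return template.replace("{userid}", escape_filter_value(userid))


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for finding in check_conf(conf):
        print("finding:", finding)
    print(render_filter(conf["LDAP_USER_FILTER"], "alice"))
    print(render_filter(conf["LDAP_USER_FILTER"], "*)(objectClass=*"))
```

Note that the escaping shown applies to filter values only; a login name substituted into LDAP_USER_DN is a DN component and follows the different escaping rules of RFC 4514, which this example does not cover.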

Troubleshooting

To make sure that you are using the correct username/password, verify your settings with ldapsearch.

Run the following command for both the service account and a sample user.

Make sure to use -H and not -h.

ldapsearch -x \
           -D "mydomain\myuser" \
           -w "password" \
           -H ldap://ldap.mycompany.com:389 \
           -b "ou=Users,dc=mycompany,dc=com"

Instead of using -w "password", you can also use -W which will prompt you to type in the password (without it being shown on screen). This can be useful if you are sharing your screen on a support call.

To test out a specific filter, use it like this:

ldapsearch -x \
           -D "mydomain\myuser" \
           -w "password" \
           -H ldap://ldap.mycompany.com:389 \
           -b "ou=Users,dc=mycompany,dc=com" \
           "(sAMAccountName=myuser@domain.local)"
