LDAP

xltrail allows central user management via LDAP services such as OpenLDAP or Microsoft's Active Directory.

NOTE:
  • Use quotes around anything that contains a space or special character.
  • After changing the config file, you need to run xltrail restart to apply the changes.
  • LDAP is only available with the Enterprise plan.

A full example

Your /etc/xltrail/xltrail.conf should have entries similar to this:

AUTH_PROVIDER=ldap
LDAP_URL="ldaps://ldap.mycompany.com:636"
LDAP_BIND_DN="mydomain\serviceaccount"
LDAP_BIND_PASSWORD="mypassword"
LDAP_BASE_DN="ou=Users,dc=mycompany,dc=com"
LDAP_USER_DN="uid={userid},ou=Users,dc=mycompany,dc=com"
LDAP_USER_EMAIL_ATTRIBUTE="mail"
LDAP_USER_DISPLAYNAME_ATTRIBUTE="displayName"
LDAP_USER_FILTER="(&(userid={userid})(memberOf=cn=xltrail-user,ou=Users,dc=mycompany,dc=com))"
LDAP_ADMIN_FILTER="(&(userid={userid})(memberOf=cn=xltrail-admin,ou=Users,dc=mycompany,dc=com))"

Explanations

Start by adding the following setting to the config file (/etc/xltrail/xltrail.conf) to switch from the app internal user management to LDAP:

AUTH_PROVIDER=ldap

Then configure LDAP via the following settings:

LDAP_URL (required)

LDAP server URL.

Example:

LDAP_URL="ldap[s]://ldap.mycompany.com:port"

LDAP_BIND_DN (required)

LDAP user with search privileges in the form of a distinguished name (DN). With Active Directory, you can also use the domain\username syntax.

Examples:

LDAP_BIND_DN="cn=myuser,dc=domain,dc=com"
LDAP_BIND_DN="mydomain\myuser"

LDAP_BIND_PASSWORD (required)

The password for LDAP_BIND_DN.

Example:

LDAP_BIND_PASSWORD="mypassword"

LDAP_BASE_DN (required)

The fully qualified DN of an LDAP subtree you want to search for users and groups.

Example:

LDAP_BASE_DN="ou=Users,dc=mycompany,dc=com"

LDAP_USER_DN (required)

The fully qualified DN of the user to authenticate when verifying a login. Use {userid} as the placeholder for the user ID.

Examples:

LDAP_USER_DN="uid={userid},ou=Users,dc=mycompany,dc=com"
LDAP_USER_DN="mydomain\{userid}"

LDAP_USER_FILTER (required)

LDAP search filter for regular xltrail users.

Examples:

LDAP_USER_FILTER="(sAMAccountName={userid})"
LDAP_USER_FILTER="(&(userid={userid})(memberOf=cn=xltrail-user,ou=Users,dc=mycompany,dc=com))"

LDAP_ADMIN_FILTER (required)

LDAP search filter for xltrail admins. Admins have access to settings where they can delete projects, for example.

Examples:

LDAP_ADMIN_FILTER="(sAMAccountName={userid})"
LDAP_ADMIN_FILTER="(&(userid={userid})(memberOf=cn=xltrail-admin,ou=Users,dc=mycompany,dc=com))"

LDAP_USER_EMAIL_ATTRIBUTE (required)

The attribute of the user object that holds the email address.

Example:

LDAP_USER_EMAIL_ATTRIBUTE="mail"

LDAP_USER_DISPLAYNAME_ATTRIBUTE (required)

The attribute of the user object that holds the display name.

Examples:

LDAP_USER_DISPLAYNAME_ATTRIBUTE="displayName"
LDAP_USER_DISPLAYNAME_ATTRIBUTE="cn"

Advanced

LDAP_OPT_X_TLS_CACERTFILE (optional)

Only for ldaps: Path of the file containing all trusted CA certificates.

Example:

LDAP_OPT_X_TLS_CACERTFILE="/path/to/ca.crt"

LDAP_OPT_X_TLS_REQUIRE_CERT (optional)

Only for ldaps: how the server certificate is validated. Set to one of the following values:

OPT_X_TLS_NEVER
OPT_X_TLS_ALLOW
OPT_X_TLS_TRY
OPT_X_TLS_DEMAND

Explanation:

DEMAND (default)

  • no certificate provided: quits
  • bad certificate provided: quits

TRY

  • no certificate provided: continues
  • bad certificate provided: quits

ALLOW

  • no certificate provided: continues
  • bad certificate provided: continues

NEVER

  • no certificate is requested

Example:

LDAP_OPT_X_TLS_REQUIRE_CERT="OPT_X_TLS_ALLOW"
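As an added example (not xltrail's own code, and not a description of how xltrail performs the substitution internally), the following Python shows how the {userid} placeholder in LDAP_USER_DN and LDAP_USER_FILTER can be filled in safely, escaping the login name per RFC 4515 inside filters and per RFC 4514 inside DNs so that it cannot alter the filter or DN structure, and flags an ldaps:// URL combined with an LDAP_OPT_X_TLS_REQUIRE_CERT value weaker than the DEMAND default. The config snippet is constructed from the examples above; the KEY=value parsing rules and the escaping functions are this example's assumptions.

```python
SAMPLE_CONF = """\
AUTH_PROVIDER=ldap
LDAP_URL="ldaps://ldap.mycompany.com:636"
LDAP_BIND_DN="mydomain\\serviceaccount"
LDAP_BASE_DN="ou=Users,dc=mycompany,dc=com"
LDAP_USER_DN="uid={userid},ou=Users,dc=mycompany,dc=com"
LDAP_USER_FILTER="(&(userid={userid})(memberOf=cn=xltrail-user,ou=Users,dc=mycompany,dc=com))"
LDAP_OPT_X_TLS_REQUIRE_CERT="OPT_X_TLS_ALLOW"
"""  # constructed sample of /etc/xltrail/xltrail.conf; hostnames and DNs are placeholders

def parse_conf(text):
    """Return KEY -> value; one matching pair of surrounding quotes is stripped."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or not key or key.startswith("#"):
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        conf[key] = value
    return conf

def escape_filter(value):
    """RFC 4515 escaping: a login name must not be able to change the filter's structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value placed inside a DN."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out[:1] in (" ", "#"):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out

def resolve(conf, userid):
    """Fill {userid} into LDAP_USER_DN and LDAP_USER_FILTER with context-specific escaping."""
    dn_tmpl = conf["LDAP_USER_DN"]  # the AD "domain\{userid}" form is not a DN: no DN escaping
    user_dn = dn_tmpl.replace("{userid}", escape_dn_value(userid) if "=" in dn_tmpl else userid)
    user_filter = conf["LDAP_USER_FILTER"].replace("{userid}", escape_filter(userid))
    return user_dn, user_filter

def tls_findings(conf):
    """Flag an ldaps:// URL whose certificate check is weaker than the DEMAND default."""
    mode = conf.get("LDAP_OPT_X_TLS_REQUIRE_CERT", "OPT_X_TLS_DEMAND")
    if conf.get("LDAP_URL", "").startswith("ldaps://") and mode != "OPT_X_TLS_DEMAND":
        return [f"{mode} does not strictly validate the server certificate; use OPT_X_TLS_DEMAND"]
    return []
```

The resolved filter returned by resolve() is what you would pass to ldapsearch when checking that a user matches LDAP_USER_FILTER.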

Troubleshooting

To make sure you are using the correct settings, verify them with ldapsearch.

Make sure to use -H and not -h.

ldapsearch -x \
           -D "mydomain\serviceaccount" \
           -w "password" \
           -H ldap://ldap.mycompany.com:389 \
           -b "ou=Users,dc=mycompany,dc=com"
