4.6. Active Directory

This section describes the Active Directory (LDAP) integration for Ngenea Hub.

4.6.1. Configuration

The following settings control the LDAP configuration. They are set in the main configuration file for Ngenea Hub, /etc/sysconfig/ngeneahub. Any setting that does not specify a default is required when LDAP_ENABLED is True.

Setting               Description
LDAP_ENABLED          Enables or disables LDAP-based authentication. Default: False
LDAP_HOSTNAME         The URI of the LDAP server.
LDAP_USERNAME         The distinguished name (DN) of the user to use when binding to the LDAP server.
LDAP_PASSWORD         The password matching LDAP_USERNAME, used when binding to the LDAP server.
LDAP_USER_SEARCH      The base DN under which to search for users who may authenticate.
LDAP_GROUP_SEARCH     The base DN under which to search for groups when mirroring groups.
LDAP_MIRROR_GROUPS    If True, LDAP groups will be auto-populated (see below). Default: False

4.6.1.1. Example Configurations

LDAP_ENABLED=True

LDAP_HOSTNAME=ldap://localhost
LDAP_USERNAME=cn=bind,cn=Users,dc=tech,dc=local
LDAP_PASSWORD=password123

LDAP_USER_SEARCH=cn=Users,dc=tech,dc=local
LDAP_GROUP_SEARCH=cn=Groups,dc=tech,dc=local
LDAP_MIRROR_GROUPS=False
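As an added example (not Ngenea Hub's own code), the following Python check reads a file in the KEY=VALUE format shown above and applies the rule that every setting without a default is required once LDAP_ENABLED is True. The accepted boolean spellings, the DN shape check and the URI scheme check are assumptions made here, not behaviour documented for Ngenea Hub.

```python
from urllib.parse import urlsplit

# Settings the table gives no default for: required once LDAP_ENABLED is true.
REQUIRED_WHEN_ENABLED = ("LDAP_HOSTNAME", "LDAP_USERNAME", "LDAP_PASSWORD",
                         "LDAP_USER_SEARCH", "LDAP_GROUP_SEARCH")
TRUE_VALUES = {"true", "1", "yes"}  # assumption: how booleans are spelled in the file

def parse_sysconfig(text):
    """Parse KEY=VALUE lines from the sysconfig file; skip blanks and # comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def looks_like_dn(value):
    """True if every comma-separated RDN is attr=value, e.g. cn=Users,dc=tech,dc=local."""
    return all(len(rdn.split("=", 1)) == 2 and all(rdn.split("=", 1))
               for rdn in value.split(","))

def check_ldap_settings(settings):
    """Return a list of findings; an empty list means the LDAP settings pass."""
    findings = []
    if settings.get("LDAP_ENABLED", "False").lower() not in TRUE_VALUES:
        return findings  # LDAP disabled: none of the other settings are required
    for key in REQUIRED_WHEN_ENABLED:
        if not settings.get(key):
            findings.append(f"{key} is required when LDAP_ENABLED is true")
    scheme = urlsplit(settings.get("LDAP_HOSTNAME", "")).scheme
    if settings.get("LDAP_HOSTNAME") and scheme not in ("ldap", "ldaps"):
        findings.append("LDAP_HOSTNAME must be an ldap:// or ldaps:// URI")
    elif scheme == "ldap":
        findings.append("LDAP_HOSTNAME uses ldap://: the bind password is sent in clear "
                        "unless StartTLS is negotiated; prefer ldaps://")
    for key in ("LDAP_USERNAME", "LDAP_USER_SEARCH", "LDAP_GROUP_SEARCH"):
        if settings.get(key) and not looks_like_dn(settings[key]):
            findings.append(f"{key} does not look like a distinguished name")
    return findings

# Constructed sample: the example configuration above, with LDAP_PASSWORD left out.
SAMPLE = """LDAP_ENABLED=True
LDAP_HOSTNAME=ldap://localhost
LDAP_USERNAME=cn=bind,cn=Users,dc=tech,dc=local
LDAP_USER_SEARCH=cn=Users,dc=tech,dc=local
LDAP_GROUP_SEARCH=cn=Groups,dc=tech,dc=local
LDAP_MIRROR_GROUPS=False
"""
```

Running check_ldap_settings(parse_sysconfig(SAMPLE)) reports the missing LDAP_PASSWORD and the plaintext ldap:// scheme; with both fixed the list is empty.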

4.6.2. Log in with an AD user

After enabling and configuring LDAP as above, an AD user can log in to Ngenea Hub using their AD credentials.

The username corresponds to the AD user's sAMAccountName.

A Ngenea Hub user account will be automatically created for that user.

Only AD users found under the LDAP_USER_SEARCH base DN may authenticate.

When LDAP is enabled, non-AD users can still be created and authenticate as before.

4.6.3. Managing users and groups from AD in HUB

The user account generated for an AD user behaves the same as any other Ngenea Hub user. This means it can be assigned to Ngenea Hub groups, and will gain the permissions of those groups.

By default, a new AD user will not belong to any groups, and therefore will not have any permissions. A privileged user will need to assign the user to any appropriate Ngenea Hub groups.

If LDAP_MIRROR_GROUPS is enabled, then when a user logs in to Ngenea Hub, groups will automatically be created for any AD groups the user belongs to (if the group doesn't already exist), and the user will be assigned to those groups.

Only groups found under the LDAP_GROUP_SEARCH base DN will be populated.

Mirrored AD groups behave the same as any other Ngenea Hub group, meaning permissions can be assigned to them to apply role-based access controls (RBAC). By default, mirrored AD groups will have no permissions assigned.

Any user can be assigned to a mirrored AD group. This WILL NOT change group membership in AD itself.