In this article we will see how to set up LDAP authentication in NetYCE. We will be using the sample LDAP server details below for the setup.
LDAP Test server details
LDAP Server Information:
Server: ldap.test.com
Port: 389
Bind DN: cn=read-only-admin,dc=example,dc=com
Bind Password: secret
Group information:
ou=chemists,dc=example,dc=com
List of users
uid=curie,dc=example,dc=com
uid=boyle,dc=example,dc=com
uid=nobel,dc=example,dc=com
uid=pasteur,dc=example,dc=com
Configuring YCE_Setup to setup LDAP Auth
The Ldap/AD configuration for NetYCE is defined in the 'Yce_setup' table. We will be modifying the Yce_setup table values to set up LDAP.
Accessing YCE_Setup
(1) Admin -> Custom data -> (2) YCE_Setup
Selecting the profile
Filter the Parameter column with "profile". We see that the default profile value is netyce.org.
All subsequent configuration is linked to this profile name. Though it can be changed, in this example we continue with the netyce.org profile.
Each profile consists of 4 sections
- Login_policy - The login process and the methods used are controlled by these settings.
- Ldap_admin - Defines how NetYCE must identify and authenticate itself with the Ldap server.
- Ldap_server - Defines which Ldap servers to consult and how failover behaves.
- Ldap_schema - Defines the Ldap sources, attributes and relations. The local LDAP admin should be consulted before the first attempts, as these are specific to the local implementation.
Updating the login_policy
(1) Apply the filter login_policy to the Type column
(2) default_group and enable_ldap are the values that must be set; the other parameters are for further customization.
Type | Parameter | Str_value | Description |
login_policy | default_group | | Local or Ldap users are assigned to this user-group when the configured |
login_policy | enable_ldap | yes | Enable LDAP login |
Updating Ldap_admin
(1) Apply the ldap_admin filter to the Type column
(2) ldap_admin_dn and ldap_admin_pass are the values to configure. Set use_anonymous to no when an anonymous bind is not used. Because ldap_admin_pass is stored in cleartext in this table, use a dedicated bind account that can only read the user and group subtrees, never a directory administrator account.
Type | Parameter | Str_value | Description |
ldap_admin | ldap_admin_dn | cn=read-only-admin,dc=example,dc=com | The DN NetYCE binds with to look up users and groups |
ldap_admin | ldap_admin_pass | secret | The bind password, entered in cleartext |
ldap_admin | use_anonymous | no | Is an anonymous bind used instead of the admin DN? |
Updating Ldap_server
(1) Apply the filter ldap_server to the Type column
(2) ldap_server_pri, ldap_port_pri and ldap_secure_pri are the parameters to fill in.
The remaining parameters only need updating if a secondary (fallback) LDAP server is available.
Note that with ldap_secure_pri set to no on port 389, the bind password (and the users' passwords, when their logins are validated with a simple bind) cross the network in cleartext. This is acceptable for the test server used here; in production set ldap_secure_pri to yes and use the LDAPS port 636.
Type | Parameter | Str_value | Description |
ldap_server | ldap_server_pri | ldap.test.com | The fqdn or ip of the primary Ldap server |
ldap_server | ldap_port_pri | 389 | The port of the primary Ldap server |
ldap_server | ldap_secure_pri | no | To use secure-ldap 'ldap over SSL'. Well-known ports overrule |
ldap_server | enable_secondary | no | Is a fallback Ldap server available? |
Updating Ldap_schema
(1) Apply ldap_schema filter to the Type column
(2) Update grp_search_base and (3) usr_search_base values.
Type | Parameter | Str_value | Description |
ldap_schema | usr_search_base | dc=example,dc=com | Base DN under which the user record is searched |
ldap_schema | usr_uid_attr | uid | Attribute matched against the login name to locate the user record |
ldap_schema | usr_map_attr | gidNumber | Value extracted to identify the group |
ldap_schema | grp_search_base | ou=chemists,dc=example,dc=com | used to locate the group record |
ldap_schema | grp_name_attr | cn | Used to retrieve the group name |
ldap_schema | grp_map_attr | gidNumber | Attribute used to match the value extracted. |
The process first locates the user record in LDAP under usr_search_base by matching the login name against usr_uid_attr, and extracts from that record the value of the attribute named in usr_map_attr; this value identifies the user's group record.
Then the group record is located under grp_search_base by matching that value against grp_map_attr. Once the group record is found, the group name is read from grp_name_attr and compared against the existing group names in NetYCE. If no NetYCE group with that name exists, the default_group from login_policy is used. Because this fallback is silent, any LDAP user who authenticates successfully gets access with at least the rights of default_group, so that group should be the least-privileged one.
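The lookup described above, replayed as an added example on a small in-memory directory (this is not NetYCE code, and it does not contact an LDAP server). Only the Ldap_schema parameter set is taken from this page; the gidNumber values, the group entries under ou=chemists, the NetYCE group names and the default_group value "Viewers" are assumptions made up for the example. The in-memory search compares attribute values directly, so the filter string a real client would send is built separately by user_filter, with the RFC 4515 escaping that a login name must receive before it is interpolated into a filter.

```python
"""Replay of the NetYCE usr_* / grp_* mapping on a constructed directory."""
# Added example, not NetYCE's own implementation.

LDAP_SCHEMA = {
    "usr_search_base": "dc=example,dc=com",
    "usr_uid_attr": "uid",
    "usr_map_attr": "gidNumber",
    "grp_search_base": "ou=chemists,dc=example,dc=com",
    "grp_name_attr": "cn",
    "grp_map_attr": "gidNumber",
}

# Constructed directory, DN -> attributes. The user DNs come from the page;
# the gidNumber values and the two group entries are assumptions.
DIRECTORY = {
    "uid=curie,dc=example,dc=com": {"uid": "curie", "gidNumber": "5001"},
    "uid=boyle,dc=example,dc=com": {"uid": "boyle", "gidNumber": "5001"},
    "uid=nobel,dc=example,dc=com": {"uid": "nobel", "gidNumber": "5002"},
    "uid=pasteur,dc=example,dc=com": {"uid": "pasteur", "gidNumber": "5099"},
    "cn=NetYCE-admins,ou=chemists,dc=example,dc=com": {"cn": "NetYCE-admins", "gidNumber": "5001"},
    "cn=Operators,ou=chemists,dc=example,dc=com": {"cn": "Operators", "gidNumber": "5002"},
}

# Groups defined in NetYCE (Admin -> Users & Groups) and the login_policy
# default_group; both sets of names are assumed for the example.
NETYCE_GROUPS = {"NetYCE-admins", "Operators", "Viewers"}
DEFAULT_GROUP = "Viewers"


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter.
    Without it a login name such as 'curie)(uid=*' rewrites the filter."""
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_filter(username):
    """The (usr_uid_attr=<name>) filter a client would send for the user lookup."""
    return "(%s=%s)" % (LDAP_SCHEMA["usr_uid_attr"], escape_filter_value(username))


def search(base, attr, value):
    """Stand-in for a subtree search: entries under base where attr equals value."""
    suffix = "," + base.lower()
    return [
        (dn, attrs) for dn, attrs in DIRECTORY.items()
        if dn.lower().endswith(suffix) and attrs.get(attr) == value
    ]


def resolve_group(username):
    """Return (netyce_group, reason) for a login name, following the schema.

    None as group means the user record could not be located unambiguously,
    so the login must be refused rather than mapped to default_group."""
    s = LDAP_SCHEMA
    users = search(s["usr_search_base"], s["usr_uid_attr"], username)
    if len(users) != 1:
        return None, "user record not found or ambiguous"
    dn, attrs = users[0]
    map_value = attrs.get(s["usr_map_attr"])
    if map_value is None:
        return DEFAULT_GROUP, "no %s attribute on %s" % (s["usr_map_attr"], dn)
    groups = search(s["grp_search_base"], s["grp_map_attr"], map_value)
    if not groups:
        return DEFAULT_GROUP, "no group record with %s=%s" % (s["grp_map_attr"], map_value)
    name = groups[0][1].get(s["grp_name_attr"])
    if name in NETYCE_GROUPS:
        return name, "matched LDAP group " + name
    return DEFAULT_GROUP, "LDAP group %r is unknown to NetYCE" % name


if __name__ == "__main__":
    for login in ("curie", "nobel", "pasteur", "nobody"):
        print(login, "->", resolve_group(login))
```

Running it shows curie landing in NetYCE-admins, nobel in Operators, pasteur (whose gidNumber matches no group record) silently falling back to Viewers, and an unknown login being refused. The last two outcomes are the ones to watch during a rollout: a wrong grp_search_base or grp_map_attr does not produce an error, it produces users in default_group.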
This is one possible LDAP schema. Refer to the article LDAP\AD setup for other types of implementation.
Verifying LDAP Access
Before testing from the GUI, confirm from the NetYCE host that the bind DN and password accept a bind and that the user and group search bases return records; an LDAP client such as ldapsearch is enough for this. Then log in as one of the LDAP users (for example curie) and test.
Reviewing logs
(1) Admin -> User Logs
Validating LDAP-type users created
(1) Admin -> Users & Groups -> Users
We can see that a user of type ldap is created after the login. It is a member of the NetYCE group that was defined as default_group under login_policy earlier, because none of the group names found in LDAP matched an existing NetYCE group.