This topic describes how to configure and use OpenLDAP to interact with Identity as a Service (IDaaS).
About OpenLDAP
Overview
OpenLDAP is an open source implementation of the Lightweight Directory Access Protocol (LDAP). It is used to manage resources such as users, computers, and networks within an organization. Because it is so widely used, OpenLDAP is often simply called LDAP.
The network endpoint feature allows you to synchronize data from LDAP and delegate authentication to LDAP without the need to open public ports.
Bind IDaaS to LDAP
Log on to the IDaaS console. In the left-side navigation pane, click Quick Start or IdPs. On the page that appears, click Bind OpenLDAP.
Step 1: Connect to LDAP
Configure the LDAP information in IDaaS.
Nickname: the name that is displayed to a user when the user logs on to and uses IDaaS.
Network Access Endpoint: the network endpoint of the IDaaS instance. If you want to allow only IDaaS to access the LDAP server, add the network endpoint to the IP address whitelist on the LDAP server. If an IDaaS instance uses a shared endpoint, the IDaaS instance is provided with a shared and fixed public outbound IP address. If an IDaaS instance uses a dedicated endpoint, the IDaaS instance is provided with a dedicated and custom private outbound IP address and a public outbound IP address. An IDaaS instance with a dedicated endpoint can access your Alibaba Cloud Virtual Private Cloud (VPC) over a private network. This way, you can allow the IDaaS instance to access your LDAP without the need to open public ports. For more information, see Endpoints.
Server Address: the address of the LDAP server, such as 127.0.0.1:389. By default, port 389 is used for LDAP. Port 636 is used if LDAPS or StartTLS is enabled.
Enable StartTLS: specifies whether to enable StartTLS. We recommend that you enable LDAPS or StartTLS to improve the security of the connection. For more information about how to enable LDAPS or StartTLS, see the LDAP security configuration section of this topic.
Administrator Account: the LDAP administrator account used by IDaaS to read LDAP information for data synchronization or delegated authentication. The account must have read permissions at a minimum. Enter the value in the Distinguished Name (DN) format such as cn=admin, ou=technical department, dc=example, dc=com.
Administrator Password: the logon password of the administrator account.
Step 2: Select features based on your scenario
Select the features you want to use when IDaaS interacts with LDAP.
Features
Synchronization Direction: The data of the LDAP user or organization selected as the source node is imported to the IDaaS destination node. Enter the DN of the LDAP node as the source node. The DN of the LDAP root node is dc=example, dc=com (your domain).
Only synchronization from LDAP to IDaaS is supported. Synchronization from IDaaS to LDAP is not supported.
Scheduled Verification: LDAP does not support queries of incremental data. IDaaS automatically synchronizes full data within the LDAP source node every morning.
You can set mapping identifiers in the Field Mapping step to match a field of the IDaaS account, such as Mobile Phone Number, to the same field of the LDAP user. If the matching is successful, the existing IDaaS account is updated. Otherwise, an IDaaS account is created.
To synchronize the latest data, you must manually trigger full data synchronization.
IDaaS supports synchronization protection. If more than 30 accounts or more than 10 organizations need to be deleted, the synchronization task is automatically canceled to prevent data from being deleted by mistake. We recommend that you adjust the synchronization protection settings based on the enterprise size.
Failure to import a single data entry does not affect the import of other data entries.
You can view the failure information in synchronization logs.
Delegated Authentication: If this feature is enabled, a user can log on to IDaaS by using an LDAP username and password.
Automatic Password Update: When a user attempts to log on to IDaaS by using LDAP delegated authentication, if the password of the IDaaS account is empty, the password is automatically updated to the password of the LDAP user. The LDAP password must meet the requirements specified in the password policies of IDaaS. Otherwise, the IDaaS password cannot be automatically updated to the LDAP password.
Advanced Settings
User/Organization ObjectClass: ObjectClass decides whether an object is treated as a user or as an organization. For example, an object in the query result whose ObjectClass matches the configured User ObjectClass is treated as a user.
LDAP allows flexible customization. If you define the ObjectClass of a user or organization, make sure that the ObjectClass in LDAP is consistent with that in IDaaS. This ensures that the data synchronized to IDaaS meets your expectations.
User Sign-in ID: When a user attempts to log on to IDaaS by using LDAP delegated authentication, IDaaS uses these attributes to look up the user in LDAP and then verifies the password. If the password is correct, the user is allowed to log on to IDaaS. You can separate multiple attributes with commas (,). In this case, the attributes are in the OR relationship, which means that a user can log on with the value of any one of them. Make sure that the values of these attributes are unique and identify the same LDAP user. Otherwise, the user cannot log on to IDaaS.
FILTER Statement for Filtering Users: If you want to synchronize specific users from different organizations to IDaaS, you can use a custom filter statement to filter users. Only users that meet the filter conditions can be synchronized to IDaaS. By default, the filter statement contains ObjectClass conditions in the AND relationship. You can click View Details to view the complete statement. For more information, see the Filter section of this topic.
Step 3: Configure field mapping
If you already have data in IDaaS and need to bind an LDAP user or organization to an IDaaS account or organization, or if you want to use the data of some fields of the LDAP user as the data of the IDaaS account, you must configure field mapping in this step. For example, you must configure the field mapping if you want to use the mobile phone number of an LDAP user as the name of an IDaaS account.
For more information, see the Field mapping section of this topic.
LDAP security configuration
By default, data is transmitted in plaintext without encryption or protection in LDAP. This may cause data theft. You can use LDAPS or StartTLS to improve the security of data transmission. After you configure a certificate in LDAP, you can use LDAPS or StartTLS in IDaaS. We recommend that you enable LDAPS or StartTLS.
After you configure the certificate, you can record its fingerprint in IDaaS so that IDaaS trusts only that specific LDAP certificate. This reduces the risk that a forged certificate is accepted.
LDAP custom configuration
ObjectClass
ObjectClass in LDAP is a set of attributes. Each object must have an ObjectClass. You can use ObjectClass to define an object as a user, organization, or computer. For example, if you set User ObjectClass to "inetOrgPerson,posixAccount,top" in IDaaS, IDaaS takes the object as a user. ObjectClass is displayed when you edit an object in LDAP.
LDAP allows flexible customization. If you define the ObjectClass of a user or organization, make sure that the ObjectClass in LDAP is consistent with that in IDaaS. This ensures that the data synchronized to IDaaS meets your expectation.
User Sign-in ID
When a user attempts to log on to IDaaS by using LDAP delegated authentication, IDaaS uses the configured attributes to look up the user in LDAP and then verifies the password. If the password is correct, the user is allowed to log on to IDaaS.
You can use one of the attributes such as UID, mobile phone number, email address, and employee number to log on to IDaaS. You can define the attributes when you create the identity provider or on the Delegated Authentication page. If you use multiple attributes, make sure that the attributes are unique and correspond to the same LDAP user. Otherwise, the user cannot use delegated authentication.
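The delegated authentication flow described in the Delegated Authentication, Automatic Password Update and User Sign-in ID sections above, as an added example that is not IDaaS or OpenLDAP code. The directory, the password policy and the simulated LDAP bind are constructed; a real deployment would search LDAP with an OR filter over the sign-in attributes and then bind as the entry found. The example also shows the failure modes the page describes: a sign-in value that resolves to more than one LDAP user is rejected, and an empty IDaaS password is only filled in when the LDAP password meets the IDaaS policy.

```python
"""Delegated authentication with several sign-in ID attributes and automatic
password update. Added example, not IDaaS code: directory, policy and the
password check standing in for an LDAP simple bind are all constructed."""
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional, Tuple

PBKDF2_ROUNDS = 10_000  # kept low for the demo; real password stores use far more


def _hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _check_password(password: str, stored: Tuple[bytes, bytes]) -> bool:
    salt, digest = stored
    return hmac.compare_digest(_hash_password(password, salt)[1], digest)


# Constructed directory standing in for the LDAP server. bob and carol share a
# mailbox, so 'mail' is not unique across users.
DIRECTORY: List[Dict] = [
    {"dn": "uid=alice,ou=rd,dc=example,dc=com", "uid": "alice", "mail": "alice@example.com",
     "mobile": "13800000001", "userPassword": _hash_password("Alice-2024")},
    {"dn": "uid=bob,ou=rd,dc=example,dc=com", "uid": "bob", "mail": "team@example.com",
     "mobile": "13800000002", "userPassword": _hash_password("Bob-2024")},
    {"dn": "uid=carol,ou=rd,dc=example,dc=com", "uid": "carol", "mail": "team@example.com",
     "mobile": "13800000003", "userPassword": _hash_password("Carol-2024")},
    {"dn": "uid=dave,ou=rd,dc=example,dc=com", "uid": "dave", "mail": "dave@example.com",
     "mobile": "13800000004", "userPassword": _hash_password("dave1")},
]

SIGNIN_ATTRS = ["uid", "mail", "mobile"]  # the comma-separated User Sign-in ID list, OR-ed


def resolve_user(login_id: str, attrs: List[str] = SIGNIN_ATTRS) -> Tuple[Optional[Dict], str]:
    """Return (entry, reason). The reason is for the audit log; the login page should
    show one generic message so that failures do not reveal which accounts exist."""
    matches = [e for e in DIRECTORY if any(e.get(a) == login_id for a in attrs)]
    if not matches:
        return None, "no such user"
    if len(matches) > 1:  # attributes are not unique: refuse rather than guess
        return None, "ambiguous sign-in id: %d entries match" % len(matches)
    return matches[0], ""


def meets_password_policy(password: str) -> bool:
    """Constructed stand-in for the IDaaS password policy: 8+ chars, a letter and a digit."""
    return len(password) >= 8 and bool(re.search(r"[A-Za-z]", password)) and bool(re.search(r"\d", password))


def delegated_login(login_id: str, password: str, idaas_accounts: Dict[str, Dict]) -> Tuple[bool, str]:
    """idaas_accounts maps the LDAP uid to the bound IDaaS account ({'password': hash or None}).
    Returns (success, reason); on success an empty IDaaS password may be filled from LDAP."""
    entry, err = resolve_user(login_id)
    if entry is None:
        return False, err
    if not _check_password(password, entry["userPassword"]):  # simulated LDAP bind
        return False, "invalid credentials"
    acct = idaas_accounts.get(entry["uid"])
    if acct is None:
        return False, "no IDaaS account bound to LDAP user %s" % entry["uid"]
    if acct.get("password") is not None:
        return True, "ok"
    if not meets_password_policy(password):
        return True, "ok; IDaaS password left empty because the LDAP password fails the IDaaS policy"
    acct["password"] = _hash_password(password)  # automatic password update
    return True, "ok; IDaaS password set from the LDAP password"
```

Because `resolve_user` returns the matched entry rather than the raw login value, the password is always checked against one concrete DN, and the shared-mailbox case fails closed instead of silently binding as whichever entry came first.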
Filter
Modifying the ObjectClass conditions or the filter statement changes which entries of the LDAP node are selected. During full data synchronization, IDaaS accounts and organizations that no longer meet the filter conditions are deleted. Before you modify the ObjectClass conditions or the filter statement, we recommend that you adjust the synchronization protection settings and fully test whether the filtered results meet your expectations. For example, you can use another IDaaS instance to perform a test.
Overview
If you want to synchronize specific users from different organizations to IDaaS, you can use a custom filter statement to filter users. Only users that meet the filter conditions can be synchronized to IDaaS. By default, the filter statement contains ObjectClass conditions in the AND relationship. You can click View Details to view the complete statement.
You can enter the filter statement in LDAP Admin to check the filtered results.
The following sections describe the common operators and filter statements for LDAP.
Common operators
| Operator | Description | Example |
| --- | --- | --- |
| = | Equal to | (cn=Alice) |
| >= | Greater than or equal to | (pwdLastSet>=1319563845000000000) |
| <= | Less than or equal to | (employeeNumber<=1000) |
| & | AND relationship, which indicates that all conditions must be met | (&(cn=CN*)(title=RD)) |
| \| | OR relationship, which indicates that at least one condition must be met | (\|(cn=Test*)(cn=Admin*)) |
| ! | NOT relationship, which negates exactly one enclosed filter. To exclude several conditions at once, wrap them in an OR filter | (!(\|(cn=Test*)(cn=Admin*))) |
Common statements
| Scenario | Example |
| --- | --- |
| Select users whose usernames start with CN | (cn=CN*) |
| Select the user with the specified email address | (mail=alice@example.com) |
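To check how a filter statement behaves before you save it (the page suggests LDAP Admin for this), the following added example, which is not IDaaS or OpenLDAP code, parses the operators from the table above and evaluates filters against constructed entries. It also ANDs the ObjectClass conditions in front of the custom filter, which is the shape the Filter section describes; the exact statement IDaaS composes is not shown on the page, so that shape is an assumption. The parser rejects a NOT with two operands, which is the malformed form, and accepts the OR-wrapped form.

```python
"""Parse and evaluate LDAP search filters (an RFC 4515 subset) offline.
Added example; not IDaaS or OpenLDAP code. Supports =, >=, <=, &, |, ! and
the trailing-* prefix match used in the filter examples above."""
from typing import Dict, List, Sequence, Tuple

# Parsed nodes: (cmp, attr, value) with cmp in {"=", ">=", "<="},
# ("&", [subfilters]), ("|", [subfilters]), ("!", subfilter)
Filter = Tuple
Entry = Dict[str, List[str]]  # attribute name -> values, like an LDAP entry


def parse_filter(text: str) -> Filter:
    """Parse a filter string such as (&(cn=CN*)(title=RD)); ValueError on malformed input."""
    s = text.strip()
    pos, node = _parse(s, 0)
    if pos != len(s):
        raise ValueError("trailing characters after filter: %r" % s[pos:])
    return node


def is_valid_filter(text: str) -> bool:
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def _parse(s: str, i: int) -> Tuple[int, Filter]:
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at position %d" % i)
    i += 1
    if i >= len(s):
        raise ValueError("unexpected end of filter")
    op = s[i]
    if op in "&|":  # AND / OR take one or more operands
        i += 1
        subs = []
        while i < len(s) and s[i] == "(":
            i, sub = _parse(s, i)
            subs.append(sub)
        if not subs:
            raise ValueError("%s needs at least one operand" % op)
        return _expect_close(s, i), (op, subs)
    if op == "!":  # NOT takes exactly one operand: (!(a)(b)) is malformed, (!(|(a)(b))) is not
        i, sub = _parse(s, i + 1)
        return _expect_close(s, i), ("!", sub)
    end = s.find(")", i)
    if end == -1:
        raise ValueError("missing ')'")
    item = s[i:end]
    if "(" in item:
        raise ValueError("malformed item %r" % item)
    for cmp in (">=", "<=", "="):
        if cmp in item:
            attr, value = item.split(cmp, 1)
            if not attr.strip() or not value:
                raise ValueError("malformed item %r" % item)
            return end + 1, (cmp, attr.strip(), value)
    raise ValueError("malformed item %r" % item)


def _expect_close(s: str, i: int) -> int:
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at position %d" % i)
    return i + 1


def _match(cmp: str, pattern: str, value: str) -> bool:
    if cmp == "=":
        if pattern == "*":
            return True  # presence filter
        if pattern.endswith("*") and "*" not in pattern[:-1]:
            return value.lower().startswith(pattern[:-1].lower())
        return value.lower() == pattern.lower()
    try:  # ordering: numeric when both sides are integers, otherwise string order
        left, right = int(value), int(pattern)
    except ValueError:
        left, right = value, pattern
    return left >= right if cmp == ">=" else left <= right


def evaluate(node: Filter, entry: Entry) -> bool:
    op = node[0]
    if op == "&":
        return all(evaluate(sub, entry) for sub in node[1])
    if op == "|":
        return any(evaluate(sub, entry) for sub in node[1])
    if op == "!":
        return not evaluate(node[1], entry)
    cmp, attr, pattern = node
    values = entry.get(attr.lower(), [])  # attribute names are case-insensitive
    return any(_match(cmp, pattern, v) for v in values)


def search(entries: List[Entry], filter_text: str, object_classes: Sequence[str] = ()) -> List[str]:
    """DNs of entries matching filter_text; object_classes are ANDed in front of it (assumed shape)."""
    text = filter_text
    if object_classes:
        text = "(&%s%s)" % ("".join("(objectClass=%s)" % c for c in object_classes), filter_text)
    node = parse_filter(text)
    lowered = [{k.lower(): v for k, v in e.items()} for e in entries]
    return [e["dn"][0] for e in lowered if evaluate(node, e)]


# Constructed sample entries: three people and one organizational unit.
SAMPLE_ENTRIES: List[Entry] = [
    {"dn": ["cn=CN-Alice,ou=rd,dc=example,dc=com"], "objectClass": ["inetOrgPerson", "top"],
     "cn": ["CN-Alice"], "title": ["RD"], "mail": ["alice@example.com"], "employeeNumber": ["120"]},
    {"dn": ["cn=Test-Bob,ou=qa,dc=example,dc=com"], "objectClass": ["inetOrgPerson", "top"],
     "cn": ["Test-Bob"], "title": ["QA"], "employeeNumber": ["2050"]},
    {"dn": ["cn=Admin-Carol,ou=it,dc=example,dc=com"], "objectClass": ["inetOrgPerson", "top"],
     "cn": ["Admin-Carol"], "title": ["RD"], "employeeNumber": ["7"]},
    {"dn": ["ou=rd,dc=example,dc=com"], "objectClass": ["organizationalUnit", "top"], "ou": ["rd"]},
]
```

Running `search(SAMPLE_ENTRIES, "(!(|(cn=Test*)(cn=Admin*)))", ["inetOrgPerson"])` returns only CN-Alice: the OU is excluded by the ObjectClass condition and the two excluded prefixes by the negated OR. The same filter without the ObjectClass condition would also return the OU, which is the kind of surprise the Filter section warns about, since entries that stop matching are deleted on the next full synchronization.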
LDAP synchronization configuration
Obtain Base DN
Base DN is the path identifier of a node in LDAP. IDaaS performs operations such as queries and data synchronization only within this node. You can set the Base DN of the source node in Synchronization Direction.
The format of DN is ou=organization, dc=example, dc=com. The DN of the root node is dc=example, dc=com (your domain). You can also view the DN of the node in LDAP.
If the path of a node changes, the Base DN of the node also changes. To prevent LDAP data synchronization errors caused by node path changes, IDaaS uses the ObjectGuid of the node as the node fingerprint when you configure the Base DN of the source node in IDaaS. If the changed Base DN of the node does not match the node fingerprint, data synchronization is stopped. You can synchronize data after you reconfigure the source node.
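The Base DN and node-fingerprint behaviour described in this section, as an added example that is not IDaaS code. It parses DNs in the `ou=organization, dc=example, dc=com` form, checks whether an entry lies within the source node, and shows why the fingerprint matters: after a node is moved, the stored Base DN either points at nothing or at a different node, and synchronization must stop until the source node is reconfigured. The page names ObjectGuid as the fingerprint; this example uses OpenLDAP's entryUUID operational attribute in that role, which is an assumption about the mapping. The directory and the rename helper are constructed.

```python
"""Base DN handling for a sync source node: parse DNs, check containment, detect a
moved or replaced node by its fingerprint. Added example, not IDaaS code; entryUUID
stands in for the ObjectGuid the page mentions (assumption)."""
from typing import Dict, List, Optional, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """'ou=Technical Department, dc=example, dc=com' -> [('ou', 'technical department'), ...].
    Names and values are lower-cased and trimmed so DNs compare by meaning, not spelling.
    A backslash-escaped comma inside a value is kept; other RFC 4514 escapes are out of scope."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(_split_rdn(buf))
            buf = ""
        else:
            buf += ch
    rdns.append(_split_rdn(buf))
    return rdns


def _split_rdn(text: str) -> RDN:
    if "=" not in text:
        raise ValueError("RDN without '=': %r" % text)
    attr, value = text.split("=", 1)
    return attr.strip().lower(), value.strip().lower()


def format_dn(rdns: List[RDN]) -> str:
    return ",".join("%s=%s" % rdn for rdn in rdns)


def is_under_base(dn: str, base_dn: str) -> bool:
    """True when dn is base_dn itself or lies beneath it; only such entries are in scope."""
    d, b = parse_dn(dn), parse_dn(base_dn)
    return len(d) >= len(b) and d[-len(b):] == b


# Constructed directory: dn plus the stable per-entry identifier used as fingerprint.
DIRECTORY: List[Dict[str, str]] = [
    {"dn": "dc=example,dc=com", "entryUUID": "11111111-0000-0000-0000-000000000001"},
    {"dn": "ou=technical department,dc=example,dc=com", "entryUUID": "22222222-0000-0000-0000-000000000002"},
    {"dn": "cn=alice,ou=technical department,dc=example,dc=com", "entryUUID": "33333333-0000-0000-0000-000000000003"},
]


def _lookup(directory: List[Dict[str, str]], dn: str) -> Optional[Dict[str, str]]:
    target = parse_dn(dn)
    return next((e for e in directory if parse_dn(e["dn"]) == target), None)


def configure_source_node(directory: List[Dict[str, str]], base_dn: str) -> Dict[str, str]:
    """What gets recorded when the source node is set: the Base DN and the node fingerprint."""
    entry = _lookup(directory, base_dn)
    if entry is None:
        raise LookupError("Base DN not found: " + base_dn)
    return {"base_dn": base_dn, "fingerprint": entry["entryUUID"]}


def check_source_node(directory: List[Dict[str, str]], config: Dict[str, str]) -> Tuple[bool, str]:
    """Sync may proceed only if the entry at the configured Base DN still carries the fingerprint."""
    entry = _lookup(directory, config["base_dn"])
    if entry is None:
        return False, "no entry at %s; reconfigure the source node" % config["base_dn"]
    if entry["entryUUID"] != config["fingerprint"]:
        return False, "fingerprint mismatch at %s: a different node now sits at this DN" % config["base_dn"]
    return True, "ok"


def rename_node(directory: List[Dict[str, str]], old_dn: str, new_dn: str) -> List[Dict[str, str]]:
    """Simulate a modrdn/move: entries keep their entryUUID, children follow the parent."""
    old, new = parse_dn(old_dn), parse_dn(new_dn)
    moved = []
    for e in directory:
        rdns = parse_dn(e["dn"])
        if len(rdns) >= len(old) and rdns[-len(old):] == old:
            e = dict(e, dn=format_dn(rdns[:len(rdns) - len(old)] + new))
        moved.append(e)
    return moved
```

The containment check and the fingerprint check are separate on purpose: the first bounds what a full synchronization may read, the second detects that the bound itself has silently changed.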
Scheduled verification
LDAP does not support queries of incremental data. IDaaS automatically synchronizes full data within the LDAP source node every morning. To synchronize the latest data, you must manually trigger full data synchronization.
IDaaS supports synchronization protection. If more than 30 accounts or more than 10 organizations need to be deleted, the synchronization task is automatically canceled to prevent data from being deleted by mistake. We recommend that you adjust the synchronization protection settings based on the enterprise size.
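The full synchronization pass described in this section and in Step 2 (mapping-identifier matching, per-entry failure isolation, synchronization protection), as an added example that is not IDaaS code. The thresholds are the values the page states (30 accounts, 10 organizations); the LDAP attribute names, the account records and the field map are constructed. The same function plans the organization synchronization with the organization threshold, so the example generalizes the page's two numbers into one parameter.

```python
"""Plan one full synchronization from an LDAP source node into IDaaS.
Added example, not IDaaS code: attribute names, record shapes and the
field map are constructed; the 30/10 thresholds are the page's defaults."""
from dataclasses import dataclass, field
from typing import Dict, List

MAX_ACCOUNT_DELETES = 30
MAX_ORG_DELETES = 10


@dataclass
class SyncPlan:
    create: List[dict] = field(default_factory=list)
    update: List[dict] = field(default_factory=list)
    delete: List[str] = field(default_factory=list)  # ids of IDaaS records no longer in LDAP
    failed: List[str] = field(default_factory=list)  # per-entry failures: logged, not fatal
    cancelled: bool = False
    reason: str = ""


def plan_sync(ldap_entries: List[Dict[str, str]], idaas_records: Dict[str, Dict[str, str]],
              field_map: Dict[str, str], match_on: str, max_delete: int = MAX_ACCOUNT_DELETES) -> SyncPlan:
    """ldap_entries: entries read from the source node. idaas_records: records previously
    synchronized from this LDAP, keyed by IDaaS id. field_map: IDaaS field -> LDAP attribute.
    match_on: the IDaaS field used as mapping identifier (update if it matches, else create)."""
    plan = SyncPlan()
    index = {rec[match_on]: rec_id for rec_id, rec in idaas_records.items() if rec.get(match_on)}
    seen = set()
    for entry in ldap_entries:
        try:
            record = {f: entry[a] for f, a in field_map.items()}  # missing attribute -> this entry fails
        except KeyError as missing:
            plan.failed.append("%s: missing attribute %s" % (entry.get("dn", "?"), missing))
            continue
        key = record.get(match_on)
        if key in index:
            plan.update.append(dict(record, id=index[key]))
            seen.add(index[key])
        else:
            plan.create.append(record)
    plan.delete = [rec_id for rec_id in idaas_records if rec_id not in seen]
    if len(plan.delete) > max_delete:  # synchronization protection
        plan.cancelled = True
        plan.reason = "would delete %d records (limit %d); task cancelled" % (len(plan.delete), max_delete)
        plan.create, plan.update, plan.delete = [], [], []
    return plan


# Constructed sample data: dave has no mobile, so his entry fails the phone mapping.
LDAP_USERS = [
    {"dn": "cn=alice,ou=rd,dc=example,dc=com", "uid": "alice", "mobile": "13800000001", "mail": "alice@example.com"},
    {"dn": "cn=bob,ou=rd,dc=example,dc=com", "uid": "bob", "mobile": "13800000002", "mail": "bob@example.com"},
    {"dn": "cn=dave,ou=rd,dc=example,dc=com", "uid": "dave", "mail": "dave@example.com"},
]
IDAAS_ACCOUNTS = {
    "acc-1": {"username": "alice.old", "phone": "13800000001"},  # matched by phone -> updated
    "acc-9": {"username": "carol", "phone": "13800000009"},      # absent from LDAP -> deleted
}
FIELD_MAP = {"username": "uid", "phone": "mobile", "email": "mail"}
```

The matching is done on the mapping identifier (here the phone number), not on the username, which is why `acc-1` is updated to `alice` rather than a second alice being created. The protection check runs after the whole diff is computed, so a filter or Base DN change that would empty the node is caught before anything is removed.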