This topic describes how to connect Identity as a Service (IDaaS) to OpenLDAP and the common operations that you can perform.
About OpenLDAP
Overview
OpenLDAP is an open source implementation of the Lightweight Directory Access Protocol (LDAP). OpenLDAP is widely used to manage resources such as users, computers, and networks within an enterprise. In this topic, OpenLDAP is referred to as LDAP.
The network endpoint feature allows you to synchronize data from LDAP and delegate authentication to LDAP without the need to open public ports.
Procedure
Log on to the IDaaS console. On the EIAM page, click the required instance. In the left-side navigation pane, click IdPs. On the page that appears, click Bind OpenLDAP.
Step 1: Configure parameters in the Connect to LDAP step
Configure the following parameters in IDaaS:
Nickname: the name that is displayed to a user when the user logs on to and uses IDaaS.
Network Access Endpoint: the network endpoint of the IDaaS instance. If you want to allow only IDaaS to access the LDAP server, add the network endpoint to the IP address whitelist of the LDAP server. If an IDaaS instance uses a shared endpoint, the IDaaS instance is provided with a shared and fixed public outbound IP address. If an IDaaS instance uses a dedicated endpoint, the IDaaS instance is provided with a dedicated and custom private outbound IP address and a public outbound IP address. An IDaaS instance that is configured with a dedicated endpoint can access an Alibaba Cloud virtual private cloud (VPC) by using the dedicated endpoint. This way, you can allow the IDaaS instance to access your LDAP without the need to open public ports. For more information, see Endpoints.
Server Address: the address of the server where LDAP resides. Example: 127.0.0.1:389. By default, port 389 is used for LDAP. If LDAPS or StartTLS is enabled, port 636 is used.
Enable StartTLS: specifies whether to enable StartTLS. We recommend that you enable LDAPS or StartTLS to improve the security of the connection. For more information about how to enable LDAPS or StartTLS, see the LDAP security configuration section of this topic.
Administrator Account: the LDAP administrator account used by IDaaS to read LDAP information for data synchronization or delegated authentication. The account must have read permissions at a minimum. Enter the value in the Distinguished Name (DN) format such as cn=admin, ou=technical department, dc=example, dc=com.
Administrator Password: the logon password of the administrator account.
Step 2: Configure parameters in the Select Scenario step
In this step, configure the features that you want to use.
Features
Synchronization Direction: The data of the LDAP user or organization node selected as the source node is imported to the IDaaS destination node. Enter the DN of the LDAP node as the source node. The DN of the LDAP root node is dc=example, dc=com (your domain).
Only synchronization from LDAP to IDaaS is supported. Synchronization from IDaaS to LDAP is not supported.
Scheduled Verification: LDAP does not support queries of incremental data. IDaaS automatically synchronizes full data under the LDAP source node every morning.
In the Field Mapping step, you can configure a mapping identifier that matches a field of an IDaaS account against a field of an LDAP user. For example, you can match the Mobile Phone Number field of an IDaaS account against the Mobile Phone Number field of an LDAP user. If the matching is successful and the LDAP user is updated, the IDaaS account is also updated from the LDAP user. If the matching fails, an IDaaS account is created by using the information about the LDAP user.
To synchronize the latest data, you must manually trigger full data synchronization.
IDaaS provides synchronization protection. When more than 30 accounts or more than 10 organizations need to be deleted, the synchronization task is automatically canceled to prevent data from being accidentally deleted. We recommend that you adjust the synchronization protection settings based on the size of your enterprise.
Failure to import a single data entry does not affect the import of other data entries.
You can view the failure information in synchronization logs.
Delegated Authentication: If this feature is enabled, a user can log on to IDaaS by using an LDAP user account and password.
Automatic Password Update: When a user attempts to log on to IDaaS by using LDAP delegated authentication and the password of the IDaaS account is empty, the IDaaS password is automatically set to the password of the LDAP user. The LDAP password must meet the requirements specified in the password policies of IDaaS. Otherwise, the IDaaS password cannot be automatically updated to the LDAP password.
Advanced Settings
User/Organization ObjectClass: You can use ObjectClass to define a type of object as a user or organization. For example, the object whose ObjectClass is user in the query result is considered a user.
LDAP allows flexible customization. If you define the ObjectClass of a user or organization, make sure that the ObjectClass in LDAP is consistent with that in IDaaS. This ensures that the data synchronized to IDaaS meets your expectations.
User Sign-in ID: When a user attempts to log on to IDaaS by using LDAP delegated authentication, IDaaS uses the attributes to query the user in LDAP and matches the password. If the password is correct, the user is allowed to log on to IDaaS. You can separate multiple attributes with commas (,). In this case, these attributes are in the OR relationship. This means that a user can use one of them to log on to IDaaS. Make sure that multiple attributes correspond to the same LDAP user. Otherwise, the user cannot log on to IDaaS.
FILTER
Statement for Filtering Users: If you want to synchronize specific users from different organizations to IDaaS, you can use a custom filter statement to filter users. Only users that meet the filter conditions can be synchronized to IDaaS. By default, the filter statement contains ObjectClass conditions in the AND relationship. You can click View Details to view the complete statement. For more information, see the Filter section of this topic.
Step 3: Configure parameters in the Field Mapping step
If you already have accounts or organizations in IDaaS and you want to map them to the LDAP users or organizations, or if you want to use specific fields of an IDaaS account as the fields of an LDAP user, you must configure field mappings. For example, if you want to use the name of an IDaaS account as the mobile phone number of an LDAP user, you must configure a field mapping.
For more information, see Field mappings.
LDAP security configuration
By default, data is transmitted in plaintext without encryption or protection in LDAP. This may cause data theft. You can use LDAPS or StartTLS to improve the security of data transmission. After you configure a certificate in LDAP, you can use LDAPS or StartTLS in IDaaS. We recommend that you enable LDAPS or StartTLS.
After you configure the certificate, you can obtain the certificate fingerprint in IDaaS so that IDaaS trusts only the LDAP certificate that matches this fingerprint. This reduces the risk of forged certificates.
LDAP custom configuration
ObjectClass
ObjectClass in LDAP is a set of attributes. Each object must have an ObjectClass. You can use ObjectClass to define an object as a user, organization, or computer. For example, as shown in the following figure, if you set User ObjectClass to "inetOrgPerson,posixAccount,top" in IDaaS, IDaaS takes the object as a user. ObjectClass is displayed when you edit an object in LDAP.
LDAP allows flexible customization. If you define the ObjectClass of a user or organization, make sure that the ObjectClass in LDAP is consistent with that in IDaaS. This ensures that the data synchronized to IDaaS meets your expectations.
User Sign-in ID
When a user attempts to log on to IDaaS by using LDAP delegated authentication, IDaaS uses the attributes to query the user in LDAP and matches the password. If the password is correct, the user is allowed to log on to IDaaS.
You can use one of the attributes such as UID, mobile phone number, email address, and employee number to log on to IDaaS. You can define the attributes when you create identity providers (IdPs) or on the Delegated Authentication page. If you use multiple attributes, make sure that the attributes are unique and correspond to the same LDAP user. Otherwise, the user cannot use delegated authentication.
Filter
The modifications of the ObjectClass conditions and the filter statement affect the filter conditions of the LDAP node. During full data synchronization, IDaaS accounts and organizations that do not meet the filter conditions are deleted. We recommend that you adjust the synchronization protection settings and fully test whether the filtered results meet your expectations before you modify the ObjectClass conditions and the filter statement. For example, you can use another IDaaS instance to perform a test.
Overview
If you want to synchronize specific users from different organizations to IDaaS, you can use a custom filter statement to filter users. Only users that meet the filter conditions can be synchronized to IDaaS. By default, the filter statement contains ObjectClass conditions in the AND relationship. You can click View Details to view the complete statement.
You can enter the filter statement in LDAP Admin to check the filtered results.
The following sections describe the common operators and filter statements for LDAP.
Common operators
Operator | Description | Example |
= | Equal to | (cn=Alice) |
>= | Greater than or equal to | (pwdLastSet>=1319563845000000000) |
<= | Less than or equal to | (employeeNumber<=1000) |
& | AND relationship, which indicates that all conditions must be met | (&(cn=CN*)(title=RD)) |
| | OR relationship, which indicates that at least one condition must be met | (|(cn=Test*)(cn=Admin*)) |
! | NOT relationship, which indicates that the single wrapped condition must not be met; to exclude several conditions, wrap them in an OR | (!(|(cn=Test*)(cn=Admin*))) |
Common statements
Scenario | Example |
Select users whose usernames start with CN | (cn=CN*) |
Select the user with the specified email address | (mail=alice@example.com) |
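The following Python is an added illustration, not IDaaS or OpenLDAP code: it composes the effective filter the way this topic describes (the configured ObjectClass conditions ANDed with the custom statement), parses it with a minimal RFC 4515 parser that rejects a NOT wrapping more than one condition, and applies it to constructed entries to preview which users a full synchronization would keep. The entry dictionaries (lowercase attribute names) and the sample DNs are assumptions.

```python
import re
def effective_filter(object_classes, custom_filter=""):
    # AND every configured ObjectClass with the custom filter, as IDaaS does by default.
    return "(&" + "".join(f"(objectClass={oc.strip()})" for oc in object_classes.split(",")) + custom_filter + ")"

def parse_filter(text):
    # Minimal RFC 4515 parser (equality items only): nested tuples out, ValueError on bad input.
    pos = 0
    def node():
        nonlocal pos
        if text[pos:pos + 1] != "(": raise ValueError(f"expected '(' at {pos}")
        op, pos = text[pos + 1:pos + 2], pos + 1
        if op in ("&", "|", "!"):
            pos, subs = pos + 1, []
            while text[pos:pos + 1] == "(":
                subs.append(node())
            if op == "!" and len(subs) != 1: raise ValueError("'!' wraps exactly one filter")
            result = (op, subs)
        else:
            m = re.match(r"([A-Za-z][\w;.-]*)=([^()]*)", text[pos:])
            if not m: raise ValueError(f"bad filter item at {pos}")
            pos, result = pos + m.end(), ("=", m.group(1).lower(), m.group(2).lower())
        if text[pos:pos + 1] != ")": raise ValueError(f"expected ')' at {pos}")
        pos += 1
        return result
    tree = node()
    if pos != len(text): raise ValueError("trailing data after filter")
    return tree

def matches(tree, entry):
    # Evaluate a parsed filter against one entry (lowercase attribute -> list of values).
    if tree[0] == "!":
        return not matches(tree[1][0], entry)
    if tree[0] in ("&", "|"):
        return (all if tree[0] == "&" else any)(matches(s, entry) for s in tree[1])
    _, attr, want = tree
    pattern = ".*".join(re.escape(p) for p in want.split("*"))  # '*' is the LDAP wildcard
    return any(re.fullmatch(pattern, str(v).lower()) for v in entry.get(attr, []))

def select_entries(entries, object_classes, custom_filter=""):
    # DNs the effective filter keeps; on full sync IDaaS deletes accounts that fall outside it.
    tree = parse_filter(effective_filter(object_classes, custom_filter))
    return sorted(dn for dn, attrs in entries.items() if matches(tree, attrs))

SAMPLE = {  # constructed sample entries (not from any real directory); attribute names lowercase
    "cn=Alice,ou=rd,dc=example,dc=com": {"objectclass": ["inetorgperson", "posixaccount", "top"], "cn": ["Alice"], "title": ["RD"]},
    "cn=Test1,ou=rd,dc=example,dc=com": {"objectclass": ["inetorgperson", "posixaccount", "top"], "cn": ["Test1"]},
    "ou=rd,dc=example,dc=com": {"objectclass": ["organizationalunit", "top"], "ou": ["rd"]},
}
```

Running select_entries with the User ObjectClass from this topic and the NOT example from the table keeps only Alice; the organizational unit never matches because it lacks the user ObjectClass values.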
LDAP synchronization configuration
Obtain Base DN
Base DN is the path identifier of a node in LDAP. IDaaS performs operations such as queries and data synchronization only within this node. You can set the Base DN of the source node in Synchronization Direction.
The format of DN is ou=organization, dc=example, dc=com. The DN of the root node is dc=example, dc=com (your domain). You can also view the DN of the node in LDAP, as shown in the following figure.
If the path of a node changes, the Base DN of the node also changes. To prevent LDAP data synchronization errors caused by node path changes, IDaaS uses the ObjectGuid of the node as the node fingerprint when you configure the Base DN of the source node in IDaaS. If the changed Base DN of the node does not match the node fingerprint, data synchronization is stopped. You can synchronize data after you reconfigure the source node.
Scheduled verification
LDAP does not support queries of incremental data. IDaaS automatically synchronizes full data within the LDAP source node every morning. To synchronize the latest data, you must manually trigger full data synchronization.
IDaaS provides synchronization protection. When more than 30 accounts or more than 10 organizations need to be deleted, the synchronization task is automatically canceled to prevent data from being accidentally deleted. We recommend that you adjust the synchronization protection settings based on the size of your enterprise.