Version: 1.3.15

LDAP Integration

Follow this process to set up LDAP integration in Cortex Certifai.

Prerequisites

  • An LDAP server has been set up.
  • A client certificate has been provided, if secure LDAP is configured.
  • Active Directory is reachable from the cluster where Certifai is being installed.
  • Users and groups have been added to Active Directory. (If RoleBindings are used, these groups should be the ones referenced by the role bindings in Certifai.)
  • All Certifai installation steps EXCEPT applying the certifai-cr have been completed.

Integration

  1. Fetch the bind credentials for your LDAP server. For more information on bind credentials, see https://ldap.com/the-ldap-bind-operation/.

  2. Determine the user search query and group search query for LDAP.

    • User Search Query - A user search query maps the username and password entered by a user to an LDAP entry.
      • Format:
        baseDN: <BaseDN to start the search from>
        filter: <Optional filter to apply when searching the directory (the filter can be an objectClass)>
        username: <Username attribute used for comparing user entries; this must be unique per user>
        idAttr: <String representation of the user>
        emailAttr: <Attribute to map to a unique identifier>
        nameAttr: <Attribute that maps to the display name of the user>
    • Group Search Query - A group search query finds the groups a given user entry belongs to.
      • Format:
        baseDN: <BaseDN to start the search from>
        filter: <Optional filter to apply when searching the directory (the filter can be an objectClass)>
        userAttr: <Group match attribute on the user side; used to match a user to a group>
        groupAttr: <Group match attribute on the group side; used to match a user to a group>
        nameAttr: <Attribute that represents the group name>

    For examples of user and group search queries for different LDAP servers, see https://dexidp.io/docs/connectors/ldap/.

  3. If a client certificate is provided, base64-encode it as a single line (no line breaks) by running:

    cat <path to certificate> | base64 -w0

  4. Update the certifai-cr.yaml fields under spec.dex. The required fields that need to be updated are:

    • dex.enabled

    • dex.create-ingress

    • dex.tls-secret

    • dex.dex-url

    • dex.replicas

    • dex.connector

      • Example dex.connector section for an Active Directory server (comments mark the values you must supply):
        connector:
          type: ldap
          name: ActiveDirectory
          id: ActiveDirectory
          add-config: |
            # The host DNS name must be one of the names present in the server certificate.
            host: <Active Directory host DNS>
            # Required for a secure LDAP server: the base64 string produced in the previous step.
            rootCAData: <base64-encoded certificate string copied in the step above>
            # Example bind DN only; obtain the real values from your Active Directory.
            bindDN: cn=admin,cn=users,dc=certifai,dc=ldap,dc=insights,dc=ai
            bindPW: <bindPW for the admin user>
            # Prompt shown on the login UI (e.g. sAMAccountName).
            usernamePrompt: <Prompt required on the UI>
            userSearch:
              baseDN: cn=users,dc=certifai,dc=ldap,dc=insights,dc=ai
              filter: "(objectClass=person)"
              username: sAMAccountName
              idAttr: DN
              emailAttr: sAMAccountName
              nameAttr: cn
            groupSearch:
              baseDN: cn=users,dc=certifai,dc=ldap,dc=insights,dc=ai
              filter: "(objectClass=group)"
              # A user is a member of a group when their DN matches
              # the value of a "member" attribute on the group entity.
              userAttr: DN
              groupAttr: member
              # The group name should be the "cn" value.
              nameAttr: cn
          client-id: tests
          client-secret: test
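        The following is an added pre-apply check, not part of the Certifai documentation or the Dex project: it validates a dex.connector section against the fields this page lists before the certifai-cr.yaml is applied. It assumes the add-config literal block has already been parsed into a dict (for example with PyYAML); the sample connector, hostname, secret and certificate bytes are constructed.

```python
import base64
import re

# Keys this page lists for the two search blocks inside dex.connector add-config.
USER_SEARCH_KEYS = ("baseDN", "filter", "username", "idAttr", "emailAttr", "nameAttr")
GROUP_SEARCH_KEYS = ("baseDN", "filter", "userAttr", "groupAttr", "nameAttr")
PLACEHOLDER = re.compile(r"^<.*>$")  # a "<...>" template value that was never replaced

def validate_ldap_connector(connector, require_tls=True):
    """Return the problems found in a dex.connector dict (add-config already parsed)."""
    problems = []
    cfg = connector.get("add-config") or {}
    for key in ("host", "bindDN", "bindPW", "usernamePrompt"):
        if not cfg.get(key) or PLACEHOLDER.match(str(cfg[key])):
            problems.append(f"{key}: missing or still a <placeholder>")
    ca = cfg.get("rootCAData")
    if require_tls and not ca:
        problems.append("rootCAData: required for a secure LDAP server")
    elif ca:
        try:  # validate=True rejects line breaks, so a cert encoded without -w0 is caught here
            pem = base64.b64decode(ca, validate=True).decode("ascii")
            if "-----BEGIN CERTIFICATE-----" not in pem:
                problems.append("rootCAData: decodes, but is not a PEM certificate")
        except (ValueError, UnicodeDecodeError):
            problems.append("rootCAData: not valid single-line base64 (use base64 -w0)")
    for block, keys in (("userSearch", USER_SEARCH_KEYS), ("groupSearch", GROUP_SEARCH_KEYS)):
        section = cfg.get(block) or {}
        for key in keys:
            if key not in section or PLACEHOLDER.match(str(section[key])):
                problems.append(f"{block}.{key}: missing or still a <placeholder>")
    secret = str(connector.get("client-secret", ""))
    if len(secret) < 16 or PLACEHOLDER.match(secret):
        problems.append("client-secret: short or placeholder value; generate a random secret")
    return problems

# Constructed sample mirroring the page's Active Directory example (not a real certificate or host).
SAMPLE_CA = base64.b64encode(b"-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n").decode()
SAMPLE_CONNECTOR = {
    "type": "ldap", "name": "ActiveDirectory", "id": "ActiveDirectory",
    "client-id": "certifai", "client-secret": "constructed-sample-secret-value-1234",
    "add-config": {
        "host": "ad.example.internal:636", "rootCAData": SAMPLE_CA,
        "bindDN": "cn=admin,cn=users,dc=certifai,dc=ldap,dc=insights,dc=ai",
        "bindPW": "constructed-bind-password", "usernamePrompt": "sAMAccountName",
        "userSearch": {"baseDN": "cn=users,dc=certifai,dc=ldap,dc=insights,dc=ai", "filter": "(objectClass=person)",
                       "username": "sAMAccountName", "idAttr": "DN", "emailAttr": "sAMAccountName", "nameAttr": "cn"},
        "groupSearch": {"baseDN": "cn=users,dc=certifai,dc=ldap,dc=insights,dc=ai", "filter": "(objectClass=group)",
                        "userAttr": "DN", "groupAttr": "member", "nameAttr": "cn"},
    },
}
```

        An empty list from validate_ldap_connector(SAMPLE_CONNECTOR) means every listed field is present, the CA data decodes to a PEM certificate, and the client secret is not a placeholder.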
  5. Update the remaining certifai-cr.yaml attributes and apply the file, following the installation instructions linked above.

  6. Test that authentication works with the role bindings that have been applied, and with the users and groups that have been added in Active Directory.

Notes for role bindings

  • For a group binding, specify the LDAP group name.
  • For a user binding, specify the value of the LDAP attribute configured as emailAttr (sAMAccountName in the example above).