Configure an LDAP directory

Go to Administration > Identity Provider > LDAP.

Basic elements

  • Host: Address of the LDAP server
  • Port: Port used by the LDAP server
  • TLS: Check if the LDAP connection uses the TLS protocol
  • Basename: Base DN used to search in the directory

LDAP Consultation account

This account lets Cyberwatch query the LDAP directory to check the groups of the users.

  • dn: DistinguishedName of the consultation account

    For Microsoft Active Directory, the dn of the user username can be found with these commands:

     Import-Module ActiveDirectory
     Get-ADUser username | Select-Object DistinguishedName
    
  • Password: Password of the consultation account

Login settings

  • Login field: LDAP field used to create the logins of Cyberwatch users (by default, this field is set to uid)

Restrict the access to Cyberwatch to specific LDAP groups

For Microsoft Active Directory, the groups of the user username can be found with these commands:

     Import-Module ActiveDirectory
     (Get-ADUser username -Properties MemberOf | Select-Object MemberOf).MemberOf

  • Groups: List of the groups from the directory that will generate standard user accounts.
  • Admin groups: List of the groups from the directory that will generate administrator user accounts.

Filling at least one of these settings is mandatory in order to be able to use Cyberwatch with an LDAP directory.
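As an added illustration (not code from the Cyberwatch documentation or product), the following Python models the decision described above: the entry read with the consultation account supplies the login field and the memberOf values, and the two group lists decide whether an administrator account, a standard account, or no account results. The group DNs and the sample entry are constructed placeholders; giving Admin groups precedence over Groups is an assumption of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def normalize_dn(dn: str) -> str:
    """Normalise a DN for comparison: case-insensitive, no spaces around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


@dataclass
class LdapConfig:
    # Mirrors the settings on the page; the default login field is uid.
    login_field: str = "uid"
    groups: List[str] = field(default_factory=list)        # -> standard user accounts
    admin_groups: List[str] = field(default_factory=list)  # -> administrator accounts

    def validate(self) -> None:
        # The page states that at least one of the two lists must be filled.
        if not self.groups and not self.admin_groups:
            raise ValueError("Fill in at least one of Groups / Admin groups")


def resolve_account(entry: Dict[str, List[str]], cfg: LdapConfig) -> Optional[Tuple[str, str]]:
    """Return (login, role) for a directory entry, or None if no configured group matches.

    `entry` maps attribute names to value lists, as an LDAP search made with the
    consultation account would return them. Admin groups win (assumption of this example).
    """
    cfg.validate()
    member_of = {normalize_dn(g) for g in entry.get("memberOf", [])}
    login_values = entry.get(cfg.login_field, [])
    if not login_values:
        return None  # no login field value, so no Cyberwatch login can be built
    login = login_values[0]
    if member_of & {normalize_dn(g) for g in cfg.admin_groups}:
        return login, "administrator"
    if member_of & {normalize_dn(g) for g in cfg.groups}:
        return login, "standard"
    return None


# Constructed sample entry and configuration (placeholder DNs, not a real directory).
SAMPLE_ENTRY = {
    "sAMAccountName": ["jdoe"],
    "memberOf": ["CN=Cyberwatch Admins, OU=Groups, DC=example, DC=com"],
}
SAMPLE_CONFIG = LdapConfig(
    login_field="sAMAccountName",
    groups=["cn=cyberwatch users,ou=groups,dc=example,dc=com"],
    admin_groups=["cn=cyberwatch admins,ou=groups,dc=example,dc=com"],
)

if __name__ == "__main__":
    print(resolve_account(SAMPLE_ENTRY, SAMPLE_CONFIG))  # ('jdoe', 'administrator')
```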

Debugging the LDAP configuration

To display the logs of the LDAP connection:

  1. Use the procedure to Consult Cyberwatch logs
  2. Filter the logs to get only LDAP related errors:

    sudo cyberwatch logs web 2>&1 | grep ERROR | grep LDAP