All versions of this manual
X
Welcome to Linkurious administration manual v2.10.18. Use the menu to access other documentations.
  1. Introduction
  2. FAQ
  3. Getting started
    1. Technical requirements
    2. Downloading
    3. Installing
    4. Starting Linkurious
    5. Stopping Linkurious
    6. Configure Linkurious
    7. Release notes
    8. Graph DB Feature Map
  4. Troubleshooting
    1. Checking Linkurious status
    2. Reading the logs
    3. Getting support
    4. Manage license
  5. Importing graph data
    1. Neo4j
    2. JanusGraph
    3. Cosmos db
  6. Updating Linkurious
    1. Checking for updates
    2. Backing up your data
    3. Update procedure
  7. Configuring data-sources
    1. Neo4j
    2. JanusGraph
    3. Cosmos DB
    4. Alternative IDs
    5. Merging data-sources
    6. Advanced settings
  8. Search index
    1. Search Option Comparison
    2. Neo4j
    3. Neo4j to Elasticsearch
    4. Azure search
    5. Configuring Elasticsearch
    6. Using Elasticsearch on AWS
    7. Incremental Indexing
  9. User-data store
    1. Migrating to an external database
    2. Backing-up your store
  10. Web server
  11. Authentication
    1. Getting started
    2. LDAP / Active Directory
    3. SSO with Azure AD
    4. SSO with Google
    5. SSO with OpenID Connect
    6. SSO with SAML2 / ADFS
    7. Configuration
  12. Access control
    1. Managing users
    2. Managing groups
    3. Standard access-rights
    4. Property-key access-rights
  13. Guest mode
    1. Guest mode
  14. Data Schema
    1. Property types
    2. Hiding data
    3. Strict mode
  15. Alerts
    1. Configuration
  16. Visualizations appearance
    1. Default styles
    2. Default captions
    3. Geographic tiles
  17. Audit trail
    1. Log format
  18. Plugins
 

Authentication: LDAP / Active Directory

If Linkurious Enterprise is connected to an LDAP service, users will be authenticated using the external service at each log-in.

If you have a LDAP service running in your network, you can use it to authenticate users in Linkurious Enterprise.

Contact your network administrator to ensure that the machine where Linkurious Enterprise is installed can connect to the LDAP service.

OpenLDAP

For OpenLDAP compatible providers, add or edit the existing ldap section inside the access configuration.

Allowed options in access.ldap:

  • enabled: true to enable this authentication strategy
  • url: URL of the LDAP server
  • bindDN (optional): "Domain Name" of the LDAP account used to search other accounts
  • bindPassword (optional): Password of the LDAP account used to search other accounts
  • baseDN: Base "Domain Name" in which users will be searched. It can be a string or a non-empty array of strings
  • usernameField: Name of the LDAP attribute containing the user's name
  • emailField: Name of the LDAP attribute containing the user's e-mail
  • groupField (optional): Name of the LDAP attribute containing the user's group

The bindDN and bindPassword are optional. If specified they will be used to bind to the LDAP server.

Example LDAP configuration:

"access": {
  // [...] 
  "ldap": {
    "enabled": true,
    "url": "ldap://ldap.forumsys.com:389",
    "bindDN": "cn=read-only-admin,dc=example,dc=com",
    "bindPassword": "password",
    "baseDN": ["dc=example,dc=com"],
    "usernameField": "uid",
    "emailField": "mail",
    "groupField": "group"
  }
}

Active Directory

For Microsoft Active Directory, add a msActiveDirectory section inside the access configuration.

Allowed options in access.msActiveDirectory:

  • enabled: true to enable this authentication strategy
  • url: URL of the Active Directory server
  • baseDN: Base "Domain Name" in which users will be searched
  • domain: (optional) Domain of your Active Directory server
  • netbiosDomain: (optional) NetBIOS domain of your Active Directory server
  • tls.rejectUnauthorized: (optional) Whether the SSL certificate of your Active Directory server will be checked
  • supportNestedGroups: (optional, default: true) Whether you want Linkurious to resolve nested hieararchy in parent groups

Users can authenticate with their userPrincipalName or their sAMAccountName.

Use the domain configuration key to avoid your users to specify the domain part of their userPrincipalName. Use the netbiosDomain configuration key to avoid your users to specify the NetBIOS domain part of their sAMAccountName.

Example Active Directory configuration:

"access": {
  // [...] 
  "msActiveDirectory": {
    "enabled": true,
    "url": "ldaps://ldap.lks.com:636",
    "baseDN": "dc=ldap,dc=lks,dc=com",
    "domain": "ldap.lks.com",
    "netbiosDomain": "LINKURIO",
    "tls": {
      "rejectUnauthorized": true
    }
  }
}

In alternative is possible to use your on premises Active Directory in conjunction with Azure Active Directory to provide SSO to your users. Please refer to Prerequisites for Azure AD Connect for more information and to SSO with Azure AD to know how to setup Azure AD as an identity provider.