Authentication: LDAP / Active Directory
If you have an LDAP service running in your network, you can use it to authenticate users in Linkurious Enterprise. When Linkurious Enterprise is connected to an LDAP service, users are authenticated against that external service at each log-in.
Contact your network administrator to ensure that the machine where Linkurious Enterprise is installed can reach the LDAP service.
OpenLDAP
For OpenLDAP compatible providers, add or edit the existing ldap section inside the access configuration.
Allowed options in access.ldap:
- enabled: true to enable this authentication strategy
- url: URL of the LDAP server. A plain ldap:// URL without TLS sends the bind password and the users' passwords over the network unencrypted.
- bindDN (optional): Distinguished Name (DN) of the LDAP account used to search other accounts
- bindPassword (optional): Password of the LDAP account used to search other accounts
- baseDN: Base Distinguished Name under which users will be searched. It can be a string or a non-empty array of strings
- usernameField: Name of the LDAP attribute containing the user's name
- emailField: Name of the LDAP attribute containing the user's e-mail
- groupField (optional): Name of the LDAP attribute containing the user's group
The bindDN and bindPassword are optional. If specified, they are used to bind to the LDAP server before searching for the user.
Example LDAP configuration:
"access": {
  // [...]
  "ldap": {
    "enabled": true,
    "url": "ldap://ldap.forumsys.com:389",
    "bindDN": "cn=read-only-admin,dc=example,dc=com",
    "bindPassword": "password",
    "baseDN": ["dc=example,dc=com"],
    "usernameField": "uid",
    "emailField": "mail",
    "groupField": "group"
  }
}
Connect to multiple LDAP services
You can configure Linkurious Enterprise to connect to multiple LDAP services.
During the authentication process, Linkurious Enterprise will validate the user credentials against each LDAP service and use the identity resolved by the first successful attempt, following the order in which they appear in the configuration.
Example with multiple LDAP configurations:
"access": {
  // [...]
  "ldap": [
    {
      "enabled": true,
      "url": "ldap://linkurious.fr:389",
      "bindDN": "cn=read-only-admin,dc=example,dc=com",
      "bindPassword": "password",
      "baseDN": ["dc=example,dc=com"],
      "usernameField": "uid",
      "emailField": "mail",
      "groupField": "group"
    },
    {
      "enabled": true,
      "url": "ldap://linkurious.com:389",
      "bindDN": "cn=read-only-admin,dc=example,dc=com",
      "bindPassword": "password",
      "baseDN": ["dc=example,dc=com"],
      "usernameField": "uid",
      "emailField": "mail",
      "groupField": "group"
    }
  ]
}
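The following is an added example, not Linkurious Enterprise code, that models the login sequence the options above configure, using the two-service configuration just shown. The product's internal implementation is not documented on this page; the flow below is the conventional LDAP "bind with the service account, search each baseDN for usernameField, then bind as the user" sequence. The in-memory directories, the entries alice and bob, and the helper names (escape_filter_value, build_filter, authenticate) are constructed for this example; nothing touches the network.

```python
# Added example, not Linkurious Enterprise code: a self-contained model of the
# LDAP login sequence, using the two-service configuration from the page.
# The real product's internals are not documented here; this is the
# conventional "search, then bind as the user" flow against constructed
# in-memory stand-ins for the directory servers (no network access).
from typing import Optional

# Constructed stand-ins for the two directory servers, keyed by configured URL.
# Each entry maps a DN to its attributes; userPassword is kept in clear only
# because this is a toy directory.
FAKE_DIRECTORIES = {
    "ldap://linkurious.fr:389": {
        "cn=read-only-admin,dc=example,dc=com": {"userPassword": "password"},
        "uid=alice,ou=people,dc=example,dc=com": {
            "uid": "alice", "mail": "alice@example.com",
            "group": "analysts", "userPassword": "alice-pw"},
    },
    "ldap://linkurious.com:389": {
        "cn=read-only-admin,dc=example,dc=com": {"userPassword": "password"},
        "uid=bob,ou=staff,dc=example,dc=com": {
            "uid": "bob", "mail": "bob@example.com",
            "group": "admins", "userPassword": "bob-pw"},
    },
}

# The multi-service configuration from the page, as Python literals.
LDAP_CONFIG = [
    {"enabled": True, "url": "ldap://linkurious.fr:389",
     "bindDN": "cn=read-only-admin,dc=example,dc=com", "bindPassword": "password",
     "baseDN": ["dc=example,dc=com"], "usernameField": "uid",
     "emailField": "mail", "groupField": "group"},
    {"enabled": True, "url": "ldap://linkurious.com:389",
     "bindDN": "cn=read-only-admin,dc=example,dc=com", "bindPassword": "password",
     "baseDN": ["dc=example,dc=com"], "usernameField": "uid",
     "emailField": "mail", "groupField": "group"},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a typed login cannot change the search filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(username_field: str, login: str) -> str:
    """The equality filter a server would receive to look up the typed login."""
    return "(%s=%s)" % (username_field, escape_filter_value(login))


def bind(directory: dict, dn: str, password: str) -> bool:
    """Simple bind: succeeds only if the DN exists and the password matches."""
    entry = directory.get(dn)
    return entry is not None and entry.get("userPassword") == password


def search(directory: dict, base_dn: str, attribute: str, value: str) -> list:
    """DNs under base_dn whose attribute equals value (subtree scope)."""
    suffix = "," + base_dn.lower()
    return [dn for dn, attrs in directory.items()
            if dn.lower().endswith(suffix) and attrs.get(attribute) == value]


def authenticate(ldap_config, login: str, password: str) -> Optional[dict]:
    """Try each enabled service in configuration order; the first success wins.

    ldap_config may be a single service object or a list of them, mirroring
    the two forms the access.ldap key accepts.
    """
    services = ldap_config if isinstance(ldap_config, list) else [ldap_config]
    for svc in services:
        if not svc.get("enabled"):
            continue
        directory = FAKE_DIRECTORIES.get(svc["url"], {})
        # Optional service account: used only to find the user's entry.
        if svc.get("bindDN") and not bind(directory, svc["bindDN"],
                                          svc.get("bindPassword", "")):
            continue  # cannot search this service; fall through to the next one
        base_dns = svc["baseDN"] if isinstance(svc["baseDN"], list) else [svc["baseDN"]]
        for base_dn in base_dns:
            for dn in search(directory, base_dn, svc["usernameField"], login):
                # The user's own password is verified by binding as the found DN.
                if bind(directory, dn, password):
                    attrs = directory[dn]
                    return {"dn": dn,
                            "username": attrs[svc["usernameField"]],
                            "email": attrs.get(svc["emailField"]),
                            "group": attrs.get(svc.get("groupField", "")),
                            "service": svc["url"]}
    return None


if __name__ == "__main__":
    print(build_filter("uid", "a*)(uid=*"))                # injection attempt is escaped
    print(authenticate(LDAP_CONFIG, "alice", "alice-pw"))  # resolved on the first service
    print(authenticate(LDAP_CONFIG, "bob", "bob-pw"))      # not on .fr, found on .com
    print(authenticate(LDAP_CONFIG, "alice", "nope"))      # None
```

Two behaviours worth noticing: a service whose bindDN/bindPassword no longer work is silently skipped and the next one is tried, so a rotated service-account password shows up as users being resolved by a later directory (or not at all) rather than as an obvious error; and the filter value is escaped, because the login typed by the user becomes part of the search filter.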
Active Directory
For Microsoft Active Directory, add a msActiveDirectory section inside the access configuration.
Allowed options in access.msActiveDirectory:
- enabled: true to enable this authentication strategy
- url: URL of the Active Directory server
- baseDN: Base Distinguished Name under which users will be searched
- domain (optional): Domain of your Active Directory server
- netbiosDomain (optional): NetBIOS domain of your Active Directory server
- tls.rejectUnauthorized (optional): Whether the TLS certificate of your Active Directory server will be verified. Setting it to false accepts any certificate, including one presented by a host intercepting the connection; keep it true outside of testing
- tls.enableTrace (optional): Enable TLS packet trace information
- supportNestedGroups (optional, default: true): Whether Linkurious Enterprise should resolve the nested hierarchy of parent groups
Users can authenticate with their userPrincipalName or their sAMAccountName.
Use the domain configuration key so that your users do not have to type the domain part of their userPrincipalName.
Use the netbiosDomain configuration key so that your users do not have to type the NetBIOS domain part of their sAMAccountName.
Example Active Directory configuration:
"access": {
  // [...]
  "msActiveDirectory": {
    "enabled": true,
    "url": "ldaps://ldap.lks.com:636",
    "baseDN": "dc=ldap,dc=lks,dc=com",
    "domain": "ldap.lks.com",
    "netbiosDomain": "LINKURIO",
    "tls": {
      "rejectUnauthorized": true,
      "enableTrace": false
    }
  }
}
Alternatively, you can use your on-premises Active Directory in conjunction with Azure Active Directory to provide SSO to your users. Refer to Prerequisites for Azure AD Connect for more information, and to SSO with Azure AD to learn how to set up Azure AD as an identity provider.
Connect to multiple Active Directory services
You can configure Linkurious Enterprise to connect to multiple Active Directory services.
During the authentication process, Linkurious Enterprise will validate the user credentials against each Active Directory service and use the identity resolved by the first successful attempt, following the order in which they appear in the configuration.
Example with multiple Active Directory configurations:
"access": {
  // [...]
  "msActiveDirectory": [
    {
      "enabled": true,
      "url": "ldaps://ldap.lks.us:636",
      "baseDN": "dc=ldap,dc=lks,dc=us",
      "domain": "ldap.lks.us",
      "netbiosDomain": "LINKURIOUS",
      "tls": {
        "rejectUnauthorized": true
      }
    },
    {
      "enabled": true,
      "url": "ldaps://ldap.lks.fr:636",
      "baseDN": "dc=ldap,dc=lks,dc=fr",
      "domain": "ldap.lks.fr",
      "netbiosDomain": "LINKURIOUS"
    }
  ]
}
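The following is an added example, not Linkurious Enterprise code, serving two passages of the Active Directory section: what the domain and netbiosDomain keys let a user leave out of the name they type, and a review of the url and tls.rejectUnauthorized settings for a single msActiveDirectory object or the list form shown just above. It assumes the standard Active Directory logon forms, user@domain for userPrincipalName and NETBIOS\user for the down-level sAMAccountName; how the product itself expands a typed name is not documented on this page. The helper names (resolve_logon, transport_warnings) and the sample logins are the example's own.

```python
# Added example, not Linkurious Enterprise code. Two checks for an
# access.msActiveDirectory section (single object or list), using the example
# values from the page: (1) which logon forms the domain and netbiosDomain keys
# let a user omit, assuming the standard Active Directory forms "user@domain"
# (userPrincipalName) and "NETBIOS\user" (sAMAccountName with its down-level
# domain); (2) transport settings a practitioner should review before go-live.
AD_CONFIG = {  # the single-service example from the page
    "enabled": True,
    "url": "ldaps://ldap.lks.com:636",
    "baseDN": "dc=ldap,dc=lks,dc=com",
    "domain": "ldap.lks.com",
    "netbiosDomain": "LINKURIO",
    "tls": {"rejectUnauthorized": True, "enableTrace": False},
}


def resolve_logon(login: str, config: dict) -> dict:
    """Expand what the user typed into the full UPN and down-level name.

    A field is None when it cannot be completed from the configuration, which
    is exactly the case where the user has to type the full form themselves.
    """
    login = login.strip()
    if "@" in login:                      # full userPrincipalName typed
        user, _, domain = login.rpartition("@")
        netbios = config.get("netbiosDomain")
    elif "\\" in login:                   # full down-level name typed
        netbios, _, user = login.partition("\\")
        domain = config.get("domain")
    else:                                 # bare name: fill from configuration
        user, domain, netbios = login, config.get("domain"), config.get("netbiosDomain")
    if not user:
        raise ValueError("empty user name in %r" % login)
    return {
        "sAMAccountName": user,
        "userPrincipalName": "%s@%s" % (user, domain) if domain else None,
        "downLevelLogonName": "%s\\%s" % (netbios.upper(), user) if netbios else None,
    }


def transport_warnings(ad_config) -> list:
    """Flag settings that expose credentials or weaken the TLS channel.

    Only explicit settings are judged: the page states no default for
    tls.rejectUnauthorized, so a missing key is not reported.
    """
    services = ad_config if isinstance(ad_config, list) else [ad_config]
    warnings = []
    for svc in services:
        url = svc.get("url", "")
        if not url.lower().startswith("ldaps://"):
            warnings.append("%s: not ldaps://, without TLS credentials travel "
                            "unencrypted" % url)
        if svc.get("tls", {}).get("rejectUnauthorized") is False:
            warnings.append("%s: tls.rejectUnauthorized is false, any certificate "
                            "is accepted (interception possible)" % url)
    return warnings


if __name__ == "__main__":
    print(resolve_logon("alice", AD_CONFIG))   # filled in from domain / netbiosDomain
    print(resolve_logon("alice", {}))          # bare name, nothing to fill in
    print(transport_warnings(AD_CONFIG))       # []
    print(transport_warnings({"url": "ldap://ad.example.test:389",
                              "tls": {"rejectUnauthorized": False}}))
```

Running transport_warnings over the whole msActiveDirectory list is a cheap pre-deployment check: the second service in the multi-service example above has no tls block at all, so nothing is reported for it, and you should confirm the effective certificate-verification behaviour of your installation rather than assume it.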