Sunday, October 15, 2017

Hygieia authentication using LDAP

Please refer to the "Installing Hygieia Dashboard on Ubuntu 16.04" blog entry to set up Hygieia before you set up LDAP authentication.

LDAP stands for “Lightweight Directory Access Protocol”. It is a simplification of the X.500 Directory Access Protocol (DAP) used to access directory information. A directory is essentially a special-purpose database optimized for identity-related information. The LDAP standard also defines a data model based on the X.500 data model: objects are arranged in a hierarchy (the directory information tree), and each object holds a collection of attributes. The overall structure of any particular directory is defined by its schema, much as a database schema defines tables and columns.

LDAP is designed for data that is read frequently but updated rarely. One of the main applications of LDAP is authentication, because user authentication data changes rarely but is read every time a user logs in. An authentication request can originate from a Linux/Windows client machine or from an application such as Jenkins, and it is checked against a remote LDAP server where the authentication data is stored.

LDAP defines a “Bind” operation that authenticates the LDAP connection and establishes a security context for subsequent operations on that connection. RFC 4513 defines two authentication methods, simple and SASL. With the simple method, the LDAP client sends the username (as an LDAP distinguished name) and the password (in clear text) to the LDAP server. The server looks up the object with that DN in the directory, compares the supplied password with the password(s) stored on the object, and authenticates the connection if they match. Because the password is sent in clear text, LDAP simple Binds should only be done over a TLS-protected connection.

LDAP with Hygieia

Setting up your own LDAP server is time-consuming. For testing purposes, there is a public online LDAP test server, which is what this tutorial uses.

1. First, install Apache Directory Studio and check that the online LDAP server is reachable and accepts a bind.

Create a new LDAP connection with the following settings:

host: ldap.forumsys.com
port: 389
Bind DN: uid=euclid,dc=example,dc=com
password: password

2. Once you can connect to the test LDAP server, update dashboard.properties in the api folder and restart the API.

$ cd Hygieia/api
~/Hygieia/api$ vi dashboard.properties

----------------------------------------------------------------------------------------

# dashboard.properties
dbname=dashboarddb
dbusername=dashboarduser
dbpassword=dbpassword
auth.authenticationProviders=LDAP,STANDARD
auth.ldapServerUrl=ldap://ldap.forumsys.com:389/dc=example,dc=com
auth.ldapUserDnPattern=uid={0}

----------------------------------------------------------------------------------------

~/Hygieia/api$ java -jar target/api.jar --spring.config.location=dashboard.properties -Djasypt.encryptor.password=hygieiasecret
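The two auth.ldap* properties above are all the API needs to perform the simple Bind described earlier: the base DN comes from the path of auth.ldapServerUrl, and auth.ldapUserDnPattern is filled in with the login name to form the Bind DN. The following Python is an added example, not code from Hygieia or the Spring LDAP library it uses; it reconstructs that DN the way a reviewer would when checking a configuration, escapes the user-supplied name per RFC 4514 so that a login name containing "," or "+" cannot alter the DN, and flags a URL whose scheme would send the simple-bind password in clear text. The property text is a constructed sample mirroring the file above; treating only ldaps:// as protected is an assumption, since the page shows no StartTLS setting.

```python
# Added example (not Hygieia's or Spring's code): reconstruct the simple-bind
# DN from Hygieia's LDAP properties and check the transport for the bind.
from urllib.parse import urlsplit, unquote

# Constructed sample mirroring the dashboard.properties shown in the post.
SAMPLE_PROPERTIES = """\
# dashboard.properties
dbname=dashboarddb
auth.authenticationProviders=LDAP,STANDARD
auth.ldapServerUrl=ldap://ldap.forumsys.com:389/dc=example,dc=com
auth.ldapUserDnPattern=uid={0}
"""

# RFC 4514 section 2.4: characters that must always be escaped inside an
# attribute value of a DN ('#' and ' ' are only special at the edges).
_DN_SPECIAL = {'"', '+', ',', ';', '<', '>', '\\'}


def parse_properties(text):
    """Minimal Java-style .properties parser: key=value lines, '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        props[key.strip()] = value.strip()
    return props


def escape_dn_value(value):
    """Escape a raw string so it is a single RFC 4514 attribute value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")               # NUL is written as a hex pair
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")                # leading '#' would start a hex value
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")                # leading/trailing space is trimmed otherwise
        else:
            out.append(ch)
    return "".join(out)


def bind_dn_for(props, username):
    """Bind DN the API would send: pattern with {0} filled, then the base DN."""
    url = urlsplit(props["auth.ldapServerUrl"])
    base_dn = unquote(url.path.lstrip("/"))
    rdn = props["auth.ldapUserDnPattern"].replace("{0}", escape_dn_value(username))
    return f"{rdn},{base_dn}" if base_dn else rdn


def bind_is_protected(props):
    """Assumption: only an ldaps:// URL wraps the clear-text simple bind in TLS."""
    return urlsplit(props["auth.ldapServerUrl"]).scheme == "ldaps"


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print("bind DN for euclid :", bind_dn_for(props, "euclid"))
    print("bind DN for 'a,b'  :", bind_dn_for(props, "a,b"))
    print("password protected :", bind_is_protected(props))
```

Run against the sample, the script shows that the DN for euclid matches the one used in Apache Directory Studio, that a login name such as "a,b" stays inside the uid value instead of adding a second RDN, and that the ldap:// URL from the tutorial leaves the password unprotected on the wire, which is acceptable against a public test directory but should be changed to ldaps:// before pointing Hygieia at a real one.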

The Hygieia login screen now offers the LDAP authentication type.

You can use the LDAP entry euclid/password to log into Hygieia.

You can create a test dashboard in Hygieia with this LDAP user and check the dashboard's entry in Mongo. A flag is added to identify the owner as an LDAP user:

$ mongo
> use dashboarddb
> db.getCollection('dashboards').find({})
{
  "_id" : ObjectId("59e324cf178d2f23ccac05b0"),
  "_class" : "com.capitalone.dashboard.model.Dashboard",
  "template" : "splitview",
  "title" : "TEstApp",
  "widgets" : [ ],
  "owners" : [ { "username" : "euclid", "authType" : "LDAP" } ],
  "type" : "Team",
  "application" : {
    "name" : "TEstApp",
    "components" : [ DBRef("components", ObjectId("59e324cf178d2f23ccac05af")) ]
  },
  "validServiceName" : false,
  "validAppName" : false,
  "remoteCreated" : false
}

2 comments:

  1. Nice article, I was looking for good tips. Thanks for sharing your blog.

  2. Has anyone had any success integrating Hygieia with SAML in the Cloud?