Authenticating with LDAP
The Solution Manager Server supports LDAP authentication, which delegates the authentication of users to an LDAP server. To enable LDAP authentication in the Solution Manager, log in to the Solution Manager Web Tool as an administrator user, click the menu Configuration > Authentication and then open the LDAP configuration.
LDAP authentication enabled: check this box to enable LDAP authentication. It allows users to be retrieved from an LDAP server and authenticated with their LDAP credentials.
Global LDAP configuration: Configure the LDAP source and the required search to retrieve users and roles.
This configuration is used for LDAP authentication and also when you choose certain Single Sign On configurations, such as Kerberos or an external Identity Provider without role extraction from assertions.
Server URI: Path to the LDAP server.
Login and Password: credentials used to access the LDAP server.
Use GSSAPI SASL: connects to the LDAP server with SASL binding using the GSSAPI authentication mechanism instead of “simple binding”. If the organization has a multi-domain environment, you have to select this check box. The administrator of the LDAP server (usually Active Directory) also has to establish a trust relationship between the domains to allow authentication of users from all domains.
Use paging: select this if the LDAP server limits the number of results per query. If selected, Solution Manager will do paged searches to obtain all the results of the queries.
Max Page Size: number of results per page.
User base: node of the LDAP server that is used as scope to search nodes that represent users. You can enter more than one “User base” expression.
Attribute with user name: name of the attribute that contains the user name of users, in the nodes that represent users.
User search pattern: pattern used to generate the LDAP queries that will be executed to obtain the nodes that represent the users that try to connect to the Server.
Role base: node of the LDAP server that is used as the scope to search the nodes that represent roles that users of this database can have. You can enter more than one “Role base” expression.
Attribute with role name: name of the attribute that contains the name of the role, in the nodes that represent roles.
Role search pattern: pattern used to generate the LDAP queries that will be executed to obtain the nodes that represent the roles of a user. This pattern has to contain the token @{USERDN} or @{USERLOGIN} (it cannot contain both) and, optionally, it can also contain @{OBJECT_SID}:
@{USERDN} will be replaced with the Distinguished Name of the user that tries to connect to this database. For example, “CN=john,CN=Users,DC=acme,DC=loc”.
@{USERLOGIN} will be replaced with the login name of the user that tries to connect to this database. For example, “john”.
Note
Virtual DataPort avoids querying the LDAP server when the LDAP Roles Cache is configured. See section Enabling the LDAP Roles Cache in Solution Manager for more information.
@{OBJECT_SID} will be replaced with the object security identifier (SID) of the user in the Active Directory server. For example, “S-1-5-21-1111111111-2222222222-3333333333-4444”. This value is useful to retrieve the groups of a user that belongs to another domain (only applicable to multi-domain architectures).
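To make the token substitution concrete, here is an added example (not Denodo code; the function names, the escaping rule and the sample patterns are assumptions) that expands a role search pattern the way the text describes, enforcing the one-of-two token rule and escaping substituted values per RFC 4515 so that a login name containing filter metacharacters cannot alter the query sent to the LDAP server:

```python
from typing import Optional

# Tokens the role search pattern may contain (from the Solution Manager settings).
USER_TOKENS = ("@{USERDN}", "@{USERLOGIN}")
SID_TOKEN = "@{OBJECT_SID}"

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515), so that
    characters such as '*' or '(' in a login name cannot change the query the
    pattern expands to (LDAP filter injection)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def validate_pattern(pattern: str) -> bool:
    """The rule from the text: exactly one of @{USERDN} / @{USERLOGIN} must be
    present; @{OBJECT_SID} is optional."""
    return sum(tok in pattern for tok in USER_TOKENS) == 1

def build_role_filter(pattern: str, user_dn: str, user_login: str,
                      object_sid: Optional[str] = None) -> str:
    """Expand the pattern for one user. Every value is escaped before substitution."""
    if not validate_pattern(pattern):
        raise ValueError("pattern must contain exactly one of @{USERDN} or @{USERLOGIN}")
    if SID_TOKEN in pattern and object_sid is None:
        raise ValueError("pattern uses @{OBJECT_SID} but no SID is known for the user")
    result = pattern.replace("@{USERDN}", escape_filter_value(user_dn))
    result = result.replace("@{USERLOGIN}", escape_filter_value(user_login))
    if object_sid is not None:
        result = result.replace(SID_TOKEN, escape_filter_value(object_sid))
    return result

# Constructed sample values, matching the examples given in the text.
SAMPLE_DN = "CN=john,CN=Users,DC=acme,DC=loc"
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-4444"
```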
Important
Create the specific roles that may be retrieved from LDAP and assign them the corresponding privileges. See the privileges system for more information.
After enabling LDAP authentication in this configuration, when users go to the Solution Manager they are authenticated with the user name and password stored in the configured LDAP source.
Enabling the LDAP Roles Cache in Solution Manager
When the “LDAP Roles Cache” is enabled, the Virtual DataPort server included in the Solution Manager stores in memory, for a limited time, the roles of each user that logs in to Virtual DataPort when the roles of that user are obtained from an LDAP server (e.g. Active Directory). That is, it applies to users with Kerberos authentication, to OAuth and SAML with the option to retrieve the roles from an LDAP server, and to user and password authentication that retrieves the roles from an LDAP server. This reduces the connection time the next time the same user logs in, because Virtual DataPort only has to retrieve the roles of the user from the LDAP server the first time this user logs in. When the feature is disabled, Virtual DataPort queries the LDAP server for every login attempt.
This feature is disabled by default. To enable it, log in with an administrator account to the Virtual DataPort of the Solution Manager (the default URL is //denodo-solution-manager.acme.com:19999/)
and execute this command:
SET 'com.denodo.vdb.security.LDAPRolesCache.UseCache' = 'true';
You do not need to restart Virtual DataPort to apply the change. To disable this feature, execute the same command with the property set to “false”.
The roles of a user are stored in memory for a period of time (by default, 10 minutes). Ten minutes after the roles of a user were stored in memory, they are removed. The next time this user opens a connection, the roles of this user are retrieved from the LDAP server again and stored in memory.
To modify the settings of the LDAP Roles Cache, execute the following statements on the VQL Shell:
-- To modify for how long the roles of a user are stored in memory.
-- Default value: 10 minutes
SET 'com.denodo.vdb.security.LDAPRolesCache.ExpirationTimeMinutes' = '5';
-- To modify how often, in milliseconds, the task that removes the expired entries from this cache runs.
-- Default value: 60000 (1 minute)
SET 'com.denodo.vdb.security.LDAPRolesCache.CacheMaintenancePeriodMilliseconds' = '120000';
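To make the caching behaviour and its security consequence concrete, here is an added example (a simplified Python model, not Denodo's implementation; the class, the injectable clock and the scenario are assumptions) that stores roles for ExpirationTimeMinutes, sweeps them every CacheMaintenancePeriodMilliseconds, and shows that a group membership revoked in LDAP keeps being honoured until the cached entry expires:

```python
from typing import Callable, Dict, List, Tuple

class LdapRolesCache:
    """Model of the cache the text describes: roles fetched from LDAP are kept for
    expiration_minutes, and a maintenance task sweeps expired entries every
    maintenance_period_ms. The property names are Denodo's; this class is an assumption."""
    def __init__(self, fetch_roles: Callable[[str], List[str]], clock: Callable[[], float],
                 expiration_minutes: int = 10, maintenance_period_ms: int = 60000):
        self._fetch = fetch_roles  # the call that actually asks the LDAP server
        self._clock = clock        # injectable clock so the scenario below can jump in time
        self._ttl = expiration_minutes * 60
        self._period = maintenance_period_ms / 1000
        self._entries: Dict[str, Tuple[List[str], float]] = {}
        self._last_sweep = clock()
        self.ldap_queries = 0      # counts real LDAP round trips

    def roles_for(self, user: str) -> List[str]:
        now = self._clock()
        entry = self._entries.get(user)
        if entry is not None and now - entry[1] < self._ttl:
            return entry[0]        # served from memory: no LDAP query
        self.ldap_queries += 1
        roles = self._fetch(user)
        self._entries[user] = (roles, now)
        return roles

    def maintenance(self) -> int:
        """Sweep expired entries once per maintenance period; returns how many were removed."""
        now = self._clock()
        if now - self._last_sweep < self._period:
            return 0
        self._last_sweep = now
        expired = [u for u, (_, t) in self._entries.items() if now - t >= self._ttl]
        for u in expired:
            del self._entries[u]
        return len(expired)

def demo() -> Tuple[int, List[str], List[str]]:
    """Constructed scenario: john loses the 'finance' role in LDAP right after logging in; the cached copy keeps granting it until the 10-minute expiry."""
    directory = {"john": ["finance", "reporting"]}  # stands in for the LDAP server
    fake_now = [0.0]
    cache = LdapRolesCache(lambda u: list(directory[u]), clock=lambda: fake_now[0])
    cache.roles_for("john")              # first login: LDAP is queried
    directory["john"] = ["reporting"]    # membership revoked on the LDAP server
    fake_now[0] = 5 * 60                 # 5 minutes later: still inside the TTL
    stale = cache.roles_for("john")
    fake_now[0] = 11 * 60                # after expiry: LDAP is queried again
    fresh = cache.roles_for("john")
    return cache.ldap_queries, stale, fresh
```

Shortening ExpirationTimeMinutes bounds how long a revoked role stays effective, at the cost of more LDAP queries.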