LDAP Authentication

There are two steps for LDAP authentication:

Step 1: Enable LDAP in settings:

This must currently be done using a monsterDB terminal, which can be reached as the admin user through the Monster Terminal on the settings menu.

The script instructions to view your LDAP settings are:

monsterDB> use Master
monsterDB> set output pretty
monsterDB> db.Properties.find({"PropertyType": "Authentication"})
{
  "PropertyType": "Authentication",
  "Settings": {
    "allowSelfProvisioning": true,
    "host": "ldap://localhost:10389",
    "prefix": "cn\u003d",
    "suffix": ",ou\u003dusers,ou\u003dsystem",
    "systemPrinciple": "uid\u003dadmin,ou\u003dsystem",
    "systemCredential": "secret",
    "systemLoginPermitted": "true",
    "authenticationType": "simple",
    "passwordEncoding": "SHA",
    "externalLDAP": false
  }, "_id": "9760ad71-657e-4da1-bb03-8124056ce9db"
}

To update these settings you must first be sure of what each setting means, and then you can construct a new document to replace them. Be aware that if you update the settings you must not create a duplicate record in the database, because either record could be used at authentication time. We recommend deleting the current record or updating it directly using an updateOne statement:

monsterDB> db.Properties.updateOne({"PropertyType": "Authentication"}, {'$set': {'Settings.host': 'ldap://somehost:389'}})

Which produces the output:

{
  "PropertyType": "Authentication",
  "Settings": {
    "allowSelfProvisioning": true,
    "host": "ldap://somehost:389",
    "prefix": "cn\u003d",
    "suffix": ",ou\u003dusers,ou\u003dsystem",
    "systemPrinciple": "uid\u003dadmin,ou\u003dsystem",
    "systemCredential": "secret",
    "systemLoginPermitted": "true",
    "authenticationType": "simple",
    "passwordEncoding": "SHA",
    "externalLDAP": false
  },
  "_id": "9760ad71-657e-4da1-bb03-8124056ce9db"
}

Settings.host is the dotted path to the host setting inside the Settings object. The other settings can be updated the same way by listing several dotted paths in the $set object, for example:

monsterDB> db.Properties.updateOne({"PropertyType": "Authentication"}, {'$set': {'Settings.host': 'ldap://somehost:389', 'Settings.externalLDAP': true}})

The meanings of the settings are:

Property               Meaning
host                   The protocol://host:port of the server hosting the LDAP service; it must be reachable from Custodian
prefix                 The characters that prefix the known part of the user's common name in LDAP; in cn=myuser,ou=users,ou=system it is cn=
suffix                 The suffix of the user's common name; in the example above it is ,ou=users,ou=system
systemPrinciple        The system principal used to log in to the LDAP server; needed if you wish Custodian to create users directly
systemCredential       The password for the systemPrinciple; needed if you wish Custodian to create users directly
systemLoginPermitted   Whether the system principal and credential should be used
authenticationType     The LDAP authentication method to use (simple in the example above)
passwordEncoding       The encoding (hash) applied to passwords, for example SHA
externalLDAP           Set to true to prevent Custodian trying to create users in the LDAP database
allowSelfProvisioning  No longer used
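The following Python script is an added example, not Custodian's or monsterDB's own code. It takes the setting names from the table above and shows three things a practitioner wants before saving the document: how prefix and suffix compose with a username into the bind DN, a review of the settings document (host form, ldap:// versus ldaps://, the systemPrinciple/systemCredential pairing and the externalLDAP interaction), and the Settings.<key> dotted-path form of the updateOne $set argument, together with a check for the duplicate Authentication records the caution above describes. The validation rules, the RFC 4514 escaping of the username (the page does not say whether Custodian escapes it) and the sample document are assumptions made for illustration.

```python
"""Review helpers for a Custodian "Authentication" properties document.
Added example, not Custodian/monsterDB code; setting names are from the page's
table, the rules and the sample document below are assumptions."""
import re

# Setting names documented on the page (allowSelfProvisioning is listed as unused).
KNOWN_KEYS = {
    "host", "prefix", "suffix", "systemPrinciple", "systemCredential",
    "systemLoginPermitted", "authenticationType", "passwordEncoding",
    "externalLDAP", "allowSelfProvisioning",
}
# protocol://host:port, the form the page gives for the host setting.
HOST_RE = re.compile(r"^(ldap|ldaps)://[^/:\s]+:\d{1,5}$")
# Characters RFC 4514 requires to be escaped inside a DN attribute value.
_DN_SPECIAL = ',+"\\<>;='

# Constructed sample mirroring the page's find() output (not a real deployment).
SAMPLE_SETTINGS = {
    "allowSelfProvisioning": True,
    "host": "ldap://localhost:10389",
    "prefix": "cn=",
    "suffix": ",ou=users,ou=system",
    "systemPrinciple": "uid=admin,ou=system",
    "systemCredential": "secret",
    "systemLoginPermitted": "true",
    "authenticationType": "simple",
    "passwordEncoding": "SHA",
    "externalLDAP": False,
}


def escape_dn_value(value: str) -> str:
    """Escape a username so it cannot alter the structure of the composed DN
    (assumption: whether Custodian does this itself is not stated on the page)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_bind_dn(settings: dict, username: str) -> str:
    """prefix + username + suffix, e.g. cn=myuser,ou=users,ou=system."""
    return settings["prefix"] + escape_dn_value(username) + settings["suffix"]


def _is_true(value) -> bool:
    """The page stores systemLoginPermitted as the string "true" but externalLDAP
    as a boolean, so accept both spellings."""
    return value is True or str(value).lower() == "true"


def check_settings(settings: dict) -> list:
    """Return findings a reviewer should look at before saving the document."""
    findings = []
    for key in settings:
        if key not in KNOWN_KEYS:
            findings.append(f"unknown setting {key!r}: not in the documented settings")
    host = settings.get("host", "")
    if not HOST_RE.match(host):
        findings.append(f"host {host!r} is not of the form protocol://host:port")
    elif host.startswith("ldap://"):
        findings.append("host uses ldap://, so binds (including systemCredential) travel in clear text")
    if _is_true(settings.get("systemLoginPermitted")):
        if not settings.get("systemPrinciple") or not settings.get("systemCredential"):
            findings.append("systemLoginPermitted is true but systemPrinciple/systemCredential are missing")
        if _is_true(settings.get("externalLDAP")):
            findings.append("externalLDAP is true, so the system credential is not needed "
                            "for creating users; check whether it still needs to be stored")
    return findings


def build_set_update(changes: dict) -> dict:
    """Build the updateOne() argument using Settings.<key> dotted paths, as on the page."""
    unknown = sorted(set(changes) - KNOWN_KEYS)
    if unknown:
        raise ValueError(f"unknown settings: {unknown}")
    return {"$set": {f"Settings.{key}": value for key, value in changes.items()}}


def duplicate_auth_ids(docs: list) -> list:
    """_ids of Authentication records when more than one exists; the page warns
    that with duplicates either record could be used at authentication time."""
    ids = [d.get("_id") for d in docs if d.get("PropertyType") == "Authentication"]
    return ids if len(ids) > 1 else []


if __name__ == "__main__":
    for finding in check_settings(SAMPLE_SETTINGS):
        print("-", finding)
    print(build_bind_dn(SAMPLE_SETTINGS, "myuser"))
    print(build_set_update({"host": "ldaps://somehost:636", "externalLDAP": True}))
```

Run the script as-is to see the findings for the page's sample document; the only one it reports is the ldap:// transport, which is worth weighing because the systemCredential is sent on every bind. The DN escaping is the kind of check to confirm against the real Custodian behaviour rather than assume.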

Once the settings are saved, the Custodian service needs to be restarted for them to take effect.

Step 2: Enable LDAP for the user:

The owner or admin user for the system can change other team members' roles using the Team option from the settings menu, as shown.

Team members are listed in the dialog; click on the team member you wish to change:

The team member's details are shown; choose the options as follows:

Select Remote for the user to log in against the LDAP directory.