LDAP Authentication
This section describes how to use the EDG server with LDAP authentication. Currently, only Microsoft Active Directory (AD) on Windows Server is supported.
Note
LDAP authentication is only for use with form or basic authentication. Thus TopQuadrant recommends only using LDAP in test environments. For interactive end-user login in production environments, use Authentication with OpenID Connect (OIDC) or SAML Authentication, and for programmatic API users, use Authentication with OAuth 2.0.
Enabling LDAP
To enable LDAP authentication, create a configuration file for LDAP. EDG will use LDAP authentication if this file exists. By default, this file should be named ldap.yaml and is located in the same folder as The Setup File. You can customize the name or location of the configuration file using the ldapConfigFile setting in the setup file:
ldapConfigFile = /my/folder/myldap.yaml
The ldap.yaml file
The file uses YAML syntax. It consists of an LDAP configuration record of the following form:
domain: your.example.com
ldapUrl: ldaps://192.168.1.42
rootDn: dc=your,dc=example,dc=com
searchFilter: (&(objectClass=user)(userPrincipalName={0}))
A record consists of these elements:
domain (required)
Your Active Directory domain name. If you are unsure what your domain name is, contact your AD administrator.
ldapUrl (required)
The URL of your LDAP server.
rootDn (required)
The Distinguished Name of your root LDAP domain. It should be a comma-separated list of attributes in X.500 syntax.
searchFilter (optional)
An LDAP search filter used to look up AD accounts. If not specified, (&(objectClass=user)(userPrincipalName={0})) will be used, which should work in most situations. User IDs are typically of the form user@domain. To match the entire user ID, including the domain, use {0}. To match only the user portion, use {1}. For example: searchFilter: (sAMAccountName={1}).
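As an added example (not part of EDG or this documentation), the following Python script parses a record of this form, checks the required elements, and expands the {0} and {1} placeholders for a given user ID, escaping the user-supplied value per RFC 4515 so a login name cannot alter the filter's structure. The minimal parser, the sample record and the function names are assumptions made for illustration.

```python
"""Added example (not EDG's own code): parse an ldap.yaml record of the
form shown above, check its required keys, and expand the searchFilter
placeholders {0} (full user ID) and {1} (user portion before '@').
User-supplied values are escaped per RFC 4515 before substitution so a
login name cannot change the filter's structure. The record is a flat
key: value mapping, so a minimal line parser replaces a YAML library."""
REQUIRED = ("domain", "ldapUrl", "rootDn")
DEFAULT_FILTER = "(&(objectClass=user)(userPrincipalName={0}))"

# Constructed sample in the record layout documented above.
SAMPLE_YAML = """\
domain: your.example.com
ldapUrl: ldaps://192.168.1.42
rootDn: dc=your,dc=example,dc=com
searchFilter: (sAMAccountName={1})
"""

def parse_record(text: str) -> dict:
    """Parse the flat 'key: value' record and enforce the required keys."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        record[key.strip()] = value.strip()
    missing = [k for k in REQUIRED if not record.get(k)]
    if missing:
        raise ValueError(f"ldap.yaml missing required keys: {missing}")
    record.setdefault("searchFilter", DEFAULT_FILTER)
    return record

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a filter assertion."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def build_search_filter(record: dict, user_id: str) -> str:
    """Substitute {0} (whole ID) and {1} (part before '@') into the filter."""
    user_part = user_id.split("@", 1)[0]
    template = record["searchFilter"]
    return (template.replace("{0}", escape_filter_value(user_id))
            .replace("{1}", escape_filter_value(user_part)))

if __name__ == "__main__":
    rec = parse_record(SAMPLE_YAML)
    print(build_search_filter(rec, "alice@your.example.com"))
```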
Note
Changes made at the LDAP server will not be visible immediately in EDG. The user must log out (or the session must expire) and then log in again. Alternatively, an administrator can end the session.