Skip to main content
Version: 2.2

Configure LDAP user access

note

You must have the admin role assigned to view the following Settings pages in the UI:

  • LDAP Authentication
  • Access Control
  • Activity Log

Manage user access using LDAP

Use a Lightweight Directory Access Protocol (LDAP) service to manage which users can access Data Migrator. If your LDAP service has user groups, you can use them to manage different access levels for signed-in users. For more information, see Manage LDAP user access control.

note

We refer exclusively to LDAP for brevity, although Microsoft's Active Directory (AD) is also supported.

Configure LDAP sign-in credentials for Data Migrator users in the UI

note

You may also configure LDAP authentication in the CLI. However, we recommend doing it in the UI as it lets you know if you've entered details incorrectly.

  1. Sign in to the UI with your registered user account.
  2. Select the settings cog on the upper-right to go to the Settings page.
  3. Select LDAP Authentication from the submenu.
  4. Select the Enable LDAP Authentication checkbox.
  5. Fill in the LDAP server Configuration section with the authentication details for your LDAP Server:
    1. Enter the LDAP Server Hostname. This is the URL or hostname of your LDAP/AD server. For example, "hostname.com".
    2. Select the Use SSL checkbox if connecting to the LDAP service using Secure Sockets Layer (SSL).
    3. Check the Port is correct. The default is 389, or 636 if using SSL.
    4. To connect to the LDAP server without providing credentials, check Connect Anonymously. Only use this option if your LDAP server doesn't have an admin account, such as those used for testing.
    5. To connect to the LDAP server with credentials, enter the Administrator Bind Username, the distinguished name (DN) used to authenticate. For example, cn=administrator,dc=example,dc=com. Enter the corresponding Administrator Bind Password.
  6. Select the Check Connection button to test your connection to the LDAP server. If valid, the following message will appear: "Your settings are valid and connection to the LDAP server was made." If you don't see this message, check your settings.

Add users to Data Migrator through LDAP

The User Search Configuration forms the query that polls your LDAP service for the user accounts that match the LDAP criteria you entered.

  1. Enter the following:

    Base DN (Distinguished Name): This is the point in the LDAP tree where the search for users is performed. For example, dc=example,dc=com.

    note

    The Base DN is used for both Group and User searching. Consider the following structure: your groups are under ou=groups,dc=example,dc=com and your users are under ou=users,dc=example,dc=com. The Base DN needs to be dc=example,dc=com, the User Search Base should be ou=users, and the Group Search Base on the Access Control settings page should be ou=groups.

    User Search Base: (Optional) This is prepended onto the base DN to give the point in the LDAP tree where the user search will begin, for example, ou=engineering. Alternatively, you could leave the User Search Base empty and give ou=engineering,dc=example,dc=com or dc=example,dc=com as the Base DN.

    User Search Filter: This is the LDAP search filter used to match accounts. For example, (uid={0}).

    The {0} is replaced with the LDAP username that is used on the sign-in page. So (uid={0}) searches for a user where the uid matches the sign-in page username. A bind to the located user is then attempted using the corresponding sign-in password.

    You can give a User Search Filter specific enough to match the user, for example, (&(sAMAccountName={0})(objectClass=iNetOrgPerson)). The {0} is replaced for the value entered in the sign-in form. For the example LDAP users listed below, the sign-in value needs to match the sAMAccountName of john.smith and the object found needs to be iNetOrgPerson.

    Example LDAP User
    dn: cn=John Smith,ou=people,dc=example,dc=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    objectClass: inetOrgPerson
    cn: John Smith
    sn: Smith
    givenName: John
    initials: JS
    distinguishedName: CN=John Smith,OU=people,DC=example,DC=com
    displayName: John Smith
    name: John Smith
    sAMAccountName: john.smith
    userPrincipalName: john.smith@example.com
    mail: john.smith@example.com
    ...

    Email Address Attribute: (Optional) This is the LDAP attribute for user email addresses. For example, "mail". This is used to display additional information in the UI.

    Full name attribute: (Optional) This is the LDAP attribute used for a user's full name. For example, "cn". This is used to display additional information in the UI.

  2. The number of LDAP users that match your criteria is reported at the bottom of the screen. If this number matches your expectation, submit the settings using the Apply button.

    note

    IMPORTANT: Once submitted, these settings apply immediately. All signed in users will be signed out.

  3. Sign back in to the UI with your original registered user account. Return to the LDAP Authentication screen and confirm that the Enable LDAP Authentication checkbox is selected. You can manage user access in the next section, Manage LDAP user access control.

Manage LDAP user access control

Use the Access Control tab in the Settings submenu to manage the level of access for each LDAP user. Users must be assigned to LDAP groups in order to be given different privileges. These LDAP groups can then be mapped to the following Data Migrator role-based groups:

Role-based GroupDescription
Admin GroupUsers assigned to the Admin Group have full access to Data Migrator and may perform any configuration change.
Migration ManagerUsers assigned to a Migration Manager Group may only configure migrations. They have no access to any other product settings.
Read OnlyRead Only is an optional default role, enabled through the Default access to Read Only checkbox on the Access Control tab. If enabled, then all authenticate users that are not assigned to either an Admin Group or Migration Manager Group will automatically be added to the Read Only group.

When you sign in to the UI, your assigned role is listed on the upper-right side of the Dashboard along with your Data Migrator username.

Example sign in role label

Set up role-based access control

After LDAP is enabled and is successfully polling users, follow these steps to assign role-based access control:

  1. Sign in to the UI using an admin account.

  2. View the Access Control tab under Settings.

  3. The Default access to Read Only checkbox is automatically selected. This is not required but is good practice as it ensures that matched LDAP users may sign in but they cannot make changes to Data Migrator until they are explicitly assigned to the Admin Group or Migration Manager Group.

  4. Enter the LDAP Group Filter. This finds a group based on a user. Using (member={0}) will take the distinguished name (DN) of the signed-in user and search for a group containing that DN as one of the values of its "member" attribute. The located group is then evaluated against the rest of your settings to decide on the level of access for the user.

  5. Enter a Group Name Attribute. This is the group name attribute that gets matched against the values entered for the role-based groups (Admin Groups, Migration Manager Groups, and Read-only Groups).

    For example:
    If you use "cn" and have a group search filter of (member={0}) and a user of cn=John,ou=engineer,dc=example,dc=com, you'll first find a group which contains "cn=John,ou=engineer,dc=example,dc=com" as a value for the "member" attribute. Assuming success, you'd find the group, cn=mygroup,ou=groups,dc=example,dc=com. You then take the "cn" of the group, for example, "mygroup", and match it against the values you entered for the different group roles. For example, assigning "mygroup" as a migration manager group will set its members with migration manager permissions.

  6. Enter an LDAP Group Search Base (Optional). This sets the starting point in the directory tree for the search, for example, ou=admins,dc=example,dc=com.
    Assuming a Base DN of dc=example,dc=com, any of the following configurations would be permitted:

    • A Group Search Base of ou=subgroups,ou=groups and Base or Subtree search selected.
    • A Group Search Base of ou=groups and Subtree search selected.
    • A Group Search Base left empty and Subtree search selected.
  7. Select either a Base or Subtree search. A Base search looks for groups in the immediate children of your base object. The Subtree search looks for groups more deeply as it searches all child objects and the base object.

  8. Under Role Mapping, enter the attribute name for each LDAP group you want to map to the Data Migrator's admin groups or migration manager groups.

    note

    You must add attribute names one at a time.

  9. Confirm that the expected number of users is retrieved for each group. If you get zero matches, check your filter settings. Once you confirm the correct numbers of users are matched, select + Add Admin Group and + Add Migration Manager Group, then select Apply. You can remove an attribute from the LDAP group by clicking on the trash icon beside it.

Changes to a user's privileges will apply when they next sign in.

Example LDAP Group
cn=admins,ou=subgroups,ou=groups,dc=springframework,dc=org

Attributes
objectclass: top
objectclass: groupOfUniqueNames
cn: admins
ou: admin
uniqueMember:
uid=rob@test.com,ou=people,dc=springframework,dc=org
uniqueMember:
uid=joe,ou=otherpeople,dc=springframework,dc=org

Using LDAPS

To use Lightweight Directory Access Protocol over SSL (LDAPS), you need a trusted certificate in the UI JVM truststore that matches the certificate presented by the LDAP server. By default, the Java virtual machine (JVM) running the UI uses a truststore called cacerts.

To use a self-issued LDAP server certificate, you must import the certificate for this private certificate authority into the cacerts file. See the Oracle documentation for steps to import a trusted certificate into a truststore.

LDAP/RBAC troubleshooting

Use the following steps to identify common LDAP and role-based access control issues.

Check the activity log to confirm that a user is assigned the expected role

  1. Sign in to the UI with an admin account.

  2. Go to Activity Log, under Settings.

  3. Search by User, Role, or Action, selecting the role you want to confirm as assigned to users. Note that roles are assigned each time a user authenticates, so you may need to check the entry for the latest sign in.

note

You can view UI activity in the log file /var/log/wandisco/audit/ui.

Check LDAP settings

Verify the current LDAP settings by viewing /etc/wandisco/ui/application-prod.properties.

For example:

_application.ldap.baseDn=OU\=ldap-base,DC\=ldap-tld,DC\=internal_
_application.ldap.baseUrl=ldap\://your-ldap.server.url_
_application.ldap.userSearchFilter=mail\=*@email-address.com_
_application.ldap.mappings.fullName=cn_
_application.ldap.managerPassword=ENcodedPassWord_
_application.ldap.managerDn=ldap-tld\\Administrator_
_application.ldap.mappings.email=mail_
_application.ldap.enabled=true_