Version: 1.21.0 (latest)

Configure LDAP user access

note

You must have the admin role assigned to view the following Settings pages in the UI:

  • LDAP Authentication
  • Access Control
  • Activity Log

Manage user access using LDAP#

Use a Lightweight Directory Access Protocol (LDAP) service to manage which users can access Data Migrator. If your LDAP service has user groups, you can use them to manage different access levels for signed-in users. For more information, see Manage LDAP user access control.

note

We refer exclusively to LDAP for brevity, although Microsoft's Active Directory (AD) is also supported.

Configure LDAP sign-in credentials for Data Migrator users in the UI#

note

You may also configure LDAP authentication in the CLI. However, we recommend doing it in the UI as it lets you know if you've entered details incorrectly.

  1. Sign in to the UI with your registered user account.
  2. Select Settings from the left-side navigation menu.
  3. Select LDAP Authentication from the submenu.
  4. Select the Enable LDAP Authentication checkbox.
  5. Fill in the LDAP server Configuration section with the authentication details for your LDAP Server:
    1. Enter the LDAP Server Hostname. This is the URL or hostname of your LDAP/AD server. For example, "hostname.com".
    2. Select the Use SSL checkbox if connecting to the LDAP service using Secure Sockets Layer (SSL).
    3. Check the Port is correct. The default is 389, or 636 if using SSL.
    4. To connect to the LDAP server without providing credentials, check Connect Anonymously. Only use this option if your LDAP server doesn't have an admin account, such as those used for testing.
    5. To connect to the LDAP server with credentials, enter the Administrator Bind Username, the distinguished name (DN) used to authenticate. For example, cn=administrator,dc=example,dc=com. Enter the corresponding Administrator Bind Password.
  6. Select the Check Connection button to test your connection to the LDAP server. If valid, the following message will appear: "Your settings are valid and connection to the LDAP server was made." If you don't see this message, check your settings.

Add users to Data Migrator through LDAP#

The User Search Configuration forms the query that polls your LDAP service for the user accounts that match the LDAP criteria you entered.

  1. Enter the following:

    Base DN (Distinguished Name): This is the point in the LDAP tree where the search for users is performed. For example, dc=example,dc=com.

    note

    The Base DN is used for both Group and User searching. Consider the following structure: your groups are under ou=groups,dc=example,dc=com and your users are under ou=users,dc=example,dc=com. The Base DN needs to be dc=example,dc=com, the User Search Base should be ou=users, and the Group Search Base on the Access Control settings page should be ou=groups.

    User Search Base: (Optional) This is prepended onto the base DN to give the point in the LDAP tree where the user search will begin, for example, ou=engineering. Alternatively, you could leave the User Search Base empty and give ou=engineering,dc=example,dc=com or dc=example,dc=com as the Base DN.

    User Search Filter: This is the LDAP search filter used to match accounts. For example, (uid={0}).

    The {0} is replaced with the LDAP username that is used on the sign-in page. So (uid={0}) will search for a user where the uid matches the sign-in page username. A bind to the located user is then attempted using the corresponding sign-in password.

    You can give a User Search Filter specific enough to match the user, for example, (&(sAMAccountName={0})(objectClass=iNetOrgPerson)). The {0} is replaced with the value entered in the sign-in form. For the example LDAP user shown below, the sign-in value would need to match the sAMAccountName of john.smith and the object found would need to be an iNetOrgPerson.

    Example LDAP User

        dn: cn=John Smith,ou=people,dc=example,dc=com
        objectClass: top
        objectClass: person
        objectClass: organizationalPerson
        objectClass: user
        objectClass: inetOrgPerson
        cn: John Smith
        sn: Smith
        givenName: John
        initials: JS
        distinguishedName: CN=John Smith,OU=people,DC=example,DC=com
        displayName: John Smith
        name: John Smith
        sAMAccountName: john.smith
        userPrincipalName: john.smith@example.com
        mail: john.smith@example.com
        ...

    Email Address Attribute: (Optional) This is the LDAP attribute for user email addresses. For example, "mail". This is used to display additional information in the UI.

    Full name attribute: (Optional) This is the LDAP attribute used for a user's full name. For example, "cn". This is used to display additional information in the UI.

  2. The number of LDAP users that match your criteria is reported at the bottom of the screen. If this number matches your expectation, submit the settings using the Apply button.

    note

    IMPORTANT: Once submitted, these settings apply immediately. All signed-in users will be signed out.

  3. Sign back in to the UI with your original registered user account. Return to the LDAP Authentication screen and confirm that the Enable LDAP Authentication checkbox is selected. You can manage user access in the next section, Manage LDAP user access control.

Manage LDAP user access control#

Use the Access Control tab in the Settings submenu to manage the level of access for each LDAP user. Users must be assigned to LDAP groups in order to be given different privileges. These LDAP groups can then be mapped to the following Data Migrator role-based groups:

| Role-based Group | Description |
| --- | --- |
| Admin Group | Users assigned to the Admin Group have full access to Data Migrator and may perform any configuration change. |
| Migration Manager | Users assigned to a Migration Manager Group may only configure migrations. They have no access to any other product settings. |
| Read Only | Read Only is an optional default role, enabled through the Default access to Read Only checkbox on the Access Control tab. If enabled, all authenticated users that are not assigned to either an Admin Group or a Migration Manager Group are automatically added to the Read Only group. |

When you sign in to the UI, your assigned role is listed on the Dashboard along with your Data Migrator username.

Example sign-in role label

Set up role-based access control#

Once LDAP is enabled and is successfully polling users, follow these steps to assign role-based access control:

  1. Sign in to the UI using an admin account.

  2. View the Access Control tab under Settings.

  3. The Default access to Read Only checkbox is automatically selected. This is not required but is good practice as it ensures that matched LDAP users may sign in but they cannot make changes to Data Migrator until they are explicitly assigned to the Admin Group or Migration Manager Group.

  4. Enter the LDAP Group Filter. This finds a group based on a user. Using (member={0}) will take the distinguished name (DN) of the signed-in user and search for a group containing that DN as one of the values of its "member" attribute. The located group is then evaluated against the rest of your settings to decide on the level of access for the user.

  5. Enter a Group Name Attribute. This is the group name attribute that gets matched against the values entered for the role-based groups (Admin Groups, Migration Manager Groups, and Read-only Groups).

    For example:
    If you use "cn" and have a group search filter of (member={0}) and a user of cn=John,ou=engineer,dc=example,dc=com, you'll first find a group which contains "cn=John,ou=engineer,dc=example,dc=com" as a value for the "member" attribute. Assuming success, you'd find the group, cn=mygroup,ou=groups,dc=example,dc=com. You then take the "cn" of the group, for example, "mygroup", and match it against the values you entered for the different group roles. For example, assigning "mygroup" as a migration manager group will set its members with migration manager permissions.

  6. Enter an LDAP Group Search Base (Optional). This sets the starting point in the directory tree for the search, for example, ou=admins,dc=example,dc=com.
    Assuming a Base DN of dc=example,dc=com, any of the following configurations would be permitted:

    • A Group Search Base of ou=subgroups,ou=groups and One Level Search or Subtree search selected.
    • A Group Search Base of ou=groups and Subtree Search selected.
    • A Group Search Base left empty and Subtree Search selected.
  7. Select either One Level Search or Subtree Search. A One-Level Search looks for groups in the immediate children of your base object. The Subtree Search looks for groups more deeply as it searches all child objects and the base object.

  8. Under Role Mapping, enter the group name for each LDAP group you want to map to Data Migrator's Admin Groups or Migration Manager Groups. You can enter multiple LDAP groups as a comma-separated list.

  9. Confirm that the expected number of users is retrieved for each group. If you get zero matches, check your filter settings. Once you confirm the correct number of users is matched, select + Add Admin Group and + Add Migration Manager Group, then select Apply.

Changes to a user's privileges will apply when they next sign in.

Example LDAP Group

    cn=admins,ou=subgroups,ou=groups,dc=springframework,dc=org

    Attributes:
    objectclass: top
    objectclass: groupOfUniqueNames
    cn: admins
    ou: admin
    uniqueMember: uid=rob@test.com,ou=people,dc=springframework,dc=org
    uniqueMember: uid=joe,ou=otherpeople,dc=springframework,dc=org
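The following is an added Python model, not Data Migrator's own code, of how the User Search Configuration and the Access Control settings from the two sections above combine: substitute the sign-in name into the user filter, search below Base DN plus User Search Base, bind as the located user, substitute that user's DN into the group filter, search the group base at the chosen scope, and map the Group Name Attribute values onto the role-based groups. It runs against a constructed in-memory directory and assumes RFC 4515 escaping of the substituted {0} value, Subtree scope for the user search, and Admin precedence when a user is in both kinds of group; the page does not state how Data Migrator handles those cases.

```python
import re
# Constructed sample directory standing in for the LDAP server: DN -> attributes (keys lowercased).
DIRECTORY = {
    "cn=John Smith,ou=people,dc=example,dc=com": {"objectclass": ["inetOrgPerson"],
        "cn": ["John Smith"], "samaccountname": ["john.smith"], "userpassword": ["sample-pw-1"]},
    "cn=Jane Doe,ou=people,dc=example,dc=com": {"objectclass": ["inetOrgPerson"],
        "cn": ["Jane Doe"], "samaccountname": ["jane.doe"], "userpassword": ["sample-pw-2"]},
    "cn=admins,ou=subgroups,ou=groups,dc=example,dc=com": {"objectclass": ["groupOfNames"],
        "cn": ["admins"], "member": ["cn=John Smith,ou=people,dc=example,dc=com"]},
    "cn=mygroup,ou=groups,dc=example,dc=com": {"objectclass": ["groupOfNames"],
        "cn": ["mygroup"], "member": ["cn=Jane Doe,ou=people,dc=example,dc=com"]},
}

def escape_filter_value(value):
    """RFC 4515 escaping of a value substituted for {0}, so it cannot alter the filter's shape."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def matches(attrs, filt):
    """Evaluate a filter limited to equality and AND, e.g. (&(a=b)(c=d)); values compared escaped."""
    if filt.startswith("(&"):
        return all(matches(attrs, f"({s})") for s in re.findall(r"\(([^()]*)\)", filt[2:-1]))
    attr, _, val = filt[1:-1].partition("=")
    return val.lower() in (escape_filter_value(v).lower() for v in attrs.get(attr.lower(), []))

def search(base_dn, filt, scope):  # scope: 'one' = One Level Search, 'sub' = Subtree Search
    suffix = "," + base_dn.lower()
    return [dn for dn, attrs in DIRECTORY.items() if dn.lower().endswith(suffix)
            and (scope == "sub" or "," not in dn[: -len(suffix)])  # sample DNs: no escaped commas
            and matches(attrs, filt)]

def resolve_role(username, password, cfg):
    """Mirror the page's flow: user search -> bind as that user -> group search -> role mapping."""
    ubase, gbase = (",".join(filter(None, (cfg[k], cfg["base_dn"]))) for k in ("user_search_base", "group_search_base"))
    users = search(ubase, cfg["user_filter"].replace("{0}", escape_filter_value(username)), "sub")
    if len(users) != 1 or DIRECTORY[users[0]].get("userpassword") != [password]:
        return None  # no unique match, or the bind failed: sign-in rejected
    group_filter = cfg["group_filter"].replace("{0}", escape_filter_value(users[0]))
    names = {n.lower() for g in search(gbase, group_filter, cfg["group_scope"])
             for n in DIRECTORY[g].get(cfg["group_name_attr"].lower(), [])}
    if names & {g.lower() for g in cfg["admin_groups"]}:  # assumption: Admin wins when in both
        return "Admin"
    if names & {g.lower() for g in cfg["manager_groups"]}:
        return "Migration Manager"
    return "Read Only" if cfg["default_read_only"] else None

CONFIG = {  # constructed settings, in the shape of the LDAP Authentication and Access Control screens
    "base_dn": "dc=example,dc=com", "user_search_base": "ou=people",
    "user_filter": "(&(sAMAccountName={0})(objectClass=inetOrgPerson))",
    "group_search_base": "ou=groups", "group_scope": "sub", "group_filter": "(member={0})",
    "group_name_attr": "cn", "admin_groups": ["admins"], "manager_groups": ["mygroup"],
    "default_read_only": True}
```

With group_scope set to "one", the admins group under ou=subgroups is no longer found and John falls back to Read Only, which is the situation the Group Search Base bullets above describe.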

Using LDAPS#

To use Lightweight Directory Access Protocol over SSL (LDAPS), you need a trusted certificate in the UI JVM truststore that matches the certificate presented by the LDAP server. By default, the Java virtual machine (JVM) running the UI uses a truststore called cacerts.

To use a self-issued LDAP server certificate, you must import the certificate for this private certificate authority into the cacerts file. See the Oracle documentation for steps to import a trusted certificate into a truststore.

LDAP/RBAC troubleshooting#

Use the following steps to identify common LDAP and role-based access control issues.

Check the activity log to confirm that a user is assigned the expected role#

  1. Sign in to the UI with an admin account.

  2. Go to Activity Log, under Settings.

  3. Search by Action "Roles assigned to user" and by Role, selecting the role you want to confirm as assigned to users. Note that roles are assigned each time a user authenticates, so you may need to check the entry for the latest sign-in.

note

You can view UI activity in the log file /var/log/wandisco/audit/ui.

Check LDAP settings#

Verify the current LDAP settings by viewing /etc/wandisco/ui/application-prod.properties.

For example:

    application.ldap.baseDn=OU\=ldap-base,DC\=ldap-tld,DC\=internal
    application.ldap.baseUrl=ldap\://your-ldap.server.url
    application.ldap.userSearchFilter=mail\=*@email-address.com
    application.ldap.mappings.fullName=cn
    application.ldap.managerPassword=ENcodedPassWord
    application.ldap.managerDn=ldap-tld\\Administrator
    application.ldap.mappings.email=mail
    application.ldap.enabled=true