LDAP

JFrog Platform Administration Documentation

Overview

The JFrog Platform supports authenticating users against an LDAP server out-of-the-box.

When LDAP authentication is active, the JFrog Platform Deployment (JPD) first attempts to authenticate the user against the LDAP server. If LDAP authentication fails, it then tries to authenticate the user against its internal database.

For every LDAP-authenticated user, a new user is created in the internal database (provided the user does not already exist) and is automatically assigned to the default groups.

Managing Permissions for LDAP Groups

Your LDAP groups can be synchronized so that you can leverage your existing organizational structure when managing group-based permissions. LDAP groups in the system use caching and support the Static, Dynamic and Hierarchical mapping strategies.

Powerful management is accomplished with multiple, switchable LDAP settings and visual feedback about the up-to-date status of groups and users coming from LDAP.

For full details on how to synchronize your LDAP Groups with Artifactory, please refer to LDAP Groups.

Using Active Directory?

If you are using Active Directory to authenticate users, please refer to Active Directory.

WebUI Changes implemented in Artifactory 7.38.x and above

Security is now called Authentication Providers. All the relevant text and images on this page have been updated to reflect this change.

Configuration

To configure LDAP authentication, in the Administration module go to Authentication Providers | LDAP and click New LDAP Settings.

The LDAP connection settings are as follows (each setting name is followed by its description):

Enabled

When set, these settings are enabled.

Settings Name

The unique ID of the LDAP setting.

LDAP URL

Location of the LDAP server in the following format: ldap://myserver:myport/dc=sampledomain,dc=com.

The URL should include the base DN used to search for and/or authenticate users.

Auto Create System Users

When set, the system will automatically create new users for those who have logged in using LDAP, and assign them to the default groups.

Allow Created Users Access To Profile Page

When set, users created after logging in using LDAP will be able to access their profile page.

Used Page Results

When set, search results are requested from the LDAP server in pages. This requires that the LDAP server supports the PagedResultsControl.

User DN Pattern

A DN pattern used to log users directly in to the LDAP database. This pattern is used to create a DN string for "direct" user authentication, and is relative to the base DN in the LDAP URL.

The pattern argument {0} is replaced with the username at runtime. This only works if a user's DN can be built directly from the username (which is not the default case for Active Directory); otherwise use a Search Filter, normally together with a Manager DN.

For example:

uid={0},ou=People

Email Attribute

An attribute that can be used to map a user's email to a user created automatically by the system.

Search Filter

A filter expression used to search for the user DN that is used in LDAP authentication.

This is an LDAP search filter (as defined in 'RFC 2254') with optional arguments. In this case, the username is the only argument, denoted by '{0}'.

Possible examples are:

(uid={0}) - searches for an entry whose uid attribute matches the username.

If the search succeeds, the user is authenticated by binding as the DN that was found.

Search Base

The context name in which to search, relative to the base DN in the LDAP URL. Multiple search bases may be specified, separated by a pipe (|). This parameter is optional.

Secure LDAP Search

Protects against LDAP poisoning attacks by filtering out user entries that are exposed to such attacks.

Search Sub Tree

When set, enables deep search through the sub-tree of the LDAP URL + Search Base. True by default.

Manager DN

The full DN of a user with permissions that allow querying the LDAP server. When working with LDAP Groups, the user should have permissions for any extra group attributes such as memberOf.

Manager Password

The password of the user binding to the LDAP server when using "search" authentication.

Test LDAP Connection

Run an LDAP test to validate that your settings are correct.
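As an added example (not code from this page or from JFrog), the following Python shows what the two authentication modes described above do with a login name: the User DN Pattern builds a DN relative to the base DN taken from the LDAP URL, while the Search Filter substitutes the name into an RFC 4515 filter that is run under each Search Base. The escaping functions are a hand-written stand-in for what the platform's own LDAP client does; the point to take away is that a username such as *)(uid=admin must be escaped before substitution, otherwise it changes the filter instead of being matched as a value. No server is contacted.

```python
# Added example (not JFrog's code): what the User DN Pattern and Search Filter
# settings turn a login name into, and why the username has to be escaped before
# it is substituted for {0}.  Standard library only; nothing contacts a server.
from urllib.parse import urlsplit, unquote


def parse_ldap_url(url):
    """Split an LDAP URL of the form ldap://host:port/base-dn into its parts.
    The base DN is the root for both DN patterns and searches."""
    u = urlsplit(url)
    if u.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {u.scheme!r}")
    port = u.port or (636 if u.scheme == "ldaps" else 389)
    return u.scheme, u.hostname, port, unquote(u.path.lstrip("/"))


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514, section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """Escape a value for use inside a search filter (RFC 4515, section 3)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def direct_bind_dn(user_dn_pattern, base_dn, username):
    """'Direct' authentication: {0} in the pattern becomes the (escaped) username
    and the result is appended to the base DN; the platform then binds as that DN
    with the password the user typed."""
    relative = user_dn_pattern.replace("{0}", escape_dn_value(username))
    return f"{relative},{base_dn}"


def search_requests(search_filter, search_base, base_dn, username, subtree=True):
    """'Search' authentication: the Manager DN binds, runs this filter under each
    search base ('|'-separated), and the platform binds as the DN that is found."""
    flt = search_filter.replace("{0}", escape_filter_value(username))
    bases = [b.strip() for b in search_base.split("|") if b.strip()] or [""]
    return [
        {
            "base": f"{b},{base_dn}" if b else base_dn,
            "scope": "subtree" if subtree else "onelevel",
            "filter": flt,
        }
        for b in bases
    ]


if __name__ == "__main__":
    scheme, host, port, base_dn = parse_ldap_url("ldap://myserver:389/dc=sampledomain,dc=com")
    print(direct_bind_dn("uid={0},ou=People", base_dn, "jdoe"))
    # A username carrying filter metacharacters is neutralised, not interpreted:
    for req in search_requests("(uid={0})", "ou=People|ou=Service", base_dn, "*)(uid=admin"):
        print(req)
```

Run it as-is to see the DN and the two search requests printed; the escaped filter (uid=\2a\29\28uid=admin) matches nothing, whereas the raw substitution (uid=*)(uid=admin) would have changed the query's meaning.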

LDAP Groups

The LDAP Groups Add-on allows you to synchronize your LDAP groups with the system and leverage your existing organizational structure for managing group-based permissions.

Unlike many LDAP integrations, LDAP groups use caching and support the Static, Dynamic and Hierarchical mapping strategies. Management is accomplished with multiple switchable LDAP settings and visual feedback about the up-to-date status of groups and users coming from LDAP.

LDAP group synchronization works by telling the system which external groups authenticated users belong to. Once logged in, you are automatically associated with your LDAP groups and inherit the group-based permissions managed in the system.

Make sure users log in

Synchronizing LDAP groups does not automatically create users that are members of those groups. Once the LDAP connection is configured, LDAP users are created in the system only when they log in for the first time. Automatic creation of users is controlled by the Auto Create System Users checkbox in the LDAP Settings screen.

Usage

LDAP Groups settings are available in the Administration module under Authentication Providers | LDAP.

To use LDAP groups you must first set up an LDAP server for authentication in the LDAP Settings screen. You must also tell the system which LDAP group settings match your existing LDAP schema.

Active Directory Users

For specific help with setting up LDAP groups for an Active Directory installation please see Active Directory.

Group Synchronization Strategies

The JFrog Platform Deployment (JPD) supports three ways of mapping groups to LDAP schemas:

  • Static: Group objects are aware of their members, however, the users are not aware of the groups they belong to.

    Each group object such as groupOfNames or groupOfUniqueNames holds its respective member attributes, typically member or uniqueMember, which is a user DN.

  • Dynamic: User objects are aware of what groups they belong to, but the group objects are not aware of their members.

    Each user object contains a custom attribute, such as group, that holds the group DNs or group names of which the user is a member.

  • Hierarchy: The user's DN is indicative of the groups the user belongs to by using group names as part of user DN hierarchy.

    Each user DN contains a list of ou's or custom attributes that make up the group association.

    For example,

    uid=user1,ou=developers,ou=uk,dc=jfrog,dc=org indicates that user1 belongs to two groups: uk and developers.

Using OpenLDAP

When using OpenLDAP you cannot use the Dynamic strategy out of the box, because the memberOf attribute is not defined by default (it is provided by the memberof overlay), so the JPD cannot fetch it from the LDAP server.
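To make the three strategies concrete, here is an added Python example (not JFrog's code) that resolves a user's groups each way over a small directory constructed in memory. The entries, the group names release-managers and qa-leads, and the use of memberOf as the user-side group attribute are all assumptions for the illustration; user2 deliberately has no memberOf, which is the OpenLDAP situation described above and yields no groups under the Dynamic strategy.

```python
# Added example (not JFrog's code): how a user's groups are derived under the
# Static, Dynamic and Hierarchy strategies, run over a small constructed
# directory held in memory.  'memberOf' stands in for the user-side group
# attribute; user2 lacks it, as a user on OpenLDAP without the memberof overlay would.
DIRECTORY = {  # constructed sample data: DN -> attributes (multi-valued as lists)
    "uid=user1,ou=developers,ou=uk,dc=jfrog,dc=org": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["user1"],
        "memberOf": ["cn=release-managers,ou=groups,dc=jfrog,dc=org"],
    },
    "uid=user2,ou=qa,ou=us,dc=jfrog,dc=org": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["user2"],
    },
    "cn=release-managers,ou=groups,dc=jfrog,dc=org": {
        "objectClass": ["groupOfNames"],
        "cn": ["release-managers"],
        "member": ["uid=user1,ou=developers,ou=uk,dc=jfrog,dc=org"],
    },
    "cn=qa-leads,ou=groups,dc=jfrog,dc=org": {
        "objectClass": ["groupOfUniqueNames"],
        "cn": ["qa-leads"],
        "uniqueMember": [
            "uid=user2,ou=qa,ou=us,dc=jfrog,dc=org",
            "uid=user1,ou=developers,ou=uk,dc=jfrog,dc=org",
        ],
    },
}


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, honouring backslash-escaped
    commas.  Simplified RFC 4514 handling: no multi-valued RDNs, no hex escapes."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def normalize_dn(dn):
    """Case-insensitive comparison form; DNs must not be compared byte-for-byte."""
    return ",".join(f"{a}={v.lower()}" for a, v in parse_dn(dn))


def is_under(dn, base):
    dn_n, base_n = normalize_dn(dn), normalize_dn(base)
    return dn_n == base_n or dn_n.endswith("," + base_n)


def groups_static(directory, user_dn, group_base, member_attr="member", name_attr="cn"):
    """STATIC: group objects list their members; scan the groups under group_base
    for those whose member attribute holds the user's DN."""
    target = normalize_dn(user_dn)
    names = []
    for dn, attrs in directory.items():
        if not is_under(dn, group_base):
            continue
        if any(normalize_dn(m) == target for m in attrs.get(member_attr, [])):
            names.append(attrs[name_attr][0])
    return sorted(names)


def groups_dynamic(directory, user_dn, group_attr="memberOf", name_attr="cn"):
    """DYNAMIC: the user object names its groups; no group object is read.
    Returns [] when the attribute is absent from the entry."""
    names = []
    for value in directory[user_dn].get(group_attr, []):
        first_attr, first_value = parse_dn(value)[0]
        # the value may be a full group DN or just a bare group name
        names.append(first_value if first_attr == name_attr else value)
    return sorted(names)


def groups_hierarchy(user_dn, user_base, group_rdn_attr="ou"):
    """HIERARCHY: every 'ou' RDN between the user's own RDN and the search base
    is a group the user belongs to."""
    pairs = parse_dn(user_dn)
    base_len = len(parse_dn(user_base))
    between = pairs[1:len(pairs) - base_len]
    return [value for attr, value in between if attr == group_rdn_attr]


if __name__ == "__main__":
    for user in ("uid=user1,ou=developers,ou=uk,dc=jfrog,dc=org", "uid=user2,ou=qa,ou=us,dc=jfrog,dc=org"):
        print(user)
        print("  static   :", groups_static(DIRECTORY, user, "ou=groups,dc=jfrog,dc=org", "uniqueMember"))
        print("  dynamic  :", groups_dynamic(DIRECTORY, user))
        print("  hierarchy:", groups_hierarchy(user, "dc=jfrog,dc=org"))
```

Note that the Static lookup depends on which member attribute you configure (member for groupOfNames, uniqueMember for groupOfUniqueNames), and that the Hierarchy result for user1 is developers and uk, matching the example DN above.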

Synchronizing LDAP Groups with the JPD

Importing Groups Through the UI

Once you have configured how groups should be retrieved from your LDAP server, you can verify your set up by clicking the Refresh button on the Synchronize LDAP Groups sub-panel. A list of available LDAP groups is displayed according to your settings.

You are now ready to synchronize/import groups into the system. The groups table allows you to select which groups to import and displays the sync-state for each group:

A group can either be completely new or already existing in JPD. If a group already exists in the system it can become outdated (for example, if the group DN has changed) - this is indicated in the table so you can select to re-import it.

Once a group is imported (synced) a new external LDAP group is created in the system with the name of the group.

Once you have imported LDAP groups, you can manage permissions on them as with regular JPD groups. User association to these groups is external and controlled strictly by LDAP.

Note

Make sure that the LDAP group settings are enabled (in the LDAP Group Settings panel) for your settings to take effect.

To synchronize a group through the UI, in the Administration module, under Authentication Providers | LDAP, select the group you want to synchronize, and search for groups that have been defined under the corresponding group settings. Once groups have been found, select Import.

Once the groups are synchronized, you should see them in your list of groups (Administration module under Authentication Providers | Groups) indicated as External.

Using the REST API

You may also synchronize LDAP groups with the Create or Replace Group REST API, creating groups in the 'ldap' realm with the full DN path of the group object on your LDAP server.

Limitation

Make sure to use lower case only when creating LDAP groups through the REST API. Using upper or mixed case will prevent synchronization of the groups.

When using the REST API to synchronize LDAP groups, you must specify the exact, full DN of the group on your LDAP server. The example below shows the JSON payload you would use to synchronize the "testgroup" group shown in the LDAP server schema below:

[Figure: LDAP server schema showing the group cn=testgroup under ou=support,ou=UserGroups,dc=openstack,dc=org]
Sample JSON:
{
        "name": "testgroup",
        "description" : "This groups already exists in ldap",
        "autoJoin" : false,
        "realm": "ldap",
        "realmAttributes": "ldapGroupName=testgroup;groupsStrategy=STATIC;groupDn=cn=testgroup,ou=support,ou=UserGroups,dc=openstack,dc=org"
}
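As an added example (not JFrog's code), the following Python builds the same payload programmatically and applies the checks above before anything is sent: the name must be lower case, and groupDn must be the full DN whose first RDN names that group. The endpoint is the documented PUT /artifactory/api/security/groups/{name}; the strategy spellings DYNAMIC and HIERARCHICAL and the assumption that cn is the group name attribute are mine, and the request is returned as a dict rather than sent.

```python
# Added example (not JFrog's code): build and sanity-check the body for the
# Create or Replace Group call that syncs an LDAP group, enforcing the
# lower-case limitation described above.  Nothing is sent; the request is
# returned as a dict so it can be inspected first.
import json

# STATIC is the value shown on the page; DYNAMIC and HIERARCHICAL are assumed spellings.
STRATEGIES = ("STATIC", "DYNAMIC", "HIERARCHICAL")


class LdapGroupPayloadError(ValueError):
    """Raised when the group definition would not synchronise."""


def ldap_group_payload(name, group_dn, strategy="STATIC", description=""):
    """Return the JSON-serialisable body for Create or Replace Group."""
    if name != name.lower():
        raise LdapGroupPayloadError(f"LDAP group name must be lower case: {name!r}")
    if any(c in name for c in ";="):
        # realmAttributes is a ';'-separated list of key=value pairs
        raise LdapGroupPayloadError(f"name cannot contain ';' or '=': {name!r}")
    if strategy not in STRATEGIES:
        raise LdapGroupPayloadError(f"unknown strategy {strategy!r}")
    # Assumption: cn is the group name attribute, so the first RDN must be cn=<name>.
    first_rdn = group_dn.split(",", 1)[0].strip().lower()
    if first_rdn != f"cn={name}":
        raise LdapGroupPayloadError(
            f"groupDn must be the full DN of the group named {name!r}, got {group_dn!r}")
    return {
        "name": name,
        "description": description,
        "autoJoin": False,
        "realm": "ldap",
        "realmAttributes": f"ldapGroupName={name};groupsStrategy={strategy};groupDn={group_dn}",
    }


def create_or_replace_request(base_url, access_token, payload):
    """The PUT that the Create or Replace Group API expects, as a dict;
    send it with any HTTP client once you are happy with it."""
    return {
        "method": "PUT",
        "url": f"{base_url.rstrip('/')}/artifactory/api/security/groups/{payload['name']}",
        "headers": {
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
        "body": json.dumps(payload),
    }


if __name__ == "__main__":
    payload = ldap_group_payload(
        "testgroup",
        "cn=testgroup,ou=support,ou=UserGroups,dc=openstack,dc=org",
        "STATIC",
        "This group already exists in ldap",
    )
    print(json.dumps(payload, indent=2))
    print(create_or_replace_request("https://jfrog.example.com", "<token>", payload)["url"])
```

The host jfrog.example.com and the token placeholder are illustrative; passing "TestGroup" as the name, or a groupDn whose first RDN is some other group, raises LdapGroupPayloadError before any request is built.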
Customizing the LDAP Timeout / LDAP Referral Strategy

To customize the LDAP timeouts or the referral strategy, add the following properties to $JFROG_HOME/artifactory/var/etc/artifactory/artifactory.system.properties:

artifactory.security.ldap.connect.timeoutMillis - connect timeout. Default: 10000 ms
artifactory.security.ldap.socket.timeoutMillis - read reply (socket) timeout. Default: 15000 ms
artifactory.security.ldap.referralStrategy - how referrals returned by the server are handled: follow, ignore or throw. Default: follow

Bear in mind that with follow the client connects to whichever server a referral names, using the same Manager credentials, so keep the default only when every server your directory may refer to is trusted.
Enforcing Dynamic Search of Attributes for LDAP Groups

From Artifactory 7.37.9, you can enforce a dynamic internal search of group attributes by setting <forceAttributeSearch>true</forceAttributeSearch> on the relevant LDAP group setting in the Config descriptor:

</ldapSettings>    
   <ldapGroupSettings>
        <name>demo</name>
        <forceAttributeSearch>true</forceAttributeSearch>
   </ldapGroupSettings>

Non-UI Authentication Cache

You can configure the system to cache the result of authenticating REST API requests against external systems such as LDAP. The first time a user is authenticated, the system queries the external system for the user's permissions, group settings and so on, and caches what it receives. While that data is cached, subsequent requests are served from the cache rather than by querying the external system again, which makes authentication faster. The cache lifetime is set with the artifactory.security.authentication.cache.idleTimeSecs property in $JFROG_HOME/artifactory/var/etc/artifactory/artifactory.system.properties; the default is 300 seconds. The trade-off is that a change made in LDAP, such as a revoked password or a removed group membership, is not seen by REST API requests until the cached entry expires.

REST API Only

The cache is only relevant for REST API requests, and is not relevant when using the UI.

Docker Caching Requests Require Docker v2 Tokens

Caching for Docker requests requires a Docker v2 token. The Docker client (or a Smart Remote repository with token-based authentication enabled) always requests a v2 token in its initial request, whatever the command type (pull, push and so on), and then uses that token for all subsequent requests to Artifactory, for example when pulling the individual layers of the same docker pull.

Avoiding Clear Text Passwords

Storing your LDAP password in clear text in a client configuration file on disk, such as Maven's settings.xml, is a serious security risk: the password is highly sensitive and, through SSO, typically grants access to other resources in the domain.

When using LDAP, we strongly recommend using the JPD's Encrypted Passwords in your local settings.

Preventing Authentication Fallback to the Local Artifactory Realm

In some cases, as an administrator you may want to require users to authenticate themselves through LDAP with their LDAP password.

However, if a user already has an internal account with a password, the system falls back to that internal password when LDAP authentication fails (see Overview).

You can prevent this fallback for a given user by making sure that the Disable Internal Password checkbox in the Edit User dialog is set.

Using LDAPS (Secure LDAP)

To use LDAPS with a valid certificate from a CA trusted by Java, all you need to do is use a secure LDAP URL in your settings, for example, ldaps://secure_ldap_host:636/dc=sampledomain,dc=com.

If you want to use LDAPS with a certificate that Java does not trust (for example a self-signed one), follow the steps described in Communication Between Services.

Note

For SaaS customers, self-signed certificates are not supported for Secure LDAP.