LDAP

Audience: Application Admins

Content Summary: Immuta integrates seamlessly with your enterprise LDAP identity manager. Immuta can leverage your LDAP IAM for authentication and authorizations or use LDAP only for authentication while maintaining all user attributes (authorizations and groups) within Immuta's built-in identity manager.

This page details configuration options, example configurations, and migration of LDAP users' Postgres accounts. For directions on completing an Active Directory integration, navigate to this Active Directory tutorial.

Implementation will vary based on your LDAP provider. Visit the custom IAM integrations page for a detailed tutorial for implementing your own IAM in Immuta. For more details about implementing your custom IAM, please contact your Immuta support professional.

Configuration

The LDAP identity manager is configured in the Identity and Access Management section of the Application Settings page, but if you have contacted the Immuta Support team and they have instructed you to add advanced configuration options, those options can be managed in the Advanced Configuration section of the Application Settings page:

  • displayName (string): The name of the IAM that will show in the Immuta UI.
  • type (string): The IAM type that is being configured. This value must be ldap for LDAP IAMs.
  • credentials (string): The credentials to use to connect to the LDAP interface.
    • bind_dn (string): The distinguished name to use to connect to the LDAP interface.
    • bind_pw (string): The password to use to connect to the LDAP interface.
  • supportedActions (array): See Supported Actions for details.
  • options (object): Configuration options for the identity manager.
    • useSSL (string)
    • host (string)
    • port (string)
    • userDNPattern (string): DN pattern that is used to directly log in users to the LDAP database. This pattern creates a DN string for "direct" user authentication. The pattern argument %s will be replaced with the username at run-time. This will work only if anonymous binding is allowed and a direct user DN can be used. Leaving this option empty will default to using the userSearchBase and userSearchFilter options.
    • userSearchBase (string): Context to use when searching for users.
    • userSearchFilter (string): Filter expression to be used for searching for users. This value is typically sAMAccountName=%s.
    • groupSearchFilter (string): Filter expression to be used for searching for groups. This value is typically (&(objectClass=group)(cn=%s*)).
    • userGroupSearchFilter (string): Filter expression to be used for searching for groups that a user belongs to. The pattern argument <dn> will be replaced with the distinguished name, and <user> will be replaced with the username. This value is typically (member=<dn>).
  • schema (object): Attributes to be used to map LDAP attributes to Immuta users and groups.
    • profile (object): Attributes to be used to map LDAP users to Immuta user profiles. See Example Configuration for common attributes.
    • authorizations (object): Attributes to be used to map LDAP groups to Immuta authorizations. See Example Configuration for common attributes.
    • groups (object): Attributes to be used to map LDAP groups to Immuta groups. See Example Configuration for common attributes.
  • defaultPermissions (array(string)): Default permissions to be given to users when they first log in. See Permissions for more information.

Authentication Only Example

config.yml:

plugins:
  ldapIAM:
    id: ldap
    plugin: ldap
    displayName: LDAP
    type: ldap
    credentials:
      bind_dn: cn=bind_user,dc=yourcompany,dc=com
      bind_pw: abcdefghijklmnopqrstuzwxyz
    supportedActions: []
    options:
      useSSL: true
      host: ldap.immuta.com
      port: 636
      debug: false
      userSearchBase: dc=immuta,dc=com
      userSearchFilter: uid=%s
      rejectUnauthorized: true
      sslRequestCert: true
      sslKeyFile: /path/to/your/sslKey.key
      sslCertFile: /path/to/your/sslCert.crt
      sslCaFile: /path/to/your/sslCa.crt
    schema:
      profile:
        name: cn
        email: mail
        phone: telephoneNumber
    defaultPermissions:
    - CREATE_DATA_SOURCE

Groups and Authorizations Example

config.yml:

plugins:
  ldapGroupsIAM:
    id: ldap-groups
    plugin: ldap
    displayName: LDAPGroups
    type: ldap
    credentials:
      bind_dn: cn=bind_user,dc=yourcompany,dc=com
      bind_pw: abcdefghijklmnopqrstuzwxyz
    supportedActions: ['syncGroups', 'syncAuthorizations']
    options:
      useSSL: true
      host: your.host.com
      port: 636
      debug: false
      userSearchBase: dc=immuta,dc=com
      userSearchFilter: uid=%s
      rejectUnauthorized: true
      sslRequestCert: true
      sslKeyFile: /path/to/your/sslKey.key
      sslCertFile: /path/to/your/sslCert.crt
      sslCaFile: /path/to/your/sslCa.crt
    schema:
      profile:
        name: cn
        email: mail
        phone: telephoneNumber
      group:
        name: cn
        gid: gidNumber
        description: description
      authorizations:
        sn: sn
    defaultPermissions:
    - CREATE_DATA_SOURCE

Group Filtering

If you wish to only allow users of a specific LDAP group to log in to Immuta, you can add that group's dn to the userSearchFilter attribute. In the example below, only the members of the Immuta group will be authenticated.

plugins:
  ldapGroupsIAM:
    id: ldap
    plugin: ldap
    displayName: LDAP
    type: ldap
    credentials:
      bind_dn: cn=bind_user,dc=yourcompany,dc=com
      bind_pw: abcdefghijklmnopqrstuzwxyz
    supportedActions: ['syncGroups', 'syncAuthorizations']
    options:
      useSSL: true
      host: your.host.com
      port: 636
      debug: false
      userSearchBase: dc=immuta,dc=com
      userSearchFilter: (&(uid=%s)(memberOf=cn=Immuta,dc=yourcompany,dc=com))
      rejectUnauthorized: true
      sslRequestCert: true
      sslKeyFile: /path/to/your/sslKey.key
      sslCertFile: /path/to/your/sslCert.crt
      sslCaFile: /path/to/your/sslCa.crt
    schema:
      profile:
        name: cn
        email: mail
        phone: telephoneNumber
      group:
        name: cn
        gid: gidNumber
        description: description
      authorizations:
        sn: sn
    defaultPermissions:
    - CREATE_DATA_SOURCE

Note that in this example, the full dn of the Immuta group is cn=Immuta,dc=yourcompany,dc=com. You will need to specify the full dn of your desired group in order for filtering to work.
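The filter templating described above (%s in userSearchFilter, <dn> and <user> in userGroupSearchFilter) substitutes a login name into a search filter, so the value should be escaped per RFC 4515 before substitution or a name containing filter metacharacters changes the filter's structure. The following is an added example written for this page, not Immuta's code; whether the plugin itself escapes the substituted value is not stated here, so treat the escaping as an assumption to verify against your deployment. The filter strings and the group DN are the ones from the configuration above.

```python
# RFC 4515 escaping for values substituted into an LDAP search filter
# (added example; assumes the plugin's %s / <dn> / <user> placeholders).
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}


def escape_filter_value(value: str) -> str:
    """Escape a caller-supplied value so it is matched literally."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def render_user_filter(user_search_filter: str, username: str) -> str:
    """Expand %s in userSearchFilter with the escaped login name."""
    return user_search_filter.replace('%s', escape_filter_value(username))


def render_user_group_filter(user_group_search_filter: str, dn: str, username: str) -> str:
    """Expand <dn> and <user> in userGroupSearchFilter with escaped values."""
    return (user_group_search_filter
            .replace('<dn>', escape_filter_value(dn))
            .replace('<user>', escape_filter_value(username)))


def balanced(filter_expr: str) -> bool:
    """Sanity check that a rendered filter still has matching parentheses."""
    depth = 0
    for ch in filter_expr:
        if ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == '__main__':
    # Group-restricted filter from the example above, rendered for user jdoe.
    group_filter = '(&(uid=%s)(memberOf=cn=Immuta,dc=yourcompany,dc=com))'
    print(render_user_filter(group_filter, 'jdoe'))
    print(render_user_group_filter('(member=<dn>)', 'uid=jdoe,dc=immuta,dc=com', 'jdoe'))
```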

Migrating LDAP Users' Postgres Accounts

To link users' IAM and Postgres accounts,

  1. Click the Admin icon in the left sidebar, and select the Users tab.
  2. Click the Migrate LDAP Users' Postgres Accounts button in the top left corner.

    Note: For this button to appear, you must specify link_postgres in the IAM configuration.

  3. Click Confirm to execute the change.

After this process completes, users' Postgres credentials will be replaced by their LDAP credentials, which they can then use to log in to Postgres.