Skip to content

You are viewing documentation for Immuta version 2.8.

For the latest version, view our documentation for Immuta SaaS or the latest self-hosted version.

LDAP

Audience: Application Admins

Content Summary: Immuta integrates seamlessly with your enterprise LDAP identity manager. Immuta can leverage your LDAP IAM for authentication and authorizations or use LDAP only for authentication while maintaining all user attributes and groups within Immuta's built-in identity manager.

This page details configuration options, example configurations, and migration of LDAP users' Postgres accounts. For directions on completing an Active Directory integration, navigate to this Active Directory tutorial.

Configuration

The LDAP identity manager is configured in the Identity and Access Management section of the Application Settings page, but if you have contacted the Immuta Support team and they have instructed you to add advanced configuration options, those options can be managed in the Advanced Configuration section of the Application Settings page:

  • displayName (string): The name of the IAM that will show in the Immuta UI.
  • type (string): The IAM type that is being configured. This value must be ldap for LDAP IAMs.
  • credentials (string): The credentials to use to connect to the LDAP interface.
    • bind_dn (string): The distinguished name to use to connect to the LDAP interface.
    • bind_pw (string): The password to use to connect to the LDAP interface.
  • supportedActions (array): See Supported Actions for details.
  • options (object): Configuration options for the identity manger.
    • useSSL (string)
    • host (string)
    • port (string)
    • userDNPattern (string): DN pattern that is used to directly log in users to the LDAP database. This pattern creates a DN string for "direct" user authentication. The pattern argument %s will be replaced with the username at run-time. This will work only if anonymous binding is allowed and a direct user DN can be used. Leaving this option empty will default to using the userSearchBase and userSearchFilter options.
    • userSearchBase (string): Context to use when searching for users.
    • userSearchFilter(string): Filter expression to be used for searching for users. This value is typically sAMAccountName=%s.
    • groupSearchFilter (string): Filter expression to be used for searching for groups. This value is typically (objectClass=group).
    • userGroupSearchFilter (string): Filter expression to be used for searching for groups that a user belongs to. The pattern argument <dn> will be replaced with the distinguished name, and <user> will be replaced with the username. This value is typically (member=<dn>).
  • schema (object): Attributes to be used to map LDAP attributes to Immuta users and groups.
    • profile (object): Attributes to be used to map LDAP users to Immuta user profiles. See Example Configuration for common attributes.
    • authorizations (object): Attributes to be used to map LDAP groups to Immuta authorizations.
    • groups (object): Attributes to be used to map LDAP groups to Immuta groups. See Example Configuration for common attributes.
  • defaultPermissions (array(string)): Default permissions to be given to users when they first log in. See Permissions for more information.

Authentication Only Example

config.yml:

plugins:
  ldapIAM:
    id: ldap
    plugin: ldap
    displayName: LDAP
    type: ldap
    credentials:
      bind_dn: cn=bind_user,dc=yourcompany,dc=com
      bind_pw: abcdefghijklmnopqrstuzwxyz
    supportedActions: []
    options:
      useSSL: true
      host: ldap.immuta.com
      port: 636
      debug: false
      userSearchBase: dc=immuta,dc=com
      userSearchFilter: uid=%s
      rejectUnauthorized: true
      sslRequestCert: true
      sslKeyFile: /path/to/your/sslKey.key
      sslCertFile: /path/to/your/sslCert.crt
      sslCaFile: /path/to/your/sslCa.crt
    schema:
      profile:
        name: cn
        email: mail
        phone: telephoneNumber
    defaultPermissions:
    - CREATE_DATA_SOURCE

Groups and Attributes Example

config.yml:

plugins:
  ldapGroupsIAM:
    id: ldap-groups
    plugin: ldap
    displayName: LDAPGroups
    type: ldap
    credentials:
      bind_dn: cn=bind_user,dc=yourcompany,dc=com
      bind_pw: abcdefghijklmnopqrstuzwxyz
    supportedActions: ['syncGroups', 'syncAuthorizations']
    options:
      useSSL: true
      host: your.host.com
      port: 636
      debug: false
      userSearchBase: dc=immuta,dc=com
      userSearchFilter: uid=%s
      rejectUnauthorized: true
      sslRequestCert: true
      sslKeyFile: /path/to/your/sslKey.key
      sslCertFile: /path/to/your/sslCert.crt
      sslCaFile: /path/to/your/sslCa.crt
    schema:
      profile:
        name: cn
        email: mail
        phone: telephoneNumber
      group:
        name: cn
        description: description
      attributes:
        sn: sn
    defaultPermissions:
    - CREATE_DATA_SOURCE

Group Filtering

If you wish to only allow users of a specific LDAP group to log in to Immuta, you can add that group's dn to the userSearchFilter attribute. In the example below, only the members of the Immuta group will be authenticated.

plugins:
  ldapGroupsIAM:
    id: ldap
    plugin: ldap
    displayName: LDAP
    type: ldap
    credentials:
      bind_dn: cn=bind_user,dc=yourcompany,dc=com
      bind_pw: abcdefghijklmnopqrstuzwxyz
    supportedActions: ['syncGroups', 'syncAuthorizations']
    options:
      useSSL: true
      host: your.host.com
      port: 636
      debug: false
      userSearchBase: dc=immuta,dc=com
      userSearchFilter: (&(uid=%s)(memberOf=cn=Immuta,dc=yourcompany,dc=com))
      rejectUnauthorized: true
      sslRequestCert: true
      sslKeyFile: /path/to/your/sslKey.key
      sslCertFile: /path/to/your/sslCert.crt
      sslCaFile: /path/to/your/sslCa.crt
    schema:
      profile:
        name: cn
        email: mail
        phone: telephoneNumber
      group:
        name: cn
        description: description
      attributes:
        sn: sn
    defaultPermissions:
    - CREATE_DATA_SOURCE

Note that in this example, the full dn of the Immuta group is cn=Immuta,dc=yourcompany,dc=com. You will need to specify the full dn of your desired group in order for filtering to work.