LDAP
Audience: Application Admins
Content Summary: Immuta integrates seamlessly with your enterprise LDAP identity manager. Immuta can leverage your LDAP IAM for authentication and authorizations or use LDAP only for authentication while maintaining all user attributes and groups within Immuta's built-in identity manager.
This page details configuration options, example configurations, and migration of LDAP users' Postgres accounts. For directions on completing an Active Directory integration, navigate to this Active Directory tutorial.
Configuration
The LDAP identity manager is configured in the Identity and Access Management section of the Application Settings page, but if you have contacted the Immuta Support team and they have instructed you to add advanced configuration options, those options can be managed in the Advanced Configuration section of the Application Settings page:
displayName
(string): The name of the IAM that will show in the Immuta UI.type
(string): The IAM type that is being configured. This value must beldap
for LDAP IAMs.credentials
(string): The credentials to use to connect to the LDAP interface.bind_dn
(string): The distinguished name to use to connect to the LDAP interface.bind_pw
(string): The password to use to connect to the LDAP interface.
supportedActions
(array): See Supported Actions for details.options
(object): Configuration options for the identity manger.useSSL
(string)host
(string)port
(string)userDNPattern
(string): DN pattern that is used to directly log in users to the LDAP database. This pattern creates a DN string for "direct" user authentication. The pattern argument%s
will be replaced with the username at run-time. This will work only if anonymous binding is allowed and a direct user DN can be used. Leaving this option empty will default to using theuserSearchBase
anduserSearchFilter
options.userSearchBase
(string): Context to use when searching for users.userSearchFilter
(string): Filter expression to be used for searching for users. This value is typicallysAMAccountName=%s
.groupSearchFilter
(string): Filter expression to be used for searching for groups. This value is typically(objectClass=group)
.userGroupSearchFilter
(string): Filter expression to be used for searching for groups that a user belongs to. The pattern argument<dn>
will be replaced with the distinguished name, and<user>
will be replaced with the username. This value is typically(member=<dn>)
.
schema
(object): Attributes to be used to map LDAP attributes to Immuta users and groups.profile
(object): Attributes to be used to map LDAP users to Immuta user profiles. See Example Configuration for common attributes.authorizations
(object): Attributes to be used to map LDAP groups to Immuta authorizations.groups
(object): Attributes to be used to map LDAP groups to Immuta groups. See Example Configuration for common attributes.
defaultPermissions
(array(string)): Default permissions to be given to users when they first log in. See Permissions for more information.
Authentication Only Example
config.yml:
plugins:
ldapIAM:
id: ldap
plugin: ldap
displayName: LDAP
type: ldap
credentials:
bind_dn: cn=bind_user,dc=yourcompany,dc=com
bind_pw: abcdefghijklmnopqrstuzwxyz
supportedActions: []
options:
useSSL: true
host: ldap.immuta.com
port: 636
debug: false
userSearchBase: dc=immuta,dc=com
userSearchFilter: uid=%s
rejectUnauthorized: true
sslRequestCert: true
sslKeyFile: /path/to/your/sslKey.key
sslCertFile: /path/to/your/sslCert.crt
sslCaFile: /path/to/your/sslCa.crt
schema:
profile:
name: cn
email: mail
phone: telephoneNumber
defaultPermissions:
- CREATE_DATA_SOURCE
Groups and Attributes Example
config.yml:
plugins:
ldapGroupsIAM:
id: ldap-groups
plugin: ldap
displayName: LDAPGroups
type: ldap
credentials:
bind_dn: cn=bind_user,dc=yourcompany,dc=com
bind_pw: abcdefghijklmnopqrstuzwxyz
supportedActions: ['syncGroups', 'syncAuthorizations']
options:
useSSL: true
host: your.host.com
port: 636
debug: false
userSearchBase: dc=immuta,dc=com
userSearchFilter: uid=%s
rejectUnauthorized: true
sslRequestCert: true
sslKeyFile: /path/to/your/sslKey.key
sslCertFile: /path/to/your/sslCert.crt
sslCaFile: /path/to/your/sslCa.crt
schema:
profile:
name: cn
email: mail
phone: telephoneNumber
group:
name: cn
description: description
attributes:
sn: sn
defaultPermissions:
- CREATE_DATA_SOURCE
Group Filtering
If you wish to only allow users of a specific LDAP group to log in to Immuta, you can add that group's dn
to the userSearchFilter
attribute.
In the example below, only the members of the Immuta
group will be authenticated.
plugins:
ldapGroupsIAM:
id: ldap
plugin: ldap
displayName: LDAP
type: ldap
credentials:
bind_dn: cn=bind_user,dc=yourcompany,dc=com
bind_pw: abcdefghijklmnopqrstuzwxyz
supportedActions: ['syncGroups', 'syncAuthorizations']
options:
useSSL: true
host: your.host.com
port: 636
debug: false
userSearchBase: dc=immuta,dc=com
userSearchFilter: (&(uid=%s)(memberOf=cn=Immuta,dc=yourcompany,dc=com))
rejectUnauthorized: true
sslRequestCert: true
sslKeyFile: /path/to/your/sslKey.key
sslCertFile: /path/to/your/sslCert.crt
sslCaFile: /path/to/your/sslCa.crt
schema:
profile:
name: cn
email: mail
phone: telephoneNumber
group:
name: cn
description: description
attributes:
sn: sn
defaultPermissions:
- CREATE_DATA_SOURCE
Note that in this example, the full dn
of the Immuta
group is cn=Immuta,dc=yourcompany,dc=com
. You will
need to specify the full dn
of your desired group in order for filtering to work.