Configure Single Sign-On with LDAP
You can configure Moogsoft Onprem so users from an external directory can log in by Single Sign-On (SSO) using Lightweight Directory Access Protocol (LDAP).
See LDAP version 3 for more information.
Before you begin
Before you start to set up LDAP, ensure you have met the following requirements:
You have the URL for your LDAP server.
If you want to use a "lookup" DN (Distinguished Name) resolution method, you have the credentials for the LDAP user who has rights to look up other users and determine their roles.
If you want to use SSL encryption, you have a valid SSL certificate.
Configure LDAP for Moogsoft Onprem
Edit the configuration file to configure and enable LDAP for Moogsoft Onprem. You can find the file at $MOOGSOFT_HOME/config/security.conf
.
See the Security Configuration Reference for a full description of all properties. Some properties in the file are commented out by default. Uncomment properties to enable them.
Configure the properties for the LDAP connection:
url: URL of your LDAP server. This is required.
connectionTimeout: Connection timeout in milliseconds.
readTimeout: Read timeout in milliseconds.
predefinedUser: Determines if user must exist in the local database or not.
Configure the user resolution and attribute search section:
resolutionType: Type of DN resolution method. Valid options are "direct" and "lookup".
attributeSearchFilter: Defines an optional attribute filter to retrieve all user attributes.
attributeMap: Defines an attribute map between the LDAP user attributes and the user attributes in the Moogsoft Onprem database.
Configure the LDAP group search section:
systemUser: Username of the system user to bind and search for user group information.
systemPassword: Password of the system user to bind and search for user group information.
groupBaseDn: Defines a group base DN to search for LDAP groups.
memberAttribute: Attribute used look for group members. Defaults to "member".
groupNameAttribute: Attribute used to look for group name.
roleMap: Defines the role mappings between the user directory and Moogsoft Onprem.
assignTeams: Sychronizes team assignment between the user directory and the teams in Moogsoft Onprem.
Optionally configure SSL if you want to enable TLS authentication:
ssl_protocol: Defines the SSL protocol you want to use. Defaults to TLSv1.2.
server_cert_file: SSL server certificate.
client_cert_file: Client certificate file.
client_key _file: Client key file.
Restart Apache Tomcat to activate the changes:
service apache-tomcat restart
See Control Moogsoft Onprem Processes for further details.
Example
An example LDAP configuration that uses direct DN resolution and SSL without client authentication:
"example_ldap": { "realmType": "LDAP", "url": "ldap://mysaml:389", "userDnResolution": { "resolutionType": "direct", "direct":{ "usernameAttribute": "uid", "userDnPostfix": "ou=People,dc=moogsoft,dc=com" } }, "attributeMap":{ "fullname": "cn", "email": "mail" }, "groupBaseDn": "ou=Group,dc=moogsoft,dc=com", "memberAttribute": "member", "groupNameAttribute": "cn", "roleMap":{ "role-admin": "Super User", "OperatorRole": "Operator" }, assignTeams:{ teamMap:{ CloudDevOps: "Cloud DevOps team", DBDevOps: "Database DevOps team" }, useGroupName: true, createNewTeams: true }, "ssl": { "server_cert_file": "/usr/share/moogsoft/config/example.crt" } }