Configure Single Sign-On with LDAP

You can configure Moogsoft Onprem so users from an external directory can log in by Single Sign-On (SSO) using Lightweight Directory Access Protocol (LDAP).

See LDAP version 3 for more information.

Before you begin

Before you start to set up LDAP, ensure you have met the following requirements:

  • You have the URL for your LDAP server.

  • If you want to use a "lookup" DN (Distinguished Name) resolution method, you have the credentials for the LDAP user who has rights to look up other users and determine their roles.

  • If you want to use SSL encryption, you have a valid SSL certificate.

Configure LDAP for Moogsoft Onprem

Edit the configuration file to configure and enable LDAP for Moogsoft Onprem. You can find the file at $MOOGSOFT_HOME/config/security.conf.

See the Security Configuration Reference for a full description of all properties. Some properties in the file are commented out by default. Uncomment properties to enable them.

  1. Configure the properties for the LDAP connection:

    • url: URL of your LDAP server. This is required.

    • connectionTimeout: Connection timeout in milliseconds.

    • readTimeout: Read timeout in milliseconds.

  • predefinedUser: Determines whether the user must already exist in the local database.

  2. Configure the user resolution and attribute search section:

    • resolutionType: Type of DN resolution method. Valid options are "direct" and "lookup".

    • attributeSearchFilter: Defines an optional attribute filter to retrieve all user attributes.

    • attributeMap: Defines an attribute map between the LDAP user attributes and the user attributes in the Moogsoft Onprem database.

  3. Configure the LDAP group search section:

    • systemUser: Username of the system user to bind and search for user group information.

    • systemPassword: Password of the system user to bind and search for user group information.

    • groupBaseDn: Defines a group base DN to search for LDAP groups.

    • memberAttribute: Attribute used to look up group members. Defaults to "member".

    • groupNameAttribute: Attribute used to look up the group name.

    • roleMap: Defines the role mappings between the user directory and Moogsoft Onprem.

    • assignTeams: Synchronizes team assignment between the user directory and the teams in Moogsoft Onprem.

  4. Optionally configure SSL if you want to enable TLS authentication:

    • ssl_protocol: Defines the SSL protocol you want to use. Defaults to TLSv1.2.

    • server_cert_file: SSL server certificate.

    • client_cert_file: Client certificate file.

    • client_key_file: Client key file.

  5. Restart Apache Tomcat to activate the changes:

    service apache-tomcat restart

    See Control Moogsoft Onprem Processes for further details.

Example

An example LDAP configuration that uses direct DN resolution and SSL without client authentication:

"example_ldap":
{
    "realmType": "LDAP",
    "url": "ldap://mysaml:389",
    "userDnResolution":
    {
        "resolutionType": "direct",
        "direct":
        {
            "usernameAttribute": "uid",
            "userDnPostfix": "ou=People,dc=moogsoft,dc=com"
        }
    },
    "attributeMap":
    {
        "fullname": "cn",
        "email": "mail"
    },
    "groupBaseDn": "ou=Group,dc=moogsoft,dc=com",
    "memberAttribute": "member",
    "groupNameAttribute": "cn",
    "roleMap":
    {
        "role-admin": "Super User",
        "OperatorRole": "Operator"
    },
    "assignTeams":
    {
        "teamMap":
        {
            "CloudDevOps": "Cloud DevOps team",
            "DBDevOps": "Database DevOps team"
        },
        "useGroupName": true,
        "createNewTeams": true
    },
    "ssl":
    {
        "server_cert_file": "/usr/share/moogsoft/config/example.crt"
    }
}
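An added example, not part of the Moogsoft documentation or product code: a short Python check over a realm block like the one above. It assumes direct resolution composes the bind DN as usernameAttribute=username,userDnPostfix, shows why the login name must be DN-escaped before it is placed in that DN, how roleMap turns group names from the group search into Moogsoft roles, and which settings a reviewer should flag before enabling the realm. SAMPLE_REALM is a constructed copy of the page's example, trimmed to the keys the functions use.

```python
import json
import re

# Constructed sample mirroring the example realm on this page (not the product's own config).
SAMPLE_REALM = json.loads("""
{
  "realmType": "LDAP",
  "url": "ldap://mysaml:389",
  "userDnResolution": {
    "resolutionType": "direct",
    "direct": {"usernameAttribute": "uid", "userDnPostfix": "ou=People,dc=moogsoft,dc=com"}
  },
  "groupBaseDn": "ou=Group,dc=moogsoft,dc=com",
  "memberAttribute": "member",
  "groupNameAttribute": "cn",
  "roleMap": {"role-admin": "Super User", "OperatorRole": "Operator"}
}
""")

# RFC 4514 escaping for an attribute value placed inside a DN, so a login name such as
# "bob,ou=Admins" cannot change which entry the direct resolver binds as.
_DN_SPECIAL = re.compile(r'([,+"\\<>;=])')

def escape_dn_value(value):
    escaped = _DN_SPECIAL.sub(r'\\\1', value)
    if escaped.startswith(('#', ' ')):
        escaped = '\\' + escaped
    if escaped.endswith(' '):
        escaped = escaped[:-1] + '\\ '
    return escaped

def direct_user_dn(realm, username):
    """Bind DN implied by direct resolution: <usernameAttribute>=<user>,<userDnPostfix> (assumed form)."""
    direct = realm["userDnResolution"]["direct"]
    return f'{direct["usernameAttribute"]}={escape_dn_value(username)},{direct["userDnPostfix"]}'

def roles_for_groups(realm, group_names):
    """Translate group names returned by the group search into Moogsoft roles via roleMap."""
    return [realm["roleMap"][g] for g in group_names if g in realm["roleMap"]]

def check_realm(realm):
    """Findings a reviewer would raise before enabling the realm."""
    findings = []
    kind = realm.get("userDnResolution", {}).get("resolutionType")
    if kind not in ("direct", "lookup"):
        findings.append("resolutionType must be 'direct' or 'lookup'")
    if kind == "lookup" and not (realm.get("systemUser") and realm.get("systemPassword")):
        findings.append("lookup resolution needs systemUser and systemPassword")
    if realm.get("url", "").startswith("ldap://") and "ssl" not in realm:
        findings.append("plain ldap:// without an ssl section sends bind credentials unencrypted")
    return findings
```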