LDAP
Generate the LDAP configuration file
- Run the configure command
accelo config ldap- Expected output:
1. There is no ldap config file available2. Generating a new ldap config file3. Please edit '$AcceloHome/config/ldap/ldap.conf' and rerun this command- If the file is already generated it will ask for the
LDAPcredentials to validate the connectivity and configurations. Which is mentioned in the below steps.
Edit the LDAP configuration
- Edit the file in path:
<$AcceloHome>/config/ldap/ldap.confConfigure file for below properties:
LDAP FQDN : FQDN where LDAP server is running
- host = [FQDN]
If port 389 is being used then
- insecureNoSSL = true
SSL root CA Certificate:__rootCA = [CERTIFICATE_FILE_PATH]
bindDN : to be used for
ldapsearch need to be member of admin groupbindPW :
passwordfor entering in database, can be removed later onceldapgets enabledbaseDN used for user search: Eg:
(cn=users, cn=accounts, dc=accedata, dc=io)Filter used for the user search : Eg:
(objectClass=person)baseDN used for group search: Eg:
(cn= groups, cn=accounts, dc=acceldata, dc=io)Group Search: Object class used for group search: Eg:
(objectClass= posixgroup)
Here is the command to check if user has search entry access and group access in LDAP directory:
ldapsearch -x -h <hostname> -p 389 -D "uid=admins,cn=users,dc=acceldata,dc=io" -W -b "cn=accounts,dc=acceldata,dc=io" "(&(objectClass=person)(uid=admins))"Validate the LDAP User Credential and Configurations
- Run the configure command
accelo config ldap- It will ask for the LDAP user credentials:
Checking LDAP connection2 Enter LDAP username: gs3 Enter LDAP password: *******- If things went well, it will show the below confirmation message:
performing ldap search ou=users,dc=acceldata,dc=io sub (&(objectClass=inetOrgPerson)(uid=gs))username "gs" mapped to entry cn=gs,ou=users,dc=acceldata,dc=io✗ Do you want to use this configuration: y- Press ‘y' and press 'Enter’
- Expected output:
Ok, Updating login properties.✓ Done, You can now login using LDAP.Deploy the Pulse LDAP addon
- Run the deploy addon command
accelo deploy addons- Select the LDAP from the list shown and press 'Enter':
[x] Job Runner [ ] Kafka 0.10.2 Connector [x] Kafka Connector> [x] LDAP [ ] Log Reduce [x] LogSearch [x] Memsql Connector- Expected output:
Starting the deployment ..Completed [==================================================================================================] 100.00% 0s✓ Done, Addons deployment completed.Push the updated “acceldata.conf“ to Pulse DB
- Run the deploy command
accelo deploy core- It will ask for confirmations:
Have you verified the acceldata config file at '/root/acceldata/config/acceldata_accelcluster.conf' ? [y/n]: : yINFO: Existing AccelData networks foundINFO: The AccelData stack 'default' is already up and running.✔ Would you like to reinitiate DB with the config file '/root/acceldata/config/acceldata_accelcluster.conf'? [y/n]: : y- Expected output:
Trying to reconfigure the DB with supplied config file...Deployment Completed [======================================================================================] 100.00% 39s✓ Done, Core services deployment completed.-----------------------------IMPORTANT--------------------------------------You have requested LDAP, Run './accelo config ldap' to configure LDAP for AccelData UI Login.Now, you can access the AccelData APM Server at the configured port of this node.To deploy the AccelData addons, Run './accelo deploy addons'Restart the Pulse Web UI service
- Run the restart command
accelo restart ad-graphql- Open Pulse Web UI and create default roles.
- The “ops” role must be created and configured with the necessary access, as it will be automatically assigned to all incoming users with LDAP login. If you prefer more control over LDAP group mappings and permissions, you can create custom roles, assign the required permissions, and associate LDAP groups with those roles. Users belonging to these groups will automatically inherit the permissions assigned to their respective roles.
Adding Additional Flag for Custom Filter in Group Search
Configurations to Enable the Special Search
ldap { configuration { # The Ldap host host = "<IP>:<PORT>", # The following field is required if using port 389. insecureNoSSL = true, # insecureSkipVerify = true #rootCA = "/etc/dex/ldap.ca", bindDN = "uid=admin,ou=people,dc=hadoop,dc=apache,dc=org", bindPW = "admin-password", specialSearch = true, prefix = "uid=", suffix = ",ou=people,dc=hadoop,dc=apache,dc=org", userSearch { # Would translate to the query "(&(objectClass=person)(uid=<username>))" baseDN = "ou=people,dc=hadoop,dc=apache,dc=org", filter = "(objectClass=person)", username = "uid", idAttr = "uid" #emailAttr = "mail", #nameAttr = "name" # Can be 'sub' or 'one' scope = "sub" } groupSearch { # Would translate to the query "(&(objectClass=group)(member=<user uid>))" baseDN = "ou=groups,dc=hadoop,dc=apache,dc=org", filter = "(objectClass=groupofnames)", # Use if full DN is needed and not available as any other attribute # Will only work if "DN" attribute does not exist in the record # userAttr: DN userAttr = "uid", groupAttr = "member", nameAttr = "name" # Can be 'sub' or 'one' scope = "sub" } }}Following three new fields were added to the configuration:
specialSearch = true,prefix = "uid=",suffix = ",ou=people,dc=hadoop,dc=apache,dc=org",This must be customized by the user based on their specific use case.
Enable SSL/TLS for LDAPS
For SSL setup in LDAPS, add the following code snippet to the configuration file.
- Fetch the root CA (PEM) file and place it in the following directory.
<ACCELOHOME>/config/security/- Generate the
ad-ldap containeryaml file if it does not exist, by executing the following command.
$ accelo admin makeconfig ad-ldap- Please update the following properties.
<ldap.conf>insecureNoSSL = falseinsecureSkipVerify = falserootCA = “/etc/ssl/cert.pemMount the root-ca file into the ad-ldap conf Volumes section.
x
<ACCELOHOME>/config/security/ldap.ca:/etc/ssl/cert.pemvolumes:- <ACCELOHOME>/config/security/ldap.ca:/etc/ssl/cert.pemMount the root CA file in the ldap container by adding the following line to the Volumes section of the container.
Custom LDAP Configuration File
This section displays a sample active directory LDAP file.
ldap { configuration { # The Ldap host host = "<IP>:<PORT>", # The following field is required if using port 389. insecureNoSSL = false insecureSkipVerify = true #rootCA = "/etc/dex/ldap.ca", bindDN = "Administrator@ADSRE.COM", bindPW = "PASSWORD", specialSearch = false, prefix = "", suffix = "", userSearch { # Would translate to the query "(&(objectClass=person)(uid=<username>))" baseDN = "OU=users,OU=hadoop,DC=adsre,DC=com", filter = "(objectClass=person)", username = "sAMAccountName", idAttr = "sAMAccountName", emailAttr = "mail", nameAttr = "name" # Can be 'sub' or 'one' scope = "sub" } groupSearch { # Would translate to the query "(&(objectClass=group)(member=<user DN>))" baseDN = "OU=groups,OU=hadoop,DC=adsre,DC=com", filter = "(objectClass=group)", # Use if full DN is needed and not available as any other attribute # Will only work if "DN" attribute does not exist in the record # userAttr: DN userAttr = "DN", groupAttr = "member", nameAttr = "name" # Can be 'sub' or 'one' scope = "sub" } }}Logs from ad-ldap container
INFO: Config from DB: {<IP>:<PORT> true false false uid=admin,ou=people,dc=hadoop,dc=apache,dc=org admin-password true uid= ,ou=people,dc=hadoop,dc=apache,dc=org {ou=people,dc=hadoop,dc=apache,dc=org (objectClass=person) uid sub uid mail name} {ou=groups,dc=hadoop,dc=apache,dc=org (objectClass=groupofnames) sub uid member name }} INFO: Special Search EnabledINFO: Search Filter Updated to: '(member=uid=sam,ou=people,dc=hadoop,dc=apache,dc=org)'2022-04-12 12:42:39,407 DEBG 'ad-ldap' stdout output:INFO: Config from DB: {10.90.6.96:33389 true false false uid=admin,ou=people,dc=hadoop,dc=apache,dc=org admin-password true uid= ,ou=people,dc=hadoop,dc=apache,dc=org {ou=people,dc=hadoop,dc=apache,dc=org (objectClass=person) uid sub uid mail name} {ou=groups,dc=hadoop,dc=apache,dc=org (objectClass=groupofnames) sub uid member name }} INFO: Special Search EnabledINFO: Search Filter Updated to: '(member=uid=sam,ou=people,dc=hadoop,dc=apache,dc=org)'2022-04-12 12:42:39,407 DEBG 'ad-ldap' stdout output:INFO: Config from DB: {10.90.6.96:33389 true false false uid=admin,ou=people,dc=hadoop,dc=apache,dc=org admin-password true uid= ,ou=people,dc=hadoop,dc=apache,dc=org {ou=people,dc=hadoop,dc=apache,dc=org (objectClass=person) uid sub uid mail name} {ou=groups,dc=hadoop,dc=apache,dc=org (objectClass=groupofnames) sub uid member name }} INFO: Special Search EnabledINFO: Search Filter Updated to: '(member=uid=sam,ou=people,dc=hadoop,dc=apache,dc=org)'performing ldap search ou=groups,dc=hadoop,dc=apache,dc=org sub (&(objectClass=groupofnames)(member=uid=sam,ou=people,dc=hadoop,dc=apache,dc=org))2022-04-12 12:42:39,441 DEBG 'ad-ldap' stdout output:performing ldap search ou=groups,dc=hadoop,dc=apache,dc=org sub (&(objectClass=groupofnames)(member=uid=sam,ou=people,dc=hadoop,dc=apache,dc=org))2022-04-12 12:42:39,441 DEBG 'ad-ldap' stdout output:performing ldap search ou=groups,dc=hadoop,dc=apache,dc=org sub (&(objectClass=groupofnames)(member=uid=sam,ou=people,dc=hadoop,dc=apache,dc=org))Was this page helpful?
On This Page
LDAPGenerate the LDAP configuration fileEdit the LDAP configurationValidate the LDAP User Credential and ConfigurationsDeploy the Pulse LDAP addonPush the updated “acceldata.conf“ to Pulse DBRestart the Pulse Web UI serviceAdding Additional Flag for Custom Filter in Group SearchConfigurations to Enable the Special SearchEnable SSL/TLS for LDAPSCustom LDAP Configuration FileLogs from ad-ldap container