Set up LDAP for Pulse UI

This document describes how to configure LDAP authentication for Pulse UI.


Prerequisites

Before you begin, ensure that you have the following information:

  • LDAP server FQDN

  • LDAP port (389 for non-SSL or 636 for SSL)

  • Root CA certificate path (for SSL connections)

  • LDAP bind user (service account)

  • LDAP bind password

  • User search base DN

  • User search filter

  • Group search base DN

  • Group search filter


Configuration Steps

Step 1: Verify the LDAP Configuration File

Check whether the LDAP configuration file exists.

ls -al $AcceloHome/config/ldap/ldap.conf

If the file does not exist, generate a default configuration file.

accelo configure ldap

Expected output

There is no ldap config file available Generating a new ldap config file Please edit '$AcceloHome/config/ldap/ldap.conf' and rerun this command

Step 2: Configure LDAP Settings

Open the LDAP configuration file.

vi $AcceloHome/config/ldap/ldap.conf
  • LDAP Server: Specify the fully qualified domain name (FQDN) of the LDAP server.

host = <LDAP_FQDN>
  • LDAP Port: If LDAP uses port 389, enable non-SSL mode.

insecureNoSSL = true
  • Root CA Certificate: Specify the path to the SSL root CA certificate.

rootCA = <CERTIFICATE_FILE_PATH>
  • Bind User: Specify the LDAP service account used for directory searches. The account must be a member of the LDAP administrator group.

bindDN = <BIND_DN>
  • Bind Password: Specify the encrypted password string.

bindPW = <ENCRYPTED_PASSWORD> encryptedPassword = true
  • User Search Configuration

Specify the base DN and filter used to search for users.

Example:

userBaseDN = cn=users,cn=accounts,dc=acceldata,dc=io userFilter = (objectClass=person)
  • Group Search Configuration: Specify the base DN and filter used to search for groups.

Example:

groupBaseDN = cn=groups,cn=accounts,dc=acceldata,dc=io groupFilter = (objectClass=posixgroup)

Step 3: Validate LDAP Search Access

Verify that the bind user has permission to search users and groups.

ldapsearch -x \ -h <hostname> \ -p 389 \ -D "uid=admins,cn=users,dc=acceldata,dc=io" \ -W \ -b "cn=accounts,dc=acceldata,dc=io" \ "(&(objectClass=person)(uid=admins))"

Successful results indicate that the bind account has the required search permissions.


Step 4: Validate LDAP Connectivity

Run the LDAP configuration command.

accelo configure ldap

When prompted, enter the LDAP user credentials.

Checking LDAP connection Enter LDAP username: gs Enter LDAP password: *******

Expected output

performing ldap search ou=users,dc=acceldata,dc=io sub (&(objectClass=inetOrgPerson)(uid=gs)) username "gs" mapped to entry cn=gs,ou=users,dc=acceldata,dc=io ✗ Do you want to use this configuration: y

Type y and press Enter.

Expected output

Ok, Updating login properties. ✓ Done, You can now login using LDAP.

Step 5: Push the LDAP Configuration

Push the updated LDAP configuration to the database.

accelo admin database push-config -a

Step 6: Deploy the LDAP Add-on

Deploy the LDAP add-on.

accelo deploy addons

Select LDAP from the list.

[ ] Job Runner [ ] Kafka 0.10.2 Connector [ ] Kafka Connector > [x] LDAP [ ] Log Reduce [ ] LogSearch [ ] Memsql Connector

Expected output

Starting the deployment .. Completed [==================================================================================================] 100.00% 0s ✓ Done, Addons deployment completed.

Step 7: Restart the GraphQL Service

Restart the GraphQL service.

accelo restart ad-graphql

Step 8: Configure the Default LDAP Role

  1. Log in to Pulse Web UI.

  2. Create an Ops role with the required permissions.

  3. Configure the role as the default LDAP role.

All users authenticated through LDAP are automatically assigned this role after login.


Verify the Configuration

Verify the following:

  • LDAP users can successfully authenticate.

  • Users are automatically assigned the default Ops role.

  • User and group searches return expected results.

  • Pulse UI access is granted according to the configured role permissions.