Set up LDAP for Pulse UI

This document describes how to configure LDAP authentication for Pulse UI.

Prerequisites

Before you begin, ensure that you have the following information:

• LDAP server FQDN
• LDAP port (389 for non-SSL or 636 for SSL)
• Root CA certificate path (for SSL connections)
• LDAP bind user (service account)
• LDAP bind password
• User search base DN
• User search filter
• Group search base DN
• Group search filter

Configuration Steps

Step 1: Verify the LDAP Configuration File

Check whether the LDAP configuration file exists.

xxxxxxxxxx

ls -al $AcceloHome/config/ldap/ldap.conf

If the file does not exist, generate a default configuration file.

xxxxxxxxxx

accelo configure ldap

Expected output

xxxxxxxxxx

There is no ldap config file available

Generating a new ldap config file

Please edit '$AcceloHome/config/ldap/ldap.conf' and rerun this command

Step 2: Configure LDAP Settings

Open the LDAP configuration file.

xxxxxxxxxx

vi $AcceloHome/config/ldap/ldap.conf

• LDAP Server: Specify the fully qualified domain name (FQDN) of the LDAP server.

xxxxxxxxxx

host = <LDAP_FQDN>

• LDAP Port: If LDAP uses port 389, enable non-SSL mode.

xxxxxxxxxx

insecureNoSSL = true

• Root CA Certificate: Specify the path to the SSL root CA certificate.

xxxxxxxxxx

rootCA = <CERTIFICATE_FILE_PATH>

• Bind User: Specify the LDAP service account used for directory searches. The account must be a member of the LDAP administrator group.

xxxxxxxxxx

bindDN = <BIND_DN>

• Bind Password: Specify the encrypted password string.

xxxxxxxxxx

bindPW = <ENCRYPTED_PASSWORD>

encryptedPassword = true

• User Search Configuration

Specify the base DN and filter used to search for users.

Example:

xxxxxxxxxx

userBaseDN = cn=users,cn=accounts,dc=acceldata,dc=io

userFilter = (objectClass=person)

• Group Search Configuration: Specify the base DN and filter used to search for groups.

Example:

xxxxxxxxxx

groupBaseDN = cn=groups,cn=accounts,dc=acceldata,dc=io

groupFilter = (objectClass=posixgroup)

Step 3: Validate LDAP Search Access

Verify that the bind user has permission to search users and groups.

xxxxxxxxxx

ldapsearch -x \

  -h <hostname> \

  -p 389 \

  -D "uid=admins,cn=users,dc=acceldata,dc=io" \

  -W \

  -b "cn=accounts,dc=acceldata,dc=io" \

  "(&(objectClass=person)(uid=admins))"

Successful results indicate that the bind account has the required search permissions.

Step 4: Validate LDAP Connectivity

Run the LDAP configuration command.

xxxxxxxxxx

accelo configure ldap

When prompted, enter the LDAP user credentials.

xxxxxxxxxx

Checking LDAP connection

Enter LDAP username: gs

Enter LDAP password: *******

Expected output

xxxxxxxxxx

performing ldap search ou=users,dc=acceldata,dc=io sub (&(objectClass=inetOrgPerson)(uid=gs))

username "gs" mapped to entry cn=gs,ou=users,dc=acceldata,dc=io

✗ Do you want to use this configuration: y

Type y and press Enter.

Expected output

xxxxxxxxxx

Ok, Updating login properties.

✓ Done, You can now login using LDAP.

Step 5: Push the LDAP Configuration

Push the updated LDAP configuration to the database.

xxxxxxxxxx

accelo admin database push-config -a

Step 6: Deploy the LDAP Add-on

Deploy the LDAP add-on.

xxxxxxxxxx

accelo deploy addons

Select LDAP from the list.

xxxxxxxxxx

[ ] Job Runner

[ ] Kafka 0.10.2 Connector

[ ] Kafka Connector

> [x] LDAP

[ ] Log Reduce

[ ] LogSearch

[ ] Memsql Connector

Expected output

Starting the deployment ..

Completed [==================================================================================================] 100.00% 0s

✓ Done, Addons deployment completed.

Step 7: Restart the GraphQL Service

Restart the GraphQL service.

xxxxxxxxxx

accelo restart ad-graphql

Step 8: Configure the Default LDAP Role

1. Log in to Pulse Web UI.
2. Create an Ops role with the required permissions.
3. Configure the role as the default LDAP role.

All users authenticated through LDAP are automatically assigned this role after login.

Verify the Configuration

Verify the following:

• LDAP users can successfully authenticate.
• Users are automatically assigned the default Ops role.
• User and group searches return expected results.
• Pulse UI access is granted according to the configured role permissions.