Identity as a Service: Bind IDaaS to OpenLDAP (outbound)

Last Updated:Dec 03, 2025

This topic describes how to add a corporate OpenLDAP directory to IDaaS as an outbound identity provider (IdP). With this connection, IDaaS synchronizes its organizations and accounts to OpenLDAP, and users can log on to IDaaS or its applications with their OpenLDAP credentials (delegated authentication).

About OpenLDAP

OpenLDAP is an open source implementation of the Lightweight Directory Access Protocol (LDAP). It is often used to manage resources in an enterprise, such as users, computers, and networks. Because OpenLDAP is widely used, it is often referred to simply as LDAP.

Note

You can use the network endpoint feature to synchronize data from LDAP and delegate authentication to LDAP without opening public ports.

Connect to OpenLDAP

Step 1: Connect to OpenLDAP

  1. Log on to the IDaaS console. Select your IDaaS instance and click Manage in the Actions column.

  2. Click IdPs > Outbound > Add Outbound. Find OpenLDAP in the list and click Add.

    image

  3. On the Connect to OpenLDAP panel, enter the following information.

    image

    • Display Name: The name that users see when they log on to or use IDaaS.

    • Network Access Endpoint: The endpoint from which IDaaS reaches your LDAP server. Shared endpoints use shared, fixed public egress IP addresses. Dedicated endpoints use dedicated, custom private and public egress IP addresses and let IDaaS reach an LDAP server inside your Alibaba Cloud VPC over a private network, so the server does not need to be exposed on a public port. Whichever endpoint you use, restrict the LDAP server's allowlist (firewall or security group) to the endpoint's egress IP addresses so that only IDaaS can connect. For more information, see Network endpoints.

    • Server address: The LDAP server in host:port form, for example, 127.0.0.1:389. Port 389 is the default for plain LDAP and is also the port used with StartTLS, which upgrades a connection on that port to TLS. Port 636 is used for LDAPS (implicit TLS); do not combine it with StartTLS.

    • Enable StartTLS: Upgrades the connection on the plain LDAP port to TLS before the administrator credentials or any directory data are sent. Enable it, or use LDAPS on port 636, so that nothing crosses the network in plaintext. For how to prepare the server, see LDAP security configuration.

    • Administrator Account: The LDAP account that IDaaS binds with, in Distinguished Name (DN) format, such as cn=admin,ou=Technical Department,dc=example,dc=com. It needs read permission on the directory for delegated authentication and, because outbound synchronization creates and updates entries, write permission under the target node. Prefer a dedicated service account limited to that subtree over the directory's root DN.

    • Administrator Password: The bind password for the administrator account.

  4. Confirm the information and click Next.

Step 2: Select Scenario

On the Select Scenario page, configure the scenarios that you want LDAP to support.

image

Basic Configuration

  • Synchronization Direction:

    Data from the selected IDaaS source node is exported to LDAP as users and organizations. For Source Node, select an IDaaS organization node. For Target Node, enter the DN of the LDAP node under which the entries are created. The DN of the LDAP root node is typically your domain, for example dc=example,dc=com.

  • Incremental Provisioning:

    Pushes changes made to users and organizations in IDaaS to LDAP as they happen.

  • Scheduled Verification:

    Performs a scheduled full synchronization to keep IDaaS and LDAP data consistent.

  • Delegated Authentication:

    Allows users to log on to IDaaS using their LDAP accounts.

  • Automatic Password Update:

    Writes the password of an IDaaS account to LDAP whenever the account is synchronized. Because the password is sent to the LDAP server as part of the write, this requires a TLS connection (LDAPS or StartTLS). The IDaaS password must also satisfy the LDAP server's password policy.

Advanced Configuration

  • User ObjectClass, Organization ObjectClass:

    The ObjectClass identifies the type of an entry, such as a user or an organization. For example, if User ObjectClass is inetOrgPerson, entries in the query results whose objectClass includes inetOrgPerson are treated as users. You normally do not need to change this setting.

  • User RDN, Organization RDN:

    If entries in your LDAP use custom Relative Distinguished Names (RDNs), configure the attribute that IDaaS writes as the RDN here. For example, when IDaaS creates an organization in LDAP it uses ou as the RDN (ou=Technical Department,dc=example,dc=com).

  • User Sign-in ID:

    When a user logs on to IDaaS through LDAP delegated authentication, IDaaS uses these attributes to look up the user in LDAP and then verifies the password against that entry. Separate multiple attributes with a comma (,). They are combined with OR, so the user can log on with any of them. Each login value must resolve to exactly one LDAP user; if it matches more than one entry, or different entries through different attributes, the logon fails.

Step 3: Field Mapping

If LDAP already contains users or organizations, you must link those LDAP entries to IDaaS accounts. You may also want to write data from specific IDaaS account fields into LDAP attributes, for example using the mobile number of an IDaaS account as the username of the LDAP user. In both cases, configure Field Mapping. To use the Mapping Identifier feature, enable it manually for a field, such as the Mobile Phone field shown in the following figure.

image

After you complete the configuration, click Save and Push to trigger data synchronization. This action imports all data from the source IDaaS node to the target LDAP node. To save only the configuration, click Save Only.

Note

For more information, see Field mapping.

LDAP security configuration

By default, LDAP sends bind credentials and directory data in plaintext, so anyone on the network path can read or tamper with them. Use LDAPS or StartTLS to protect the connection: after you install a certificate on the LDAP server, you can enable LDAPS or StartTLS in IDaaS. Enable one of them.

After you configure the certificate, you can retrieve its fingerprint in IDaaS with a single click. IDaaS then trusts only a server certificate with that fingerprint, which defends against a forged or substituted certificate. Because the trust is pinned to that specific certificate, fetch the fingerprint again after you renew or replace the server certificate.

image
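The following is an added example, not code from IDaaS or OpenLDAP, covering two checks a practitioner would want before saving the Step 1 settings and the fingerprint above: that the Server address and Enable StartTLS combination can actually work (StartTLS belongs on the plain port, LDAPS on 636), and a pinned-fingerprint comparison of the kind the console's one-click fingerprint establishes. It assumes (not stated on the page) that the fingerprint is the lowercase hex SHA-256 of the DER-encoded certificate and that port 636 means implicit TLS; the embedded certificate bytes are a constructed placeholder, not a real certificate.

```python
"""Added example: validate the transport settings and pin an LDAP server
certificate by SHA-256 fingerprint. Not IDaaS or OpenLDAP code.

Assumptions (not from the page): fingerprint = lowercase hex SHA-256 over the
DER certificate; port 636 means LDAPS (implicit TLS); SAMPLE_DER is a
constructed placeholder, not a real certificate.
"""
import base64
import hashlib
import hmac
import ssl

LDAP_PORT, LDAPS_PORT = 389, 636


def classify_transport(server_address: str, starttls: bool) -> tuple[str, str, int]:
    """Return (mode, host, port) for the console settings.

    StartTLS is an extended operation sent over the plain LDAP port, so it
    belongs with 389. An LDAPS listener on 636 expects a TLS handshake first
    and will not accept a StartTLS request. IPv6 literals are not handled.
    """
    host, sep, port_text = server_address.rpartition(":")
    if not sep or not host or not port_text.isdigit():
        raise ValueError(f"expected host:port, got {server_address!r}")
    port = int(port_text)
    if starttls and port == LDAPS_PORT:
        raise ValueError("StartTLS cannot be used on the LDAPS port 636; use 389")
    if starttls:
        return "starttls", host, port
    if port == LDAPS_PORT:
        return "ldaps", host, port
    return "plaintext", host, port  # bind credentials would cross the network unprotected


def sha256_fingerprint(pem_cert: str) -> str:
    """SHA-256 over the DER bytes, as printed by `openssl x509 -noout -fingerprint -sha256`."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    return hashlib.sha256(der).hexdigest()


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:...' or 'abcd...' spellings of the same fingerprint."""
    return fp.replace(":", "").replace(" ", "").lower()


def matches_pin(pem_cert: str, pinned_fingerprint: str) -> bool:
    """Constant-time comparison of the presented certificate against the pinned value."""
    return hmac.compare_digest(sha256_fingerprint(pem_cert), normalize_fingerprint(pinned_fingerprint))


def fetch_ldaps_certificate(host: str, port: int = LDAPS_PORT) -> str:
    """Fetch the PEM certificate an LDAPS listener presents (needs network access).

    Works only for implicit TLS on 636. For StartTLS on 389 the client must
    speak LDAP first, so use an LDAP client library or
    `openssl s_client -starttls ldap -connect host:389`.
    """
    return ssl.get_server_certificate((host, port))


def make_sample_pem(der: bytes) -> str:
    """Wrap raw bytes as a PEM block; used only to build the constructed sample."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# Constructed placeholder: a tiny DER SEQUENCE, not a real certificate.
SAMPLE_DER = bytes.fromhex("300302010a")
SAMPLE_PEM = make_sample_pem(SAMPLE_DER)

if __name__ == "__main__":
    print(classify_transport("127.0.0.1:389", starttls=True))
    pinned = sha256_fingerprint(SAMPLE_PEM)  # the value you would keep in IDaaS
    print(pinned, matches_pin(SAMPLE_PEM, pinned.upper()))
```

After a certificate renewal, `matches_pin` returns False for the new certificate even though it is valid, which is the failure mode to expect if the fingerprint in IDaaS is not refreshed.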

LDAP personalization

ObjectClass

In LDAP, an ObjectClass defines the set of attributes an entry may or must carry. Every entry has at least one ObjectClass, and the ObjectClass values are what identify an entry as a user, an organization, or a computer. For example, if you set User ObjectClass to "inetOrgPerson,posixAccount,top" in IDaaS, IDaaS treats the entry in the following figure, whose objectClass values are those classes, as a user. You can view the ObjectClass values when you edit an entry in LDAP.

image

Important

LDAP schemas are flexible. If you use custom ObjectClasses for users or organizations, the User ObjectClass and Organization ObjectClass settings in IDaaS must match the classes the entries actually carry. Otherwise, the synchronized data will not be what you expect.

Logon identity

When a user logs on to IDaaS through LDAP delegated authentication, IDaaS uses the configured User Sign-in ID attributes to find the user in LDAP and then verifies the password against that entry. If the password is correct, the user is allowed to log on to IDaaS.

Typical choices are uid, mobile phone number, mail, or employee ID. You can set these attributes when you create the connection or later in the Delegated Authentication settings. If you configure multiple attributes, each login value must be unique across the directory and must resolve to the same LDAP user. Otherwise, delegated authentication fails for that user.
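The following is an added example, not IDaaS code, showing how the User Sign-in ID setting from Step 2 and the logon identity rules above translate into a lookup: the login value is escaped before it is placed in an LDAP filter (otherwise a login of "*" or "x)(uid=admin" changes the filter's meaning), the sign-in attributes are OR-ed together, and a value that resolves to more than one entry is refused rather than picking one. It assumes, beyond what the page states, that the setting is a comma-separated attribute list such as "uid,mail,employeeNumber"; the filter shape is illustrative because IDaaS's actual filter is not documented; the directory is a constructed in-memory stand-in, and the password comparison stands in for the bind a real client performs against the server.

```python
"""Added example: delegated-authentication lookup with RFC 4515 filter
escaping and a strict one-match rule. Not IDaaS code.

Assumptions (not from the page): comma-separated sign-in attribute setting,
illustrative filter shape, constructed in-memory directory, and a local
password comparison standing in for the real LDAP bind.
"""
import hmac

# RFC 4515: these characters in an assertion value must be hex-escaped.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


class AmbiguousLogin(Exception):
    """The login value resolves to more than one LDAP entry."""


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied login before it goes into a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def signin_attributes(setting: str) -> list[str]:
    """Parse the console value 'uid, mail,employeeNumber' into attribute names."""
    attrs = [a.strip() for a in setting.split(",") if a.strip()]
    if not attrs:
        raise ValueError("User Sign-in ID must name at least one attribute")
    return attrs


def build_login_filter(setting: str, login: str, user_object_class: str = "inetOrgPerson") -> str:
    """Filter to send to the server: the sign-in attributes are OR-ed together."""
    attrs = signin_attributes(setting)
    value = escape_filter_value(login)
    clauses = "".join(f"({attr}={value})" for attr in attrs)
    if len(attrs) > 1:
        clauses = f"(|{clauses})"
    return f"(&(objectClass={user_object_class}){clauses})"


def find_user(directory: list[dict], setting: str, login: str) -> dict:
    """Return the single entry the login resolves to, or raise.

    Emulates an LDAP search with caseIgnore matching on the sign-in attributes.
    Two different entries matching (for example one user's uid equal to another
    user's employeeNumber) is a failure, not a coin toss.
    """
    wanted = login.casefold()
    attrs = signin_attributes(setting)
    matches = [e for e in directory
               if any(v.casefold() == wanted for a in attrs for v in e.get(a, []))]
    if not matches:
        raise LookupError(f"no user matches {login!r}")
    if len(matches) > 1:
        raise AmbiguousLogin(f"{login!r} matches {[e['dn'] for e in matches]}")
    return matches[0]


def authenticate(directory: list[dict], setting: str, login: str, password: str) -> bool:
    """Delegated authentication: resolve the entry, then verify the password."""
    try:
        entry = find_user(directory, setting, login)
    except (LookupError, AmbiguousLogin):
        return False
    # A real client binds as entry["dn"] with the password; here the stored
    # value is compared in constant time to stand in for that bind.
    stored = entry.get("userPassword", [""])[0]
    return hmac.compare_digest(stored.encode(), password.encode())


# Constructed sample directory (not real accounts). The contractor's uid
# collides with jdoe's employeeNumber, which makes the login "1001" ambiguous.
DIRECTORY = [
    {"dn": "uid=jdoe,ou=People,dc=example,dc=com", "uid": ["jdoe"],
     "mail": ["jdoe@example.com"], "employeeNumber": ["1001"], "userPassword": ["correct horse"]},
    {"dn": "uid=asmith,ou=People,dc=example,dc=com", "uid": ["asmith"],
     "mail": ["asmith@example.com"], "employeeNumber": ["1002"], "userPassword": ["battery staple"]},
    {"dn": "uid=1001,ou=Contractors,dc=example,dc=com", "uid": ["1001"],
     "mail": ["contractor1001@example.com"], "userPassword": ["hunter2"]},
]

if __name__ == "__main__":
    print(build_login_filter("uid,mail", "jdoe)(uid=admin"))
    print(authenticate(DIRECTORY, "uid,mail", "JDoe@example.com", "correct horse"))
    print(authenticate(DIRECTORY, "uid,employeeNumber", "1001", "correct horse"))  # ambiguous
```

The last call returns False even with the right password: "1001" is jdoe's employee number and the contractor's uid, so with "uid,employeeNumber" configured the lookup is ambiguous and the logon is refused, which is the situation the page warns about.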

LDAP synchronization configuration

Get the Base DN

The Base DN is the DN of the LDAP node under which IDaaS performs all of its operations, such as queries and data synchronization. You set the Base DN of the target node in the Synchronization Direction settings.

A DN has the form ou=AnOrganization,dc=example,dc=com. The DN of the root node is typically your domain, dc=example,dc=com. You can also read the DN of a node directly in LDAP, as shown in the following figure:

image

Because a node's DN changes when the node is moved or renamed, IDaaS records the node's entryUUID as a fingerprint when you configure the target Base DN. If the configured Base DN no longer resolves to the entry with that entryUUID, synchronization is blocked instead of writing under a different node. After you reconfigure the target node, synchronization resumes normally.
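The following is an added example, not IDaaS code, that ties together the Synchronization Direction setting from Step 2, the Step 3 field mapping, and the entryUUID fingerprint described above: it refuses to run when the target Base DN now names a different entry, then builds the organization and user entries IDaaS would write and renders them as LDIF with RFC 4514 DN escaping (so a display name such as "Doe, John" cannot split a DN) and RFC 2849 value encoding (so a value containing a newline cannot inject extra attributes). The directory is a constructed in-memory stand-in keyed by DN; the IDaaS records, the mapping and the entryUUID values are constructed; organizations use ou and users uid as RDN, as the page describes, and users get objectClass inetOrgPerson,top rather than the page's inetOrgPerson,posixAccount,top because posixAccount would additionally require uidNumber, gidNumber and homeDirectory.

```python
"""Added example: plan an outbound sync run guarded by the Base DN's
entryUUID, with field mapping and safe LDIF output. Not IDaaS code.

Assumptions (not from the page): constructed directory, records, mapping
and entryUUID values; objectClass inetOrgPerson,top for users.
"""
import base64

_DN_SPECIAL = set(',+"\\<>;=')


class TargetNodeMoved(Exception):
    """Configured Base DN no longer points at the node it was pinned to."""


def escape_rdn_value(value: str) -> str:
    """RFC 4514 escaping so 'Doe, John' or '#ops' cannot split or corrupt a DN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ldif_line(attr: str, value: str) -> str:
    """RFC 2849: non-ASCII values, values starting with space/':'/'<', and
    values with control characters must be base64-encoded ('::')."""
    unsafe = (not value.isascii() or value[:1] in (" ", ":", "<")
              or any(ord(c) < 32 or ord(c) == 127 for c in value))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def check_target_node(directory: dict, base_dn: str, pinned_entry_uuid: str) -> None:
    """Block the run if the Base DN is gone or now names a different entry."""
    entry = directory.get(base_dn)
    if entry is None:
        raise TargetNodeMoved(f"{base_dn} no longer exists")
    if entry["entryUUID"] != pinned_entry_uuid:
        raise TargetNodeMoved(f"{base_dn} now has entryUUID {entry['entryUUID']}, "
                              f"expected {pinned_entry_uuid}; reconfigure the target node")


def plan_outbound_sync(directory, base_dn, pinned_entry_uuid, users, mapping):
    """Return the (dn, attributes) entries to write, parent organizations first."""
    check_target_node(directory, base_dn, pinned_entry_uuid)
    entries, seen_orgs = [], set()
    for user in users:
        parent = base_dn
        for org in user["org_path"]:  # top-down, e.g. Technical Department / Security
            parent = f"ou={escape_rdn_value(org)},{parent}"
            if parent not in seen_orgs:
                seen_orgs.add(parent)
                entries.append((parent, {"objectClass": ["organizationalUnit", "top"], "ou": [org]}))
        attrs = {"objectClass": ["inetOrgPerson", "top"]}
        for ldap_attr, idaas_field in mapping.items():  # Step 3 field mapping
            attrs[ldap_attr] = [user[idaas_field]]
        entries.append((f"uid={escape_rdn_value(attrs['uid'][0])},{parent}", attrs))
    return entries


def to_ldif(entries) -> str:
    blocks = []
    for dn, attrs in entries:
        lines = [ldif_line("dn", dn)] + [ldif_line(a, v) for a, vs in attrs.items() for v in vs]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


# Constructed data. STAFF_UUID is what IDaaS pinned when ou=Staff was chosen.
STAFF_UUID = "2f0d5b4e-1c3a-4d6e-9f0b-7a8c9d0e1f23"
DIRECTORY = {"dc=example,dc=com": {"entryUUID": "a1b2c3d4-0000-4000-8000-000000000001"},
             "ou=Staff,dc=example,dc=com": {"entryUUID": STAFF_UUID}}
# Same DN after an admin moved the old ou=Staff aside and created a new one:
MOVED_DIRECTORY = {"dc=example,dc=com": DIRECTORY["dc=example,dc=com"],
                   "ou=Staff,ou=Archive,dc=example,dc=com": {"entryUUID": STAFF_UUID},
                   "ou=Staff,dc=example,dc=com": {"entryUUID": "9e8d7c6b-0000-4000-8000-0000000000ff"}}
USERS = [{"org_path": ["Technical Department", "Security"], "mobile": "13800000000",
          "displayName": "Doe, John", "lastName": "Doe", "email": "jdoe@example.com"}]
MAPPING = {"uid": "mobile", "cn": "displayName", "sn": "lastName", "mail": "email", "mobile": "mobile"}

if __name__ == "__main__":
    print(to_ldif(plan_outbound_sync(DIRECTORY, "ou=Staff,dc=example,dc=com", STAFF_UUID, USERS, MAPPING)))
```

Running the same plan against MOVED_DIRECTORY raises TargetNodeMoved: the DN ou=Staff,dc=example,dc=com still exists, but its entryUUID is no longer the pinned one, which is exactly the case the fingerprint is there to catch.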

Scheduled Verification

At the scheduled verification time, IDaaS performs a full synchronization of all data under the source IDaaS node. To synchronize immediately, trigger a full synchronization manually.