Enabling authentication via LDAP

Talend MDM Platform Installation Guide, version 6.1
Task: Installation and Upgrade

To integrate MDM with an existing LDAP directory, you need to enable authentication via LDAP in the MDM configuration file and provide certain information about your LDAP installation.

If all MDM users are defined in LDAP:

  1. Start the MDM server in the default local authentication mode and connect to the Talend MDM Web User Interface as an admin user.

  2. Make sure an LDAP user exists with the same login as the default administrator user.

    If not, on the [Manage Users] page, create a new user with the UUID used by LDAP, grant it the administration and System_Admin rights, save your changes and shut down the MDM server.

  3. Follow the procedure to configure authentication via LDAP (see below).

If some technical users (such as administrator) are not defined in LDAP:

If the MDM user defined in the Talend MDM Web User Interface cannot be found in the LDAP directory, you need to make the server fall back on the existing MDM users during authentication.

  1. To configure this fallback operation, open the file <$INSTALLDIR>\conf\jaas_ldap.conf.

    The jaas_ldap.conf file is a template that contains the configuration information related to LDAP.

  2. Change the control flag of the LDAP login module to sufficient and chain the LDAP and MDM login modules together.

    You can use either direct or indirect LDAP authentication.

    For a complete procedure about how to use indirect LDAP authentication, see the Knowledge Base article https://help.talend.com/display/KB/How+to+configure+Talend+MDM+with+LDAP+authentication+if+LdapDirect+is+set+to+false.

    An example of using direct LDAP authentication (LdapDirect=true) is shown below:

    MDM {
      com.amalto.core.server.security.jaas.LDAPLoginModule sufficient
      useFirstPass=false
      java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
      java.naming.security.authentication="simple"
      java.naming.provider.url="ldap://localhost:10389"
      LdapDirect=true
      principalDNPrefix="cn="
      principalDNSuffix=",ou=talend,dc=example,dc=com";
    };
    TDSC {
      com.amalto.core.server.security.jaas.LDAPLoginModule sufficient
      useFirstPass=false
      java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
      java.naming.security.authentication="simple"
      java.naming.provider.url="ldap://localhost:10389"
      LdapDirect=true
      principalDNPrefix="cn="
      principalDNSuffix=",ou=talend,dc=example,dc=com";
    };

    An example of using indirect LDAP authentication (LdapDirect=false) is shown below:

    MDM {
      com.amalto.core.server.security.jaas.LDAPLoginModule sufficient
      useFirstPass=false
      java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
      java.naming.security.authentication="simple"
      java.naming.provider.url="ldap://localhost:10389"
      LdapDirect=false
      LdapAdminDN="uid=admin,ou=system"
      LdapAdminPassword=secret
      searchBase="ou=talend,dc=example,dc=com"
      searchFilter="(&(objectClass=*)&(cn={0}))";
    };
    TDSC {
      com.amalto.core.server.security.jaas.LDAPLoginModule sufficient
      useFirstPass=false
      java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
      java.naming.security.authentication="simple"
      java.naming.provider.url="ldap://localhost:10389"
      LdapDirect=false
      LdapAdminDN="uid=admin,ou=system"
      LdapAdminPassword=secret
      searchBase="ou=talend,dc=example,dc=com"
      searchFilter="(&(objectClass=*)&(cn={0}))";
    };

  3. Save your changes. If the LDAP login module (flagged as sufficient) succeeds, that is, the user exists both in LDAP and in MDM, no further authentication step is performed. If it fails, that is, the user does not exist in LDAP, authentication continues with the MDM login module (flagged as required).

  4. Follow the next procedure to update the LDAP configuration according to your installation.

To configure authentication via LDAP:

  1. Under the directory <$INSTALLDIR>\conf, open the file jaas_ldap.conf.

  2. Update the information shown in the table below with the appropriate details for your installation. Each entry gives the module-option name, its purpose and an example value.

    java.naming.factory.initial
      Purpose: Indicate the LDAP library/factory to be used.
      Example: com.sun.jndi.ldap.LdapCtxFactory

    useFirstPass
      Purpose: Indicate whether to use the stored login name and password for authentication.
      Example: false

    java.naming.security.authentication
      Purpose: Indicate the LDAP authentication scheme, which can be none, simple or strong.
      Example: simple

    java.naming.provider.url
      Purpose: Provide the URL of the LDAP server, including the port.
      Examples: ldap://monet:389 or ldap://your-company.com:3268

    LdapDirect
      Purpose: Specify which LDAP authentication method to use.
      • When this option is set to true, a direct attempt is made, using the username to build the distinguished name (DN) of the user. In this case, the principalDNPrefix and principalDNSuffix parameters must be set.
      • When it is set to false, the indirect authentication method is used, in which an admin user browses the LDAP directory to find the DN for the given username. In this case, the LdapAdminDN, LdapAdminPassword, searchBase and searchFilter parameters must be set.
      Examples: true or false

    principalDNPrefix
      Purpose: Specify the optional prefix to add to the username to build the DN in the direct method.
      Example: cn=

    principalDNSuffix
      Purpose: Specify the optional suffix to add to the username to build the DN in the direct method.
      Example: ,ou=talend,dc=example,dc=com

    LdapAdminDN
      Purpose: Specify the DN of a directory administrator.
      Example: uid=admin,ou=system

    LdapAdminPassword
      Purpose: Specify the password of a directory administrator.
      Example: secret

    searchBase
      Purpose: Define the location in the directory from which the LDAP search begins.
      Example: ou=talend,dc=example,dc=com

    searchFilter
      Purpose: Define the LDAP search criterion; {0} is replaced by the username.
      Example: (&(objectClass=*)&(cn={0}))

  3. Save your changes under the file name jaas.conf.

    Warning

    Since this action will replace the existing jaas.conf file, it is strongly recommended that you first make a backup copy of the existing jaas.conf file, and/or copy all the relevant configuration information into your new file.

  4. Restart your Talend MDM server for your changes to take effect.
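An added example (not Talend's code) that parses entries in the jaas_ldap.conf layout shown above, checks the control flag and the option set required for each LdapDirect mode, and shows how the username becomes a bind DN (direct) or is substituted into searchFilter (indirect). The sample configuration, the escaping rules and the ldaps:// check are assumptions of this example, not part of the guide.

```python
import re
# Constructed sample in the jaas_ldap.conf layout of this guide; TDSC has two deliberate mistakes.
SAMPLE_CONF = """
MDM {
  com.amalto.core.server.security.jaas.LDAPLoginModule sufficient
  java.naming.provider.url="ldap://localhost:10389"
  LdapDirect=true
  principalDNPrefix="cn="
  principalDNSuffix=",ou=talend,dc=example,dc=com";
};
TDSC {
  com.amalto.core.server.security.jaas.LDAPLoginModule required
  LdapDirect=false
  LdapAdminDN="uid=admin,ou=system"
  searchBase="ou=talend,dc=example,dc=com"
  searchFilter="(&(objectClass=*)&(cn={0}))";
};
"""
REQUIRED = {True: ("principalDNPrefix", "principalDNSuffix"),  # options per LdapDirect mode
            False: ("LdapAdminDN", "LdapAdminPassword", "searchBase", "searchFilter")}
OPTION_RE = re.compile(r'([\w.]+)=(?:"([^"]*)"|([^\s;]+))')

def parse_jaas_entry(text, name):
    """Return (module class, control flag, {option: value}) for one JAAS entry."""
    m = re.search(r"\b%s\s*\{(.*?)\};" % re.escape(name), text, re.S)
    if not m: raise ValueError("no JAAS entry named %s" % name)
    module, flag, options = m.group(1).split(None, 2)
    return module, flag, {k: q or bare for k, q, bare in OPTION_RE.findall(options)}

def check_options(flag, opts):
    """List what should be fixed before deploying the entry (assumed checks)."""
    problems = []
    if flag != "sufficient":
        problems.append("flag is %r; use 'sufficient' so users missing in LDAP fall back to MDM" % flag)
    direct = opts.get("LdapDirect", "false").lower() == "true"
    for key in REQUIRED[direct]:
        if key not in opts:
            problems.append("%s is missing for LdapDirect=%s" % (key, str(direct).lower()))
    if not opts.get("java.naming.provider.url", "").startswith("ldaps://"):
        problems.append("provider URL is not ldaps://; a simple bind sends the password in clear")
    return problems

def bind_dn(opts, username):
    """Direct mode: DN = prefix + username + suffix, escaping RFC 4514 specials."""
    escaped = re.sub(r'([,+"\\<>;])', r"\\\1", username)
    return opts["principalDNPrefix"] + escaped + opts["principalDNSuffix"]

def search_filter(opts, username):
    """Indirect mode: substitute {0}, escaping RFC 4515 filter metacharacters."""
    escaped = "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in username)
    return opts["searchFilter"].replace("{0}", escaped)
```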