This article describes how to configure Authentication and Authorization in an On-Premises environment using LDAP (Lightweight Directory Access Protocol). LDAP enables enterprises to authenticate users to access OverOps by storing credentials on an external LDAP server.
To enable LDAP for OverOps you need to have access to the following properties:

• IP address and hostname of the LDAP server
• Bind user to access the LDAP server
• Bind password to the LDAP server.

LDAP configuration for OverOps is carried out from the On-Premises server properties file.

Authentication

Authentication is the process through which users are verified at login. By default, user accounts are managed by the OverOps analysis server. User accounts managed by OverOps, are stored and encrypted using Bcrypt (industry standard with salt strings).
OverOps also natively supports integrations with LDAP to synchronize with the chosen identity management solution.

To enable LDAP:

1. From /opt/takipi-server/storage/tomcat/shared directory, open the my.server.properties file.
2. In the my.server.properties file, comment out and fill in the LDAP parameters as follows:
   a. GLOBAL_DOMAIN_AUTH_ENABLED=true
   b. GLOBAL_DOMAIN_AUTH_TYPE=LDAP
   c. GLOBAL_DOMAIN_AUTH_LDAP_URL=
   Set the LDAP hostname according to the distinguished name of the organization configured in your LDAP server. Format: ldap[s]://<LDAP_HOSTNAME>:[port=636]
   Examples:

ldaps://takipi.com:636
ldap://takipi.com
ldaps://takipi.org.il

d. GLOBAL_DOMAIN_AUTH_LDAP_BIND_USER=
Set the binder user for your LDAP server.
Format: cn=,dc=,dc=
Example:
cn=peter,dc=overops,dc=com

e. GLOBAL_DOMAIN_AUTH_LDAP_BIND_PASSWORD=
Set the password for the binder user of the LDAP server.
Optional properties
f. GLOBAL_DOMAIN_AUTH_LDAP_BASE_DN=
Set the root to search from in the LDAP tree. Default: empty (searches the entire tree)
g. GLOBAL_DOMAIN_AUTH_LDAP_USERS_QUERY=
Set the users search query. Default: uid=? (for example: For Active Directory, use “(sAMAccountName=?)”)
The provided default includes the standard options for extracting the correct email, lastname, firstname and other parameters from the LDAP server. All parameter names in the default string are matched against the LDAP server and the relevant one is used:
h. LDAP_SAML_EMAIL_FIELD_NAMES=
Set the property names for the email property. Default: “mail;email”
i. LDAP_SAML_FIRSTNAME_FIELD_NAMES=
Sets the property names for the first name property. Default: “gn;givenName;firstName”
j. LDAP_SAML_LASTNAME_FIELD_NAMES
Sets the property names for the last name property. Default: “sn;surName;lastName”
k. LDAP_SAML_PHONE_FIELD_NAMES
Sets the property names for the phone property. Default: “telephoneNumber;phone;telephone;phoneNumber”

Example:

GLOBAL_DOMAIN_AUTH_ENABLED=true
GLOBAL_DOMAIN_AUTH_TYPE=LDAP
GLOBAL_DOMAIN_AUTH_LDAP_URL=ldaps://takipi.com
GLOBAL_DOMAIN_AUTH_LDAP_BIND_USER=cn=peter,dc=overops,dc=com 
GLOBAL_DOMAIN_AUTH_LDAP_BIND_PASSWORD=
GLOBAL_DOMAIN_AUTH_LDAP_BASE_DN=cn=Users,dc=example,dc=com
GLOBAL_DOMAIN_AUTH_LDAP_USERS_QUERY=(sAMAccountName=?)
LDAP_SAML_EMAIL_FIELD_NAMES=email;mail
LDAP_SAML_FIRSTNAME_FIELD_NAMES=gn;givenName;firstName
LDAP_SAML_LASTNAME_FIELD_NAMES=sn;surName;lastName
LDAP_SAML_PHONE_FIELD_NAMES=telephoneNumber;phone;telephone;phoneNumber

Authorization

Authorization is the control mechanism that allows authenticated users to view or change certain information.
Owners of each environment key (identified by a unique environment key) have Admin capabilities
Admins are authorized to change key and security settings, while retaining the ability to access information. They can edit code redaction policies, Storage Server location, manage user roles, etc. Admin users can set other users’ roles, and set the IP address range, from which authenticated users can access the key, to a specific network or VPN.

Members access is limited. Members may view snapshots, create views, and access information in OverOps, but they cannot change key or security configurations.

Automatic Distribution of Environment Keys

Every active environment key generated by the global domain initializer can be automatically shared with users logged in via LDAP.
To configure automatic key distribution:

• In the my.server.properties file, comment out and fill in the global domain initializer:
  GLOBAL_DOMAIN_INITIALIZER=

Role Based Access Control

Organizations may decided to leverage LDAP to control access to services. This requires configuration in the LDAP service itself as well as an `ldap-mapping.yaml' file configured in OverOps.

LDAP memberOf Configuration

The LDAP server should have the memberOf extension. This is enabled in OpenLDAP by default. If you do not have the memberOf extension consult our vendors documentation. The LDAP Admin would then create a group and associate that group with the user:

📘

Keep In Mind

These are very basic examples from our development teams test LDIF file. There are many ways of managing this. Use your LDAP server tools as you see fit. The key thing to know here is that OverOps uses the memberOf attribute on the user to determine LDAP group mapping.

Example Group

dn: cn=org1,ou=groups,dc=example,dc=org
cn: org1
uniqueMember:
objectclass: groupOfUniqueNames

Example User

dn: cn=jjordan,ou=users,dc=example,dc=org
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
cn: jjordan
. . .
mail: [email protected]
userpassword: password

Example Association

dn: cn=org1,ou=groups,dc=example,dc=org
changetype: modify
replace: uniqueMember
uniqueMember: cn=jjordan,ou=users,dc=example,dc=org

Configuring the `ldap-mapping.yaml' File

Once LDAP is configured for group management we need to tell OverOps what that group has access to. In order to do this we have created the example-ldap-mapping.yaml file in the configuration directory that you can copy/rename to ldap-mapping.yaml. The file format is YAML (https://yaml.org/spec/1.2.2/) it was chosen to help organize and visualize the structure of the LDAP configuration. At the top of the file is documentation on the formatting as well as an example.

The main parts are as follows:
groups - Document root that is required (do not change this)
LDAP Group names - Fully qualified path to the LDAP Group
OverOps Role name - Valid values are: ADMIN, MEMBER, VIEWER
Service Names - OverOps service names owned by the domain initializer that you wish to give access to

Misconfiguration

Since this is a configuration file there is a chance mistakes will be made. Best effort is made to give access to resources that are configurable. If an LDAP group, role or service is not found that permission will be ignored. If users are not getting access to everything they should please check the logs; when we cannot match things we will let you know.

File Handling

This file is live meaning if you create, update, or delete the file configuration changes take effect right away. While changes take effect right away the user will need to log out and log back in to see the changes in there user session.