DocumentationAPICommunitySupport
GuidesAPI
DocumentationAPICommunitySupportLog In

Configure LDAP for On-Premises Deployments

Suggest Edits

This article describes how to configure Authentication and Authorization in an On-Premises environment using LDAP (Lightweight Directory Access Protocol). LDAP enables enterprises to authenticate users to access OverOps by storing credentials on an external LDAP server.
To enable LDAP for OverOps you need to have access to the following properties:

  • IP address and hostname of the LDAP server
  • Bind user to access the LDAP server
  • Bind password to the LDAP server.

LDAP configuration for OverOps is carried out from the On-Premises server properties file.

Authentication

Authentication is the process through which users are verified at login. By default, user accounts are managed by the OverOps analysis server. User accounts managed by OverOps, are stored and encrypted using Bcrypt (industry standard with salt strings).
OverOps also natively supports integrations with LDAP to synchronize with the chosen identity management solution.

To enable LDAP:

  1. From /opt/takipi-server/storage/tomcat/shared directory, open the my.server.properties file.
  2. In the my.server.properties file, comment out and fill in the LDAP parameters as follows:
    a. GLOBAL_DOMAIN_AUTH_ENABLED=true
    b. GLOBAL_DOMAIN_AUTH_TYPE=LDAP
    c. GLOBAL_DOMAIN_AUTH_LDAP_URL=
    Set the LDAP hostname according to the distinguished name of the organization configured in your LDAP server. Format: ldap[s]://<LDAP_HOSTNAME>:[port=636]
    Examples:
ldaps://takipi.com:636
ldap://takipi.com
ldaps://takipi.org.il

d. GLOBAL_DOMAIN_AUTH_LDAP_BIND_USER=
Set the binder user for your LDAP server.
Format: cn=,dc=,dc=
Example:
cn=peter,dc=overops,dc=com

e. GLOBAL_DOMAIN_AUTH_LDAP_BIND_PASSWORD=
Set the password for the binder user of the LDAP server.
Optional properties
f. GLOBAL_DOMAIN_AUTH_LDAP_BASE_DN=
Set the root to search from in the LDAP tree. Default: empty (searches the entire tree)
g. GLOBAL_DOMAIN_AUTH_LDAP_USERS_QUERY=
Set the users search query. Default: uid=? (for example: For Active Directory, use “(sAMAccountName=?)”)
The provided default includes the standard options for extracting the correct email, lastname, firstname and other parameters from the LDAP server. All parameter names in the default string are matched against the LDAP server and the relevant one is used:
h. LDAP_SAML_EMAIL_FIELD_NAMES=
Set the property names for the email property. Default: “mail;email”
i. LDAP_SAML_FIRSTNAME_FIELD_NAMES=
Sets the property names for the first name property. Default: “gn;givenName;firstName”
j. LDAP_SAML_LASTNAME_FIELD_NAMES
Sets the property names for the last name property. Default: “sn;surName;lastName”
k. LDAP_SAML_PHONE_FIELD_NAMES
Sets the property names for the phone property. Default: “telephoneNumber;phone;telephone;phoneNumber”

Example:

GLOBAL_DOMAIN_AUTH_ENABLED=true
GLOBAL_DOMAIN_AUTH_TYPE=LDAP
GLOBAL_DOMAIN_AUTH_LDAP_URL=ldaps://takipi.com
GLOBAL_DOMAIN_AUTH_LDAP_BIND_USER=cn=peter,dc=overops,dc=com 
GLOBAL_DOMAIN_AUTH_LDAP_BIND_PASSWORD=
GLOBAL_DOMAIN_AUTH_LDAP_BASE_DN=cn=Users,dc=example,dc=com
GLOBAL_DOMAIN_AUTH_LDAP_USERS_QUERY=(sAMAccountName=?)
LDAP_SAML_EMAIL_FIELD_NAMES=email;mail
LDAP_SAML_FIRSTNAME_FIELD_NAMES=gn;givenName;firstName
LDAP_SAML_LASTNAME_FIELD_NAMES=sn;surName;lastName
LDAP_SAML_PHONE_FIELD_NAMES=telephoneNumber;phone;telephone;phoneNumber

Authorization

Authorization is the control mechanism that allows authenticated users to view or change certain information.
Owners of each environment key (identified by a unique environment key) have Admin capabilities
Admins are authorized to change key and security settings, while retaining the ability to access information. They can edit code redaction policies, Storage Server location, manage user roles, etc. Admin users can set other users’ roles, and set the IP address range, from which authenticated users can access the key, to a specific network or VPN.

833

Manage access of team members and IP access points

Members access is limited. Members may view snapshots, create views, and access information in OverOps, but they cannot change key or security configurations.

Automatic Distribution of Environment Keys

Every active environment key generated by the global domain initializer can be automatically shared with users logged in via LDAP.
To configure automatic key distribution:

  • In the my.server.properties file, comment out and fill in the global domain initializer:
    GLOBAL_DOMAIN_INITIALIZER=

Updated over 2 years ago