This article describes how to configure authentication and authorization in an On-Premises environment using LDAP (Lightweight Directory Access Protocol). LDAP lets an enterprise authenticate users to OverOps against credentials held on an external LDAP server.
To enable LDAP for OverOps you need the following details:
- IP address and hostname of the LDAP server
- Bind user used to access the LDAP server
- Bind password for that user
LDAP configuration for OverOps is carried out from the On-Premises server properties file.
Authentication is the process through which users are verified at login. By default, user accounts are managed by the OverOps analysis server, and the passwords of those accounts are stored as salted bcrypt hashes (an industry-standard password hashing scheme).
OverOps also natively supports integrations with LDAP to synchronize with the chosen identity management solution.
To enable LDAP:
- From the /opt/takipi-server/storage/tomcat/shared directory, open the my.server.properties file.
- In the my.server.properties file, uncomment and fill in the LDAP parameters as follows:
| Property | Description | Default / example |
|---|---|---|
| GLOBAL_DOMAIN_AUTH_LDAP_URL | Set the LDAP hostname according to the distinguished name of the organization configured in your LDAP server. Format: `ldap[s]://<LDAP_HOSTNAME>:[port=636]` | `ldaps://takipi.com:636`, `ldap://takipi.com`, `ldaps://takipi.org.il` |
| GLOBAL_DOMAIN_AUTH_LDAP_BIND_USER | Set the bind user for your LDAP server. | |
| GLOBAL_DOMAIN_AUTH_LDAP_BIND_PASSWORD | Set the password for the bind user of the LDAP server. | |
| GLOBAL_DOMAIN_AUTH_LDAP_BASE_DN | Set the root to search from in the LDAP tree. | Default: empty (searches the entire tree) |
| GLOBAL_DOMAIN_AUTH_LDAP_USERS_QUERY | Set the user search query; `?` is replaced by the login name. | Default: `uid=?` (for Active Directory, use `(sAMAccountName=?)`) |

The provided defaults include the standard attribute names for extracting the email, last name, first name and other details from the LDAP server. Each name in a default string is matched against the LDAP entry, and the first one present is used:

| Property | Description | Default |
|---|---|---|
| LDAP_SAML_EMAIL_FIELD_NAMES | Sets the attribute names for the email property. | `mail;email` |
| LDAP_SAML_FIRSTNAME_FIELD_NAMES | Sets the attribute names for the first name property. | `gn;givenName;firstName` |
| LDAP_SAML_LASTNAME_FIELD_NAMES | Sets the attribute names for the last name property. | `sn;surName;lastName` |
| LDAP_SAML_PHONE_FIELD_NAMES | Sets the attribute names for the phone property. | `telephoneNumber;phone;telephone;phoneNumber` |
    GLOBAL_DOMAIN_AUTH_ENABLED=true
    GLOBAL_DOMAIN_AUTH_TYPE=LDAP
    GLOBAL_DOMAIN_AUTH_LDAP_URL=ldaps://takipi.com
    GLOBAL_DOMAIN_AUTH_LDAP_BIND_USER=cn=peter,dc=overops,dc=com
    GLOBAL_DOMAIN_AUTH_LDAP_BIND_PASSWORD=
    GLOBAL_DOMAIN_AUTH_LDAP_BASE_DN=cn=Users,dc=example,dc=com
    GLOBAL_DOMAIN_AUTH_LDAP_USERS_QUERY=(sAMAccountName=?)
    LDAP_SAML_EMAIL_FIELD_NAMES=email;mail
    LDAP_SAML_FIRSTNAME_FIELD_NAMES=gn;givenName;firstName
    LDAP_SAML_LASTNAME_FIELD_NAMES=sn;surName;lastName
    LDAP_SAML_PHONE_FIELD_NAMES=telephoneNumber;phone;telephone;phoneNumber
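To make the placeholder substitution and attribute fallback described above concrete, here is an added Python example (not OverOps code) that reads a constructed my.server.properties fragment, parses the ldap[s]:// URL with the page's default port, substitutes the `?` in the users query with an escaped login name, picks the first attribute present from a `;`-separated field-name list, and flags an empty bind password or a non-TLS URL. The RFC 4515 filter escaping and the 389 default for plain ldap:// are standard LDAP behaviour, not something the page states about OverOps.

```python
from urllib.parse import urlsplit
# Constructed sample of the my.server.properties lines described above (not a real server's file)
SAMPLE_PROPERTIES = """\
GLOBAL_DOMAIN_AUTH_LDAP_URL=ldaps://takipi.com
GLOBAL_DOMAIN_AUTH_LDAP_BIND_USER=cn=peter,dc=overops,dc=com
GLOBAL_DOMAIN_AUTH_LDAP_BIND_PASSWORD=
GLOBAL_DOMAIN_AUTH_LDAP_BASE_DN=cn=Users,dc=example,dc=com
GLOBAL_DOMAIN_AUTH_LDAP_USERS_QUERY=(sAMAccountName=?)
LDAP_SAML_EMAIL_FIELD_NAMES=email;mail
"""

def parse_properties(text):
    """Minimal key=value reader; '#' lines are parameters still commented out."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def ldap_endpoint(url):
    """(scheme, host, port) for ldap[s]://HOST[:port]; ldaps defaults to 636, plain ldap to 389."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("expected ldap[s]://<LDAP_HOSTNAME>[:port]")
    return parts.scheme, parts.hostname, parts.port or (636 if parts.scheme == "ldaps" else 389)

# RFC 4515 escapes, so the typed login name is matched literally inside the search filter
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def user_filter(query, username):
    """Substitute the '?' placeholder of the users query, e.g. (sAMAccountName=?)."""
    return query.replace("?", "".join(_FILTER_ESCAPES.get(c, c) for c in username))

def pick_attribute(field_names, entry):
    """First name in an 'a;b;c' list that the directory entry actually carries."""
    return next((entry[n] for n in field_names.split(";") if entry.get(n)), None)

def check_config(props):
    """Misconfigurations to flag before enabling LDAP login."""
    issues = []
    if ldap_endpoint(props["GLOBAL_DOMAIN_AUTH_LDAP_URL"])[0] != "ldaps":
        issues.append("plain ldap:// sends the simple bind in cleartext; use ldaps://")
    if not props.get("GLOBAL_DOMAIN_AUTH_LDAP_BIND_PASSWORD"):
        issues.append("bind password is empty")
    if "?" not in props.get("GLOBAL_DOMAIN_AUTH_LDAP_USERS_QUERY", ""):
        issues.append("users query lacks the '?' login-name placeholder")
    return issues
```

Run `check_config(parse_properties(SAMPLE_PROPERTIES))` to see the empty bind password in the sample reported; the same functions work on the real file once it is read from disk.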
Authorization is the control mechanism that allows authenticated users to view or change certain information.
Owners of each environment (identified by a unique environment key) have Admin capabilities.
Admins are authorized to change key and security settings while retaining full access to information: they can edit code redaction policies and the Storage Server location, manage user roles, and so on. Admin users can set other users' roles, and can restrict the IP address range from which authenticated users may access the key to a specific network or VPN.
Member access is limited. Members may view snapshots, create views, and access information in OverOps, but they cannot change key or security configurations.
Every active environment key generated by the global domain initializer can be automatically shared with users logged in via LDAP.
To configure automatic key distribution:
- In the my.server.properties file, uncomment and fill in the global domain initializer: