Managing Security with LDAP


LDAP Authentication

Artifactory OSS has out-of-the-box support for authenticating users against an LDAP server.
When LDAP authentication is active, Artifactory will first attempt to authenticate the user against the LDAP server. If the LDAP authentication fails, Artifactory will try to authenticate via its internal database.
For every LDAP authenticated user Artifactory will create a new user in the internal database, if that user doesn't already exist, and will assign the user the default (auto-join) groups.

Managing Permissions for LDAP Groups

Artifactory can synchronize your LDAP groups and leverage your existing organizational structure when managing group-based permissions. LDAP groups in Artifactory use fast caching and support Static, Dynamic and Hierarchical mapping strategies. Management is done through multiple switchable LDAP settings, with visual feedback about the up-to-date status of groups and users coming from LDAP.
The LDAP Groups feature is bundled as one of the add-ons in the Artifactory Power Pack.

Configuration

LDAP authentication is configurable from Admin:Security:LDAP Settings.

The configuration parameters for connecting to LDAP are:

  • Ldap Url - Location of the LDAP server in the form of: ldap://myserver:myport/dc=sampledomain,dc=com. It should include the base DN for searching and/or authenticating users.
  • User DN Pattern - A DN pattern that can be used to log users in to the LDAP directory directly. This pattern is used to build a DN string for "direct" user authentication; the pattern is relative to the base DN in the ldapUrl. The argument {0} is replaced with the username at runtime. This works only if anonymous binding is allowed and a direct user DN can be used (which is not the default case for Active Directory).
    For example:
    uid={0},ou=People
  • Search Filter - A filter expression used to search for the user DN that will be used in LDAP authentication.
    This is an LDAP search filter (as defined in RFC 2254) with optional arguments. Here the username is the only argument, denoted by '{0}'.
    Possible examples are:
    (uid={0}) - this searches for a username match on the uid attribute.
    If the search succeeds, authentication to LDAP is done by binding with the DN found.
  • Search Base - Context name to search in, relative to the base DN in the ldapUrl. This parameter is optional.
  • Manager DN - Used only with "search" authentication method. It is the DN of the user who will bind to the LDAP server to perform the search.
  • Manager Password - Used only with "search" authentication method. It is the password of the user who will bind to the LDAP server to perform the search.
  • Search Sub Tree - Flag to enable deep search through the sub tree of the ldapUrl + searchBase. True by default.
  • Auto Create Artifactory Users - Whether or not to automatically create new users in Artifactory for logged-in LDAP users and assign them default auto-join groups.
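The two settings above substitute the username into different contexts: the User DN Pattern produces a DN, the Search Filter produces a filter, and each context has its own set of characters that must be escaped so that the username cannot change the structure of the string. The script below is an added example, not Artifactory's own code (the page does not describe how Artifactory performs the substitution); it escapes the {0} argument per RFC 4515 for filters and RFC 4514 for DNs, and offers a dry run of a filter with the OpenLDAP ldapsearch client so the Manager DN, Search Base and filter can be verified before they go into Admin:Security:LDAP Settings. The host, DNs and user names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Artifactory documentation). Builds the strings behind
# the "User DN Pattern" and "Search Filter" settings with the {0} argument escaped
# for its context (RFC 4515 for filters, RFC 4514 for DNs), then offers a dry run
# of the filter with ldapsearch. Host, DNs and user names are constructed placeholders.

# Escape a value substituted into a search filter: \ * ( ) become \5c \2a \28 \29.
# Backslash goes first so the escapes added afterwards are not escaped again.
ldap_escape_filter_value() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Escape a value substituted into a DN: backslash is doubled and , + " < > ; get a
# leading backslash, so a user name cannot add or alter RDNs of the pattern.
ldap_escape_dn_value() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/,/\\,/g' -e 's/+/\\+/g' -e 's/"/\\"/g' \
                           -e 's/</\\</g' -e 's/>/\\>/g' -e 's/;/\\;/g'
}

# Replace the first {0} in a template with an already escaped value. Plain string
# splitting is used rather than sed, so backslashes in the value survive untouched.
fill_template() {
    _tpl=$1
    case $_tpl in
        *"{0}"*) ;;
        *) printf 'template has no {0} argument: %s\n' "$_tpl" >&2; return 1 ;;
    esac
    _head=${_tpl%%"{0}"*}
    _tail=${_tpl#*"{0}"}
    printf '%s%s%s\n' "$_head" "$2" "$_tail"
}

build_filter() { fill_template "$1" "$(ldap_escape_filter_value "$2")"; }
build_dn()     { fill_template "$1" "$(ldap_escape_dn_value "$2")"; }

# Dry-run a filter with the Manager DN before saving it in Artifactory. -W prompts
# for the Manager Password so it is never on the command line or in shell history.
check_search_filter() {
    command -v ldapsearch >/dev/null 2>&1 || { echo 'ldapsearch not installed' >&2; return 2; }
    ldapsearch -x -H "$1" -D "$2" -W -b "$3" -s sub "$(build_filter "$4" "$5")" dn
}

# Demo with placeholder values (nothing is contacted). The second value carries
# filter metacharacters and comes out inert.
printf 'filter:    %s\n' "$(build_filter '(uid={0})' 'jdoe')"
printf 'filter:    %s\n' "$(build_filter '(uid={0})' 'jd(oe)*')"
printf 'direct DN: %s\n' "$(build_dn 'uid={0},ou=People' 'jdoe,ou=Admins')"
# To run the check against a real directory (placeholder values):
# check_search_filter ldap://myserver:myport 'cn=manager,dc=sampledomain,dc=com' \
#     'ou=People,dc=sampledomain,dc=com' '(uid={0})' jdoe
```

The Search Base passed to check_search_filter is the full DN (the Artifactory setting is relative to the base DN in the ldapUrl, so append that part yourself), and -s sub mirrors the Search Sub Tree flag; use -s one to see what a non-recursive search would find.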

Avoiding Clear Text Passwords

Storing your LDAP password in clear text in settings.xml on your disk is a serious security risk, since this password is very sensitive and is used for SSO to other resources on the domain.
We strongly recommend, especially with LDAP, using Artifactory's encrypted passwords in your local settings.

Preventing Authentication Fallback to the Local Artifactory Realm

As an administrator you might want users to authenticate only through LDAP with their LDAP password. However, if a user already had an account with a password in the internal database, Artifactory will fall back to that database password when the LDAP password fails.
To prevent this, edit the specific user (Admin:Security:Users) and turn on the Disable Internal Password flag.

Using LDAPS (Secure LDAP)

To use LDAPS your LDAP server needs to have a valid certificate from a CA trusted by Java. No other setting is required, except using a secure LDAP URL in your settings, e.g. ldaps://secure_ldap_host:636/dc=sampledomain,dc=com

If, however, you wish to use LDAPS with a non-trusted (self-signed) certificate, please follow these steps (thanks to Marc Schoechlin for providing this information):

  1. Download the certificate chain of the SSL-secured LDAP server (stdin is closed so that s_client exits once the handshake is done)
    openssl s_client -connect the.ldap.server.net:636 -showcerts < /dev/null > server.ca
  2. Identify the CA certificate and keep only the ASCII text between the BEGIN/END CERTIFICATE markers
  3. Identify the standard cacerts file of your Java installation
  4. Create a custom cacerts file by copying the cacerts file to the Artifactory configuration dir, e.g.
    cp /usr/lib64/jvm/java-1_6_0-ibm-1.6.0/jre/lib/security/cacerts /etc/artifactory
  5. Import the CA certificate
    keytool -import -alias myca -keystore cacerts -trustcacerts -file server.ca
    => Password: changeit
    => Agree to adding the certificate
  6. Change permissions for the artifactory user
    chmod 755 /etc/artifactory/cacerts
    chown artifactory:users /etc/artifactory/cacerts
  7. Modify the defaults of the Artifactory JVM to use the custom cacerts file
    echo "export JAVA_OPTIONS=\"\$JAVA_OPTIONS -Djavax.net.ssl.trustStore=/etc/artifactory/cacerts\"" >> /etc/artifactory/default
  8. Restart Artifactory
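The eight steps above as one script, added here as an example and not part of the original page or of Artifactory: it fetches the chain the server presents, keeps the last PEM block, prints its subject, issuer and fingerprint so you can confirm it really is the CA before trusting it, imports it into a copy of the JVM cacerts, and points Artifactory's JVM at that copy. The host, the Java and Artifactory paths, the alias and the keystore password are placeholders taken from the steps above and are overridable through environment variables; the script uses chmod 644 rather than 755 because a truststore is read, not executed.

```shell
#!/bin/sh
# Added example (not from the Artifactory documentation): the self-signed LDAPS
# steps as one script. Host, paths, alias and keystore password are placeholders.

LDAP_HOST=${LDAP_HOST:-the.ldap.server.net}
LDAP_PORT=${LDAP_PORT:-636}
JAVA_CACERTS=${JAVA_CACERTS:-/usr/lib64/jvm/java-1_6_0-ibm-1.6.0/jre/lib/security/cacerts}
ART_ETC=${ART_ETC:-/etc/artifactory}
CA_ALIAS=${CA_ALIAS:-myca}
STOREPASS=${STOREPASS:-changeit}   # default cacerts password; adjust if yours differs

# Print the certificate chain the server sends (stdin closed so s_client exits).
fetch_server_chain() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null
}

# From s_client output on stdin, print only the last PEM block. A self-signed
# server sends just its own certificate; with a private CA the last block is the
# topmost certificate the server was configured to send, so still check it.
extract_last_cert() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { block = ""; inblock = 1 }
        inblock                       { block = block $0 "\n" }
        /-----END CERTIFICATE-----/   { inblock = 0; last = block }
        END                           { printf "%s", last }
    '
}

# Number of PEM certificates on stdin (how long the presented chain is).
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----'
}

install_ldaps_ca() {
    chain=$(fetch_server_chain "$LDAP_HOST" "$LDAP_PORT")
    printf '%s\n' "$chain" | extract_last_cert > server.ca
    printf 'chain length: %s\n' "$(printf '%s\n' "$chain" | count_certs)"
    # For a self-signed certificate subject and issuer match; record the fingerprint
    # and compare it with what the LDAP administrator gives you before trusting it.
    openssl x509 -noout -subject -issuer -fingerprint -sha256 -in server.ca

    cp "$JAVA_CACERTS" "$ART_ETC/cacerts"
    keytool -importcert -alias "$CA_ALIAS" -keystore "$ART_ETC/cacerts" -trustcacerts \
        -file server.ca -storepass "$STOREPASS" -noprompt
    # Confirm the alias is now present in the custom truststore.
    keytool -list -keystore "$ART_ETC/cacerts" -storepass "$STOREPASS" -alias "$CA_ALIAS"

    chown artifactory:users "$ART_ETC/cacerts"
    chmod 644 "$ART_ETC/cacerts"   # read-only for everyone but the owner; no execute bit
    echo "export JAVA_OPTIONS=\"\$JAVA_OPTIONS -Djavax.net.ssl.trustStore=$ART_ETC/cacerts\"" >> "$ART_ETC/default"
    echo 'now restart Artifactory'
}

# Run the procedure only when asked; sourcing the file just defines the helpers.
if [ "${RUN_LDAPS_SETUP:-0}" = 1 ]; then
    install_ldaps_ca
fi
```

Run it as root with RUN_LDAPS_SETUP=1 after setting the variables for your installation. Because the custom cacerts is a copy of the JVM's file, a JVM update does not refresh it; repeat the copy and import after upgrading Java.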