LDAP authentication
Enterprise Edition
Tarantool Cluster Manager is a part of the Enterprise Edition.
In addition to its internal role-based access control model, Tarantool Cluster Manager can use an external LDAP (Lightweight Directory Access Protocol) directory server for user authentication and authorization.
When LDAP authentication is enabled, TCM uses a connected LDAP directory server to authenticates users who submit the login form. TCM constructs requests to the servers according to configuration parameters described on this page. Permissions of LDAP users in TCM are defined by LDAP group mapping.
Both LDAP and secure LDAPS (LDAP over TLS) protocols are supported.
To allow LDAP user authentication in TCM, enable the ldap
authentication method
in the security.auth configuration option before startup:
In the YAML TCM configuration:
security: auth: - ldap
In the command line:
$ tcm --security.auth="ldap"
Примечание
If both authentication methods – LDAP and local – are enabled, TCM tries them for each login attempt in the order they are specified in the configuration.
To enable LDAP user access to TCM, create an LDAP configuration that connects TCM to the LDAP server that stores the users. An LDAP configuration defines how TCM connects to the server and queries user data. To create an LDAP configuration, go to the LDAP page in the Settings group and click Add.
To edit an LDAP configuration, click Edit in the Actions menu of the corresponding row.
To delete an LDAP configuration, click Delete in the Actions menu of the corresponding row.
Define the general configuration settings:
Enabled. Defines if the configuration is used. Turn the toggle off to stop using the configuration.
Примечание
If there are several enabled LDAP configurations, TCM attempts to use them for user authentication in the order they are created.
Automatically add non-existent users. By default, TCM automatically saves LDAP user information to its backend store upon their first login. Turn the toggle off if you don’t want to save users from this LDAP server.
Enter the LDAP server connection parameters:
- Endpoints. URLs of the LDAP server. Example:
127.0.0.1:5056
. - Request timeout. The timeout for TCM requests to the LDAP server, in seconds.
- Enabled TLS. If the server uses LDAPS, turn this toggle on and specify TLS connection parameters, such as a certificate and a key file.
To define how TCM queries the LDAP server for user authentication and authorization, fill in the fields of the Queries step:
Query user and Query password. Credentials of the LDAP user on behalf of which all LDAP queries are executed: a distinguished name (DN) and a password. Example DN:
cn=admin,cn=users,dc=tarantool,dc=io
Base DN. The DN of a directory that serves as a root for making all LDAP requests. Example:
dc=tarantool,dc=io
.Username regex. A regular expression that defines a username template for this LDAP configuration. When a user enters their username on the login page, TCM matches it against username regular expressions of all enabled LDAP configurations and selects the one to use for this user authentication.
Example: a regex to match employee email addresses within the specified domain.
^([\w\-\.]+)@tarantool.io$
(Optional) Template DN. A template for building a DN to send in an authentication bind request. Use the numbers in curly braces as placeholders to replace with username regex parts:
{0}
,{1}
, and so on.Example:
cn={0},cn=users,dc=tarantool,dc=io
When used with the Username regex shown above, it substitutes
{0}
with the username part of the email address (before@
) entered into the login form. For example, the usernameuser1@tarantool.io
forms the following DN for bind request:cn=user1,cn=users,dc=tarantool,dc=io
(Optional) Template query. A template for querying the LDAP server for the DN. This way is used if Template DN is not provided.
Group query template. A template for querying groups to which a user belongs for authorization purposes. Learn more in LDAP user permissions. Example:
(&(objectCategory=person)(objectClass=user)(cn={0}))
Permissions of LDAP users in TCM are defined by the groups to which they belong. You can map TCM administrative and cluster permissions to LDAP groups on the Groups step of the configuration creation.
To assign permissions to an LDAP group, click Add group. In the dialog that opens,
enter the group name, for example, CN=Admins,CN=Builtin,DC=tarantool,DC=io
.
Then, select administrative permission to grant to this group in the Permissions list.
To grant cluster permissions, click Add cluster. Select a cluster and the cluster permissions to grant to the group. Save the group.
Each user has permissions of all LDAP groups to which they belong.