LDAP integration question

[euanmacinnes]

One of the biggest headaches of database admin, and infrastructure is the separate account management of individual apps. Is there a plan to add LDAP support for CloudBeaver, so that we can give consistent account logging information to users, as well as map connections to LDAP roles for centralized security management? 2-4 users isn't much of a problem, but 40-50 users most definitely is, just to give an idea of scale.

[kseniiaguzeeva]

Thank you for the idea. We will think what can be done.

[simonpinnow]

Hi, this would be an important feature for us, too. Without it is hard to handle. We want to use it inside of a kubernetes.

Thank you. Best regards. Simon

[Geronium]

hello,

some news of the ldap integration ?

Thank you

[kseniiaguzeeva]

Could you please give more details and examples how do you use LDAP? Do you use it for Active Directory only? As I see different cases exist and we should understand what way will be the best to integrate it. Thank you in advance for your help.

[Geronium]

hello,

in my case, we use openldap to authenticate on the applications. Either directly or through the system (which allows it to authenticate via openldap).

you can see an exemple of the entry inside the ldap

dn: uid=test,ou=users,idPF=prod,ou=enterprise,c=com cn: test gidnumber: 1000 givenname: test homedirectory: /home/test loginshell: /bin/bash mail: test@test.com objectclass: top objectclass: person objectclass: inetOrgPerson objectclass: posixAccount sn: test uid: test uidnumber: 1000 userpassword: test

and an exemple of application configuration directly

import ldap import django_auth_ldap.config from django_auth_ldap.config import LDAPSearch

AUTH_LDAP_SERVER_URI = "ldap://172.222.1.254:389" AUTH_LDAP_BIND_DN = "cn=Manager,ou=enteprise,c=com" AUTH_LDAP_BIND_PASSWORD = "***" AUTH_LDAP_USER_SEARCH = django_auth_ldap.config.LDAPSearch( "ou=users,idPF=prod,ou=enterprise,c=com", ldap.SCOPE_SUBTREE, "uid=%(user)s" )

if we pass by the system, we need to authorize the system to authenticate with the ldap, for that i use nslcd and i add the rights in the pam.d configuration for this application

-(mer. juil. 07 10:22:47)--(myserver:/etc/pam.d)- [root] # cat application

%PAM-1.0

auth sufficient pam_ldap.so auth requisite pam_succeed_if.so quiet auth required pam_unix.so nodelay account required pam_unix.so

i don't know what is better, to authenticate by the system (if it's possible) or directly with the ldap, but it's what we need, in my case.

Thank you.

[dawsongzhao]

we aslo need ldap to countrol develper access connections

[kseniiaguzeeva]

@dawsongzhao thank you for voting. Could you please also give more details and examples how do you use LDAP?

[simonpinnow]

Hey, sorry for delay because of holiday.

For us it would be nice to have:

1. a simple ldap bind with the user credentials given during authentication
2. a configured ldap group of which the user must be a member of

configuration:

• ldap-server-hostname
• ldap port
• ssl certificate (optional)
• ldap group

best regards Simon

[ThePrez]

piling on (for better or for worse). I'd like to use an IBM i server for LDAP authentication (so people can log into DBeaver with their IBM i username/pw).

^^ The above is probably non-useful feedback, but I can say that the LDAP support/design in the gitbucket project works great for this use case.

[kseniiaguzeeva]

It's quite difficult to implement the feature, because different cases exist how LDAP can be used. Thank you for the provided link, we are going to investigate it. An implimentation is going to be after 21.1 release.

[Geronium]

Hello,

we are at the 22.1.0 version, we have exceeded the 21.1 release and i don't see the ldap fonctionnality. In the millestone

https://github.com/dbeaver/cloudbeaver/milestones

the ldap fonctionnality is not planned.

I noticed that in the last release there was the addition of "authentication via nginx" ?

"Users can login to the application via Nginx."

can we use it to connect via ldap ?

Thank you

[alexander-skoblikov]

@Geronium Hello, yes, it is potentially possible if you can integrate nginx with ldap and send the correct authorization headers when opening Cloudbeaver. You can read more about required headers and how to set it up on the Cloudbever side on our wiki page - Reverse proxy authentication

[bsteinweg]

We use LDAP as a way to connect to Oracle databases, without needing to distribute TNS Names file to all users. LDAP simply allows easier administration of Oracle DB connections. Seems like that would be a simple and helpful addition to DBeaver...!

[jonsbun]

Would be great to know if this feature planned only for EE or also in Community edition?

[EvgeniaBzzz]

@jonsbun We plan to add this functionality to all versions.

[EvgeniaBzzz]

Thanks everyone for waiting, it's finally done! LDAP auth is available in CloudBeaver Community edition v.24.1.0 (PRO versions will be released in a week). Wiki page with configuration will be created soon.

We would appreciate your feedback, any improvements are welcome! 🦫

---

Configuring LDAP in Community edition:

• open workspace/.data/.cloudbeaver.runtime.conf and add configuration to app.authConfigurations (you can also add it to cloudbeaver/deploy/cloudbeaver/.cloudbeaver.conf if you prefer to have LDAP in all new workspaces)

  "authConfigurations": [
    {
      "id": "ldap",
      "provider": "ldap",
      "displayName": "LDAP",
      "disabled": false,
      "iconURL": "",
      "description": "",
      "parameters": {
        "ldap-host": "your_host",
        "ldap-port": "389",
        "ldap-dn": "ou\your_ou,dc\your_dc1,dc\your_dc2"
      }
    }
  ]

  • do not forget to restart a server
• enable LDAP in Administration - Server configuration
• you will see a new LDAP tab on the auth window

[jonsbun]

Thank you for this integration. I have a few additional questions:

• What is the correct way to provide LDAP binding account credentials?
• Is it possible to map LDAP users with the CloudBeaver Teams automatically?

[EvgeniaBzzz]

@jonsbun

1. It depends on your LDAP structure. If you have 1-2 organization units then you can specify them in config (in ldap-dn). So you will have to login only with you common name and password. If you have many organization units then you can specify in config only dc's and login with ou + cn + password.

2. LDAP users are created automatically after the first login. There is no user provisioning. So you can't map teams.

[EvgeniaBzzz]

Also wiki page is ready, you can find some extra information there. LDAP Authentication

[jonsbun]

2. LDAP users are created automatically after the first login. There is no user provisioning. So you can't map teams.

Well, then I think LDAP users mapping with the teams would be very useful. Now the LDAP user first must login and only after that mapping is possible. For example, if a Local users are used, mapping can be achieved in one iteration.

[EvgeniaBzzz]

@jonsbun could you, please, create a new issue for that feature?

[EvgeniaBzzz]

All pro-versions 24.1.0 with LDAP provider are also released. I'm closing this issue, but you are always welcome to leave a comment here or to create a new one 🦫

[iegurbide]

I have been giving this a go but I don't think enough information is available to try to integrate with our LDAP system.

Some questions that arise:

• What user is being used to bind to the LDAP server (as ours requires authentication). It is the same user logging in to the specific application i.e no service user is being used? Normally this would be done with a placeholder.

• What field is user name? Generally this should be a configurable unique identifier for the user. Depending on the ldap this attribute could be uid, sAMAccountName, mail, etc. No clue what is being used in this case.

In general, an ldap query looks something like this:

ldapsearch -x -D "\<bind-user>" -w "\<bind-password>"-b "\<base-dn>" "\<filter>" -H "\<ldap-host>:\<ldap-port>"

I'm assuming mapping from the configuration file is something like this:

• \<base-dn> --> ldap-dn
• \<ldap-host> --> ldap-host
• \<ldap-port> --> ldap-port

It would be really helpful to know how the rest of the elements are mapped or if they have even been considered.

[jwetzell]

I am in the same boat as @iegurbide it seems there is not enough configurability to support the LDAP setups I see. Gotten numerous other products successfully integrated with LDAP (Harbor, Grafana, Gitea, etc.) without issue.

[jonsbun]

@jonsbun could you, please, create a new issue for that feature?

Feature request: https://github.com/dbeaver/cloudbeaver/issues/2715. I also summarized feedback from the @iegurbide.

[EvgeniaBzzz]

New parameters have been added: ldap-cn - User identifier attribute ldap-bind-user - Bind User DN ldap-bind-user-pwd - Bind User Password ldap-filter - User Filter

Extra information you can find in the LDAP Authentication article