Configure LDAP

Contrast integrates with many types of Lightweight Directory Access Protocol (LDAP) servers. LDAP is an Internet protocol that web applications can use to look up users or groups listed on an LDAP directory server.

Contrast supports these LDAP server types:

  • OpenLDAP

  • OpenDS

  • ApacheDS

  • Fedora Directory Server

  • Microsoft Active Directory

  • Generic LDAP Servers

Connecting to an LDAP directory server is useful if you manage users and groups in a corporate directory, and you want to delegate the responsibility of managing user access of the application to your corporate directory administrators.

Note

Switching to LDAP from a different authentication method such as a local database may result in issues if the user ID attribute is inconsistent.

A system administrator can configure the LDAP server:

  1. Start by creating a user in the LDAP Server that is a dedicated read-only user or read-write user (depending on how you configure Contrast to interact with the LDAP directory). The user should be have read permission to the directory, including users with permission limited only to the Search Base. You will need this user to set the Search Base when configuring users for LDAP and when binding to user.

  2. Create user groups in the external LDAP server. You will later use these groups to assign SuperAdmin privileges in Contrast.

  3. Under system settings, select Authentication.

  4. Select Change authentication method.

  5. Select LDAP.

  6. Enter required information under Connect server and Bind server.

    LDAPConnectBind.png

    Option

    Description

    Default

    Connect server

    Protocol

    The protocol that should be used to communicate with the LDAP server. Choose between LDAP or LDAP with SSL (LDAPS).

    LDAP

    Hostname

    Enter the hostname to use when communicating with the LDAP server.

    localhost

    Port

    Enter the port to use when communicating with the LDAP server.

    389 (LDAP), 636 (LDAPS)

    Search base

    Enter the base distinguished name (DN) to use when communicating with the LDAP server. If your login domain is example.com, your base DN would be dc=example,dc=com.

    dc=contrastsecurity,dc=com

    Bind to server

    Method

    Select the method to use when connecting to the LDAP server. Options are shown in the next table.

    Simple

    Username

    Enter the full DN of the user that should bind to the directory to perform queries and check authentication.

    N/A

    Password

    Enter the password for the bind user specified in the Username field.

    N/A

    There are four supported bind mechanisms that can be used by Contrast. Each has different required fields:

    Method

    Description

    Required Fields

    Optional Fields

    Anonymous

    Administrators provide anonymous, read-only access to the directory.

    None

    N/A

    Simple

    This is standard username and password authentication. The username and password are verified as provided by the LDAP server.

    Username, Password

    N/A

    DIGEST-MD5

    A username and password are provided and hashed using MD5 prior to sending to the server to be authenticated.

    Username, Password

    SASL Realm

    CRAM-MD5

    The LDAP server issues a pre-authentication challege, which is sent with the MD5 hashed username and password to be authenticated.

    Username, Password

    SASL Realm

  7. Once you configure the connection to the LDAP server, select Test connection. Testing the connection ensures that the application can connect to the LDAP server and perform queries.

  8. Configure groups for LDAP.

  9. Configure users for LDAP.

  10. To verify that the group and user mappings are correctly configured, select Test login.

  11. Once you've successfully logged in as both SuperAdmin and Organization Administrator, select Finish to complete the configuration.

Important

If you configure your LDAP integration to connect to your server using SSL, you may need to take extra steps for self-signed or privately signed certificates.