Configuring LDAP authentication for Microsoft Active Directory
To configure LDAP for MetalSoft, a series of settings is required on both the MetalSoft side and the Identity Provider side, so that MetalSoft uses the correct attributes.
The following are the attributes that need to be configured, together with an example configuration using Microsoft Active Directory. These are set in the Admin UI under Global Configuration / Authentication, after ticking Enable LDAP Authentication.
Important
When testing the configuration, we strongly suggest keeping "Enable built-in Authentication" enabled until LDAP authentication and login have been confirmed as working.
LDAP URL: ldap://saml-test.ad.metalsoft.dev:389
LDAP User Search Base: ou=adfsusers,dc=ad,dc=metalsoft,dc=dev
LDAP User Search Filter: (userPrincipalName={{username}})
LDAP Group Search Base: ou=adfsGroups,dc=ad,dc=metalsoft,dc=dev
LDAP Group Search Filter: (member={{dn}})
LDAP Bind DN: cn=adfsadmin,ou=adfsusers,dc=ad,dc=metalsoft,dc=dev
LDAP Bind Credentials: (as set for adfsadmin)
LDAP Allowed Domains: ad.metalsoft.dev
After this is set up, the following groups must be created (LDAP group: MetalSoft role):
MS-Model_root: root
MS-Model_FullAdmin: full_admin
MS-Model_BasicAdmin: basic_admin
MS-Model_User: user
Within LDAP, the following fields are used by MetalSoft:
userPrincipalName - used to log in
mail - used to identify the user (for a built-in user, the mail address is matched against the email address field in MetalSoft)
sAMAccountName - used to populate the user name in MetalSoft
Group membership (as above) - used to assign the role to the user
Adding a user to the group MS-Model_FullAdmin maps that user to the full_admin role in MetalSoft.
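The following is an added example, not MetalSoft's own code, showing how the settings above fit together: the {{username}} and {{dn}} placeholders are filled with RFC 4515-escaped values so a submitted login name cannot change the filter's structure, the UPN suffix is checked against LDAP Allowed Domains, and group DNs are mapped to the MetalSoft roles listed above. The group cn being equal to the group name and the precedence used when a user is in several mapped groups are assumptions, not something this page states.

```python
import re

# Settings as given on this page (Admin UI, Global Configuration / Authentication).
LDAP_USER_SEARCH_BASE = "ou=adfsusers,dc=ad,dc=metalsoft,dc=dev"
LDAP_USER_SEARCH_FILTER = "(userPrincipalName={{username}})"
LDAP_GROUP_SEARCH_BASE = "ou=adfsGroups,dc=ad,dc=metalsoft,dc=dev"
LDAP_GROUP_SEARCH_FILTER = "(member={{dn}})"
LDAP_ALLOWED_DOMAINS = {"ad.metalsoft.dev"}

# LDAP group name -> MetalSoft role, as listed on this page. Assumption (not stated
# on the page): the group's cn equals its name, and a user in several mapped groups
# gets the first match in ROLE_PRECEDENCE.
GROUP_TO_ROLE = {"MS-Model_root": "root", "MS-Model_FullAdmin": "full_admin",
                 "MS-Model_BasicAdmin": "basic_admin", "MS-Model_User": "user"}
ROLE_PRECEDENCE = ["root", "full_admin", "basic_admin", "user"]

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a submitted login name cannot alter the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def render_filter(template: str, **values: str) -> str:
    """Fill the {{placeholder}} slots of a search filter with escaped values."""
    return re.sub(r"\{\{(\w+)\}\}", lambda m: escape_filter_value(values[m.group(1)]), template)

def domain_allowed(upn: str) -> bool:
    """LDAP Allowed Domains check on the UPN suffix (case-insensitive)."""
    if upn.count("@") != 1:
        return False
    return upn.rsplit("@", 1)[1].lower() in {d.lower() for d in LDAP_ALLOWED_DOMAINS}

def build_user_search(upn: str):
    """Base DN and filter for the user lookup; rejects UPNs outside the allowed domains."""
    if not domain_allowed(upn):
        raise ValueError("UPN domain is not in LDAP Allowed Domains")
    return LDAP_USER_SEARCH_BASE, render_filter(LDAP_USER_SEARCH_FILTER, username=upn)

def build_group_search(user_dn: str):
    """Base DN and filter for the membership lookup, keyed on the user's DN."""
    return LDAP_GROUP_SEARCH_BASE, render_filter(LDAP_GROUP_SEARCH_FILTER, dn=user_dn)

def role_for_groups(group_dns):
    """Map the DNs returned by the group search to a MetalSoft role (None if no mapped group)."""
    roles = set()
    for dn in group_dns:
        rdn = dn.split(",", 1)[0]  # leading RDN, e.g. cn=MS-Model_FullAdmin
        if rdn.lower().startswith("cn="):
            roles.add(GROUP_TO_ROLE.get(rdn[3:]))
    return next((r for r in ROLE_PRECEDENCE if r in roles), None)
```

The example only builds the queries; note that the URL above uses plain ldap:// on port 389, so the bind credentials travel in cleartext unless the connection is upgraded to TLS.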
Once the LDAP configuration and the groups have been set up, the users will be able to log in.
Important
If a user is set up as a built-in user and the domain is then changed to LDAP, the built-in user will be converted to an LDAP user and the role will be changed according to the group the user is assigned to.
Important
Currently, an archived user cannot be converted to an LDAP user. The user will have to be un-archived before they can log in using LDAP.