Soltra Edge LDAP Plug-in

Overview

The LDAP Plug-in for Soltra Edge enables Single Sign-On (SSO) by deferring user authentication to a standard-compliant LDAP server such as OpenLDAP, OpenDJ, or Microsoft Active Directory.

Apart from the authentication method, LDAP users are identical to standard accounts.

Methods of Operation

The LDAP Plug-in has two modes of operation: Search and Bind and Direct Bind.

These are covered in detail during the configuration step.

Installation

Note: This Plug-In is only available for those with a Soltra Edge Enterprise license.

The LDAP functionality is provided as a Soltra Edge Plug-in. Plug-ins must be installed by a Soltra Edge administrator.

Before you can install the LDAP Plug-In you need to download it. Download the LDAP Plug-In by signing into the Soltra Forums (https://forums.soltra.com) with your forums user account and selecting “Downloads”.

Select the license level, then select the version of the Plug-In you want to download, based on the version of Soltra Edge you are running.

Select the Plug-In and click the blue “Download this file” button.

Once you have the Plug-In downloaded, you will start the installation process.

Log in as an Admin/Super User.

From the navigation bar, go to Settings>Plug-ins.

Select the green “Select and Upload” button.

Select the downloaded LDAP zipped file and choose “Open”.

Select the blue “Install” button.

Select the red “Install Plug-in” button.

Select the red “Restart Services” button.

The appliance will show it is restarting.

Once all services have restarted, you will return to the “Plug-in” page showing the LDAP Plug-In running.

At this time the LDAP Plug-In is installed and ready for configuration.

Configuration

LDAP Settings

Administrators manage the LDAP configuration by selecting the “Plug-Ins” navigation bar option, then selecting the “Configure LDAP Settings” option.

LDAP Mode

The initial Settings page allows the administrator to specify the LDAP Plug-In’s mode of operation based on the existing infrastructure layout and configuration.

The two modes of operation are Search and Bind, and Direct Bind.

Search and Bind Mode

Search and Bind mode, the most commonly used LDAP mode, involves connecting to the LDAP server either anonymously (anonymous bind) or with a specified account such as a service account. Once configured, when a user logs in, Soltra Edge searches the LDAP server for the Distinguished Name (DN) of the user attempting to log in. Once the DN is found, Soltra Edge attempts to bind as that user, passing the DN and password to authenticate.

Configuration Options

Reference screenshot for all Configuration Options below

LDAP Server URL

URL to your LDAP Server, in the form of ldap://myldap.example.local or ldaps://192.168.1.22. The LDAP protocol prefix is required, using ldap:// for unencrypted LDAP connections, or ldaps:// for SSL secured connections. To specify a non-standard port, use standard syntax such as ldap://10.0.1.21:2294.

Custom User Naming Attribute

Allows the administrator to specify the user naming attribute. This is necessary if you are not using the standard uid or sAMAccountName attributes. The configured attribute is used for lookups, and its value is the username users log in with. For example, with a Custom User Naming Attribute value of myCustomId and a DN of myCustomId=batman,uid=bwayne,ou=heroes,dc=waynecorp,dc=com, the user would log into Soltra Edge using the username batman.

Bind Methods

LDAP clients use two basic methods to connect and interact with an LDAP server: Authenticated Bind and Anonymous Bind.

Authenticated Bind

If your organization requires authenticated bind, typically with either a service or administrator account, enter the Bind DN and password for the specified account into the Bind DN and Bind Password fields (see screenshot above), respectively.

Anonymous Bind

If your organization supports anonymous bind, check the Anonymous Bind checkbox (see screenshot above). Enabling anonymous bind will ignore any values in the Bind DN and Bind Password fields and attempt to bind anonymously.

Base DN for Search

The Base DN for Search allows the Soltra Edge administrator to specify the LDAP directory location to search for users.

Save and Test Settings

For Search and Bind Mode, when the “Save and Test Settings” button is clicked, Soltra Edge will attempt to connect to the LDAP server using the method specified in the configuration above. If anonymous bind is enabled, an anonymous bind will be attempted; for authenticated bind, Soltra Edge will attempt to bind as the specified account. The results will be displayed once the test is complete.

Note: Only communication with the server and the bind are tested on this page. If the Base DN for Search value is incorrect or a custom user naming attribute is used, it is possible to have a successful test but still have users who are unable to log in. Please check with your LDAP Administrator to validate the Base DN for Search and Custom User Naming Attribute fields.

Apply Settings

Once settings have been saved and tested, the “Apply Settings” button will be available. Click the “Apply Settings” button to reload the necessary services and allow users to log in via LDAP.

Direct Bind Mode

Direct Bind skips the search phase, and allows the administrator to fully specify the DN for users. Since no search is performed, the DN must be accurate for authentication via LDAP to work. The DN is specified with a placeholder, making the entire DN customizable so the administrator can adapt the LDAP configuration to any user naming attribute and specify any location in the LDAP Directory hierarchy.

Configuration Options

LDAP Server URL

URL to your LDAP Server, in the form of ldap://myldap.example.local or ldaps://192.168.1.22. The LDAP protocol prefix is required, using ldap:// for unencrypted LDAP connections, or ldaps:// for SSL secured connections. To specify a non-standard port, use standard syntax such as ldap://10.0.1.21:2294.

Direct Bind Template

The Direct Bind Template specifies the specific DN template for all user accounts that will use Soltra Edge. In Direct Bind Mode, users will have an identical DN, with the sole difference between users being the username. All attribute names and the hierarchy must be identical. Any users outside of the specified DN will not be able to login.

An example configuration value for Direct Bind is as follows: uid=%(user)s,ou=People,dc=example,dc=com

In the above example, the uid attribute supplies the username used to log in: a user with the DN uid=tstark,ou=People,dc=example,dc=com would log in with the username tstark.

Important: The %(user)s placeholder MUST be in the configuration to identify the user naming attribute when using Direct Bind. The user attribute will determine the username users use to login. Please contact your LDAP Administrator for the configuration specific to your environment.
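As an added illustration (example code written for this page, not the plug-in's own implementation), the Python sketch below models both modes against a constructed in-memory directory: it validates the LDAP Server URL form described above, performs Search and Bind under a Base DN with a chosen naming attribute, and renders the Direct Bind Template. It also reproduces the caveat from the Search and Bind note: with a wrong Base DN or naming attribute the user lookup fails even though a bind itself works. The directory entries and passwords are constructed sample data.

```python
import re

# Constructed in-memory stand-in for an LDAP directory (sample data, not a real server):
# DN -> (attributes, password).
DIRECTORY = {
    "uid=tstark,ou=People,dc=example,dc=com": ({"uid": "tstark"}, "pw-tony"),
    "myCustomId=batman,uid=bwayne,ou=heroes,dc=waynecorp,dc=com": (
        {"myCustomId": "batman", "uid": "bwayne"}, "pw-bruce"),
}


def parse_ldap_url(url):
    """Accept ldap:// or ldaps:// with an optional port; return (scheme, host, port)."""
    m = re.fullmatch(r"(ldap|ldaps)://([^/:]+)(?::(\d+))?", url)
    if not m:
        raise ValueError("LDAP Server URL must start with ldap:// or ldaps://")
    scheme, host, port = m.groups()
    return scheme, host, int(port) if port else (636 if scheme == "ldaps" else 389)


def bind(dn, password):
    """Simulated simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry[1] == password


def search_and_bind(base_dn, naming_attr, username, password):
    """Search the subtree under base_dn for naming_attr=username, then bind as that DN."""
    suffix = "," + base_dn.lower()
    matches = [dn for dn, (attrs, _) in DIRECTORY.items()
               if dn.lower().endswith(suffix) and attrs.get(naming_attr) == username]
    if len(matches) != 1:  # nothing under this Base DN / attribute (or ambiguous): fail closed
        return False
    return bind(matches[0], password)


def direct_bind(template, username, password):
    """Render the Direct Bind Template for the username and bind; no search is performed."""
    if "%(user)s" not in template:
        raise ValueError("Direct Bind Template must contain the %(user)s placeholder")
    # Escape RFC 4514 special characters so a username cannot change the shape of the DN.
    safe = re.sub(r'([,+"\\<>;=])', r"\\\1", username)
    return bind(template % {"user": safe}, password)
```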

Apply Settings

Click the “Apply Settings” button to apply the configuration changes. Unlike Search and Bind Mode, it is not possible to test the connection, as there is no bind step separate from a user login: users log in directly with the credentials they supply and the template specified above.

Usage

Once the LDAP Plug-In is configured properly, the basic workflow for user account setup and activation is specified below.

Important: By default, all LDAP Users are intentionally locked when they first attempt to log in. This is done to allow the Soltra Administrator to specify the new user’s organization and TLP settings, as well as internally validate that the new user in question is authorized to access Soltra Edge. Once a user is ready to be enabled, the Soltra Administrator must visit the new user’s profile, navigate to the “Access” tab on the left of the page, uncheck the “Locked User” checkbox, and click the “Update” button to apply the settings. Until these steps are performed the user will be unable to log in to Soltra Edge.

Brief Reference

The steps for adding an LDAP user are as follows:

  • The LDAP user attempts to log into the Soltra Edge Server.
  • The LDAP user is notified that the account is locked until the Soltra Edge Administrator enables it.
  • The Soltra Edge Administrator is notified via internal message that a new LDAP user has attempted to log in.
  • The Soltra Edge Administrator navigates to the LDAP user’s Soltra Edge user account through the link in the internal message or by going to the “User” app in Soltra Edge.
  • The Soltra Edge Administrator unchecks the “Locked User” checkbox and selects the blue “Update” button.

Support

Troubleshooting

Logs

If Soltra Edge is in Debug Mode, the LDAP Plug-In will log debug information to a log file at /var/log/edge/events.log.

Trouble Logging In

If a user is having difficulty logging in to Soltra Edge for the first time, log in as a Soltra Administrator and ensure that their account is not locked.

For more information, join the conversation in the Soltra Edge Forums at forums.soltra.com.