Prepare for LDAP configuration
You can optionally integrate Astra Control Center with a Lightweight Directory Access Protocol (LDAP) server to perform authentication for selected Astra users. LDAP is an industry standard protocol for accessing distributed directory information and a popular choice for enterprise authentication.
Overview of the implementation process
At a high level, there are several steps you need to perform to configure an LDAP server to provide authentication for Astra users.
|While the steps presented below are in a sequence, in some cases you can perform them in a different order. For example, you can define the Astra users and groups before configuring the LDAP server.|
Review Requirements and limitations to understand the options, requirements, and limitations.
Select an LDAP server and the desired configuration options (including security).
Perform the workflow Configure Astra to use an LDAP server to integrate Astra with the LDAP server.
Review the users and groups at the LDAP server to make sure they are defined properly.
Perform the appropriate workflow in Add LDAP entries to Astra to identify the users to be authenticated using LDAP.
Requirements and limitations
You should review the Astra configuration essentials presented below, including limitations and configuration options, before configuring Astra to use LDAP for authentication.
The Astra Control platform provides two deployment models. LDAP authentication is only supported with Astra Control Center deployments.
The current release of Astra Control Center only supports configuration of LDAP authentication using the Astra Control REST API. An important aspect of this limitation is the LDAP users are not displayed in the users tab of the Astra web interface. They are available through the REST API at the endpoint
You must have an LDAP server to accept and process the Astra authentication requests. Microsoft's Active Directory is supported with the current Astra Control Center release.
When configuring the LDAP server in Astra, you can optionally define a secure connection. In this case a certificate is needed for the LDAPS protocol.
You need to select the users to be authenticated using LDAP. You can do this either by identifying the individual users or a group of users. The accounts must be defined at the LDAP server. They also need to be identified in Astra (type LDAP) which allows the authentication requests to be forwarded to LDAP.
With the current release of Astra Control Center, the only supported value for
roleConstraint is "*". This indicates the user is not restricted to a limited set of namespaces and can access all of them. See Add LDAP entries to Astra for more information.
The credentials used by LDAP include the username (email address) and the associated password.
All email addresses acting as usernames in an Astra Control Center deployment must be unique. You cannot add an LDAP user with an email address that is already defined to Astra. If a duplicate email exists, you need to first delete it from Astra. See Remove users at the Astra Control Center documentation site for more information.
You can add the LDAP users and groups to Astra Control Center even if they don't yet exist in LDAP or if the LDAP server is not configured. This allows you to preconfigure the users and groups before configuring the LDAP server.
If an LDAP user belongs to multiple LDAP groups and the groups have been assigned different roles in Astra, the user's effective role when authenticating will be the most privileged. For example, if a user is assigned the
viewer role with group1 but has the
member role in group2, the user's role would be
member. This is based on the hierarchy used by Astra (highest to lowest):
Astra synchronizes it's users and groups with the LDAP server approximately every 60 second. So if a user or group is added to or removed from LDAP, it can take up to one minute before it is available in Astra.
Before attempting to reset the LDAP configuration, you must first disable LDAP authentication. Also, to change the LDAP server (
connectionHost), you need to perform both operations. See Disable and reset LDAP for more information.
The LDAP configuration workflows make REST API calls to accomplish the specific tasks. Each API call can include input parameters as shown in the provided samples. See API reference for information about how to locate the reference documentation.