Configure Astra to use an LDAP server
You need to select an LDAP server and configure Astra to use the server as an authentication provider. The configuration task consists of the steps described below. Each step includes a single REST API call.
1. Add a CA certificate
Perform the following REST API call to add a CA certificate to Astra.
This step is optional and only required if you want Astra and the LDAP to communicate over a secure channel using LDAPS. |
HTTP method | Path |
---|---|
POST |
/accounts/{account_id}/core/v1/certificates |
JSON input example
{
"type": "application/astra-certificate",
"version": "1.0",
"certUse": "rootCA",
"cert": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMyVEN",
"isSelfSigned": "true"
}
Note the following about the input parameters:
-
cert
is a JSON string containing a base64 encoded PKCS-11 formatted certificate (PEM encoded). -
isSelfSigned
should be set totrue
if the certificate is self-signed. The default isfalse
.
Curl example
curl --location -i --request POST --data @JSONinput 'https://astra.example.com/accounts/<ACCOUNT_ID>/core/v1/certificates' --header 'Content-Type: application/astra-certificate+json' --header 'Accept: */*' --header 'Authorization: Bearer <API_TOKEN>'
JSON response example
{
"type": "application/astra-certificate",
"version": "1.0",
"id": "a5212e7e-402b-4cff-bba0-63f3c6505199",
"certUse": "rootCA",
"cert": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMyVEN",
"cn": "adldap.example.com",
"expiryTimestamp": "2023-07-08T20:22:07Z",
"isSelfSigned": "true",
"trustState": "trusted",
"trustStateTransitions": [
{
"from": "untrusted",
"to": [
"trusted",
"expired"
]
},
{
"from": "trusted",
"to": [
"untrusted",
"expired"
]
},
{
"from": "expired",
"to": [
"untrusted",
"trusted"
]
}
],
"trustStateDesired": "trusted",
"trustStateDetails": [],
"metadata": {
"creationTimestamp": "2022-07-21T04:16:06Z",
"modificationTimestamp": "2022-07-21T04:16:06Z",
"createdBy": "8a02d2b8-a69d-4064-827f-36851b3e1e6e",
"modifiedBy": "8a02d2b8-a69d-4064-827f-36851b3e1e6e",
"labels": []
}
}
2. Add the bind credentials
Perform the following REST API call to add the bind credentials.
HTTP method | Path |
---|---|
POST |
/accounts/{account_id}/core/v1/credentials |
JSON input example
{
"name": "ldapBindCredential",
"type": "application/astra-credential",
"version": "1.1",
"keyStore": {
"bindDn": "dWlkPWFkbWluLG91PXN5c3RlbQ==",
"password": "cGFzc3dvcmQ="
}
}
Note the following about the input parameters:
-
bindDn
andpassword
are the base64 encoded bind credentials of the LDAP admin user that is able to connect and search the LDAP directory.bindDn
is the LDAP user's email address.
Curl example
curl --location -i --request POST --data @JSONinput 'https://astra.example.com/accounts/<ACCOUNT_ID>/core/v1/credentials' --header 'Content-Type: application/astra-credential+json' --header 'Accept: */*' --header 'Authorization: Bearer <API_TOKEN>'
JSON response example
{
"type": "application/astra-credential",
"version": "1.1",
"id": "3bd9c8a7-f5a4-4c44-b778-90a85fc7d154",
"name": "ldapBindCredential",
"metadata": {
"creationTimestamp": "2022-07-21T06:53:11Z",
"modificationTimestamp": "2022-07-21T06:53:11Z",
"createdBy": "527329f2-662c-41c0-ada9-2f428f14c137"
}
}
Note the following the response parameters:
-
The
id
of the credential is used in subsequent workflow steps.
3. Retrieve the UUID of the LDAP setting
Perform the following REST API call to retrieve the UUID of the astra.account.ldap
setting that is included with Astra Control Center.
The curl example below uses a query parameter to filter the settings collection. You can instead remove the filter to get all the settings and then search for astra.account.ldap .
|
HTTP method | Path |
---|---|
GET |
/accounts/{account_id}/core/v1/settings |
Curl example
curl --location -i --request GET 'https://astra.example.com/accounts/<ACCOUNT_ID>/core/v1/settings?filter=name%20eq%20'astra.account.ldap'&include=name,id' --header 'Accept: */*' --header 'Authorization: Bearer <API_TOKEN>'
JSON response example
{
"items": [
["astra.account.ldap",
"12072b56-e939-45ec-974d-2dd83b7815df"
]
],
"metadata": {}
}
4. Update the LDAP setting
Perform the following REST API call to update the LDAP setting and complete the configuration. Use the id
value from the previous API call for the <SETTING_ID>
value in the URL path below.
You can issue a GET request for the specific setting first to see the configSchema. This will provide more information about the required fields in the configuration. |
HTTP method | Path |
---|---|
PUT |
/accounts/{account_id}/core/v1/settings/{setting_id} |
JSON input example
{
"type": "application/astra-setting",
"version": "1.0",
"desiredConfig": {
"connectionHost": "myldap.example.com",
"credentialId": "3bd9c8a7-f5a4-4c44-b778-90a85fc7d154",
"groupBaseDN": "OU=groups,OU=astra,DC=example,DC=com",
"isEnabled": "true",
"port": 686,
"secureMode": "LDAPS",
"userBaseDN": "OU=users,OU=astra,DC=example,dc=com",
"userSearchFilter": "((objectClass=User))",
"vendor": "Active Directory"
}
}
Note the following about the input parameters:
-
isEnabled
should be set totrue
or an error may occur. -
credentialId
is the id of the bind credential created earlier. -
secureMode
should be set toLDAP
orLDAPS
based on your configuration in the earlier step. -
Only 'Active Directory' is supported as a vendor.
Curl example
curl --location -i --request PUT --data @JSONinput 'https://astra.example.com/accounts/<ACCOUNT_ID>/core/v1/settings/<SETTING_ID>' --header 'Content-Type: application/astra-setting+json' --header 'Accept: */*' --header 'Authorization: Bearer <API_TOKEN>'
If the call is successful, the HTTP 204 response is returned.
5. Retrieve the LDAP setting
You can optionally perform the following REST API call to retrieve the LDAP settings and confirm the update.
HTTP method | Path |
---|---|
GET |
/accounts/{account_id}/core/v1/settings/{setting_id} |
Curl example
curl --location -i --request GET 'https://astra.example.com/accounts/<ACCOUNT_ID>/core/v1/settings/<SETTING_ID>' --header 'Accept: */*' --header 'Authorization: Bearer <API_TOKEN>'
JSON response example
{
"items": [
{
"type": "application/astra-setting",
"version": "1.0",
"metadata": {
"creationTimestamp": "2022-06-17T21:16:31Z",
"modificationTimestamp": "2022-07-21T07:12:20Z",
"labels": [],
"createdBy": "system",
"modifiedBy": "00000000-0000-0000-0000-000000000000"
},
"id": "12072b56-e939-45ec-974d-2dd83b7815df",
"name": "astra.account.ldap",
"desiredConfig": {
"connectionHost": "10.193.61.88",
"credentialId": "3bd9c8a7-f5a4-4c44-b778-90a85fc7d154",
"groupBaseDN": "ou=groups,ou=astra,dc=example,dc=com",
"isEnabled": "true",
"port": 686,
"secureMode": "LDAPS",
"userBaseDN": "ou=users,ou=astra,dc=example,dc=com",
"userSearchFilter": "((objectClass=User))",
"vendor": "Active Directory"
},
"currentConfig": {
"connectionHost": "10.193.160.209",
"credentialId": "3bd9c8a7-f5a4-4c44-b778-90a85fc7d154",
"groupBaseDN": "ou=groups,ou=astra,dc=example,dc=com",
"isEnabled": "true",
"port": 686,
"secureMode": "LDAPS",
"userBaseDN": "ou=users,ou=astra,dc=example,dc=com",
"userSearchFilter": "((objectClass=User))",
"vendor": "Active Directory"
},
"configSchema": {
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "astra.account.ldap",
"type": "object",
"properties": {
"connectionHost": {
"type": "string",
"description": "The hostname or IP address of your LDAP server."
},
"credentialId": {
"type": "string",
"description": "The credential ID for LDAP account."
},
"groupBaseDN": {
"type": "string",
"description": "The base DN of the tree used to start the group search. The system searches the subtree from the specified location."
},
"groupSearchCustomFilter": {
"type": "string",
"description": "Type of search that controls the default group search filter used."
},
"isEnabled": {
"type": "string",
"description": "This property determines if this setting is enabled or not."
},
"port": {
"type": "integer",
"description": "The port on which the LDAP server is running."
},
"secureMode": {
"type": "string",
"description": "The secure mode LDAPS or LDAP."
},
"userBaseDN": {
"type": "string",
"description": "The base DN of the tree used to start the user search. The system searches the subtree from the specified location."
},
"userSearchFilter": {
"type": "string",
"description": "The filter used to search for users according a search criteria."
},
"vendor": {
"type": "string",
"description": "The LDAP provider you are using.",
"enum": ["Active Directory"]
}
},
"additionalProperties": false,
"required": [
"connectionHost",
"secureMode",
"credentialId",
"userBaseDN",
"userSearchFilter",
"groupBaseDN",
"vendor",
"isEnabled"
]
},
"state": "valid",
}
],
"metadata": {}
}
Locate the state
field in the response which will have one of the values in the table below.
State | Description |
---|---|
pending |
The configuration process is still active and not completed yet. |
valid |
Configuration has been completed successfully and |
error |
The LDAP configuration process failed. |