JFrog Container Registry Guide



Introduction

JFrog Container Registry supports integration with an Active Directory server to authenticate users and synchronize groups.

When authentication using Active Directory is configured and active, JFrog Container Registry first attempts to authenticate the user against the Active Directory server. If the authentication fails, JFrog Container Registry tries to authenticate via its internal database.

For every externally authenticated user configured in your Active Directory server, JFrog Container Registry creates a new user in the internal database (provided the user does not already exist), and automatically assigns that user to the default groups.

Working With Active Directory

We will describe how to configure JFrog Container Registry to work with Active Directory using an example.

Consider an Active Directory server that must support the following conditions:

  • Users are located in two geographically separated sites. Some are in the US (designated as "us"), while others are in Israel (designated as "il").
  • Each site defines users and groups in different places in the Active Directory tree as displayed below.

[Figure: Active Directory Structure]

To configure Active Directory authentication, in the Admin module, go to Security | LDAP and click New.

The configuration parameters are as follows:

Settings Name
The unique ID of the Active Directory setting.
Enabled

When set, these settings are enabled.

Active Directory URL

Location of the Active Directory server LDAP access point in the following format: ldap://myserver:myport/dc=sampledomain,dc=com.

The URL may include the base DN used to search for and/or authenticate users. If not specified, the Search Base field is required.

User DN Pattern

A DN pattern used to log users in directly to the LDAP database.

For Active Directory, we recommend leaving this field blank since this only works if anonymous binding is allowed and a direct user DN can be used, which is not the default case in Active Directory.

Auto Create JFrog Container Registry Users
When set, JFrog Container Registry will automatically create new users for those who have logged in using Active Directory. Any newly created users will be associated with the default groups.
Email Attribute

An attribute that can be used to map a user's email to a user created automatically by JFrog Container Registry.

This corresponds to the mail field in Active Directory.

Search Filter

A filter expression used to search for the user DN that is used in Active Directory authentication.
This is an LDAP search filter (as defined in 'RFC 2254') with optional arguments. In this case, the username is the only argument, denoted by '{0}'.

For Active Directory the corresponding field should be sAMAccountName={0}.

Search Base

The context name in which to search, relative to the base DN in the Active Directory URL. This parameter is optional, but if possible, we highly recommend that you set it to prevent long searches on the Active Directory tree. Leaving this field blank will significantly slow down the Active Directory integration.

The configuration in the example below indicates that search should only be performed under "frogs/il" or "frogs/us". This improves search performance since JFrog Container Registry will not search outside the scope of the "frogs" entry.

Manager DN

The full DN of a user with permissions that allow querying the Active Directory server. When working with LDAP Groups, the user should have permissions for any extra group attributes such as memberOf.

Manager Password

The password of the user binding to the Active Directory server when using "search" authentication.

Search Sub Tree
When set, enables deep search through the sub-tree of the Active Directory URL + Search Base. True by default.
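
As an added illustration (not JFrog's code), the sketch below shows how the Active Directory URL base DN, Search Base, Search Filter and Search Sub Tree settings described above combine into the user-lookup searches, and checks a settings record against this page's recommendations. The dictionary keys, the list form of the search bases, the sample DNs, the one-level scope when Search Sub Tree is unset, and the RFC 4515 escaping of the username (RFC 4515 is the successor to the RFC 2254 cited above) are assumptions of this example.

```python
from urllib.parse import urlsplit, unquote

# Characters RFC 4515 requires escaping inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a login name so it stays a literal inside the LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def plan_searches(settings, username):
    """Return the (base DN, scope, filter) searches implied by the settings."""
    # The base DN is the path component of the Active Directory URL.
    url_base = unquote(urlsplit(settings["url"]).path.lstrip("/"))
    flt = settings["search_filter"].replace("{0}", escape_filter_value(username))
    if not flt.startswith("("):
        flt = "(" + flt + ")"
    # Assumption: an unset Search Sub Tree means a one-level search.
    scope = "subtree" if settings.get("search_sub_tree", True) else "onelevel"
    plans = []
    for rel in settings.get("search_bases") or [""]:
        # Each search base is relative to the base DN taken from the URL.
        dn = ",".join(part for part in (rel, url_base) if part)
        plans.append((dn, scope, flt))
    return plans

def lint(settings):
    """Flag settings this page advises against for Active Directory."""
    findings = []
    if settings.get("user_dn_pattern"):
        findings.append("User DN Pattern set: recommended blank for Active Directory")
    if not settings.get("search_bases"):
        findings.append("Search Base blank: whole tree under the URL base DN is searched")
    if "{0}" not in settings.get("search_filter", ""):
        findings.append("Search Filter has no {0} placeholder for the username")
    return findings

# Constructed sample settings; key names and DNs are hypothetical.
SAMPLE = {
    "url": "ldap://myserver:389/dc=sampledomain,dc=com",
    "user_dn_pattern": "",
    "search_filter": "sAMAccountName={0}",
    "search_bases": ["ou=il,ou=frogs", "ou=us,ou=frogs"],
    "search_sub_tree": True,
}

if __name__ == "__main__":
    for plan in plan_searches(SAMPLE, "jdoe"):
        print(plan)
    print(lint(SAMPLE))
```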