
Overview

The JFrog Platform supports authenticating users against an LDAP server out-of-the-box.

When LDAP authentication is active, the JFrog Platform Deployment (JPD) first attempts to authenticate the user against the LDAP server. If LDAP authentication fails, it then tries to authenticate via its internal database.

For every LDAP authenticated user, a new user is created in the internal database (provided the user does not already exist), and that user is automatically assigned to the default groups.

Managing Permissions for LDAP Groups

Your LDAP groups can be synchronised so that you can leverage your existing organizational structure when managing group-based permissions. LDAP groups in the system use fast caching and support Static, Dynamic and Hierarchical mapping strategies.

Powerful management is accomplished with multiple, switchable LDAP settings and visual feedback about the up-to-date status of groups and users coming from LDAP.

For full details on how to synchronize your LDAP Groups with Artifactory, please refer to LDAP Groups.

Using Active Directory?

If you are using Active Directory to authenticate users, please refer to Managing Security with Active Directory.

Configuration

To configure LDAP authentication, in the Administration module go to Security | LDAP and click New LDAP Settings.

The configuration parameters for LDAP connection settings are as follows:

Enabled

When set, these settings are enabled.

Settings Name

The unique ID of the LDAP setting.

LDAP URL

Location of the LDAP server in the following format: ldap://myserver:myport/dc=sampledomain,dc=com.

The URL should include the base DN used to search for and/or authenticate users.

Auto Create System Users

When set, the system will automatically create new users for those who have logged in using LDAP, and assign them to the default groups.

Allow Created Users Access To Profile Page

When set, users created after logging in using LDAP will be able to access their profile page.

User DN Pattern

A DN pattern used to log users directly in to the LDAP database. This pattern is used to create a DN string for "direct" user authentication, and is relative to the base DN in the LDAP URL.

The pattern argument {0} is replaced with the username at runtime. This only works if anonymous binding is allowed and a direct user DN can be used (which is not the default case for Active Directory).

For example:
uid={0},ou=People

Email Attribute

An attribute that can be used to map a user's email to a user created automatically by the system.

Search Filter

A filter expression used to search for the user DN that is used in LDAP authentication.
This is an LDAP search filter (as defined in RFC 2254) with optional arguments. In this case, the username is the only argument, denoted by {0}.

For example:
(uid={0}) - this would search for a username match on the uid attribute.
If the search succeeds, LDAP authentication is performed using the DN that was found.

Search Base

The context name in which to search, relative to the base DN in the LDAP URL. Multiple search bases may be specified, separated by a pipe ( | ). This parameter is optional.

Secure LDAP Search

Protects against LDAP poisoning by filtering out users exposed to vulnerabilities.

Search Sub Tree

When set, enables deep search through the sub-tree of the LDAP URL + Search Base. True by default.

Manager DN

The full DN of a user with permissions that allow querying the LDAP server. When working with LDAP Groups, the user should have permissions for any extra group attributes such as memberOf.

Manager Password

The password of the user binding to the LDAP server when using "search" authentication.

Test LDAP Connection

Run an LDAP test to validate that your settings are correct.
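The following is an added example (not JFrog's code) showing how the settings above turn a login name into either a direct-bind DN (User DN Pattern) or a search request (Manager DN + Search Filter + Search Base). The host, DNs and the "ONELEVEL" scope for a non-sub-tree search are assumptions; the {0} substitution escapes the username so it cannot change the filter or DN structure.

```python
from urllib.parse import urlparse

def parse_ldap_url(url):
    """Split 'ldap://host:port/baseDN' into (scheme, host, port, base_dn)."""
    p = urlparse(url)
    port = p.port or (636 if p.scheme == "ldaps" else 389)
    return p.scheme, p.hostname, port, p.path.lstrip("/")

def escape_filter_value(value):
    """RFC 4515 escaping so a username cannot alter the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def escape_dn_value(value):
    """RFC 4514 escaping for a value substituted into a DN pattern."""
    return "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)

def direct_bind_dn(settings, username):
    """User DN Pattern mode: {0} -> username, result relative to the URL base DN."""
    _, _, _, base_dn = parse_ldap_url(settings["ldap_url"])
    rdn = settings["user_dn_pattern"].replace("{0}", escape_dn_value(username))
    return f"{rdn},{base_dn}"

def search_request(settings, username):
    """Search mode: bind as Manager DN, then run the Search Filter under each
    pipe-separated Search Base (each relative to the URL base DN)."""
    _, _, _, base_dn = parse_ldap_url(settings["ldap_url"])
    bases = [b.strip() for b in settings.get("search_base", "").split("|")]
    return {
        "bind_as": settings["manager_dn"],
        "filter": settings["search_filter"].replace("{0}", escape_filter_value(username)),
        # Search Sub Tree on -> whole sub-tree; off -> one level (assumed mapping)
        "scope": "SUBTREE" if settings.get("search_sub_tree", True) else "ONELEVEL",
        "bases": [f"{b},{base_dn}" if b else base_dn for b in bases],
    }

# Constructed sample settings mirroring the fields above (hypothetical host/DNs).
SETTINGS = {
    "ldap_url": "ldap://myserver:389/dc=sampledomain,dc=com",
    "user_dn_pattern": "uid={0},ou=People",
    "search_filter": "(uid={0})",
    "search_base": "ou=People|ou=ServiceAccounts",
    "search_sub_tree": True,
    "manager_dn": "cn=artifactory,ou=ServiceAccounts,dc=sampledomain,dc=com",
}

if __name__ == "__main__":
    print(direct_bind_dn(SETTINGS, "alice"))
    print(search_request(SETTINGS, "alice"))
```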

LDAP Groups

The LDAP Groups Add-on allows you to synchronize your LDAP groups with the system and leverage your existing organizational structure for managing group-based permissions.

Unlike many LDAP integrations, LDAP groups use fast caching and support Static, Dynamic and Hierarchical mapping strategies. Powerful management is accomplished with multiple switchable LDAP settings and visual feedback about the up-to-date status of groups and users coming from LDAP.

LDAP groups synchronization works by instructing the system about the external groups that authenticated users belong to. Once logged in, you are automatically associated with your LDAP groups and inherit the group-based permissions managed in the system.

Make sure users log in

Synchronizing LDAP groups does not automatically create users that are members of those groups. Once the LDAP connection is configured, LDAP users are only created in the system after they log in to the system for the first time. Automatic creation of users can be controlled by the Auto Create System Users checkbox in the LDAP Settings screen.



Usage

LDAP Groups settings are available in the Administration module under Security | LDAP.

To use LDAP groups you must first set up an LDAP server for authentication from the LDAP Settings screen. You must also tell the system which LDAP group settings to use with your existing LDAP schema.

Active Directory Users

For specific help with setting up LDAP groups for an Active Directory installation please see Managing Security with Active Directory.

Group Synchronization Strategies

The JFrog Platform Deployment (JPD) supports three ways of mapping groups to LDAP schemas: 

  • Static: Group objects are aware of their members, however, the users are not aware of the groups they belong to.
    Each group object such as groupOfNames or groupOfUniqueNames holds its respective member attributes, typically member or uniqueMember, which is a user DN.
  • Dynamic: User objects are aware of what groups they belong to, but the group objects are not aware of their members.
    Each user object contains a custom attribute, such as group, that holds the group DNs or group names of which the user is a member.
  • Hierarchy: The user's DN is indicative of the groups the user belongs to by using group names as part of user DN hierarchy.
    Each user DN contains a list of ou's or custom attributes that make up the group association. 
    For example,
    uid=user1,ou=developers,ou=uk,dc=jfrog,dc=org indicates that user1 belongs to two groups: uk and developers.
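The following is an added example (not JFrog's code) that resolves a user's groups under each of the three strategies above against a small constructed directory (a dict of DN to attributes); the entries, the `group` attribute name used for the Dynamic case and the naive comma-split DN parsing are assumptions.

```python
# Constructed sample directory (DN -> attributes); names are hypothetical.
DIRECTORY = {
    "uid=user1,ou=developers,ou=uk,dc=jfrog,dc=org": {
        "objectClass": ["inetOrgPerson"],
        "group": ["cn=ci,ou=groups,dc=jfrog,dc=org", "release"],  # DNs or names
    },
    "cn=ci,ou=groups,dc=jfrog,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=user1,ou=developers,ou=uk,dc=jfrog,dc=org"],
    },
    "cn=ops,ou=groups,dc=jfrog,dc=org": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=user2,ou=ops,ou=uk,dc=jfrog,dc=org"],
    },
}

def rdn_values(dn, attr):
    """Values of every RDN in dn whose attribute is attr (naive split on ',';
    escaped commas inside values are not handled)."""
    pairs = (part.partition("=") for part in dn.split(","))
    return [v.strip() for k, _, v in pairs if k.strip().lower() == attr]

def static_groups(directory, user_dn, member_attrs=("member", "uniqueMember")):
    """Static: group objects list their members; scan them for user_dn."""
    wanted = user_dn.lower()
    return {rdn_values(dn, "cn")[0]
            for dn, attrs in directory.items()
            if any(wanted in (m.lower() for m in attrs.get(a, [])) for a in member_attrs)}

def dynamic_groups(directory, user_dn, attr="group"):
    """Dynamic: the user entry carries its own groups, as DNs or plain names."""
    values = directory.get(user_dn, {}).get(attr, [])
    return {rdn_values(v, "cn")[0] if "=" in v else v for v in values}

def hierarchy_groups(user_dn, attr="ou"):
    """Hierarchy: each ou component of the user's DN names a group."""
    return set(rdn_values(user_dn, attr))

if __name__ == "__main__":
    user = "uid=user1,ou=developers,ou=uk,dc=jfrog,dc=org"
    print("static:", static_groups(DIRECTORY, user))
    print("dynamic:", dynamic_groups(DIRECTORY, user))
    print("hierarchy:", hierarchy_groups(user))
```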

Using OpenLDAP

When using OpenLDAP, you can't apply the Dynamic strategy because the memberOf attribute is not defined by default (memberOf is an overlay), so JPD would not be able to fetch it from the LDAP server.



Synchronizing LDAP Groups with the JPD

Importing Groups Through the UI

Once you have configured how groups should be retrieved from your LDAP server, you can verify your setup by clicking the Refresh button on the Synchronize LDAP Groups sub-panel. A list of available LDAP groups is displayed according to your settings.

You are now ready to synchronize/import groups into the system. The groups table allows you to select which groups to import and displays the sync-state for each group:

A group can either be completely new or already existing in JPD. If a group already exists in the system it can become outdated (for example, if the group DN has changed) - this is indicated in the table so you can select to re-import it.

Once a group is imported (synced) a new external LDAP group is created in the system with the name of the group.

Once you have imported LDAP groups, you can Manage Permissions on them as with regular JPD groups. User association to these groups is external and controlled strictly by LDAP.

Make sure that the LDAP group settings are enabled (in the LDAP Groups Settings panel) in order for your settings to become effective.

To synchronize a group through the UI, in the Administration module, under Security | LDAP, select the group you want to synchronize, and search for groups that have been defined under the corresponding group settings. Once groups have been found, select Import.


Once the groups are synchronized, you should see them in your list of groups (Administration module under Security | Groups) indicated as External.

Using the REST API

You may also synchronize LDAP groups by using the Create or Replace Group REST API to create groups with the 'ldap' realm and full DN path to the group object under your LDAP server.

Limitation

Make sure to use lower case only when creating LDAP groups through the REST API. Using upper or mixed case will prevent synchronization of groups.

When using the REST API to synchronize LDAP groups, you need to specify the exact and full Group DN path to the group on your LDAP server. The example below shows the JSON payload you would use to synchronize the "testgroup" group from the LDAP server schema shown in the figure:

(Figure: LDAP Server Schema)

Sample JSON:
{
	"name": "testgroup",
	"description" : "This groups already exists in ldap",
	"autoJoin" : false,
	"realm": "ldap",
	"realmAttributes": "ldapGroupName=testgroup;groupsStrategy=STATIC;groupDn=cn=testgroup,ou=support,ou=UserGroups,dc=openstack,dc=org"
}
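The following is an added example (not JFrog's code) that builds the payload above from its parts and checks the constraints this page states (lower-case name, 'ldap' realm, full group DN); the check that the DN's leading RDN matches the group name is an assumption, as is the realmAttributes parser.

```python
import json

def parse_realm_attributes(s):
    """'k=v;k=v' -> dict; a value such as groupDn may itself contain '='."""
    pairs = (item.partition("=") for item in s.split(";") if item)
    return {k: v for k, _, v in pairs}

def validate_ldap_group(name, group_dn):
    """Return a list of problems (empty when the group definition is acceptable)."""
    problems = []
    if name != name.lower():
        problems.append("group name must be lower case when created via REST")
    if "=" not in group_dn or "," not in group_dn:
        problems.append("groupDn must be the full DN of the group object")
    else:
        # Assumption (not stated on the page): the DN's leading RDN value is the group name.
        leading = group_dn.split(",")[0].partition("=")[2].strip()
        if leading.lower() != name:
            problems.append(f"leading RDN {leading!r} does not match name {name!r}")
    return problems

def ldap_group_payload(name, group_dn, strategy="STATIC", description=""):
    """Body for Create or Replace Group with the 'ldap' realm."""
    problems = validate_ldap_group(name, group_dn)
    if problems:
        raise ValueError("; ".join(problems))
    attrs = f"ldapGroupName={name};groupsStrategy={strategy};groupDn={group_dn}"
    return {"name": name, "description": description, "autoJoin": False,
            "realm": "ldap", "realmAttributes": attrs}

if __name__ == "__main__":
    # Reproduces the sample payload from this page.
    print(json.dumps(ldap_group_payload(
        "testgroup", "cn=testgroup,ou=support,ou=UserGroups,dc=openstack,dc=org",
        description="This groups already exists in ldap"), indent=2))
```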



Non-UI Authentication Cache 


You can configure the system to cache data about authentication against external systems such as LDAP for REST API requests. This means that the first time a user needs to be authenticated, the system queries the external system for the user's permissions, group settings and so on. The information received from the external system is cached for a period of time, which you can configure in the $JFROG_HOME/artifactory/var/etc/artifactory/artifactory.system.properties file by setting the artifactory.security.authentication.cache.idleTimeSecs property. Once a user is authenticated, and while the authentication data is cached, Artifactory uses the cached data rather than querying the external system, so authentication is much faster. By default this is set to 300 sec.

REST API Only

The cache is only relevant for REST API requests, and is not relevant when using the UI.



Avoiding Clear Text Passwords

Storing your LDAP password in clear text in settings.xml on your disk is a serious security risk, since this password is very sensitive and is used for SSO to other resources in the domain.
When using LDAP, we strongly recommend using the JPD's Encrypted Passwords in your local settings.


Preventing Authentication Fallback to the Local Artifactory Realm

In some cases, as an administrator you may want to require users to authenticate themselves through LDAP with their LDAP password.
However, if a user already has an internal account with a password in the system, you can set the system to fall back to using their internal password if LDAP authentication fails.

You can prevent this fallback authentication by ensuring that the Disable Internal Password checkbox in the Edit User dialog is selected.



Using LDAPS (Secure LDAP)

To use LDAPS with a valid certificate from a CA trusted by Java, all you need to do is use a secure LDAP URL in your settings, e.g. ldaps://secure_ldap_host:636/dc=sampledomain,dc=com.

If you want to use LDAPS with a non-trusted (self-signed) certificate, please follow the steps described in Using a Self-Signed Certificate.

Secure LDAP for SaaS Users

Secure LDAP is only supported for SaaS Enterprise users, but is available for all on-prem users.

Copyright © 2020 JFrog Ltd.