Introduction

Artifactory supports authenticating users against an LDAP server out-of-the-box.

When LDAP authentication is active, Artifactory first attempts to authenticate the user against the LDAP server. If LDAP authentication fails, Artifactory tries to authenticate via its internal database.

For every LDAP authenticated user Artifactory creates a new user in the internal database (provided the user does not already exist), and automatically assigns that user to the default groups.

Managing Permissions for LDAP Groups

Artifactory can synchronize your LDAP groups and leverage your existing organizational structure when managing group-based permissions. LDAP groups in Artifactory use super-fast caching and support Static, Dynamic and Hierarchical mapping strategies.

Powerful management is accomplished with multiple, switchable LDAP settings and visual feedback about the up-to-date status of groups and users coming from LDAP.
The LDAP Groups feature is bundled as one of the Add-ons included in Artifactory Pro.

For full details on how to synchronize your LDAP Groups with Artifactory, please refer to LDAP Groups.

Using Active Directory?

If you are using Active Directory to authenticate users, please refer to Managing Security with Active Directory.

Configuration

To configure LDAP authentication, in the Admin module go to Security | LDAP and click New.

New LDAP Settings

The configuration parameters for LDAP connection settings are as follows:

Settings Name
The unique ID of the LDAP setting.
Enabled

When set, these settings are enabled.

LDAP URL

Location of the LDAP server in the following format: ldap://myserver:myport/dc=sampledomain,dc=com.

The URL should include the base DN used to search for and/or authenticate users.

Auto Create Artifactory Users
When set, Artifactory will automatically create new users for those who have logged in using LDAP, and assign them to the default groups.
Allow Created Users Access To Profile Page
When set, users created after logging in using LDAP will be able to access their profile page in Artifactory.
User DN Pattern

A DN pattern used to log users directly into the LDAP directory. This pattern is used to create a DN string for "direct" user authentication, and is relative to the base DN in the LDAP URL.

The pattern argument {0} is replaced with the username at runtime. This only works if anonymous binding is allowed and a direct user DN can be used (which is not the default case for Active Directory).

For example:
uid={0},ou=People

Email Attribute
An attribute that can be used to map a user's email to a user created automatically by Artifactory.
Search Filter

A filter expression used to search for the user DN that is used in LDAP authentication.
This is an LDAP search filter (as defined in 'RFC 2254') with optional arguments. In this case, the username is the only argument, denoted by '{0}'.

For example:
(uid={0}) - this searches for a username match on the uid attribute.
If the search succeeds, LDAP authentication is performed using the DN that was found.

Search Base
The context name in which to search, relative to the base DN in the LDAP URL. Multiple search bases may be specified, separated by a pipe ( | ). This parameter is optional.
Manager DN

The full DN of a user with permissions that allow querying the LDAP server. When working with LDAP Groups, the user should have permissions for any extra group attributes such as memberOf.

Manager Password

The password of the user binding to the LDAP server when using "search" authentication.

Search Sub Tree
When set, enables deep search through the sub-tree of the LDAP URL + Search Base. True by default.
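The following added example (not Artifactory's own code) illustrates how the settings above fit together: the base DN is taken from the LDAP URL, the User DN Pattern and Search Filter have {0} replaced with the username, and Search Base is split on the pipe. Because the username is substituted into a DN and a filter, the example escapes it per RFC 4514 and RFC 4515 so that a crafted login name cannot change the meaning of the query; the settings values are constructed and the function names are hypothetical.

```python
from urllib.parse import urlparse

# Constructed settings mirroring the fields described on this page.
LDAP_URL = "ldap://myserver:389/dc=sampledomain,dc=com"
USER_DN_PATTERN = "uid={0},ou=People"
SEARCH_FILTER = "(uid={0})"
SEARCH_BASE = "ou=People|ou=ServiceAccounts"


def base_dn_from_url(url: str) -> str:
    """Return the base DN carried in the path component of an LDAP URL."""
    parsed = urlparse(url)
    if parsed.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: " + url)
    return parsed.path.lstrip("/")


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 rules)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;='
        edge = (ch == "#" and i == 0) or (ch == " " and i in (0, last))
        out.append("\\" + ch if special or edge else ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape a value substituted into a search filter (RFC 4515 rules)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def direct_bind_dn(username: str) -> str:
    """Full DN for 'direct' authentication: pattern relative to the URL's base DN."""
    rdn = USER_DN_PATTERN.replace("{0}", escape_dn_value(username))
    return rdn + "," + base_dn_from_url(LDAP_URL)


def search_targets(username: str) -> list:
    """(search base, filter) pairs for 'search' authentication, one per base."""
    flt = SEARCH_FILTER.replace("{0}", escape_filter_value(username))
    bases = [b.strip() for b in SEARCH_BASE.split("|") if b.strip()]
    return [(b + "," + base_dn_from_url(LDAP_URL), flt) for b in bases]
```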

Non-UI Authentication Cache

You can configure Artifactory to cache data about authentication against external systems such as LDAP for REST API requests. This means that the first time a user needs to be authenticated, Artifactory will query the external system for the user's permissions, group settings etc.

The information received from the external system is cached for a period of time which you can configure in the $ARTIFACTORY_HOME/etc/artifactory.system.properties file by setting the artifactory.security.authentication.cache.idleTimeSecs property.

This means that once a user is authenticated, Artifactory uses the cached data for as long as it is valid rather than querying the external system again, so subsequent authentication is much faster.

By default this is set to 300 seconds.

REST API Only

The cache is only relevant for REST API requests, and is not relevant when using the Artifactory UI.

Avoiding Clear Text Passwords

Storing your LDAP password in clear text in settings.xml on your disk is a serious security risk, since this password is highly sensitive and is used in SSO to other resources in the domain.
When using LDAP, we strongly recommend using Artifactory's Encrypted Passwords in your local settings.


Preventing Authentication Fallback to the Local Artifactory Realm

In some cases, as an administrator you may want to require users to authenticate themselves through LDAP with their LDAP password.
However, if a user already has an internal account with a password in Artifactory, Artifactory can fall back to using their internal password if LDAP authentication fails.

You can prevent this fallback authentication by ensuring that the Disable Internal Password checkbox in the Edit User dialog is set.


Using LDAPS (Secure LDAP)

To use LDAPS with a valid certificate from a CA trusted by Java, all you need to do is use a secure LDAP URL in your settings, e.g. ldaps://secure_ldap_host:636/dc=sampledomain,dc=com.

If you want to use LDAPS with a non-trusted (self-signed) certificate, please follow the steps described in Using a Self-Signed Certificate.

Secure LDAP for Saas Users

Secure LDAP is only supported for SaaS Enterprise users, but is available for all on-prem users.
