Introduction

JFrog Container Registry supports authenticating users against an LDAP server out-of-the-box.

When LDAP authentication is active, JFrog Container Registry first attempts to authenticate the user against the LDAP server. If LDAP authentication fails, JFrog Container Registry tries to authenticate via its internal database.

For every LDAP authenticated user JFrog Container Registry creates a new user in the internal database (provided the user does not already exist), and automatically assigns that user to the default groups.


 If you are using Active Directory to authenticate users, please refer to Managing Security with Active Directory.



Configuration

To configure LDAP authentication, in the Admin module go to Security | LDAP and click New.

New LDAP Settings

The configuration parameters for LDAP connection settings are as follows:

Settings Name
The unique ID of the LDAP setting.

Enabled
When set, these settings are enabled.

LDAP URL
Location of the LDAP server in the following format: ldap://myserver:myport/dc=sampledomain,dc=com.
The URL should include the base DN used to search for and/or authenticate users.

Auto Create JFrog Container Registry Users
When set, JFrog Container Registry will automatically create new users for those who have logged in using LDAP, and assign them to the default groups.

Allow Created Users Access To Profile Page
When set, users created after logging in using LDAP will be able to access their profile page in JFrog Container Registry.

User DN Pattern
A DN pattern used to log users directly in to the LDAP database. This pattern is used to create a DN string for "direct" user authentication, and is relative to the base DN in the LDAP URL.
The pattern argument {0} is replaced with the username at runtime, and the resulting DN is used to bind to the LDAP server with the password the user supplied. This only works if the server accepts a direct bind with a DN built this way (which is not the default case for Active Directory, where users are normally located with a Search Filter instead).
For example:
uid={0},ou=People

Email Attribute
An attribute that can be used to map a user's email to a user created automatically by JFrog Container Registry.

Search Filter
A filter expression used to search for the user DN that is used in LDAP authentication.
This is an LDAP search filter (as defined in RFC 2254, since superseded by RFC 4515) with optional arguments. In this case, the username is the only argument, denoted by {0}. Because the username is substituted into the filter, its value must be escaped as defined in RFC 4515 (the characters *, (, ), \ and NUL); otherwise a crafted username could change the structure of the filter.
For example:
(uid={0}) - this searches for a username match on the uid attribute.
If the search succeeds, authentication is performed by binding with the DN that was found.

Search Base
The context name in which to search, relative to the base DN in the LDAP URL. Multiple search bases may be specified separated by a pipe ( | ). This parameter is optional.

Manager DN
The full DN of a user with permissions that allow querying the LDAP server. When working with LDAP groups, the user should have permissions to read any extra group attributes such as memberOf. Use a dedicated read-only account for this purpose: its credentials are stored by JFrog Container Registry and used for every user search.

Manager Password
The password of the user binding to the LDAP server when using "search" authentication.

Search Sub Tree
When set, enables deep search through the sub-tree of the LDAP URL + Search Base. True by default.

Non-UI Authentication Cache

You can configure JFrog Container Registry to cache data about authentication against external systems such as LDAP for REST API requests. This means that the first time a user needs to be authenticated, JFrog Container Registry will query the external system for the user's permissions, group settings etc.

The information received from the external system is cached for a period of time which you can configure in the $ARTIFACTORY_HOME/etc/artifactory.system.properties file by setting the artifactory.security.authentication.cache.idleTimeSecs property.

This means that once a user is authenticated, JFrog Container Registry uses the cached data for as long as the entry remains valid rather than querying the external system, so authentication is much faster. The flip side is that a change made in LDAP while an entry is cached (a disabled account or a changed password, for example) may not be seen by REST API requests until the entry expires, so keep the timeout short where prompt revocation matters.

By default this is set to 300 seconds (5 minutes).

 The cache is only relevant for REST API requests, and is not relevant when using the JFrog Container Registry UI.



Avoiding Clear Text Passwords

Storing your LDAP password in clear text in settings.xml on your disk is a serious security risk: the LDAP password is a sensitive credential that is typically also used for SSO to other resources in the domain, so anyone who can read the file obtains far more than access to the registry.
When using LDAP, we strongly recommend using JFrog Container Registry's Encrypted Passwords in your local settings.


Preventing Authentication Fallback to the Local JFrog Container Registry Realm

In some cases, as an administrator you may want to require users to authenticate through LDAP with their LDAP password only.
However, if a user already has an internal account with a password in JFrog Container Registry, JFrog Container Registry can fall back to that internal password if LDAP authentication fails. A user whose LDAP account has been disabled, or whose LDAP password has changed, could then still log in with the old internal password.

You can prevent this fallback by ensuring that the Disable Internal Password checkbox in the Edit User dialog is set for that user.
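To make the consequence of the fallback concrete, here is an added example (not JFrog's code) that models the authentication order described on this page: an LDAP bind is tried first, then the internal database, with auto-created LDAP users having no internal password and a per-user flag standing in for the Disable Internal Password checkbox. The LDAP server is a stand-in dictionary, and all class, method and user names are constructed for the illustration.

```python
# Added example (not JFrog's code): a minimal model of LDAP-first
# authentication with fallback to the internal database, and of the effect
# of the Disable Internal Password setting. FakeLdap stands in for the LDAP
# server; class and attribute names are illustrative.
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


class FakeLdap:
    """Stand-in for the LDAP server: a table of username -> password."""

    def __init__(self, credentials: dict):
        self.credentials = credentials

    def bind(self, username: str, password: str) -> bool:
        return self.credentials.get(username) == password


@dataclass
class InternalUser:
    name: str
    salt: bytes
    password_hash: Optional[bytes]          # None for auto-created LDAP users
    internal_password_disabled: bool = False


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Registry:
    def __init__(self, ldap: FakeLdap, auto_create_users: bool = True):
        self.ldap = ldap
        self.auto_create_users = auto_create_users
        self.users: dict = {}

    def add_internal_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = InternalUser(name, salt, _hash_password(password, salt))

    def disable_internal_password(self, name: str) -> None:
        """Models the 'Disable Internal Password' checkbox in the Edit User dialog."""
        self.users[name].internal_password_disabled = True

    def authenticate(self, name: str, password: str) -> Optional[str]:
        """Return the realm that accepted the credentials ('ldap' or 'internal'), or None."""
        if self.ldap.bind(name, password):
            if name not in self.users and self.auto_create_users:
                self.users[name] = InternalUser(name, b"", None)
            return "ldap"
        # LDAP failed: fall back to the internal database unless that is disabled.
        user = self.users.get(name)
        if user is None or user.password_hash is None or user.internal_password_disabled:
            return None
        if hmac.compare_digest(_hash_password(password, user.salt), user.password_hash):
            return "internal"
        return None


def fallback_scenario() -> dict:
    """Walk through the fallback and what disabling the internal password changes."""
    reg = Registry(FakeLdap({"alice": "ldap-secret"}))
    reg.add_internal_user("alice", "old-local-pass")   # account predates the LDAP rollout
    results = {
        "ldap_password": reg.authenticate("alice", "ldap-secret"),
        "old_internal_password": reg.authenticate("alice", "old-local-pass"),
    }
    reg.disable_internal_password("alice")
    results["old_internal_after_disable"] = reg.authenticate("alice", "old-local-pass")
    results["ldap_after_disable"] = reg.authenticate("alice", "ldap-secret")
    # LDAP account removed: with the internal password disabled nothing gets in.
    reg.ldap.credentials.pop("alice")
    results["after_ldap_removal"] = reg.authenticate("alice", "ldap-secret")
    results["old_internal_after_removal"] = reg.authenticate("alice", "old-local-pass")
    return results


if __name__ == "__main__":
    for step, realm in fallback_scenario().items():
        print(f"{step}: {realm}")
```

The scenario shows the window the setting closes: until the internal password is disabled, the pre-existing local password keeps working even though LDAP is the intended realm, and it would keep working after the LDAP account is removed. Users that were auto-created from LDAP have no internal password and therefore never fall back.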