User GuidesAPI ReferenceRelease Notes
Doc HomeHelp CenterLog In

LDAP Authentication and Authorization

Configuring LDAP user authentication and authorization.

Tamr Core uses local database-backed authentication and authorization by default.

Tamr Core can also use LDAP to authenticate and authorize users. Configuring Tamr Core to use LDAP allows users to sign in to Tamr Core using their LDAP username and password and be authorized under their LDAP group membership.

Tip: LDAP group names are case-sensitive. Be sure to enter all values exactly as they appear.

Configuring LDAP Authentication and Authorization

To configure LDAP authentication and authorization:

  1. Connect Tamr Core to LDAP. See Connecting Tamr Core to LDAP.
  2. Configure LDAP user and group information. See Configuring LDAP User and Group Information.
  3. Optional. Configure additional LDAP domains. See Configuring Additional LDAP Domains.
  4. Map Tamr Core groups to LDAP groups. See Mapping Tamr Core Groups to LDAP Groups.

User and Group Synchronization

  • User synchronization between Tamr Core and LDAP is "lazy", meaning that a user's account is added from LDAP to Tamr Core only when that user first signs in to Tamr Core.
  • Group synchronization. Once a user signs in to Tamr Core, they must belong to any group in the configured group base domain that passes the configured group filter to be authorized. By default, unauthorized users are not given a role.

Connecting Tamr Core to LDAP

To connect Tamr Core to LDAP:

  1. Set each of the following configuration variables using the administration utility. See Configuring Tamr Core.
  2. Restart Tamr Core and its dependencies. See Restarting.
Configuration VariableExample and Description
TAMR_AUTH_LDAP_HOSTlocalhost
The fully-qualified hostname of the LDAP server. You cannot specify an alias for this variable. For example, specifying ${TAMR_AUTH_LDAP_HOST} does not work.
TAMR_AUTH_LDAP_PORT389
The port number of the LDAP server.
To use unencrypted connections enter the LDAP port number, typically 389. To use connections secured with LDAPS, enter the port number for secure connections, typically 689.
TAMR_AUTH_LDAP_ADMIN_DNcn=admin,dc=example,dc=com
The LDAP domain name for the user account Tamr Core should use to connect to LDAP. This value must be the fully-qualified domain name (FQDN). Do not use aliases, such as [email protected].
TAMR_AUTH_LDAP_ADMIN_PASSWORDJonSn0w
The password of the user account Tamr Core should use to connect to LDAP.
TAMR_AUTH_LDAP_SECUREtrue
The Boolean value (true or false) that specifies whether to enable Tamr Core to connect over LDAPS.

Configuring LDAP User and Group Information

To configure LDAP user and group information:

  1. For each of the following configuration variables, set the variable using the admin tool. See Configuring Tamr Core.
    Tip: LDAP group names are case-sensitive. Be sure to enter all values exactly as they appear.
  2. Restart Tamr Core and its dependencies. See Restarting.
Configuration VariableExample and Description
TAMR_AUTH_LDAP_USER_BASEDNou=People,dc=example,dc=com
The base domain name for the users Tamr Core should query.
TAMR_AUTH_LDAP_USER_IDATTRcn
The name of the LDAP attribute that Tamr Core matches a username against, for example, if the user signs in to Tamr Core as john.snow the LDAP attribute containing the value john.snow is configured here. Note, this is not necessarily the name of the LDAP unique identifier attribute of the user, typically uid.
TAMR_AUTH_LDAP_USER_FILTER(cn=*)
The filter expression Tamr Core should apply when querying for a list of users. Set a value when you wish to restrict the users (within TAMR_AUTH_LDAP_USER_BASEDN) considered for authentication.
TAMR_AUTH_LDAP_USER_FINDER(&(uid={username})(memberOf=cn=Directory Administrators,ou=Groups,dc=tamr,dc=com))
Uses a user's LDAP attributes, in addition to their credentials, to restrict them from authenticating. The expression must return only one result. To enforce this, the expression must begin with the AND condition &(uid={username}). The remainder of the expression can be any ldap search conditions on a user's attributes, e.g. their group membership.
TAMR_AUTH_LDAP_GROUP_BASEDNou=Groups,dc=example,dc=com
The base domain name for the groups Tamr Core should query.
TAMR_AUTH_LDAP_GROUP_IDATTRcn
The name of the unique identifier attribute of the LDAP groups Tamr Core should use.
The name of the LDAP attribute that Tamr Core matches a group name against.

For example, if the user signs in to Tamr Core and is a member of the group cn=curators,ou=Groups,dc=example,dc=com, the LDAP attribute containing the value curators is configured here.

Note: This is not necessarily the name of the LDAP unique identifier attribute of the group, which is typically gid.
TAMR_AUTH_LDAP_USER_MEMBEROFATTRmemberOf
The name of the LDAP attribute containing the group membership of a user. The default value is memberOf, but isMemberOf and uniqueMember are also common.

Note: The User object must contain an attribute specifying the user's group membership. Tamr Core uses the user object to obtain the list of groups to which a user belongs.
TAMR_AUTH_LDAP_GROUP_FILTER(cn=*)
The filter expression Tamr Core should apply when querying groups.

Configuring Additional LDAP Domains

Tamr Core can optionally query additional LDAP domains.

To configure additional LDAP domains:

  1. Set the following configuration variable using the admin tool. See Configuring Tamr Core.
  2. Restart Tamr Core and its dependencies. See Restarting.
Configuration VariableDescription and Example
TAMR_AUTH_ADDITIONAL_CREDENTIAL_FACTORIESA list of |||-separated JSON dictionaries, where each dictionary comprises an LDAP domain with the key-value pairs shown in the table that follows.

{ 'type': 'com.tamr.auth.dao.LdapCredentialFactory', 'host': 'examplehost2.myhostname.net', 'port': '389', 'useSSL': 'false', 'adminDn': 'CN=TAMR_ADMIN,OU=ServiceAccounts,DC=people,DC=company', 'adminPassword': 'password', 'userBaseDn': 'OU=Personal,OU=US,OU=people,DC=company', 'userIdAttribute': 'AccountName', 'groupBaseDn': 'OU=PersonalGroups,DC=groups,DC=company', 'groupFilter': '(cn=*)' } ||| { 'type': 'com.tamr.auth.dao.LdapCredentialFactory', 'host': 'examplehost3.myhostname.net', 'port': '389', 'useSSL': 'false', 'adminDn': 'CN=TAMR_ADMIN,OU=ServiceAccounts,DC=people,DC=company', 'adminPassword': 'password', 'userBaseDn': 'OU=Personal,OU=EUR,OU=people,DC=company', 'userIdAttribute': 'AccountName', 'groupBaseDn': 'OU=PersonalGroups,OU=EUR,DC=groups,DC=company', 'groupFilter': '(cn=*)' }

JSON keys for TAMR_AUTH_ADDITIONAL_CREDENTIAL_FACTORIES:

JSON KeyDescription / Example Value
typecom.tamr.auth.dao.LdapCredentialFactory
hostSee TAMR_AUTH_LDAP_HOST.
portSee TAMR_AUTH_LDAP_PORT.
adminDnSee TAMR_AUTH_LDAP_ADMIN_DN.
adminPasswordSee TAMR_AUTH_LDAP_ADMIN_PASSWORD.
useSSLSee TAMR_AUTH_LDAP_SECURE.
userBaseDnSee TAMR_AUTH_LDAP_USER_BASEDN.
userIdAttributeSee TAMR_AUTH_LDAP_USER_IDATTR.
userFilterSee TAMR_AUTH_LDAP_USER_FILTER.
userFinderSee TAMR_AUTH_LDAP_USER_FINDER.
userMemberOfAttributeSee TAMR_AUTH_LDAP_USER_MEMBEROFATTR.
groupFilterSee TAMR_AUTH_LDAP_GROUP_FILTER.
groupIdAttributeSee TAMR_AUTH_LDAP_GROUP_IDATTR.
groupBaseDnSee TAMR_AUTH_LDAP_GROUP_BASEDN.

Mapping Tamr Core Groups to LDAP Groups

To create a Tamr Core group that corresponds to one or more LDAP groups, you can use the API user service to issue a POST call to the /groups endpoint, specifying a list of LDAP group DNs in the attribute sourceGroupNames. For more information about this endpoint, see the Swagger API documentation installed with your Tamr Core instance.

Note: The value returned by the LDAP user attribute configured in TAMR_AUTH_LDAP_USER_MEMBEROFATTR must match exactly (case-sensitive) the value that you configure in the Tamr Core group attribute, sourceGroupNames.

To map Tamr Core groups to LDAP groups:

You create groups using POST /user/groups. For more information about this endpoint, see the Swagger API documentation installed with your Tamr Core instance.

For example, "sourceGroupNames": ["cn=Directory Administrators,ou=Groups,dc=example,dc=com"].

For a detailed example of adding groups, see Step 4: Configure Tamr and LDAP Group Information in this section.

Example: Configuring LDAP Authentication and Authorization

The following example shows five steps to configure Tamr Core to integrate with LDAP for both user authentication and authorization.

The example uses:

  • The LDAP browser phpldapadmin to identify configuration values.
  • The command line utility ldapsearch to confirm configuration values.

Step 1. Identify and Confirm the LDAP Bind User Account

To connect to LDAP, Tamr Core requires the LDAP server details, host and port number, and the credentials of a functional LDAP user account known as the bind account. Contact your LDAP support team to obtain these details.

In this example, the LDAP server has the IP address 10.23.0.29 and the port number 389. The LDAP bind user credentials are cn=admin,dc=example,dc=com and JonSn0w.

To verify the bind user credentials that Tamr Core requires:

  1. Access the LDAP server by using the web browser application phpldapadmin:
688

The admin user is selected as the bind user for querying LDAP. In the web browser, this user's DN is cn=admin,dc=example,dc=com. This value is used for the config var TAMR_AUTH_LDAP_ADMIN_DN.

  1. Use the ldapsearch command to verify the LDAP server details and bind user credentials. Run the following command on the Tamr Core host server to confirm that the LDAP server is reachable and that the bind user credentials are valid.
ldapsearch -h <tamr-auth-ldap-host> -p <tamr-auth-ldap-port> \
-D <tamr-auth-ldap-admin-dn> -w <tamr-auth-ldap-admin-password>

For example:

ldapsearch -h 10.23.0.29 -p 389 -D cn=admin,dc=example,dc=com -w JonSn0w
  1. Set the Tamr Core configuration variables to the confirmed values as follows:
<tamr-home-directory>/tamr/utils/unify-admin.sh config:set \
--file <directory-path>/ldap-config.yaml

where ldap-config.yaml is a YAML file as in the following example:

---
TAMR_AUTH_LDAP_HOST: "10.23.0.29"
TAMR_AUTH_LDAP_PORT: "389"
TAMR_AUTH_LDAP_ADMIN_DN: "cn=admin,dc=example,dc=com"
TAMR_AUTH_LDAP_ADMIN_PASSWORD: "JonSn0w"

Step 2. Identify and Confirm User Information

Tamr Core authenticates a user by searching LDAP and requires details of the corpus of users to search.

  1. Use the web browser application phpldapadmin to browse the LDAP server and identify the LDAP details of the corpus of users you wish Tamr Core to search when authenticating. Identify the organization unit "People" with DN ou=People,dc=example,dc=com as the corpus of users that Tamr authenticates.
688

The organization unit "People" set as the corpus of users that Tamr authenticates.

  1. Identify the name of the LDAP attribute on the user object that identifies the user's unique sign in name. This user will enter abergin as their username to sign in to Tamr Core. Tamr Core then searches the user attribute uid to find this name. This attribute name is set in the config var TAMR_AUTH_LDAP_USER_IDATTR.
688

The uid attribute uniquely identifies a user.

  1. Use ldapsearch to confirm the LDAP user details.
ldapsearch -h <tamr-auth-ldap-host> -p <tamr-auth-ldap-port> \
-D <tamr-auth-ldap-admin-dn> -w <tamr-auth-ldap-admin-password> \
-b <tamr-auth-ldap-user-basedn> <tamr-auth-ldap-user-idattr>="abergin"
  1. Add the configuration variables TAMR_AUTH_LDAP_USER_BASEDN and TAMR_AUTH_LDAP_USER_IDATTR to ldap-config.yaml and update the configuration.
<tamr-home-directory>/tamr/utils/unify-admin.sh config:set \
--file <directory-path>/ldap-config.yaml

where ldap-config.yaml is a YAML file that contains the following lines:

---
TAMR_AUTH_LDAP_HOST: "10.23.0.29"
TAMR_AUTH_LDAP_PORT: "389"
TAMR_AUTH_LDAP_ADMIN_DN: "cn=admin,dc=example,dc=com"
TAMR_AUTH_LDAP_ADMIN_PASSWORD: "JonSn0w"
TAMR_AUTH_LDAP_USER_BASEDN: "ou=People,dc=example,dc=com"
TAMR_AUTH_LDAP_USER_IDATTR: "uid"

Step 3. Identify and Confirm Group Information

Tamr Core authorizes a user who is signed in by querying LDAP for the user's group membership and matches that LDAP group to a Tamr Core group. It requires the details of the corpus of groups to search and a user attribute that specifies their group membership.

  1. Browse the LDAP server and identify the LDAP details of the corpus of groups you want Tamr Core to search when authorizing. Identify the organization unit "Groups" with DN ou=Groups,dc=example,dc=com as the corpus of groups that Tamr Core authorizes.
688

The organization unit "Groups" set as the corpus of groups that Tamr Core authorizes. The name of the attribute that uniquely identifies the group is cn.

  1. Identify the name of the attribute that uniquely identifies a given group. Here it is the attribute cn.
  2. To identify which group a given user belongs to, look up the user's information and identify which attribute contains the user's groups. Identify the user attribute memberOf as containing this information.
1740

The user information for uid=gtyler contains an attribute memberOf that lists that user's groups, here "Accounting Managers". The group membership attribute name of the user object is set in the variable TAMR_AUTH_LDAP_USER_MEMBEROFATTR.

  1. Use ldapsearch to confirm the LDAP group details.
ldapsearch -h <tamr-auth-ldap-host> -p <tamr-auth-ldap-port> \
-d <tamr-auth-ldap-admin-dn> -w <tamr-auth-ldap-admin-password> \
-b <tamr-auth-ldap-group-basedn> \
<tamr-auth-ldap-group-idattr>="Accounting Managers"
  1. Use ldapsearch to confirm the LDAP user details contains the attribute memberOf. If this attribute is an operational attribute, add the argument +, as follows:
ldapsearch -h <tamr-auth-ldap-host> -p <tamr-auth-ldap-port> \
-d <tamr-auth-ldap-admin-dn> -w <tamr-auth-ldap-admin-password> \
-b <tamr-auth-ldap-user-basedn> <tamr-auth-ldap-user-idattr>="abergin" +
  1. Add the configuration variables TAMR_AUTH_LDAP_GROUP_BASEDN, TAMR_AUTH_LDAP_GROUP_IDATTR and TAMR_AUTH_LDAP_USER_MEMBEROFATTR to ldap-config.yaml and update the configuration.
<tamr-home-directory>/tamr/utils/unify-admin.sh config:set \
--file <directory-path>/ldap-config.yaml

where ldap-config.yaml is a YAML file that contains the following configuration:

---
TAMR_AUTH_LDAP_HOST: "10.23.0.29"
TAMR_AUTH_LDAP_PORT: "389"
TAMR_AUTH_LDAP_ADMIN_DN: "cn=admin,dc=example,dc=com"
TAMR_AUTH_LDAP_ADMIN_PASSWORD: "JonSn0w"
TAMR_AUTH_LDAP_USER_BASEDN: "ou=People,dc=example,dc=com"
TAMR_AUTH_LDAP_USER_IDATTR: "uid"
TAMR_AUTH_LDAP_GROUP_BASEDN: "ou=Groups,dc=example,dc=com"
TAMR_AUTH_LDAP_GROUP_IDATTR: "cn"
TAMR_AUTH_LDAP_USER_MEMBEROFATTR: "memberOf"

Step 4. Configure Tamr and LDAP Group Information

For each LDAP group, create a corresponding Tamr Core group.

To configure Tamr Core groups:

Create the Tamr Core group Tamr Core Accounting Managers corresponding to the LDAP group cn=Accounting Managers,ou=Groups,dc=example,dc=com, by calling the POST /user/groups with the following request.

{
  "groupname": "Tamr Core Accounting Managers",
  "description": "Group for Tamr Admins.",
   "sourceGroupNames": [
    "cn=Accounting Managers,ou=Groups,dc=example,dc=com"
  ]
}

Note: To configure roles, see Editing a User's Roles.

For more information about the /user/groups endpoint, see the Swagger API documentation installed with your Tamr Core instance.

Step 5. Optionally Configure User Filters

A user filter allows Tamr Core to prevent users from authenticating using a user's LDAP properties in addition to the user's credentials.

For example, you want to configure a filter that only allows users with the following characteristics:

  • of objectClass person
  • of group membership Accounting Managers

to authenticate successfully, set the configuration variable TAMR_AUTH_LDAP_USER_FINDER as follows:

TAMR_AUTH_LDAP_USER_FINDER: "(&(uid={username})(objectClass=person)(memberOf=cn=Accounting Managers,ou=Groups,dc=example,dc=com))"