LDAP Authentication and Authorization
Configuring LDAP user authentication and authorization.
Tamr Core uses local database-backed authentication and authorization by default.
Tamr Core can also use LDAP to authenticate and authorize users. Configuring Tamr Core to use LDAP allows users to sign in to Tamr Core using their LDAP username and password and be authorized under their LDAP group membership.
Tip: LDAP group names are case-sensitive. Be sure to enter all values exactly as they appear.
Configuring LDAP Authentication and Authorization
To configure LDAP authentication and authorization:
- Connect Tamr Core to LDAP. See Connecting Tamr Core to LDAP.
- Configure LDAP user and group information. See Configuring LDAP User and Group Information.
- Optional. Configure additional LDAP domains. See Configuring Additional LDAP Domains.
- Map Tamr Core groups to LDAP groups. See Mapping Tamr Core Groups to LDAP Groups.
User and Group Synchronization
- User synchronization between Tamr Core and LDAP is "lazy", meaning that a user's account is added from LDAP to Tamr Core only when that user first signs in to Tamr Core.
- Group synchronization. Once a user signs in to Tamr Core, they must belong to any group in the configured group base domain that passes the configured group filter to be authorized. By default, unauthorized users are not given a role.
Connecting Tamr Core to LDAP
To connect Tamr Core to LDAP:
- Set each of the following configuration variables using the administration utility. See Configuring Tamr Core.
- Restart Tamr Core and its dependencies. See Restarting.
Configuration Variable | Example and Description |
---|---|
TAMR_AUTH_LDAP_HOST | localhost The fully-qualified hostname of the LDAP server. You cannot specify an alias for this variable. For example, specifying ${TAMR_AUTH_LDAP_HOST} does not work. |
TAMR_AUTH_LDAP_PORT | 389 The port number of the LDAP server. To use unencrypted connections enter the LDAP port number, typically 389. To use connections secured with LDAPS, enter the port number for secure connections, typically 689. |
TAMR_AUTH_LDAP_ADMIN_DN | cn=admin,dc=example,dc=com The LDAP domain name for the user account Tamr Core should use to connect to LDAP. This value must be the fully-qualified domain name (FQDN). Do not use aliases, such as [email protected] . |
TAMR_AUTH_LDAP_ADMIN_PASSWORD | JonSn0w The password of the user account Tamr Core should use to connect to LDAP. |
TAMR_AUTH_LDAP_SECURE | true The Boolean value (true or false) that specifies whether to enable Tamr Core to connect over LDAPS. |
Configuring LDAP User and Group Information
To configure LDAP user and group information:
- For each of the following configuration variables, set the variable using the admin tool. See Configuring Tamr Core.
Tip: LDAP group names are case-sensitive. Be sure to enter all values exactly as they appear. - Restart Tamr Core and its dependencies. See Restarting.
Configuration Variable | Example and Description |
---|---|
TAMR_AUTH_LDAP_USER_BASEDN | ou=People,dc=example,dc=com The base domain name for the users Tamr Core should query. |
TAMR_AUTH_LDAP_USER_IDATTR | cn The name of the LDAP attribute that Tamr Core matches a username against, for example, if the user signs in to Tamr Core as john.snow the LDAP attribute containing the value john.snow is configured here. Note, this is not necessarily the name of the LDAP unique identifier attribute of the user, typically uid . |
TAMR_AUTH_LDAP_USER_FILTER | (cn=*) The filter expression Tamr Core should apply when querying for a list of users. Set a value when you wish to restrict the users (within TAMR_AUTH_LDAP_USER_BASEDN ) considered for authentication. |
TAMR_AUTH_LDAP_USER_FINDER | (&(uid={username})(memberOf=cn=Directory Administrators,ou=Groups,dc=tamr,dc=com)) Uses a user's LDAP attributes, in addition to their credentials, to restrict them from authenticating. The expression must return only one result. To enforce this, the expression must begin with the AND condition &(uid={username}) . The remainder of the expression can be any ldap search conditions on a user's attributes, e.g. their group membership. |
TAMR_AUTH_LDAP_GROUP_BASEDN | ou=Groups,dc=example,dc=com The base domain name for the groups Tamr Core should query. |
TAMR_AUTH_LDAP_GROUP_IDATTR | cn The name of the unique identifier attribute of the LDAP groups Tamr Core should use. The name of the LDAP attribute that Tamr Core matches a group name against. For example, if the user signs in to Tamr Core and is a member of the group cn=curators,ou=Groups,dc=example,dc=com , the LDAP attribute containing the value curators is configured here.Note: This is not necessarily the name of the LDAP unique identifier attribute of the group, which is typically gid . |
TAMR_AUTH_LDAP_USER_MEMBEROFATTR | memberOf The name of the LDAP attribute containing the group membership of a user. The default value is memberOf , but isMemberOf and uniqueMember are also common.Note: The User object must contain an attribute specifying the user's group membership. Tamr Core uses the user object to obtain the list of groups to which a user belongs. |
TAMR_AUTH_LDAP_GROUP_FILTER | (cn=*) The filter expression Tamr Core should apply when querying groups. |
Configuring Additional LDAP Domains
Tamr Core can optionally query additional LDAP domains.
To configure additional LDAP domains:
- Set the following configuration variable using the admin tool. See Configuring Tamr Core.
- Restart Tamr Core and its dependencies. See Restarting.
Configuration Variable | Description and Example |
---|---|
TAMR_AUTH_ADDITIONAL_CREDENTIAL_FACTORIES | A list of ||| -separated JSON dictionaries, where each dictionary comprises an LDAP domain with the key-value pairs shown in the table that follows.{ 'type': 'com.tamr.auth.dao.LdapCredentialFactory', 'host': 'examplehost2.myhostname.net', 'port': '389', 'useSSL': 'false', 'adminDn': 'CN=TAMR_ADMIN,OU=ServiceAccounts,DC=people,DC=company', 'adminPassword': 'password', 'userBaseDn': 'OU=Personal,OU=US,OU=people,DC=company', 'userIdAttribute': 'AccountName', 'groupBaseDn': 'OU=PersonalGroups,DC=groups,DC=company', 'groupFilter': '(cn=*)' } ||| { 'type': 'com.tamr.auth.dao.LdapCredentialFactory', 'host': 'examplehost3.myhostname.net', 'port': '389', 'useSSL': 'false', 'adminDn': 'CN=TAMR_ADMIN,OU=ServiceAccounts,DC=people,DC=company', 'adminPassword': 'password', 'userBaseDn': 'OU=Personal,OU=EUR,OU=people,DC=company', 'userIdAttribute': 'AccountName', 'groupBaseDn': 'OU=PersonalGroups,OU=EUR,DC=groups,DC=company', 'groupFilter': '(cn=*)' } |
JSON keys for TAMR_AUTH_ADDITIONAL_CREDENTIAL_FACTORIES:
JSON Key | Description / Example Value |
---|---|
type | com.tamr.auth.dao.LdapCredentialFactory |
host | See TAMR_AUTH_LDAP_HOST. |
port | See TAMR_AUTH_LDAP_PORT. |
adminDn | See TAMR_AUTH_LDAP_ADMIN_DN. |
adminPassword | See TAMR_AUTH_LDAP_ADMIN_PASSWORD. |
useSSL | See TAMR_AUTH_LDAP_SECURE. |
userBaseDn | See TAMR_AUTH_LDAP_USER_BASEDN. |
userIdAttribute | See TAMR_AUTH_LDAP_USER_IDATTR. |
userFilter | See TAMR_AUTH_LDAP_USER_FILTER. |
userFinder | See TAMR_AUTH_LDAP_USER_FINDER. |
userMemberOfAttribute | See TAMR_AUTH_LDAP_USER_MEMBEROFATTR. |
groupFilter | See TAMR_AUTH_LDAP_GROUP_FILTER. |
groupIdAttribute | See TAMR_AUTH_LDAP_GROUP_IDATTR. |
groupBaseDn | See TAMR_AUTH_LDAP_GROUP_BASEDN. |
Mapping Tamr Core Groups to LDAP Groups
To create a Tamr Core group that corresponds to one or more LDAP groups, you can use the API user service to issue a POST call to the /groups endpoint, specifying a list of LDAP group DNs in the attribute sourceGroupNames
. For more information about this endpoint, see the Swagger API documentation installed with your Tamr Core instance.
Note: The value returned by the LDAP user attribute configured in TAMR_AUTH_LDAP_USER_MEMBEROFATTR
must match exactly (case-sensitive) the value that you configure in the Tamr Core group attribute, sourceGroupNames
.
To map Tamr Core groups to LDAP groups:
You create groups using POST /user/groups. For more information about this endpoint, see the Swagger API documentation installed with your Tamr Core instance.
For example, "sourceGroupNames": ["cn=Directory Administrators,ou=Groups,dc=example,dc=com"]
.
For a detailed example of adding groups, see Step 4: Configure Tamr and LDAP Group Information in this section.
Example: Configuring LDAP Authentication and Authorization
The following example shows five steps to configure Tamr Core to integrate with LDAP for both user authentication and authorization.
The example uses:
- The LDAP browser
phpldapadmin
to identify configuration values. - The command line utility
ldapsearch
to confirm configuration values.
Step 1. Identify and Confirm the LDAP Bind User Account
To connect to LDAP, Tamr Core requires the LDAP server details, host and port number, and the credentials of a functional LDAP user account known as the bind account. Contact your LDAP support team to obtain these details.
In this example, the LDAP server has the IP address 10.23.0.29
and the port number 389
. The LDAP bind user credentials are cn=admin,dc=example,dc=com
and JonSn0w
.
To verify the bind user credentials that Tamr Core requires:
- Access the LDAP server by using the web browser application
phpldapadmin
:
- Use the
ldapsearch
command to verify the LDAP server details and bind user credentials. Run the following command on the Tamr Core host server to confirm that the LDAP server is reachable and that the bind user credentials are valid.
ldapsearch -h <tamr-auth-ldap-host> -p <tamr-auth-ldap-port> \
-D <tamr-auth-ldap-admin-dn> -w <tamr-auth-ldap-admin-password>
For example:
ldapsearch -h 10.23.0.29 -p 389 -D cn=admin,dc=example,dc=com -w JonSn0w
- Set the Tamr Core configuration variables to the confirmed values as follows:
<tamr-home-directory>/tamr/utils/unify-admin.sh config:set \
--file <directory-path>/ldap-config.yaml
where ldap-config.yaml
is a YAML file as in the following example:
---
TAMR_AUTH_LDAP_HOST: "10.23.0.29"
TAMR_AUTH_LDAP_PORT: "389"
TAMR_AUTH_LDAP_ADMIN_DN: "cn=admin,dc=example,dc=com"
TAMR_AUTH_LDAP_ADMIN_PASSWORD: "JonSn0w"
Step 2. Identify and Confirm User Information
Tamr Core authenticates a user by searching LDAP and requires details of the corpus of users to search.
- Use the web browser application
phpldapadmin
to browse the LDAP server and identify the LDAP details of the corpus of users you wish Tamr Core to search when authenticating. Identify the organization unit "People" with DNou=People,dc=example,dc=com
as the corpus of users that Tamr authenticates.
- Identify the name of the LDAP attribute on the user object that identifies the user's unique sign in name. This user will enter
abergin
as their username to sign in to Tamr Core. Tamr Core then searches the user attributeuid
to find this name. This attribute name is set in the config varTAMR_AUTH_LDAP_USER_IDATTR
.
- Use
ldapsearch
to confirm the LDAP user details.
ldapsearch -h <tamr-auth-ldap-host> -p <tamr-auth-ldap-port> \
-D <tamr-auth-ldap-admin-dn> -w <tamr-auth-ldap-admin-password> \
-b <tamr-auth-ldap-user-basedn> <tamr-auth-ldap-user-idattr>="abergin"
- Add the configuration variables
TAMR_AUTH_LDAP_USER_BASEDN
andTAMR_AUTH_LDAP_USER_IDATTR
toldap-config.yaml
and update the configuration.
<tamr-home-directory>/tamr/utils/unify-admin.sh config:set \
--file <directory-path>/ldap-config.yaml
where ldap-config.yaml
is a YAML file that contains the following lines:
---
TAMR_AUTH_LDAP_HOST: "10.23.0.29"
TAMR_AUTH_LDAP_PORT: "389"
TAMR_AUTH_LDAP_ADMIN_DN: "cn=admin,dc=example,dc=com"
TAMR_AUTH_LDAP_ADMIN_PASSWORD: "JonSn0w"
TAMR_AUTH_LDAP_USER_BASEDN: "ou=People,dc=example,dc=com"
TAMR_AUTH_LDAP_USER_IDATTR: "uid"
Step 3. Identify and Confirm Group Information
Tamr Core authorizes a user who is signed in by querying LDAP for the user's group membership and matches that LDAP group to a Tamr Core group. It requires the details of the corpus of groups to search and a user attribute that specifies their group membership.
- Browse the LDAP server and identify the LDAP details of the corpus of groups you want Tamr Core to search when authorizing. Identify the organization unit "Groups" with DN
ou=Groups,dc=example,dc=com
as the corpus of groups that Tamr Core authorizes.
- Identify the name of the attribute that uniquely identifies a given group. Here it is the attribute
cn
. - To identify which group a given user belongs to, look up the user's information and identify which attribute contains the user's groups. Identify the user attribute
memberOf
as containing this information.
- Use
ldapsearch
to confirm the LDAP group details.
ldapsearch -h <tamr-auth-ldap-host> -p <tamr-auth-ldap-port> \
-d <tamr-auth-ldap-admin-dn> -w <tamr-auth-ldap-admin-password> \
-b <tamr-auth-ldap-group-basedn> \
<tamr-auth-ldap-group-idattr>="Accounting Managers"
- Use
ldapsearch
to confirm the LDAP user details contains the attributememberOf
. If this attribute is an operational attribute, add the argument+
, as follows:
ldapsearch -h <tamr-auth-ldap-host> -p <tamr-auth-ldap-port> \
-d <tamr-auth-ldap-admin-dn> -w <tamr-auth-ldap-admin-password> \
-b <tamr-auth-ldap-user-basedn> <tamr-auth-ldap-user-idattr>="abergin" +
- Add the configuration variables
TAMR_AUTH_LDAP_GROUP_BASEDN
,TAMR_AUTH_LDAP_GROUP_IDATTR
andTAMR_AUTH_LDAP_USER_MEMBEROFATTR
toldap-config.yaml
and update the configuration.
<tamr-home-directory>/tamr/utils/unify-admin.sh config:set \
--file <directory-path>/ldap-config.yaml
where ldap-config.yaml
is a YAML file that contains the following configuration:
---
TAMR_AUTH_LDAP_HOST: "10.23.0.29"
TAMR_AUTH_LDAP_PORT: "389"
TAMR_AUTH_LDAP_ADMIN_DN: "cn=admin,dc=example,dc=com"
TAMR_AUTH_LDAP_ADMIN_PASSWORD: "JonSn0w"
TAMR_AUTH_LDAP_USER_BASEDN: "ou=People,dc=example,dc=com"
TAMR_AUTH_LDAP_USER_IDATTR: "uid"
TAMR_AUTH_LDAP_GROUP_BASEDN: "ou=Groups,dc=example,dc=com"
TAMR_AUTH_LDAP_GROUP_IDATTR: "cn"
TAMR_AUTH_LDAP_USER_MEMBEROFATTR: "memberOf"
Step 4. Configure Tamr and LDAP Group Information
For each LDAP group, create a corresponding Tamr Core group.
To configure Tamr Core groups:
Create the Tamr Core group Tamr Core Accounting Managers
corresponding to the LDAP group cn=Accounting Managers,ou=Groups,dc=example,dc=com
, by calling the POST /user/groups with the following request.
{
"groupname": "Tamr Core Accounting Managers",
"description": "Group for Tamr Admins.",
"sourceGroupNames": [
"cn=Accounting Managers,ou=Groups,dc=example,dc=com"
]
}
Note: To configure roles, see Editing a User's Roles.
For more information about the /user/groups endpoint, see the Swagger API documentation installed with your Tamr Core instance.
Step 5. Optionally Configure User Filters
A user filter allows Tamr Core to prevent users from authenticating using a user's LDAP properties in addition to the user's credentials.
For example, you want to configure a filter that only allows users with the following characteristics:
- of objectClass
person
- of group membership
Accounting Managers
to authenticate successfully, set the configuration variable TAMR_AUTH_LDAP_USER_FINDER
as follows:
TAMR_AUTH_LDAP_USER_FINDER: "(&(uid={username})(objectClass=person)(memberOf=cn=Accounting Managers,ou=Groups,dc=example,dc=com))"
Updated about 2 years ago