
LDAP Authentication and Authorization

Configuring LDAP user authentication and authorization.

Tamr uses local database-backed authentication and authorization by default.

Tamr can also use LDAP to authenticate and authorize users. Configuring Tamr to use LDAP allows users to log into Tamr using their LDAP username and password and be authorized under their LDAP group membership.

Configuring LDAP Authentication and Authorization

To configure LDAP authentication and authorization:

  1. Connect Tamr to LDAP. See Connecting Tamr to LDAP.
  2. Configure LDAP User and Group Information. See Configuring LDAP User and Group Information.
  3. Optionally configure additional LDAP domains. See Configuring Additional LDAP Domains.
  4. Map Tamr Groups to LDAP Groups. See Mapping Tamr Groups to LDAP Groups.


User Synchronization

User synchronization between Tamr and LDAP is lazy: a user's account is added from LDAP to Tamr only when that user first logs into Tamr.


Group Synchronization

Once a user has logged into Tamr, they must belong to at least one group under the configured group base DN that passes the configured group filter in order to be authorized. By default, unauthorized users are not given a role.

Connecting Tamr to LDAP

To connect Tamr to LDAP:

  1. For each of the following configuration variables, set the configuration variable using the admin tool. See Creating or Updating a Configuration Variable.
  2. Restart Tamr and its dependencies. See Restarting.

TAMR_AUTH_LDAP_HOST

Configuration Variable | Example Value
TAMR_AUTH_LDAP_HOST | localhost

The fully qualified hostname of the LDAP server.

TAMR_AUTH_LDAP_PORT

Configuration Variable | Example Value
TAMR_AUTH_LDAP_PORT | 389

The port number of the LDAP server.

To use unencrypted connections, enter the LDAP port number, typically 389. To use connections secured with LDAPS, enter the port number for secure connections, typically 689.

TAMR_AUTH_LDAP_ADMIN_DN

Configuration Variable | Example Value
TAMR_AUTH_LDAP_ADMIN_DN | cn=admin,dc=example,dc=com

The LDAP distinguished name (DN) of the user account Tamr should use to connect to LDAP (the bind account).

TAMR_AUTH_LDAP_ADMIN_PASSWORD

Configuration Variable | Example Value
TAMR_AUTH_LDAP_ADMIN_PASSWORD | JonSn0w

The password of the user account Tamr should use to connect to LDAP (the bind account).

TAMR_AUTH_LDAP_SECURE

Configuration Variable | Example Value
TAMR_AUTH_LDAP_SECURE | true

Enable Tamr to connect over LDAPS.

Configuring LDAP User and Group Information

To configure LDAP user and group information:

  1. For each of the following configuration variables, set the configuration variable using the admin tool. See Creating or Updating a Configuration Variable.
  2. Restart Tamr and its dependencies. See Restarting.

TAMR_AUTH_LDAP_USER_BASEDN

Configuration Variable | Example Value
TAMR_AUTH_LDAP_USER_BASEDN | ou=People,dc=example,dc=com

The base distinguished name (DN) of the subtree in which Tamr searches for users.

TAMR_AUTH_LDAP_USER_IDATTR

Configuration Variable | Example Value
TAMR_AUTH_LDAP_USER_IDATTR | cn

The name of the LDAP attribute that Tamr matches a username against. For example, if the user logs into Tamr as john.snow, configure here the LDAP attribute whose value is john.snow. Note that this is not necessarily the LDAP attribute that uniquely identifies the user, typically uid.

TAMR_AUTH_LDAP_USER_FILTER

Configuration Variable | Example Value
TAMR_AUTH_LDAP_USER_FILTER | (cn=*)

The filter expression Tamr should apply when querying users. Set a value to restrict which users (within TAMR_AUTH_LDAP_USER_BASEDN) are considered for authentication.

TAMR_AUTH_LDAP_GROUP_BASEDN

Configuration Variable | Example Value
TAMR_AUTH_LDAP_GROUP_BASEDN | ou=Groups,dc=example,dc=com

The base distinguished name (DN) of the subtree in which Tamr searches for groups.

TAMR_AUTH_LDAP_GROUP_IDATTR

Configuration Variable | Example Value
TAMR_AUTH_LDAP_GROUP_IDATTR | cn

The name of the LDAP attribute that Tamr matches a group name against, i.e. the attribute by which Tamr identifies the LDAP groups it should use.

For example, if a logged-in user is a member of the group cn=curators,ou=Groups,dc=example,dc=com, configure here the LDAP attribute whose value is curators. Note that this is not necessarily the LDAP attribute that uniquely identifies the group, typically gid.

TAMR_AUTH_LDAP_USER_MEMBEROFATTR

Configuration Variable | Default Value
TAMR_AUTH_LDAP_USER_MEMBEROFATTR | memberOf

The name of the LDAP attribute containing the group membership of a user. The default value is memberOf, but isMemberOf and uniqueMember are also common.


The User Object Must Include Group Membership

The user object must contain an attribute specifying the user's group membership. Tamr uses the user object to obtain the list of groups to which a user belongs.

TAMR_AUTH_LDAP_GROUP_FILTER

Configuration Variable | Example Value
TAMR_AUTH_LDAP_GROUP_FILTER | (cn=*)

The filter expression Tamr should apply when querying groups.
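The user and group lookups above combine a configured filter expression with the login name (or group name) and the configured id attribute. The following is an added example, not Tamr's own code, of how such a lookup filter is assembled; it assumes the configured filter is ANDed with an equality clause on the id attribute (the page does not show the exact query Tamr issues). The point a practitioner should take from it is that the name coming from the login form must be escaped per RFC 4515 before it is placed in the filter, otherwise a login such as jo* is interpreted as a wildcard rather than a literal username.

```python
# Added example (not Tamr's code): assemble the LDAP search filter for a user or
# group lookup from the page's configuration variables.  Assumption: the configured
# filter (e.g. TAMR_AUTH_LDAP_USER_FILTER) is ANDed with "<id attribute>=<name>".

# RFC 4515 escapes for characters that are special inside a filter assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string so it is matched literally inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_lookup_filter(base_filter: str, id_attr: str, name: str) -> str:
    """Return the filter that selects one entry: base_filter AND (id_attr=name).

    Works for users (TAMR_AUTH_LDAP_USER_FILTER / TAMR_AUTH_LDAP_USER_IDATTR) and
    for groups (TAMR_AUTH_LDAP_GROUP_FILTER / TAMR_AUTH_LDAP_GROUP_IDATTR).  The name
    is escaped, so a login of "jo*" searches for a user literally named "jo*" instead
    of matching every user whose id starts with "jo".
    """
    if not id_attr.replace("-", "").isalnum():
        raise ValueError(f"unexpected attribute name: {id_attr!r}")
    clause = f"({id_attr}={escape_filter_value(name)})"
    base_filter = base_filter.strip()
    if not base_filter:
        return clause
    if not (base_filter.startswith("(") and base_filter.endswith(")")):
        raise ValueError("filter expression must be parenthesised, e.g. (cn=*)")
    return f"(&{base_filter}{clause})"


if __name__ == "__main__":
    # Values from the page's configuration tables; "jo*" is a constructed login name.
    print(build_lookup_filter("(cn=*)", "cn", "john.snow"))
    print(build_lookup_filter("(cn=*)", "cn", "jo*"))
    print(build_lookup_filter("(cn=*)", "cn", "Accounting Managers"))
```

With the page's example values, the user lookup for john.snow becomes (&(cn=*)(cn=john.snow)), and a group lookup for Accounting Managers becomes (&(cn=*)(cn=Accounting Managers)); spaces need no escaping, but *, parentheses and backslashes do.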

Configuring Additional LDAP Domains

Tamr can optionally query additional LDAP domains.

To configure additional LDAP domains:

  1. For each of the following configuration variables, set the configuration variable using the admin tool. See Setting Configuration Variables.
  2. Restart Tamr and its dependencies. See Restarting.

TAMR_AUTH_ADDITIONAL_CREDENTIAL_FACTORIES

Configuration Variable | Example Value
TAMR_AUTH_ADDITIONAL_CREDENTIAL_FACTORIES |
{ 'type': 'com.tamr.auth.dao.LdapCredentialFactory', 'host': 'examplehost2.myhostname.net', 'port': '389', 'useSSL': 'false', 'adminDn': 'CN=TAMR_ADMIN,OU=ServiceAccounts,DC=people,DC=company', 'adminPassword': 'password', 'userBaseDn': 'OU=Personal,OU=US,OU=people,DC=company', 'userIdAttribute': 'AccountName', 'groupBaseDn': 'OU=PersonalGroups,DC=groups,DC=company', 'groupFilter': '(cn=*)' }
|||
{ 'type': 'com.tamr.auth.dao.LdapCredentialFactory', 'host': 'examplehost3.myhostname.net', 'port': '389', 'useSSL': 'false', 'adminDn': 'CN=TAMR_ADMIN,OU=ServiceAccounts,DC=people,DC=company', 'adminPassword': 'password', 'userBaseDn': 'OU=Personal,OU=EUR,OU=people,DC=company', 'userIdAttribute': 'AccountName', 'groupBaseDn': 'OU=PersonalGroups,OU=EUR,DC=groups,DC=company', 'groupFilter': '(cn=*)' }

A list of pipe-separated (|) JSON dictionaries, where each dictionary describes one LDAP domain with the following key-value pairs.

JSON Key | Description / Example Value
type | com.tamr.auth.dao.LdapCredentialFactory
host | See TAMR_AUTH_LDAP_HOST.
port | See TAMR_AUTH_LDAP_PORT.
adminDn | See TAMR_AUTH_LDAP_ADMIN_DN.
adminPassword | See TAMR_AUTH_LDAP_ADMIN_PASSWORD.
useSSL | See TAMR_AUTH_LDAP_SECURE.
userBaseDn | See TAMR_AUTH_LDAP_USER_BASEDN.
userIdAttribute | See TAMR_AUTH_LDAP_USER_IDATTR.
groupFilter | See TAMR_AUTH_LDAP_GROUP_FILTER.
groupBaseDn | See TAMR_AUTH_LDAP_GROUP_BASEDN.
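Because this variable packs several dictionaries into one string, it is easy to mis-edit. The following is an added example, not Tamr's code, that parses a value in this format into one dictionary per domain and reports settings worth a second look. It assumes the domains are separated by ||| as in the example value above, and that the dictionaries use single quotes (so they are read as Python literals rather than strict JSON); the sample value is the page's own example, and the check for the placeholder password "password" is the example's own heuristic.

```python
# Added example (not Tamr's code): parse a TAMR_AUTH_ADDITIONAL_CREDENTIAL_FACTORIES
# value and flag questionable settings.  Assumptions: domains are separated by "|||"
# (as in the page's example) and use single-quoted keys and values.
from __future__ import annotations

import ast

FACTORY_TYPE = "com.tamr.auth.dao.LdapCredentialFactory"
SEPARATOR = "|||"
REQUIRED_KEYS = {
    "type", "host", "port", "useSSL", "adminDn", "adminPassword",
    "userBaseDn", "userIdAttribute", "groupBaseDn", "groupFilter",
}

# Constructed sample: the two domains from the page's example value.
EXAMPLE_VALUE = (
    "{ 'type': 'com.tamr.auth.dao.LdapCredentialFactory', 'host': 'examplehost2.myhostname.net', "
    "'port': '389', 'useSSL': 'false', 'adminDn': 'CN=TAMR_ADMIN,OU=ServiceAccounts,DC=people,DC=company', "
    "'adminPassword': 'password', 'userBaseDn': 'OU=Personal,OU=US,OU=people,DC=company', "
    "'userIdAttribute': 'AccountName', 'groupBaseDn': 'OU=PersonalGroups,DC=groups,DC=company', "
    "'groupFilter': '(cn=*)' } ||| "
    "{ 'type': 'com.tamr.auth.dao.LdapCredentialFactory', 'host': 'examplehost3.myhostname.net', "
    "'port': '389', 'useSSL': 'false', 'adminDn': 'CN=TAMR_ADMIN,OU=ServiceAccounts,DC=people,DC=company', "
    "'adminPassword': 'password', 'userBaseDn': 'OU=Personal,OU=EUR,OU=people,DC=company', "
    "'userIdAttribute': 'AccountName', 'groupBaseDn': 'OU=PersonalGroups,OU=EUR,DC=groups,DC=company', "
    "'groupFilter': '(cn=*)' }"
)


def parse_credential_factories(value: str) -> list[dict]:
    """Split the value on the separator and parse each chunk as a dict literal."""
    domains = []
    for chunk in value.split(SEPARATOR):
        chunk = chunk.strip()
        if not chunk:
            continue
        # literal_eval accepts only literals (strings, numbers, dicts, ...), so a
        # malformed value raises a ValueError/SyntaxError instead of running code.
        parsed = ast.literal_eval(chunk)
        if not isinstance(parsed, dict):
            raise ValueError(f"expected a dictionary, got {type(parsed).__name__}")
        domains.append(parsed)
    return domains


def check_domain(domain: dict) -> list[str]:
    """Return human-readable problems with one domain's settings (empty list = fine)."""
    problems = []
    missing = sorted(REQUIRED_KEYS - domain.keys())
    if missing:
        problems.append(f"missing keys: {missing}")
    if domain.get("type") != FACTORY_TYPE:
        problems.append(f"type should be {FACTORY_TYPE}")
    if not str(domain.get("port", "")).isdigit():
        problems.append("port must be a number")
    if str(domain.get("useSSL", "")).lower() != "true":
        problems.append("useSSL is not true: bind and user credentials cross the network unencrypted")
    if domain.get("adminPassword") in ("", "password"):
        problems.append("adminPassword is empty or still the documentation placeholder")
    return problems


def check_all(value: str) -> dict[str, list[str]]:
    """Map each domain's host to its list of problems."""
    return {d.get("host", "?"): check_domain(d) for d in parse_credential_factories(value)}


if __name__ == "__main__":
    for host, problems in check_all(EXAMPLE_VALUE).items():
        print(host, "->", problems or "ok")
```

Splitting on a single pipe would be unsafe in general, since a groupFilter can legitimately contain | (the LDAP OR operator); that is why the example splits on the triple pipe shown in the page's value. Run against the example value, both domains are flagged for useSSL being false and for the placeholder password.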

Mapping Tamr Groups to LDAP Groups

  1. Create Groups: POST /user/groups
    To create a Tamr group corresponding to one or more LDAP groups, issue a POST /user/groups API request that specifies a list of LDAP group DNs in the attribute sourceGroupNames. For example: "sourceGroupNames": ["cn=Directory Administrators,ou=Groups,dc=example,dc=com"].


Consistent Group Identification

The value returned by the LDAP user attribute configured in TAMR_AUTH_LDAP_USER_MEMBEROFATTR must exactly match the value that you configured in the Tamr group attribute, sourceGroupNames.
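The authorization rule spread across the Group Synchronization note, the memberOf requirement and the exact-match requirement above is easy to get subtly wrong, and a mismatch shows up only as a user who logs in but receives no role. The following is an added example, not Tamr's code, that models that rule offline: it keeps the memberOf values under the group base DN that pass the group filter, maps them to Tamr groups by exact string equality on sourceGroupNames, and reports near misses that differ only in case or spacing. It assumes a simplified group filter of the form (attr=pattern) with * wildcards applied to the group id attribute; the user, group and Tamr group values are constructed sample data modelled on the page's example.

```python
# Added example (not Tamr's code): an offline model of the LDAP group -> Tamr group
# authorization rule.  Assumptions: the group filter has the form (<group id attr>=pattern)
# with "*" wildcards, and sourceGroupNames match memberOf values by exact string equality.
from __future__ import annotations

import fnmatch
import re
from dataclasses import dataclass, field


@dataclass
class TamrGroup:
    """A Tamr group as created with POST /user/groups."""
    groupname: str
    source_group_names: list[str] = field(default_factory=list)


_SIMPLE_FILTER = re.compile(r"^\((?P<attr>[A-Za-z][\w-]*)=(?P<pattern>[^()]*)\)$")


def _first_rdn(dn: str) -> tuple[str, str]:
    """'cn=Accounting Managers,ou=Groups,dc=example,dc=com' -> ('cn', 'Accounting Managers').
    Assumes the RDN contains no escaped commas, which holds for the DNs on this page."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return attr.strip(), value.strip()


def groups_in_scope(member_of, group_base_dn, group_id_attr, group_filter):
    """Keep the memberOf DNs under group_base_dn whose id attribute passes group_filter."""
    m = _SIMPLE_FILTER.match(group_filter.strip())
    if not m or m.group("attr").casefold() != group_id_attr.casefold():
        raise ValueError("this example only evaluates filters of the form (<group id attr>=pattern)")
    pattern = m.group("pattern")
    suffix = "," + group_base_dn.casefold()  # DNs are case-insensitive, so the base check is too
    kept = []
    for dn in member_of:
        if not dn.casefold().endswith(suffix):
            continue
        attr, value = _first_rdn(dn)
        if attr.casefold() == group_id_attr.casefold() and fnmatch.fnmatchcase(value, pattern):
            kept.append(dn)
    return kept


def authorize(member_of, tamr_groups, *, group_base_dn, group_id_attr, group_filter):
    """Return (Tamr groups the user is authorized into, diagnostics for near misses)."""
    scoped = groups_in_scope(member_of, group_base_dn, group_id_attr, group_filter)
    loose = {dn.casefold().replace(" ", ""): dn for dn in scoped}
    granted, diagnostics = [], []
    for group in tamr_groups:
        # Exact string equality: the requirement stated in the Consistent Group Identification note.
        if any(src in scoped for src in group.source_group_names):
            granted.append(group.groupname)
            continue
        for src in group.source_group_names:
            near = loose.get(src.casefold().replace(" ", ""))
            if near is not None:
                diagnostics.append(
                    f"{group.groupname}: sourceGroupName {src!r} differs from LDAP value "
                    f"{near!r} only in case or spacing, so it will not match"
                )
    return granted, diagnostics


# Constructed sample data: one user's memberOf values and three Tamr groups.
SAMPLE_MEMBER_OF = [
    "cn=Accounting Managers,ou=Groups,dc=example,dc=com",
    "cn=HR Managers,ou=Groups,dc=example,dc=com",
    "cn=Everyone,ou=Legacy,dc=example,dc=com",  # outside the group base DN
]
SAMPLE_TAMR_GROUPS = [
    TamrGroup("Tamr Accounting Managers", ["cn=Accounting Managers,ou=Groups,dc=example,dc=com"]),
    TamrGroup("Tamr HR", ["CN=HR Managers,OU=Groups,DC=example,DC=com"]),  # case differs from LDAP
    TamrGroup("Tamr Legacy", ["cn=Everyone,ou=Legacy,dc=example,dc=com"]),
]


def run_example():
    """Evaluate the sample user against the page's group base DN, id attribute and filter."""
    return authorize(SAMPLE_MEMBER_OF, SAMPLE_TAMR_GROUPS,
                     group_base_dn="ou=Groups,dc=example,dc=com",
                     group_id_attr="cn", group_filter="(cn=*)")


if __name__ == "__main__":
    granted, notes = run_example()
    print("granted:", granted)
    for note in notes:
        print("note:", note)
```

For the sample user only Tamr Accounting Managers is granted: the Tamr HR mapping fails because its sourceGroupNames entry differs in case from the memberOf value (and is reported as a near miss), and the Tamr Legacy mapping fails silently because its group lies outside the configured group base DN. Tightening the filter to (cn=Accounting*) removes HR Managers from scope altogether.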

An Example of Configuring LDAP Authentication and Authorization

The following example configures Tamr to integrate with LDAP for user authentication and authorization.

The example uses:

  • the LDAP browser phpldapadmin to identify configuration values.
  • the command line utility ldapsearch to confirm configuration values.

Identifying and Confirming the LDAP Bind User Account

To connect to LDAP, Tamr requires the LDAP server details (host and port number) and the credentials of a working LDAP user account, known as the bind account. Contact your LDAP support team to obtain these details.

  1. In this example, the LDAP server has the IP address 10.23.0.29 and the port number 389. The LDAP bind user credentials are cn=admin,dc=example,dc=com and JonSn0w. Set the following Tamr configuration variables with these values:
<tamr-home-directory>/tamr/utils/unify-admin.sh config:set --file /path/to/your/custom/ldap-config.yaml

Where ldap-config.yaml is a YAML file with the following configuration:

---
TAMR_AUTH_LDAP_HOST: "10.23.0.29"
TAMR_AUTH_LDAP_PORT: "389"
TAMR_AUTH_LDAP_ADMIN_DN: "cn=admin,dc=example,dc=com"
TAMR_AUTH_LDAP_ADMIN_PASSWORD: "JonSn0w"
  2. Use the web browser application phpldapadmin to access the LDAP server.
  3. Use ldapsearch to confirm the LDAP server details and bind user credentials. Run the following command on the Tamr host server to confirm that the LDAP server is reachable from Tamr:
ldapsearch -h ${TAMR_AUTH_LDAP_HOST} -p ${TAMR_AUTH_LDAP_PORT} \
-D ${TAMR_AUTH_LDAP_ADMIN_DN} -w ${TAMR_AUTH_LDAP_ADMIN_PASSWORD}

Note: We chose the admin user as our bind user for querying LDAP. In the web browser we see this user's DN is cn=admin,dc=example,dc=com. This value is used for the configuration variable TAMR_AUTH_LDAP_ADMIN_DN.

Identifying and Confirming User Information

In order to authenticate a user who is logging in, Tamr must search LDAP. We next require the details of the corpus of users to search.

  1. Use the web browser application phpldapadmin to browse the LDAP server and identify the LDAP details of the corpus of users we wish Tamr to search when authenticating. Identify the organizational unit "People" with DN ou=People,dc=example,dc=com as the corpus of users that Tamr authenticates.

We choose the organizational unit "People" as the corpus of users that Tamr authenticates.

  2. Identify the name of the LDAP attribute on the user object that identifies the user's unique login name.

We identify the attribute name that uniquely identifies a user. In the web browser we see this is uid. For example, a user logging into Tamr will enter abergin as the username. Tamr then searches the user attribute uid to find this name. This attribute name is set in the configuration variable TAMR_AUTH_LDAP_USER_IDATTR.

  3. Set the following Tamr configuration variables with these values:
<tamr-home-directory>/tamr/utils/unify-admin.sh config:set TAMR_AUTH_LDAP_USER_BASEDN="ou=People,dc=example,dc=com" TAMR_AUTH_LDAP_USER_IDATTR="uid"
  4. Use ldapsearch to confirm the LDAP user details:
ldapsearch -h ${TAMR_AUTH_LDAP_HOST} -p ${TAMR_AUTH_LDAP_PORT} \
-D ${TAMR_AUTH_LDAP_ADMIN_DN} -w ${TAMR_AUTH_LDAP_ADMIN_PASSWORD} \
-b ${TAMR_AUTH_LDAP_USER_BASEDN} ${TAMR_AUTH_LDAP_USER_IDATTR}="user1"

Identifying and Confirming Group Information

In order to authorize a logged-in user, Tamr must query LDAP for the user's group membership and map each LDAP group to a Tamr group. We therefore require the details of the corpus of groups to search and of how a user object records its group membership.

  1. Browse the LDAP server and identify the LDAP details of the corpus of groups we wish Tamr to search when authorizing. We identify the organizational unit "Groups" with DN ou=Groups,dc=example,dc=com as the corpus of groups that Tamr authorizes.

We choose the organizational unit "Groups" as the corpus of groups that Tamr authorizes. Additionally, note that here the name of the attribute that uniquely identifies the group is cn.

  2. To identify which groups a given user belongs to, look up the user's information and identify which attribute contains the user's groups. Identify the user attribute memberOf as containing this information.

The user information for uid=gtyler contains an attribute memberOf that lists that user's groups, here "Accounting Managers". The group membership attribute name of the user object is set in the variable TAMR_AUTH_LDAP_USER_MEMBEROFATTR.

  3. Set the following Tamr configuration variables with these values:
<tamr-home-directory>/tamr/utils/unify-admin.sh config:set --file /path/to/your/custom/ldap-config.yaml

Where ldap-config.yaml is a YAML file containing:

---
TAMR_AUTH_LDAP_GROUP_BASEDN: "ou=Groups,dc=example,dc=com"
TAMR_AUTH_LDAP_GROUP_IDATTR: "cn"
TAMR_AUTH_LDAP_USER_MEMBEROFATTR: "memberOf"
  4. Use ldapsearch to confirm the LDAP group details:
ldapsearch -h ${TAMR_AUTH_LDAP_HOST} -p ${TAMR_AUTH_LDAP_PORT} \
-D ${TAMR_AUTH_LDAP_ADMIN_DN} -w ${TAMR_AUTH_LDAP_ADMIN_PASSWORD} \
-b ${TAMR_AUTH_LDAP_GROUP_BASEDN} \
${TAMR_AUTH_LDAP_GROUP_IDATTR}="Accounting Managers"
  5. Use ldapsearch to confirm that the LDAP user details contain the attribute memberOf. If this attribute is an operational attribute, you must add the argument + as follows:
ldapsearch -h ${TAMR_AUTH_LDAP_HOST} -p ${TAMR_AUTH_LDAP_PORT} \
-D ${TAMR_AUTH_LDAP_ADMIN_DN} -w ${TAMR_AUTH_LDAP_ADMIN_PASSWORD} \
-b ${TAMR_AUTH_LDAP_USER_BASEDN} ${TAMR_AUTH_LDAP_USER_IDATTR}="abergin" +

Configure Tamr and LDAP Group Information

  1. For each LDAP group, create a corresponding Tamr group. For example, create the Tamr group Tamr Accounting Managers corresponding to the LDAP group cn=Accounting Managers,ou=Groups,dc=example,dc=com by calling the API POST /user/groups with the following request body:
{
  "groupname": "Tamr Accounting Managers",
  "description": "Group for Tamr Admins.",
  "sourceGroupNames": [
    "cn=Accounting Managers,ou=Groups,dc=example,dc=com"
  ]
}

Note: To configure roles, see Editing a User's Roles.