Set Up LDAP Using OpenLDAP Container

litmus edge allows companies to set up an ldap server for managing user access to their devices, eliminating the need to define users locally on each litmus edge instance before you begin make sure you have access to litmus edge 3 11 1 and later basic knowledge of ldap protocol step 1 set up the openldap container to set up the openldap container and access the php ldap admin ui from your edge device, navigate to applications > containers copy and paste the below commands and click the run button command to run the openldap server docker run dit p 389 389 p 636 636 name my openldap container osixia/openldap\ latest command to run the web ui to configure users and groups docker run dit name phpldapadmin service p 9080 80 env phpldapadmin ldap hosts=\<ip of my openldp container> e phpldapadmin https=false osixia/phpldapadmin\ latest replace \<ip of my openldp container> with the ip address of the openldap container once both containers are running, you can access php ldap admin ui by going to \<ip address of le> 9080 in your web browser you should see this landing page step 2 create users and groups to configure the litmus edge ldap container, we need to first create some users and groups on the ldap server we will create two users, namely alice smith and bob jones , and two groups named litmus admin and litmus viewer these ldap groups will correspond to the administrator and viewer groups in litmus edge, respectively to proceed, we need to log in to the ldap server using the default credentials from the container login dn cn=admin,dc=example,dc=org password admin to log into the php ldap admin ui click the login button enter the default login dn and password upon successful login, you will see the landing page and an empty tree structure on the left side note to keep this guide simple, we will add the groups and users under this root level however, in an actual ldap server, the structure is more complicated and contains many subfolders step 2a add users to add users to the ldap server click the globe icon and then select create a child entry the create object page appears choose default from templates select inetorgperson from objectclasses list for the ldap server container click proceed >> fill out the basic details for the users cn asmith sn smith givenname alice employeenumber 12345 password \<enter a password> click create object and then commit repeat the above for bob jones (make sure you do this on the root of the ldap by clicking on dc=example, dc=org and create a child entry ) enter the following details cn bjones sn jones givenname bob employeenumber 54321 password \<enter a password> click create object and then commit you should see both alice and bob added to the ldap server step 2b add groups to add groups to the ldap server click the globe icon and then select create a child entry the create object page appears choose default from templates select groupofnames from objectclasses list for the ldap server container click proceed >> fill out the basic details for the groups cn litmus admin member click the search icon and select cn=asmith click create object click commit repeat the above for litmus viewer group (make sure you do this on the root of the ldap by clicking on dc=example, dc=org and create a child entry ) enter the following details cn litmus viewer member click the search icon and select cn=bjones click create object click commit we should now have four entries under the root folder of the ldap server next, we will configure litmus edge step 3 litmus edge ldap configuration to define the ldap server connection from your edge device navigate to system > ldap/ad auth and then click the + button to define a new ldap provider the add provider dialog box appears here, we have the option to start from a template or to define everything manually select advanced to fill in all details and understand each parameter on the generic tab, give the provider a name and click next the default selection for type is generic on the connection tab, enter the following host enter ip address of the ldap container as the host port enter the port number used to define the docker container for the ldap server for this guide, we used port 389 in step 1 bind dn and bind dn password enter the same admin user credentials to authenticate php ldap admin ui click next step 4 define user search details in the user tab, we define the parameters for litmus edge to search and parse relevant information from the ldap server, such as first name, last name, username, and userid the following information defines the user configuration user search base dn the dn (distinguished name) of the folder in the ldap server is the starting point for searching users as our ldap server is simple, we'll start searching from the top level folder, which is dc=example, dc=org search scope litmus edge can use this setting to determine the level at which it should search for users there are three options in the dropdown menu to choose from base search at the base level of the user search base dn one search one level below the base level of the user search base dn sub search all levels below the user search base dn for this guide, select sub to search everything under the top level folder user search filter we require a filter to provide litmus edge with a list of users who should have access to it in a practical scenario, individuals may want to limit access to only specific employees, but for guide, we will match any entry that has an objectclass of inetorgperson (&(objectclass=inetorgperson)) if you need more information on how to write ldap filters, you can refer this resource attribute for unique userid this is the attribute that litmus edge will use as a unique identifier for each user in this example, we will use employeenumber attribute for username this is the attribute that litmus edge will use for the username when logging in to le in this example, we will use cn so alice's username will be asmith and bob's username will be bjones first name this is the attribute that litmus edge will use for the user's first name this is the givenname attribute that we filled out when creating alice and bob's user accounts in the ldap server last name this is the attribute that litmus edge will use for the user's last name for this example, we will use sn attribute after configuring your user tab, it will look like the screenshot below step 5 define group search details the group tab is same as the user section, but this time we are telling litmus edge how to search for the groups the following information defines the group configuration group search base dn the dn (distinguished name) of the folder in the ldap server will be our starting point for searching groups as our ldap server is simple, we'll start searching from the top level folder, which is dc=example, dc=org search scope litmus edge can use this setting to determine the level at which it should search for groups there are three options in the dropdown menu to choose from base search at the base level of the group search base dn one search one level below the base level of the group search base dn sub search all levels below the group search base dn for this guide, select sub to search everything under the top level folder group search filter we require a filter to provide litmus edge with a list of groups who should have access to it for this guide, we will match any entry that has an objectclass of groupofnames and then we will add an additional filter to only include the groupofnames that have a cn that starts with litmus the filter looks like the following (&(objectclass=groupofnames)(cn=litmus )) group name attribute this is the attribute litmus edge will use to display the group name in this example, we will use cn group membership attribute this attribute informs litmus edge which users belong to the group this information is necessary for litmus edge to determine a user's permissions upon login in this example, we use member attribute group member value type this attribute tells litmus edge about the type of information stored in the list of members when we added bob and alice to the group, their user account dn was inserted in this example, litmus edge can use the attribute dn to identify members in the list after configuring your groups tab, it will look like the screenshot below step 6 test the configuration you will find a test button on this screen that will verify the input settings click the test button the update provider dialog box appears it shows the expected results for two users and two groups step 7 map ldap groups to litmus edge groups after a successful test of the connection, click create and map groups the map groups dialog box appears litmus edge was able to connect to the ldap server and find the list of groups that we created next, we need to map these groups to the local groups we have on litmus edge this mapping will let litmus edge know which permissions the user should be granted when they log in from the drop down menu, map litmus admin to administrators and litmus viewer to viewers and click save step 8 check user access to edge device now, we will log in as alice or bob and verify that they each have the administrator and viewer permissions, respectively note please use the login credentials that were configured for alice and bob in step 2a select openldap from provider id drop down to log in via ldap if you select internal provider, litmus edge will look for a local user with the username of asmith, which does not exist if your login was successful, you should see the eula and need to accept it (this is only the case for the first login) when you log in as alice, you have complete access to litmus edge to check, navigate to system/users/groups and select administrators you will notice that alice has been added to the administrators group this is expected because alice is part of the litmus admin on the ldap server if you log in as bob and try to access the same page as system/users/groups , you will find that you do not have the necessary access to view the page this is because bob has been assigned the viewers group permissions and does not have the required privileges to view the page