DataIQ 2.2 Admin Guide

Configure authentication service

Configure Active Directory user info. Any changes to user or group information may take up to 15 minutes to take effect.

In the DataIQ UI, from the Settings tab, select Access and Permissions > Configure Authentication Service. Fill out the form with information from your Active Directory setup:

  • Display name: Display name for the configured LDAP provider, for example, AD-provider.
  • Vendor: select Active Directory (AD).
  • Username attribute: Directory service user object attribute that is mapped as the username. Select a user object in the directory service tree and identify the attribute to use as the username. Active Directory typically uses sAMAccountName or cn. Other LDAP vendors often use uid.

    Attributes should be unique across users. A conflict in username between users will prevent that user from logging in.

  • Top RDN: Relative Distinguished Name (RDN) of a user Distinguished Name (DN). Can vary across vendors. This value is often the same as the username attribute. Active Directory typically uses cn.
  • UUID attribute: Universally Unique Identifier (UUID) attribute. This value is an LDAP operational attribute that is assigned to each LDAP object. Active Directory typically uses objectGUID. Other LDAP vendors typically use entryUUID.
  • User object classes: An object class encapsulates attributes representing an LDAP object. Enter each object class listed in this field, for example, top,person,organizationalPerson,user.
  • Connection URL: Connection URL of the LDAP provider. Requires a scheme and address. The port is optional. A default port is inferred based on the scheme (port 389 for LDAP and port 636 for LDAPS). An IPv4 address or a resolvable hostname is expected for the address. Examples: ldap://example.abc.com:389 or ldaps://10.1.2.3:636.
  • Users DN: Users distinguished name (DN) representing where to locate users in the directory service tree, for example, CN=users,DC=ldap,DC=west,DC=abc,DC=com.
  • User filter: Optional: apply an LDAP filter for additional criteria to select which users have access.
  • Search scope: Enter scope of the search for users. Options:
    • Users DN is a single level search of the configured "Users DN".
    • Users Subtree searches the configured "Users DN" and its entire subtree.
  • Authentication: Type of authentication method used. Options:
    • Anonymous: No password is used to identify the user groups. The directory service must be configured to allow anonymous authentication in order to select this option.
    • Simple bind: Uses the bind credentials that are used by Keycloak to access the LDAP server.
  • Admin bind DN: Distinguished name (DN) of LDAP admin that is associated with stored simple bind type, for example, CN=Administrator,CN=Users,DC=west,DC=local.
  • Admin bind credential: Password, which is used for simple bind.
  • Group filter: Optional: apply an LDAP filter for additional criteria in the LDAP query to select groups.
  • Groups DN: Groups distinguished name (DN) representing where to locate groups in the directory service tree, for example, CN=Users,DC=west,DC=local.
  • Group name attribute: The LDAP user object attribute mapped as the inherited group name. A group name is the unique identifier in DataIQ, so multiple groups cannot be created with the same name. Example: cn.
  • Group object classes: An object class encapsulates attributes representing an LDAP object. A group is required to have each object class listed in this field. Example: group.
  • User group lookup strategy: Choose strategy to resolve group membership. The group membership dictates user access within DataIQ. Options:
    • SEARCH_BY_GROUPS_MEMBERS: Search all groups specified by "Groups DN", with the chosen "Search scope". User is deemed a member of the group if user is found listed under the group member attribute.

      Screenshot of Active Directory showing headings: Attribute, Syntax, Count, and Value(s). The Attribute shown is member, the Syntax shown is DN, and the Value(s) is "CN=Example User,CN=Users,DC=ldap,DC=west,DC=abc,DC=com"

      In the example above, the group member attribute is member, the group member attribute type is DN, and the group member user attribute is CN.

    • RECURSIVE_SEARCH_BY_GROUPS_MEMBERS: Searches all groups specified by "Groups DN", with the chosen "Search scope". A user is deemed a member of a group if the user is listed under the group's member attribute. Group members that are themselves groups are searched recursively. For example, Group B is a member of Group A. The user is listed as a member of Group B, but not explicitly listed as a member of Group A. This strategy resolves the user as a member of both Group A and Group B. This requires support for LDAP_MATCHING_RULE_IN_CHAIN on the directory service.
    • SEARCH_BY_USERS_MEMBERSHIP: Searches the user's memberOf attribute for groups.

      Screenshot of Active Directory showing headings: Attribute, Syntax, Count, and Value(s). The Attribute that is shown is member. The Syntax that is shown is DN. The Value that is shown is "CN=Example User,CN=Users,DC=ldap,DC=west,DC=abc,DC=com"
  • Group member attribute type: Name of the directory service attribute denoting a user in the group membership mappings. Example: member: uid=person,ou=users,dc=example,dc=com
  • Group member user attribute: Name of the directory service attribute denoting a user in the group membership mappings.
  • User memberOf attribute: Name of a directory service attribute used to track the groups that the user is a member of. Used to resolve group membership.
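
The three user group lookup strategies, run against a constructed in-memory directory that mirrors the Group A / Group B case described above. This is an added example, not DataIQ or Keycloak code: the function names and sample entries are illustrative, and the filter built by in_chain_filter is the form Active Directory accepts for LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941), assumed here rather than taken from the product.

```python
# Constructed sample directory (not from the guide): the user is listed only in
# Group B, and Group B is itself a member of Group A.
BASE = "CN=Users,DC=ldap,DC=west,DC=abc,DC=com"
USER, GROUP_A, GROUP_B = ("CN=%s,%s" % (n, BASE) for n in ("Example User", "Group A", "Group B"))
DIRECTORY = {
    USER: {"objectClass": ["user"], "memberOf": [GROUP_B]},
    GROUP_A: {"objectClass": ["group"], "cn": "Group A", "member": [GROUP_B]},
    GROUP_B: {"objectClass": ["group"], "cn": "Group B", "member": [USER], "memberOf": [GROUP_A]},
}
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"  # Active Directory's LDAP_MATCHING_RULE_IN_CHAIN

def _groups(directory):
    return {dn: e for dn, e in directory.items() if "group" in e["objectClass"]}

def search_by_groups_members(directory, user_dn, member_attr="member"):
    """Direct membership: groups whose member attribute lists the user's DN."""
    return {e["cn"] for e in _groups(directory).values() if user_dn in e.get(member_attr, [])}

def recursive_search_by_groups_members(directory, user_dn, member_attr="member"):
    """Transitive membership: also follow members that are themselves groups."""
    groups, found, frontier = _groups(directory), set(), {user_dn}
    while frontier:  # 'found' stops the walk if groups contain each other
        frontier = {dn for dn, e in groups.items()
                    if dn not in found and frontier & set(e.get(member_attr, []))}
        found |= frontier
    return {groups[dn]["cn"] for dn in found}

def search_by_users_membership(directory, user_dn, memberof_attr="memberOf"):
    """Groups named in the user's own memberOf attribute."""
    groups = _groups(directory)
    return {groups[dn]["cn"] for dn in directory[user_dn].get(memberof_attr, []) if dn in groups}

def in_chain_filter(user_dn, member_attr="member"):
    """Filter an in-chain lookup would send; RFC 4515 escaping keeps the DN inert."""
    escaped = "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in user_dn)
    return "(%s:%s:=%s)" % (member_attr, IN_CHAIN_OID, escaped)

if __name__ == "__main__":
    for strategy in (search_by_groups_members, recursive_search_by_groups_members,
                     search_by_users_membership):
        print("%-36s %s" % (strategy.__name__.upper(), sorted(strategy(DIRECTORY, USER))))
    print(in_chain_filter(USER))
```

In this sample, permissions granted to Group A reach the user only under RECURSIVE_SEARCH_BY_GROUPS_MEMBERS, so the chosen strategy should match how groups are nested in the directory.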
