Lightweight Directory Access Protocol (LDAP)

OVERVIEW

LDAP (Lightweight Directory Access Protocol) is an application protocol, carried over an IP network, for managing and accessing the directory information held in an organization's secured network. Zoomdata has been tested with, and performs well against, Active Directory and OpenLDAP directory services. Zoomdata Server can be configured to use one of these LDAP services to authenticate users. When LDAP is enabled, users log into Zoomdata with their familiar LDAP identity and credentials.

After enabling LDAP authentication in Zoomdata, users from your organization's LDAP directory can be imported. All user information continues to be maintained in LDAP, not in your Zoomdata user accounts. To connect Zoomdata with an LDAP directory, the authorized LDAP administrator and the Zoomdata administrator (if they are different people) need to coordinate.

The following LDAP configuration information is needed to configure LDAP in Zoomdata:

URL
  The LDAP connection string for connecting to the LDAP repository. The connection string has the following format:
  ldap://<ldap server>:<ldap port>
  where:
    • <ldap server> should be replaced by the DNS name or IP address of the LDAP repository server
    • <ldap port> should be replaced by the port number on which the LDAP service is listening on <ldap server> (typically port 389)

Bind user
  User name of the service account that has (at minimum) read access to the LDAP repository.

Bind password
  Password for the Bind user (the LDAP service account).

Search base
  The Distinguished Name (DN) of the location in the LDAP directory tree where queries for registered users begin.

Query
  LDAP query that resolves to the specific set of users under the search base that will be imported into Zoomdata.

User ID attribute
  The attribute that identifies users in your organization's LDAP implementation. The following user ID attributes are supported: UID, CN, sAMAccountname, and userPrincipalName. This attribute determines how user names are represented in Zoomdata.
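The fields above are what the server needs to look a user up at login. As an added example (not Zoomdata's own code), the following Python validates the two URL formats this page gives and builds the user lookup filter from the Query, the User ID attribute and the login name typed by the user, escaping that name per RFC 4515 so it is matched literally and cannot alter the filter. How Zoomdata itself combines these settings internally is an assumption of the example.

```python
import re
from urllib.parse import urlsplit

# Default ports for the two URL schemes the page describes (ldap:// and ldaps://).
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
# The four User ID attributes the page lists; LDAP attribute names are case-insensitive.
USER_ID_ATTRIBUTES = {"uid", "cn", "samaccountname", "userprincipalname"}
# RFC 4515 escapes for the characters that would otherwise change a filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def parse_ldap_url(url):
    """Return (scheme, host, port) for ldap://<server>:<port> or ldaps://<server>:636.

    A missing port falls back to 389 (ldap) or 636 (ldaps); anything else,
    such as spaces in the host part or a non-numeric port, raises ValueError.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme not in DEFAULT_PORTS or not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9.\-]*", host):
        raise ValueError("expected ldap://<ldap server>:<ldap port> or ldaps://<ldap server>:636")
    return parts.scheme, host, parts.port or DEFAULT_PORTS[parts.scheme]


def is_valid_ldap_url(url):
    """True if parse_ldap_url accepts the URL (urlsplit itself raises ValueError on bad ports)."""
    try:
        parse_ldap_url(url)
        return True
    except ValueError:
        return False


def escape_filter_value(value):
    """Escape a user-supplied value so it is matched literally inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(query, user_id_attribute, login_name):
    """Combine the configured Query, the User ID attribute and the typed login name into
    one filter to run under the Search base (assumed to mirror what the server does)."""
    if user_id_attribute.lower() not in USER_ID_ATTRIBUTES:
        raise ValueError("User ID attribute must be UID, CN, sAMAccountname or userPrincipalName")
    return "(&%s(%s=%s))" % (query, user_id_attribute, escape_filter_value(login_name))


if __name__ == "__main__":
    print(parse_ldap_url("ldaps://ldap.example.local"))
    # Escaping keeps a login name containing ')' or '*' from widening the search to other users.
    print(build_user_filter("(objectclass=person)", "sAMAccountName", "*)(uid=*"))
```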

CONFIGURING LDAP

  1. Log in as supervisor.
  2. Click the Security tab and then click LDAP Settings.
  3. Under the LDAP Settings tab, toggle Enable LDAP on.
  4. Enter the LDAP connection URL (DNS name or IP address) of the server where the LDAP directory resides.
  5. Enter the Bind User and Bind Password credentials. The authorized LDAP administrator needs to provide these credentials.
  6. Specify the Search Base, which is the DN or location in the LDAP directory tree where a search for registered users begins. An example entry is provided in the text field: OU=people,DC=zoomdata,DC=local, where
  • OU means organizational unit
  • DC means domain controller
  7. Provide a query string that identifies user nodes under the Search Base. An example is provided in the text field: (objectclass=person). Keep in mind that you can only import individual users into Zoomdata, so your query should be limited to objects designated as a "person" or "user." For common LDAP query strings, refer to the Google reference source on LDAP Queries.


Figure 1

Enabling User Provisioning

You can enable user provisioning. This feature verifies the identity of users who log into Zoomdata against the LDAP directory and automatically creates a new Zoomdata user once the user's credentials have been validated against the directory.

If it is disabled, you must import users manually before they can log into Zoomdata.

Figure 2

When you have enabled the auto-provisioning feature, you can select the default account to which provisioned users are added.

The Default Account list contains all the account names available within your Zoomdata instance. If you want the users to be added to one of them, select the corresponding account. Otherwise, select the User Account Mapping option to configure the mappings between LDAP attributes and your users.

Configuring Mappings

Using mappings, you bind user attributes from LDAP to user attributes in Zoomdata.

  1. Select the Login Name Mapping attribute from the list; it will be used as the user login. There are four User ID Attributes supported: UID, CN, sAMAccountname, and userPrincipalName.
  2. Account Mapping - select the account to which the user will be added
  3. Active Account Mapping - select the account into which the user will log in for the first time
  4. Full Name Mapping
  5. Email mapping
  6. If you want to import users together with the groups they are assigned to, type the name of the corresponding LDAP attribute in the Group mapping attribute field.
    Once the credentials are verified, the user groups are created in Zoomdata and each user is assigned to the corresponding group. The user is assigned the Group Only role. If no group mapping is specified, the user is assigned the User role.


Figure 3

Managing Mappings to Custom User Attributes

Zoomdata supports associating custom user attributes with a Zoomdata user. Using this feature, you can store values that are used for credential pass-through. This means that if a user has access to a particular data source that has been connected to Zoomdata, their credentials can be saved on this page so that their access privileges for that source are maintained within Zoomdata.


Figure 4

MANUALLY IMPORTING USERS FROM THE LDAP DIRECTORY

  1. Log in as a supervisor and click the Accounts tab.

Figure 5

  2. Select the account into which users from the LDAP directory should be imported.
  3. On the Users page, click Import Users. A list of users in the LDAP directory is displayed.

Figure 6

  4. To import specific users, select them from the list. To import all users, click Select all.
  5. Click Import.

If needed, you can delete imported users using the Users list in the left pane.

After users have been imported into Zoomdata, they can be assigned roles and permissions. For an overview of how Zoomdata manages users and groups and how to assign roles and permissions, refer to the following articles:

Using a Secure LDAP Connection

To use a secure LDAP connection, you need to import the LDAP server's CA certificate into the local JRE keystore.

  1. Run the following command (replace <ca_file_name> with the name of the certificate file):
sudo keytool -import -file <ca_file_name>.pem -keystore /opt/zoomdata/jre/lib/security/cacerts
  2. Restart Zoomdata after importing the certificate:
sudo service zoomdata restart

When using a secure connection to LDAP, the URL must have the following form: ldaps://<ldap server>:636