Configuration (AEN 4.0)
=======================

.. raw:: html

    <div class="section" id="ldap">
    <h2>LDAP<a class="headerlink" href="#ldap" title="Permalink to this headline">¶</a></h2>
    <p>Anaconda Enterprise Notebooks authenticates against accounts in its own
    database by default. To authenticate against accounts in an LDAP server
    instead, follow these instructions.</p>
    <div class="section" id="install-openldap-libraries">
    <h3>Install OpenLDAP Libraries<a class="headerlink" href="#install-openldap-libraries" title="Permalink to this headline">¶</a></h3>
    <p>The system needs the OpenLDAP libraries installed and accessible by
    Anaconda Enterprise Notebooks. Anaconda Enterprise Notebooks uses the
    OpenLDAP libraries to establish an LDAP connection to your LDAP servers.</p>
    <div class="section" id="centos-redhat">
    <h4>Centos/Redhat<a class="headerlink" href="#centos-redhat" title="Permalink to this headline">¶</a></h4>
    <p>To install <code class="docutils literal"><span class="pre">openldap</span></code> on CentOS or Redhat, run the following commands:</p>
    <div class="code bash highlight-default"><div class="highlight"><pre><span></span><span class="n">sudo</span> <span class="n">yum</span> <span class="n">install</span> <span class="n">openldap</span>
    </pre></div>
    </div>
    </div>
    <div class="section" id="ubuntu-debian">
    <h4>Ubuntu/Debian<a class="headerlink" href="#ubuntu-debian" title="Permalink to this headline">¶</a></h4>
    <p>To install <code class="docutils literal"><span class="pre">openldap</span></code> on Ubuntu or Debian, follow the
    OpenLDAP setup instructions in the Debian wiki:
    <a class="reference external" href="https://wiki.debian.org/LDAP/OpenLDAPSetup">https://wiki.debian.org/LDAP/OpenLDAPSetup</a></p>
    </div>
    </div>
    </div>
    <div class="section" id="openldap">
    <h2>OpenLDAP<a class="headerlink" href="#openldap" title="Permalink to this headline">¶</a></h2>
    <p>Next, edit the
    <code class="docutils literal"><span class="pre">/opt/wakari/wakari-server/etc/wakari/wk-server-config.json</span></code> file.</p>
    <p>Add the LDAP settings as shown. The <code class="docutils literal"><span class="pre">filter</span></code> value is a single
    JSON string, so it must stay on one line:</p>
    <div class="code json highlight-default"><div class="highlight"><pre><span></span>{
        &quot;accounts&quot;: &quot;wk_server.plugins.accounts.ldap2&quot;,
        &quot;LDAP&quot;: {
            &quot;URI&quot;: &quot;ldap://openldap.EXAMPLE.COM&quot;,
            &quot;BIND_DN&quot;: &quot;cn=Bob Jones,ou=Users,DC=EXAMPLE,DC=COM&quot;,
            &quot;BIND_AUTH&quot;: &quot;secretpass&quot;,
            &quot;USER_SEARCH&quot;: {&quot;base&quot;: &quot;DC=EXAMPLE,DC=COM&quot;,
                            &quot;filter&quot;: &quot;(|(&amp;(ou=Payroll)(uid=%(username)s))(&amp;(ou=Facilities)(uid=%(username)s)))&quot;
            },
            &quot;KEY_MAP&quot;: {&quot;email&quot;: &quot;mail&quot;,
                        &quot;name&quot;: &quot;cn&quot;
            }
        }
    }
    </pre></div>
    </div>
    <div class="section" id="uri">
    <h3>URI<a class="headerlink" href="#uri" title="Permalink to this headline">¶</a></h3>
    <ul class="simple">
    <li>The hostname or IP address of your LDAP server, with the
    <code class="docutils literal"><span class="pre">ldap://</span></code> or <code class="docutils literal"><span class="pre">ldaps://</span></code> scheme. With
    <code class="docutils literal"><span class="pre">ldap://</span></code> the simple bind sends <strong>BIND_AUTH</strong> and every user&#8217;s
    password over the network in clear text, so for production use the
    <code class="docutils literal"><span class="pre">ldaps://</span></code> prefix and specify a <code class="docutils literal"><span class="pre">TLS_CACERT</span></code>
    as described in the SSL/TLS configuration section below.</li>
    </ul>
    </div>
    <div class="section" id="bind-dn">
    <h3>BIND_DN<a class="headerlink" href="#bind-dn" title="Permalink to this headline">¶</a></h3>
    <ul class="simple">
    <li>The distinguished name (DN) of the account AEN <em>Server</em> binds as. AEN
    <em>Server</em> uses this account only to look up user entries, so a dedicated
    read-only service account is sufficient; do not use a directory administrator.</li>
    </ul>
    </div>
    <div class="section" id="bind-auth">
    <h3>BIND_AUTH<a class="headerlink" href="#bind-auth" title="Permalink to this headline">¶</a></h3>
    <ul class="simple">
    <li>The password of the BIND_DN account. It is stored in clear text in
    <code class="docutils literal"><span class="pre">wk-server-config.json</span></code>, so restrict read access to that file
    to the account AEN <em>Server</em> runs as.</li>
    </ul>
    </div>
    <div class="section" id="user-search">
    <h3>USER_SEARCH<a class="headerlink" href="#user-search" title="Permalink to this headline">¶</a></h3>
    <ul class="simple">
    <li>base: the DN at which the search for the user entry starts.</li>
    <li>filter: an LDAP search filter in which <code class="docutils literal"><span class="pre">%(username)s</span></code> is
    replaced by the name typed at login; the value of the matched attribute becomes the
    AEN <em>Server</em> <em>username</em>. The default filter matches the <strong>sAMAccountName</strong>
    attribute (Active Directory). OpenLDAP directories normally keep the login name in
    <code class="docutils literal"><span class="pre">uid</span></code>, as in the example above, which also limits matches to
    the Payroll and Facilities organizational units.</li>
    </ul>
    </div>
    <div class="section" id="key-map">
    <h3>KEY_MAP<a class="headerlink" href="#key-map" title="Permalink to this headline">¶</a></h3>
    <ul class="simple">
    <li>Maps AEN <em>Server</em> user attributes (keys) to LDAP user attributes (values);
    for example, the LDAP <code class="docutils literal"><span class="pre">mail</span></code> attribute fills the AEN
    <em>Server</em> <code class="docutils literal"><span class="pre">email</span></code> attribute.</li>
    </ul>
    <p>Once the ldap2 accounts plugin is enabled, logins are checked against LDAP
    instead of the local database, so the locally created admin account no longer
    works. Grant superuser rights to your administrator&#8217;s LDAP username:</p>
    <div class="highlight-default"><div class="highlight"><pre><span></span><span class="o">/</span><span class="n">opt</span><span class="o">/</span><span class="n">wakari</span><span class="o">/</span><span class="n">wakari</span><span class="o">-</span><span class="n">server</span><span class="o">/</span><span class="nb">bin</span><span class="o">/</span><span class="n">wk</span><span class="o">-</span><span class="n">server</span><span class="o">-</span><span class="n">admin</span> <span class="n">superuser</span> <span class="o">--</span><span class="n">add</span> <span class="s2">&quot;jsmith&quot;</span>
    </pre></div>
    </div>
    </div>
    </div>
    <div class="section" id="active-directory">
    <h2>Active Directory<a class="headerlink" href="#active-directory" title="Permalink to this headline">¶</a></h2>
    <p>Microsoft Active Directory is a server program that provides directory services
    and uses the open industry standard Lightweight Directory Access Protocol
    (LDAP).</p>
    <p>To enable Active Directory support:</p>
    <p>Edit the <code class="docutils literal"><span class="pre">/opt/wakari/wakari-server/etc/wakari/wk-server-config.json</span></code>
    file.</p>
    <p>Add the LDAP settings as shown:</p>
    <div class="code json highlight-default"><div class="highlight"><pre><span></span><span class="p">{</span>
        <span class="s2">&quot;accounts&quot;</span><span class="p">:</span><span class="s2">&quot;wk_server.plugins.accounts.ldap2&quot;</span><span class="p">,</span>
        <span class="s2">&quot;LDAP&quot;</span> <span class="p">:</span> <span class="p">{</span>
            <span class="s2">&quot;URI&quot;</span><span class="p">:</span> <span class="s2">&quot;ldap://ad.EXAMPLE.COM&quot;</span><span class="p">,</span>
            <span class="s2">&quot;BIND_DN&quot;</span><span class="p">:</span> <span class="s2">&quot;CN=Bind User,CN=Users,DC=EXAMPLE,DC=COM&quot;</span><span class="p">,</span>
            <span class="s2">&quot;BIND_AUTH&quot;</span><span class="p">:</span> <span class="s2">&quot;secretpass&quot;</span><span class="p">,</span>
            <span class="s2">&quot;USER_SEARCH&quot;</span><span class="p">:</span> <span class="p">{</span><span class="s2">&quot;base&quot;</span><span class="p">:</span> <span class="s2">&quot;CN=Users,DC=EXAMPLE,DC=COM&quot;</span><span class="p">,</span>
                            <span class="s2">&quot;filter&quot;</span><span class="p">:</span> <span class="s2">&quot;sAMAccountName=</span><span class="si">%(username)s</span><span class="s2">&quot;</span>
            <span class="p">},</span>
            <span class="s2">&quot;KEY_MAP&quot;</span><span class="p">:</span> <span class="p">{</span><span class="s2">&quot;email&quot;</span><span class="p">:</span> <span class="s2">&quot;mail&quot;</span><span class="p">,</span>
                        <span class="s2">&quot;name&quot;</span><span class="p">:</span> <span class="s2">&quot;cn&quot;</span>
            <span class="p">}</span>
        <span class="p">}</span>
    <span class="p">}</span>
    </pre></div>
    </div>
    <div class="section" id="id1">
    <h3>URI<a class="headerlink" href="#id1" title="Permalink to this headline">¶</a></h3>
    <ul class="simple">
    <li>The hostname or IP address of your Active Directory domain controller, with
    the <code class="docutils literal"><span class="pre">ldap://</span></code> or <code class="docutils literal"><span class="pre">ldaps://</span></code> scheme. With
    <code class="docutils literal"><span class="pre">ldap://</span></code> the simple bind sends <strong>BIND_AUTH</strong> and every user&#8217;s
    password over the network in clear text, so for production use the
    <code class="docutils literal"><span class="pre">ldaps://</span></code> prefix and specify a <code class="docutils literal"><span class="pre">TLS_CACERT</span></code>
    as described in the SSL/TLS configuration section below.</li>
    </ul>
    </div>
    <div class="section" id="id2">
    <h3>BIND_DN<a class="headerlink" href="#id2" title="Permalink to this headline">¶</a></h3>
    <ul class="simple">
    <li>The distinguished name (DN) of the account AEN <em>Server</em> binds as. AEN
    <em>Server</em> uses this account only to look up user entries, so an ordinary
    domain user with read access is sufficient; do not use a domain administrator.</li>
    </ul>
    </div>
    <div class="section" id="id3">
    <h3>BIND_AUTH<a class="headerlink" href="#id3" title="Permalink to this headline">¶</a></h3>
    <ul class="simple">
    <li>The password of the BIND_DN account. It is stored in clear text in
    <code class="docutils literal"><span class="pre">wk-server-config.json</span></code>, so restrict read access to that file
    to the account AEN <em>Server</em> runs as.</li>
    </ul>
    </div>
    <div class="section" id="id4">
    <h3>USER_SEARCH<a class="headerlink" href="#id4" title="Permalink to this headline">¶</a></h3>
    <ul class="simple">
    <li>base: the DN at which the search for the user entry starts; in the example,
    the domain&#8217;s default Users container.</li>
    <li>filter: an LDAP search filter in which <code class="docutils literal"><span class="pre">%(username)s</span></code> is
    replaced by the name typed at login. The default matches the <strong>sAMAccountName</strong>
    attribute (the Windows logon name) and uses its value for the AEN <em>Server</em>
    <em>username</em> field.</li>
    </ul>
    </div>
    <div class="section" id="id5">
    <h3>KEY_MAP<a class="headerlink" href="#id5" title="Permalink to this headline">¶</a></h3>
    <ul class="simple">
    <li>Maps AEN <em>Server</em> user attributes (keys) to LDAP user attributes (values);
    for example, the LDAP <code class="docutils literal"><span class="pre">mail</span></code> attribute fills the AEN
    <em>Server</em> <code class="docutils literal"><span class="pre">email</span></code> attribute.</li>
    </ul>
    <p>Once the ldap2 accounts plugin is enabled, logins are checked against LDAP
    instead of the local database, so the locally created admin account no longer
    works. Grant superuser rights to your administrator&#8217;s LDAP username:</p>
    <div class="highlight-default"><div class="highlight"><pre><span></span><span class="o">/</span><span class="n">opt</span><span class="o">/</span><span class="n">wakari</span><span class="o">/</span><span class="n">wakari</span><span class="o">-</span><span class="n">server</span><span class="o">/</span><span class="nb">bin</span><span class="o">/</span><span class="n">wk</span><span class="o">-</span><span class="n">server</span><span class="o">-</span><span class="n">admin</span> <span class="n">superuser</span> <span class="o">--</span><span class="n">add</span> <span class="s2">&quot;jsmith&quot;</span>
    </pre></div>
    </div>
    </div>
    </div>
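
The user lookup that both the OpenLDAP and Active Directory settings above
drive, as an added example (not code from Anaconda Enterprise Notebooks or its
``ldap2`` plugin): it loads each of the page's two JSON blocks, substitutes the
login name into ``USER_SEARCH.filter`` with the characters that RFC 4515
requires hex-escaped, wraps a bare ``attribute=value`` filter such as the Active
Directory one in parentheses, checks that the result is one complete filter, and
applies ``KEY_MAP`` to a directory entry. The OpenLDAP filter is collapsed onto
one line; the entry and the login names are constructed, and
``escape_filter_value`` is this example's own helper (python-ldap ships an
equivalent in ``ldap.filter``). It runs offline and contacts no directory.

```python
"""Build the user-search filter and apply KEY_MAP from wk-server-config.json.

Added example; not code from Anaconda Enterprise Notebooks or flask-ldap-login.
Runs offline: the configs are the page's two examples, the login names and the
directory entry below are constructed.
"""
import json

# The page's OpenLDAP example, with the filter on one line (a JSON string
# cannot span lines) and without whitespace inside the filter.
OPENLDAP_CONFIG = json.loads(r'''
{
  "accounts": "wk_server.plugins.accounts.ldap2",
  "LDAP": {
    "URI": "ldap://openldap.EXAMPLE.COM",
    "BIND_DN": "cn=Bob Jones,ou=Users,DC=EXAMPLE,DC=COM",
    "BIND_AUTH": "secretpass",
    "USER_SEARCH": {"base": "DC=EXAMPLE,DC=COM",
                    "filter": "(|(&(ou=Payroll)(uid=%(username)s))(&(ou=Facilities)(uid=%(username)s)))"},
    "KEY_MAP": {"email": "mail", "name": "cn"}
  }
}
''')

# The page's Active Directory example; its filter has no outer parentheses.
AD_CONFIG = json.loads(r'''
{
  "accounts": "wk_server.plugins.accounts.ldap2",
  "LDAP": {
    "URI": "ldap://ad.EXAMPLE.COM",
    "BIND_DN": "CN=Bind User,CN=Users,DC=EXAMPLE,DC=COM",
    "BIND_AUTH": "secretpass",
    "USER_SEARCH": {"base": "CN=Users,DC=EXAMPLE,DC=COM",
                    "filter": "sAMAccountName=%(username)s"},
    "KEY_MAP": {"email": "mail", "name": "cn"}
  }
}
''')

# Constructed entry in the shape python-ldap returns: {attribute: [bytes, ...]}.
SAMPLE_ENTRY = {"uid": [b"jsmith"], "cn": [b"John Smith"],
                "mail": [b"jsmith@example.com"], "ou": [b"Payroll"]}

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion
# value; left raw, they change the structure of the filter instead of matching.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (this example's own
    helper, equivalent to python-ldap's ldap.filter.escape_filter_chars)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(config, username):
    """Substitute the login name for %(username)s in USER_SEARCH.filter."""
    template = config["LDAP"]["USER_SEARCH"]["filter"]
    filt = template % {"username": escape_filter_value(username)}
    # libldap accepts a bare "attr=value" filter, but wrap it so the result is
    # a complete RFC 4515 filter that any client library understands.
    if not filt.startswith("("):
        filt = "(" + filt + ")"
    return filt


def is_single_filter(filt):
    """True if filt is exactly one parenthesised filter with balanced parens,
    which catches a filter that became two, e.g. "(uid=a)(uid=b)"."""
    depth = 0
    for i, ch in enumerate(filt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0 or (depth == 0 and i != len(filt) - 1):
                return False
    return depth == 0 and filt.startswith("(")


def map_entry(config, entry):
    """Apply KEY_MAP: AEN attribute name -> first value of the LDAP attribute."""
    profile = {}
    for aen_key, ldap_attr in config["LDAP"]["KEY_MAP"].items():
        values = entry.get(ldap_attr, [])
        profile[aen_key] = values[0].decode("utf-8") if values else None
    return profile


if __name__ == "__main__":
    for cfg in (OPENLDAP_CONFIG, AD_CONFIG):
        print(build_user_filter(cfg, "jsmith"))
        print(build_user_filter(cfg, "*)(sAMAccountName=*"))  # escaped, stays literal
    print(map_entry(OPENLDAP_CONFIG, SAMPLE_ENTRY))
```

Without the escaping step a login name such as ``*)(sAMAccountName=*`` would
rewrite the Active Directory filter rather than be matched as a literal string;
with it, the name is hex-escaped and the filter keeps its shape.

.. raw:: html
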
    <div class="section" id="ssl-tls-configuration">
    <h2>SSL/TLS configuration<a class="headerlink" href="#ssl-tls-configuration" title="Permalink to this headline">¶</a></h2>
    <p>Anaconda Enterprise Notebooks uses the OpenLDAP client library&#8217;s system-wide
    settings, including its SSL/TLS options.</p>
    <ul class="simple">
    <li>On Redhat/CentOS systems, these settings are located in <code class="docutils literal"><span class="pre">/etc/openldap/ldap.conf</span></code></li>
    <li>On Ubuntu/Debian systems, these settings are located in <code class="docutils literal"><span class="pre">/etc/ldap/ldap.conf</span></code></li>
    </ul>
    <p>Typically, the only option needed is:</p>
    <div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">TLS_CACERT</span> <span class="o">/</span><span class="n">path</span><span class="o">/</span><span class="n">to</span><span class="o">/</span><span class="n">CA</span><span class="o">.</span><span class="n">cert</span>
    </pre></div>
    </div>
    <p>Where CA.cert is the certificate of the CA that signed the LDAP server&#8217;s SSL
    certificate. In the case of a self-signed SSL certificate, this is the path to
    the server certificate itself. Leave <code class="docutils literal"><span class="pre">TLS_REQCERT</span></code> at its
    default, <code class="docutils literal"><span class="pre">demand</span></code>, so that the connection fails unless the server
    certificate verifies against that CA; setting it to <code class="docutils literal"><span class="pre">never</span></code>
    silences certificate errors but lets any host impersonate your LDAP server.</p>
    </div>
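
A check for the transport side of the settings above, added here as an example
rather than code from Anaconda Enterprise Notebooks: given the ``URI`` from the
``LDAP`` block of ``wk-server-config.json`` and the text of ``ldap.conf``, it
reports whether a simple bind would send ``BIND_AUTH`` and users' passwords in
clear text, whether an ``ldaps://`` URI has a ``TLS_CACERT`` to verify against,
and whether ``TLS_REQCERT`` has been relaxed to ``never`` or ``allow``. The two
``ldap.conf`` snippets are constructed, and the example assumes that a plain
``ldap://`` URI is used without STARTTLS, which is how the page's examples are
written.

```python
"""Audit the transport protection of the AEN Server LDAP bind.

Added example, not part of Anaconda Enterprise Notebooks. It reads the URI from
the LDAP block of wk-server-config.json and the TLS_* options from ldap.conf
and lists what would let BIND_AUTH or a user's password travel in clear text
or reach an unverified server. Assumption: ldap:// means a plain simple bind
with no STARTTLS, as in the page's examples. Runs offline on the constructed
ldap.conf snippets below.
"""
from urllib.parse import urlsplit

# Constructed ldap.conf contents, not taken from any real host.
LDAP_CONF_OK = """
# CA that signed the LDAP server certificate; TLS_REQCERT keeps its default (demand)
TLS_CACERT /etc/openldap/certs/ca.pem
"""

LDAP_CONF_WEAK = """
TLS_CACERT /etc/openldap/certs/ca.pem
TLS_REQCERT never
"""


def parse_ldap_conf(text):
    """Return {OPTION: value} for the active lines of an ldap.conf file."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        options[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return options


def audit_transport(uri, ldap_conf_text):
    """Return a list of findings for the URI/ldap.conf pair; [] means sound.

    URI may be a space-separated list, which libldap accepts; every entry is
    checked because the client tries them in turn until one connects."""
    options = parse_ldap_conf(ldap_conf_text)
    findings = []
    for single in uri.split():
        scheme = urlsplit(single).scheme.lower()
        if scheme == "ldap":
            findings.append("%s: simple bind over ldap:// sends BIND_AUTH and every "
                            "user's password in clear text; use ldaps://" % single)
        elif scheme == "ldaps":
            if "TLS_CACERT" not in options:
                findings.append("%s: no TLS_CACERT in ldap.conf, so the server "
                                "certificate cannot be verified" % single)
            # OpenLDAP's default for TLS_REQCERT is demand; never and allow
            # both proceed with a bad or missing server certificate.
            reqcert = options.get("TLS_REQCERT", "demand").lower()
            if reqcert in ("never", "allow"):
                findings.append("%s: TLS_REQCERT %s accepts any certificate, so "
                                "another host can impersonate the LDAP server"
                                % (single, reqcert))
        else:
            findings.append("%s: unsupported URI scheme %r" % (single, scheme))
    return findings


if __name__ == "__main__":
    for uri, conf in (("ldap://openldap.EXAMPLE.COM", LDAP_CONF_OK),
                      ("ldaps://openldap.EXAMPLE.COM", LDAP_CONF_OK),
                      ("ldaps://openldap.EXAMPLE.COM", LDAP_CONF_WEAK)):
        print(uri, audit_transport(uri, conf) or ["ok"])
```

To run it against a real host, load ``wk-server-config.json`` with ``json.load``
and pass ``cfg["LDAP"]["URI"]`` together with the contents of
``/etc/openldap/ldap.conf`` (or ``/etc/ldap/ldap.conf``) to ``audit_transport``;
an empty list means the bind is protected by TLS with a verified server
certificate.

.. raw:: html
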
    <div class="section" id="test-configuration-with-flask-ldap-check">
    <h2>Test configuration with Flask LDAP Check<a class="headerlink" href="#test-configuration-with-flask-ldap-check" title="Permalink to this headline">¶</a></h2>
    <p>Finally, test the LDAP configuration with the <code class="docutils literal"><span class="pre">flask-ldap-login-check</span></code>
    command:</p>
    <div class="code bash highlight-default"><div class="highlight"><pre><span></span><span class="o">/</span><span class="n">opt</span><span class="o">/</span><span class="n">wakari</span><span class="o">/</span><span class="n">wakari</span><span class="o">-</span><span class="n">server</span><span class="o">/</span><span class="nb">bin</span><span class="o">/</span><span class="n">flask</span><span class="o">-</span><span class="n">ldap</span><span class="o">-</span><span class="n">login</span><span class="o">-</span><span class="n">check</span> \
        <span class="n">wk_server</span><span class="o">.</span><span class="n">wsgi</span><span class="p">:</span><span class="n">app</span> \
        <span class="o">-</span><span class="n">u</span> <span class="p">[</span><span class="n">username</span><span class="p">]</span> \
        <span class="o">-</span><span class="n">p</span> <span class="p">[</span><span class="n">password</span><span class="p">]</span>
    </pre></div>
    </div>
    <p>Where <code class="docutils literal"><span class="pre">username</span></code> is the login name of a valid LDAP user
    and <code class="docutils literal"><span class="pre">password</span></code> is that user&#8217;s own LDAP password, not
    <strong>BIND_AUTH</strong>: the check binds as <strong>BIND_DN</strong> to find the user&#8217;s entry and
    then binds as that user. Because <code class="docutils literal"><span class="pre">-p</span></code> puts the password on the
    command line, it is visible in the shell history and process list, so use a
    test account or clear the history afterwards.</p>
    </div>
