LDAP configuration (AEN 4.1.2)
==============================

.. raw:: html

    <p>Anaconda Enterprise Notebooks does local authentication against accounts
    in the AEN database by default. To configure AEN to authenticate against
    accounts in an LDAP (Lightweight Directory Access Protocol)
    server, follow these instructions.</p>
    <p>For more information about configuring AEN, please see the documentation on
    <a class="reference internal" href="../admin/configuration-files.html"><span class="doc">configuration files</span></a>.</p>
    <div class="section" id="install-openldap-libraries">
    <h2>Install OpenLDAP libraries<a class="headerlink" href="#install-openldap-libraries" title="Permalink to this headline">¶</a></h2>
    <p>The system needs the OpenLDAP libraries installed and accessible by
    Anaconda Enterprise Notebooks. Anaconda Enterprise Notebooks uses the
    OpenLDAP libraries to establish an LDAP connection to your LDAP servers.</p>
    <div class="section" id="centos-red-hat">
    <h3>CentOS/Red Hat<a class="headerlink" href="#centos-red-hat" title="Permalink to this headline">¶</a></h3>
    <p>To install <code class="docutils literal"><span class="pre">openldap</span></code> on CentOS or Red Hat, run the following commands:</p>
    <div class="code bash highlight-default"><div class="highlight"><pre><span></span><span class="n">sudo</span> <span class="n">yum</span> <span class="n">install</span> <span class="n">openldap</span>
    </pre></div>
    </div>
    </div>
    <div class="section" id="ubuntu-debian">
    <h3>Ubuntu/Debian<a class="headerlink" href="#ubuntu-debian" title="Permalink to this headline">¶</a></h3>
    <p>To install <code class="docutils literal"><span class="pre">openldap</span></code> on Ubuntu or Debian, follow the official
    OpenLDAP installation instructions:
    <a class="reference external" href="https://wiki.debian.org/LDAP/OpenLDAPSetup">https://wiki.debian.org/LDAP/OpenLDAPSetup</a></p>
    </div>
    </div>
    <div class="section" id="openldap">
    <h2>OpenLDAP<a class="headerlink" href="#openldap" title="Permalink to this headline">¶</a></h2>
    <p>Next, edit the
    <code class="docutils literal"><span class="pre">/opt/wakari/wakari-server/etc/wakari/wk-server-config.json</span></code>
    file. Add the LDAP settings as shown:</p>
    <div class="code json highlight-default"><div class="highlight"><pre><span></span><span class="p">{</span>
        <span class="s2">&quot;accounts&quot;</span><span class="p">:</span><span class="s2">&quot;wk_server.plugins.accounts.ldap2&quot;</span><span class="p">,</span>
        <span class="s2">&quot;LDAP&quot;</span> <span class="p">:</span> <span class="p">{</span>
            <span class="s2">&quot;URI&quot;</span><span class="p">:</span> <span class="s2">&quot;ldap://openldap.EXAMPLE.COM&quot;</span><span class="p">,</span>
            <span class="s2">&quot;BIND_DN&quot;</span><span class="p">:</span> <span class="s2">&quot;cn=Bob Jones,ou=Users,DC=EXAMPLE,DC=COM&quot;</span><span class="p">,</span>
            <span class="s2">&quot;BIND_AUTH&quot;</span><span class="p">:</span> <span class="s2">&quot;secretpass&quot;</span><span class="p">,</span>
            <span class="s2">&quot;USER_SEARCH&quot;</span><span class="p">:</span> <span class="p">{</span><span class="s2">&quot;base&quot;</span><span class="p">:</span> <span class="s2">&quot;DC=EXAMPLE,DC=COM&quot;</span><span class="p">,</span>
                            <span class="s2">&quot;filter&quot;</span><span class="p">:</span> <span class="s2">&quot;(|(&amp;(ou=Payroll)(uid=</span><span class="si">%(username)s</span><span class="s2">))(&amp;(ou=Facilities)(uid=</span><span class="si">%(username)s</span><span class="s2">)))&quot;</span>
                            <span class="p">},</span>
            <span class="s2">&quot;KEY_MAP&quot;</span><span class="p">:</span> <span class="p">{</span><span class="s2">&quot;email&quot;</span><span class="p">:</span> <span class="s2">&quot;mail&quot;</span><span class="p">,</span>
                        <span class="s2">&quot;name&quot;</span><span class="p">:</span> <span class="s2">&quot;cn&quot;</span>
            <span class="p">}</span>
        <span class="p">}</span>
    <span class="p">}</span>
    </pre></div>
    </div>
    <div class="section" id="uri">
    <h3>URI<a class="headerlink" href="#uri" title="Permalink to this headline">¶</a></h3>
    <ul class="simple">
    <li>The LDAP URI of your OpenLDAP server: the <code class="docutils literal"><span class="pre">ldap://</span></code> prefix
    followed by its IP address or hostname. For SSL/TLS, use the
    <code class="docutils literal"><span class="pre">ldaps://</span></code> prefix instead and specify a
    <code class="docutils literal"><span class="pre">TLS_CACERT</span></code> as described in the SSL/TLS configuration section below.</li>
    </ul>
    </div>
    <div class="section" id="bind-dn">
    <h3>BIND_DN<a class="headerlink" href="#bind-dn" title="Permalink to this headline">¶</a></h3>
    <ul class="simple">
    <li>The full distinguished name (DN) of the user you want AEN Server to bind as.</li>
    </ul>
    </div>
    <div class="section" id="bind-auth">
    <h3>BIND_AUTH<a class="headerlink" href="#bind-auth" title="Permalink to this headline">¶</a></h3>
    <ul class="simple">
    <li>The password of the BIND_DN user.</li>
    </ul>
    </div>
    <div class="section" id="user-search">
    <h3>USER_SEARCH<a class="headerlink" href="#user-search" title="Permalink to this headline">¶</a></h3>
    <ul class="simple">
    <li>base: the point in the directory tree at which the search starts.</li>
    <li>filter: the search filter; <code class="docutils literal"><span class="pre">%(username)s</span></code> is replaced with the
    name entered at login. The default is to search for the <strong>sAMAccountName</strong> attribute
    and use its value for the AEN Server <code class="docutils literal"><span class="pre">username</span></code> field.</li>
    </ul>
    </div>
    <div class="section" id="key-map">
    <h3>KEY_MAP<a class="headerlink" href="#key-map" title="Permalink to this headline">¶</a></h3>
    <ul class="simple">
    <li>Maps user attributes in AEN Server to LDAP user attributes
    (for example, the <code class="docutils literal"><span class="pre">mail</span></code> attribute in LDAP maps to the <code class="docutils literal"><span class="pre">email</span></code>
    attribute in AEN Server)</li>
    </ul>
    <p>As soon as the LDAP accounts plugin is enabled, LDAP authentication takes over
    from local authentication, so add your admin account again:</p>
    <div class="highlight-default"><div class="highlight"><pre><span></span><span class="o">/</span><span class="n">opt</span><span class="o">/</span><span class="n">wakari</span><span class="o">/</span><span class="n">wakari</span><span class="o">-</span><span class="n">server</span><span class="o">/</span><span class="nb">bin</span><span class="o">/</span><span class="n">wk</span><span class="o">-</span><span class="n">server</span><span class="o">-</span><span class="n">admin</span> <span class="n">superuser</span> <span class="o">--</span><span class="n">add</span> <span class="s2">&quot;jsmith&quot;</span>
    </pre></div>
    </div>
    </div>
    </div>
    <div class="section" id="active-directory">
    <h2>Active Directory<a class="headerlink" href="#active-directory" title="Permalink to this headline">¶</a></h2>
    <p>Microsoft Active Directory is a server program that provides directory services
    and uses the open industry standard Lightweight Directory Access Protocol
    (LDAP).</p>
    <p>To enable Active Directory support, edit the
    <code class="docutils literal"><span class="pre">/opt/wakari/wakari-server/etc/wakari/wk-server-config.json</span></code>
    file and add the LDAP settings as shown:</p>
    <div class="code json highlight-default"><div class="highlight"><pre><span></span><span class="p">{</span>
        <span class="s2">&quot;accounts&quot;</span><span class="p">:</span><span class="s2">&quot;wk_server.plugins.accounts.ldap2&quot;</span><span class="p">,</span>
        <span class="s2">&quot;LDAP&quot;</span> <span class="p">:</span> <span class="p">{</span>
            <span class="s2">&quot;URI&quot;</span><span class="p">:</span> <span class="s2">&quot;ldap://&lt;ad.EXAMPLE.COM&gt;&quot;</span><span class="p">,</span>
            <span class="s2">&quot;BIND_DN&quot;</span><span class="p">:</span> <span class="s2">&quot;CN=Bind User,CN=Users,DC=EXAMPLE,DC=COM&quot;</span><span class="p">,</span>
            <span class="s2">&quot;BIND_AUTH&quot;</span><span class="p">:</span> <span class="s2">&quot;secretpass&quot;</span><span class="p">,</span>
            <span class="s2">&quot;USER_SEARCH&quot;</span><span class="p">:</span> <span class="p">{</span><span class="s2">&quot;base&quot;</span><span class="p">:</span> <span class="s2">&quot;CN=Users,DC=EXAMPLE,DC=COM&quot;</span><span class="p">,</span>
                            <span class="s2">&quot;filter&quot;</span><span class="p">:</span> <span class="s2">&quot;sAMAccountName=</span><span class="si">%(username)s</span><span class="s2">&quot;</span>
            <span class="p">},</span>
            <span class="s2">&quot;KEY_MAP&quot;</span><span class="p">:</span> <span class="p">{</span><span class="s2">&quot;email&quot;</span><span class="p">:</span> <span class="s2">&quot;mail&quot;</span><span class="p">,</span>
                        <span class="s2">&quot;name&quot;</span><span class="p">:</span> <span class="s2">&quot;cn&quot;</span>
            <span class="p">}</span>
        <span class="p">}</span>
    <span class="p">}</span>
    </pre></div>
    </div>
    <div class="section" id="id1">
    <h3>URI<a class="headerlink" href="#id1" title="Permalink to this headline">¶</a></h3>
    <ul class="simple">
    <li>The LDAP URI of your Active Directory server: the <code class="docutils literal"><span class="pre">ldap://</span></code> prefix
    followed by its IP address or hostname. Replace <code class="docutils literal"><span class="pre">&lt;ad.EXAMPLE.COM&gt;</span></code>
    with the actual host. For SSL/TLS, use the <code class="docutils literal"><span class="pre">ldaps://</span></code> prefix instead
    and specify a <code class="docutils literal"><span class="pre">TLS_CACERT</span></code> as described in the SSL/TLS configuration section below.</li>
    </ul>
    </div>
    <div class="section" id="id2">
    <h3>BIND_DN<a class="headerlink" href="#id2" title="Permalink to this headline">¶</a></h3>
    <ul class="simple">
    <li>The full distinguished name (DN) of the user you want AEN Server to bind as.</li>
    </ul>
    </div>
    <div class="section" id="id3">
    <h3>BIND_AUTH<a class="headerlink" href="#id3" title="Permalink to this headline">¶</a></h3>
    <ul class="simple">
    <li>The password of the BIND_DN user.</li>
    </ul>
    </div>
    <div class="section" id="id4">
    <h3>USER_SEARCH<a class="headerlink" href="#id4" title="Permalink to this headline">¶</a></h3>
    <ul class="simple">
    <li>base: the point in the directory tree at which the search starts.</li>
    <li>filter: the search filter; <code class="docutils literal"><span class="pre">%(username)s</span></code> is replaced with the
    name entered at login. The default is to search for the <strong>sAMAccountName</strong> attribute
    and use its value for the AEN Server <code class="docutils literal"><span class="pre">username</span></code> field.</li>
    </ul>
    </div>
    <div class="section" id="id5">
    <h3>KEY_MAP<a class="headerlink" href="#id5" title="Permalink to this headline">¶</a></h3>
    <ul class="simple">
    <li>Maps user attributes in AEN Server to LDAP user attributes
    (for example, the <code class="docutils literal"><span class="pre">mail</span></code> attribute in LDAP maps to the <code class="docutils literal"><span class="pre">email</span></code>
    attribute in AEN Server)</li>
    </ul>
    <p>As soon as the LDAP accounts plugin is enabled, LDAP authentication takes over
    from local authentication, so add your admin account again:</p>
    <div class="highlight-default"><div class="highlight"><pre><span></span><span class="o">/</span><span class="n">opt</span><span class="o">/</span><span class="n">wakari</span><span class="o">/</span><span class="n">wakari</span><span class="o">-</span><span class="n">server</span><span class="o">/</span><span class="nb">bin</span><span class="o">/</span><span class="n">wk</span><span class="o">-</span><span class="n">server</span><span class="o">-</span><span class="n">admin</span> <span class="n">superuser</span> <span class="o">--</span><span class="n">add</span> <span class="s2">&quot;jsmith&quot;</span>
    </pre></div>
    </div>
    </div>
    </div>
    <div class="section" id="ssl-tls-configuration">
    <h2>SSL/TLS configuration<a class="headerlink" href="#ssl-tls-configuration" title="Permalink to this headline">¶</a></h2>
    <p>Anaconda Enterprise Notebooks uses system-wide LDAP settings, including
    SSL/TLS support.</p>
    <ul class="simple">
    <li>On Red Hat/CentOS systems, these settings are located in <code class="docutils literal"><span class="pre">/etc/openldap/ldap.conf</span></code></li>
    <li>On Ubuntu/Debian systems, these settings are located in <code class="docutils literal"><span class="pre">/etc/ldap/ldap.conf</span></code></li>
    </ul>
    <p>Typically, the only required option is:</p>
    <div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">TLS_CACERT</span> <span class="o">/</span><span class="n">path</span><span class="o">/</span><span class="n">to</span><span class="o">/</span><span class="n">CA</span><span class="o">.</span><span class="n">cert</span>
    </pre></div>
    </div>
    <p>Here <code class="docutils literal"><span class="pre">CA.cert</span></code> is the certificate of the Certificate Authority that
    signed the LDAP server&#8217;s SSL certificate. If the LDAP server uses a self-signed SSL
    certificate, this is the path to that server certificate itself.</p>
    </div>
    <div class="section" id="test-configuration-with-flask-ldap-check">
    <h2>Test configuration with Flask-LDAP check<a class="headerlink" href="#test-configuration-with-flask-ldap-check" title="Permalink to this headline">¶</a></h2>
    <p>Finally, test the LDAP configuration with the <code class="docutils literal"><span class="pre">flask-ldap-login-check</span></code>
    command:</p>
    <div class="code bash highlight-default"><div class="highlight"><pre><span></span><span class="o">/</span><span class="n">opt</span><span class="o">/</span><span class="n">wakari</span><span class="o">/</span><span class="n">wakari</span><span class="o">-</span><span class="n">server</span><span class="o">/</span><span class="nb">bin</span><span class="o">/</span><span class="n">flask</span><span class="o">-</span><span class="n">ldap</span><span class="o">-</span><span class="n">login</span><span class="o">-</span><span class="n">check</span> \
        <span class="n">wk_server</span><span class="o">.</span><span class="n">wsgi</span><span class="p">:</span><span class="n">app</span> \
        <span class="o">-</span><span class="n">u</span> <span class="p">[</span><span class="n">username</span><span class="p">]</span> \
        <span class="o">-</span><span class="n">p</span> <span class="p">[</span><span class="n">password</span><span class="p">]</span>
    </pre></div>
    </div>
    <p>Here <code class="docutils literal"><span class="pre">username</span></code> is the username of a valid user and
    <code class="docutils literal"><span class="pre">password</span></code> is that user&#8217;s <strong>BIND_AUTH</strong> password.</p>
    </div>
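
The username substitution in USER_SEARCH and the TLS point from the SSL/TLS section, as an added Python example that is not part of AEN or its ldap2 plugin: it loads a constructed copy of the OpenLDAP settings above, fills the ``%(username)s`` placeholder with an RFC 4515-escaped username (assuming, as the placeholder syntax suggests, that the plugin uses Python %-formatting), and reports a URI that is not ``ldaps://``. The check function and its findings text are this example's own.

```python
import json
from urllib.parse import urlparse

# Constructed sample of the "LDAP" block from wk-server-config.json (no real deployment).
# The OR/AND filter from the OpenLDAP section is written on one line so the JSON is valid.
SAMPLE_CONFIG = json.loads("""
{
    "accounts": "wk_server.plugins.accounts.ldap2",
    "LDAP": {
        "URI": "ldap://openldap.EXAMPLE.COM",
        "BIND_DN": "cn=Bob Jones,ou=Users,DC=EXAMPLE,DC=COM",
        "BIND_AUTH": "secretpass",
        "USER_SEARCH": {"base": "DC=EXAMPLE,DC=COM",
                        "filter": "(|(&(ou=Payroll)(uid=%(username)s))(&(ou=Facilities)(uid=%(username)s)))"},
        "KEY_MAP": {"email": "mail", "name": "cn"}
    }
}
""")

# The same settings with the TLS-protected URI the SSL/TLS section calls for.
HARDENED_CONFIG = {**SAMPLE_CONFIG,
                   "LDAP": {**SAMPLE_CONFIG["LDAP"], "URI": "ldaps://openldap.EXAMPLE.COM"}}

# RFC 4515 escaping for a value placed inside a search filter assertion.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(config: dict, username: str) -> str:
    """Fill the %(username)s placeholder of USER_SEARCH.filter with an escaped username,
    so filter metacharacters typed at the login form stay literal (assumed %-formatting)."""
    template = config["LDAP"]["USER_SEARCH"]["filter"]
    return template % {"username": escape_filter_value(username)}


def check_ldap_config(config: dict) -> list:
    """Return findings for the LDAP settings; an empty list means nothing to fix."""
    findings = []
    ldap = config["LDAP"]
    scheme = urlparse(ldap["URI"]).scheme
    if scheme != "ldaps":
        findings.append("URI uses %s://; use ldaps:// and set TLS_CACERT in ldap.conf" % scheme)
    if "%(username)s" not in ldap["USER_SEARCH"]["filter"]:
        findings.append("USER_SEARCH.filter lacks the %(username)s placeholder")
    return findings
```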
