Configuring Active Directory as External Authentication Provider

Prerequisites

You will need the following properties, adapted to your company's LDAP/AD (values shown without the stray whitespace around '=' that often creeps in when they are copied):

  • ldap.url=ldap://ldap.server.company.com:389/
  • ldap.domain=company.com
  • ldap.searchbase=OU=employees,DC=company,DC=com
  • ldap.isSearchBySamAccountName=false

Note: To make sure the values are correct and that access is granted, you can use the OpenLDAP client tools (ldapwhoami, ldapsearch) before touching the masters.

Note: ldap:// on port 389 without StartTLS sends the bind password across the network in clear text; prefer ldaps:// (usually port 636) where the directory offers it.

Note: Ask your LDAP admin for a directory user to test the integration with (e.g. ldap_user).

To test that you are able to bind, use the following (the password is prompted for by -W; a failure such as "Invalid credentials (49)" means the user, password or domain is wrong):

ldapwhoami -x -H <ldap.url> -D '<ldap_user>@<ldap.domain>' -W

To list the users under the search base that will be able to log in, use the following (-A returns attribute names only; drop it to see the values, e.g. sAMAccountName):

ldapsearch -x -A -H <ldap.url> -b '<ldap.searchbase>' '(objectclass=user)' -D '<ldap_user>@<ldap.domain>' -W

Procedure

1) Locate the properties file on both masters

a. The file is referenced on each master in /etc/nem-upgrade.conf, in the configuration section.

2) Add the LDAP properties to that file:

  • ldap.url=ldap://ldap.server.company.com:389/
  • ldap.domain=company.com
  • ldap.searchbase=OU=employees,DC=company,DC=com
  • ldap.isSearchBySamAccountName=false

3) On one of the masters, run the upgrade:

a. sudo nem upgrade

b. Wait until it has fully started.

4) On this master, check that the settings have been written to this file (the values must match the properties you added in step 2):

a. /nem/mio-auth/application.yaml

...
authentication:
    activeDirectory:
        url: ldap://ldap.server.company.com:389/
        domain: company.com
        searchBase: OU=employees,DC=company,DC=com
        isSearchBySamAccountName: false
...

5) Check the mio-auth logs for errors at startup.

6) Repeat steps 3, 4 and 5 on the other master.

7) Log into the master URL as masteruser.

a. In the right-hand column there are three tabs at the top; click Access.

b. In the same column, click Accounts.

c. Select the account you want to authenticate against LDAP.

d. Select the Metadata tab and click Edit.

e. Add "External authenticator".

Add the following fields:

8) Once this is done and the user has logged in with the correct LDAP username and password, the Ooyala Flex user is created with the default permissions.
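The Prerequisites and steps 2 and 4 above all hinge on the same four ldap.* values being typed correctly and consistently. The following pre-flight script is an added example written for this article; it is not part of nem, mio-auth or Ooyala Flex. It reads the ldap.* keys from a properties file, trims whitespace around '=' and at the end of values, sanity-checks them (flagging plain ldap:// as unencrypted), and prints the ldapwhoami/ldapsearch commands from the Prerequisites together with the authentication block that application.yaml should contain after step 4. The sample properties file is constructed inline, reproducing the stray spaces shown earlier; nothing here contacts the directory.

```shell
#!/bin/sh
# Pre-flight check for the ldap.* properties used by nem upgrade / mio-auth.
# Added example for this article, not part of the nem tooling. Works offline:
# it only parses the properties file and prints commands/config to compare.

# ldap_prop KEY FILE -> value of KEY with whitespace around '=' and at the end removed ("" if absent)
ldap_prop() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# check_ldap_props FILE -> 0 if all four keys are present and plausible, 1 otherwise.
# One line per problem on stderr. Plain ldap:// is accepted but flagged.
check_ldap_props() {
    _f=$1; _rc=0
    _url=$(ldap_prop ldap.url "$_f")
    _domain=$(ldap_prop ldap.domain "$_f")
    _base=$(ldap_prop ldap.searchbase "$_f")
    _bysam=$(ldap_prop ldap.isSearchBySamAccountName "$_f")
    case "$_url" in
        ldaps://*) ;;
        ldap://*)  echo "warning: $_url is unencrypted LDAP; bind passwords cross the network in clear text" >&2 ;;
        *)         echo "error: ldap.url '$_url' must start with ldap:// or ldaps://" >&2; _rc=1 ;;
    esac
    case "$_domain" in
        *.*) ;;
        *)   echo "error: ldap.domain '$_domain' does not look like a DNS domain" >&2; _rc=1 ;;
    esac
    case "$_base" in
        *DC=*) ;;
        *)      echo "error: ldap.searchbase '$_base' has no DC= component" >&2; _rc=1 ;;
    esac
    case "$_bysam" in
        true|false) ;;
        *) echo "error: ldap.isSearchBySamAccountName must be true or false, got '$_bysam'" >&2; _rc=1 ;;
    esac
    return $_rc
}

# bind_command FILE USER -> the ldapwhoami line from the Prerequisites (-W prompts for the password)
bind_command() {
    printf "ldapwhoami -x -H '%s' -D '%s@%s' -W\n" \
        "$(ldap_prop ldap.url "$1")" "$2" "$(ldap_prop ldap.domain "$1")"
}

# search_command FILE USER -> ldapsearch line listing user objects (and their sAMAccountName) under ldap.searchbase
search_command() {
    printf "ldapsearch -x -H '%s' -b '%s' '(objectClass=user)' sAMAccountName -D '%s@%s' -W\n" \
        "$(ldap_prop ldap.url "$1")" "$(ldap_prop ldap.searchbase "$1")" \
        "$2" "$(ldap_prop ldap.domain "$1")"
}

# render_yaml FILE -> the authentication block /nem/mio-auth/application.yaml should contain after step 4
render_yaml() {
    printf 'authentication:\n    activeDirectory:\n        url: %s\n        domain: %s\n        searchBase: %s\n        isSearchBySamAccountName: %s\n' \
        "$(ldap_prop ldap.url "$1")" "$(ldap_prop ldap.domain "$1")" \
        "$(ldap_prop ldap.searchbase "$1")" "$(ldap_prop ldap.isSearchBySamAccountName "$1")"
}

# Constructed sample properties file, reproducing the stray spaces the article shows.
SAMPLE_PROPS=$(mktemp)
cat > "$SAMPLE_PROPS" <<'EOF'
ldap.url= ldap://ldap.server.company.com:389/
ldap.domain= company.com
ldap.searchbase=OU=employees,DC=company,DC=com
ldap.isSearchBySamAccountName=false
EOF

check_ldap_props "$SAMPLE_PROPS" && echo "properties look sane"
bind_command "$SAMPLE_PROPS" ldap_user
search_command "$SAMPLE_PROPS" ldap_user
render_yaml "$SAMPLE_PROPS"
```

Point it at the properties file that /etc/nem-upgrade.conf references, run the printed ldapwhoami and ldapsearch lines by hand against the directory, and after step 3 compare the render_yaml output with the authentication block in /nem/mio-auth/application.yaml on each master.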
