Access control: LDAP / Active Directory

If Linkurious is connected to an LDAP service, users will be authenticated using the external service at each log-in.

If you have an LDAP service running in your network, you can use it to authenticate users in Linkurious.

Contact your network administrator to ensure that the machine where Linkurious is installed can connect to the LDAP service.

OpenLDAP

For OpenLDAP compatible providers, add an ldap section inside the access configuration.

Allowed options in access.ldap:

  • enabled: true to enable this authentication strategy
  • url: URL of the LDAP server
  • bindDN (optional): "Domain Name" of the LDAP account used to search other accounts
  • bindPassword (optional): Password of the LDAP account used to search other accounts
  • baseDN: Base "Domain Name" in which users will be searched. It can be a string or a non-empty array of strings
  • usernameField: Name of the LDAP attribute containing the user's name
  • emailField: Name of the LDAP attribute containing the user's e-mail
  • groupField (optional): Name of the LDAP attribute containing the user's group

The bindDN and bindPassword are optional. If specified they will be used to bind to the LDAP server.

Example LDAP configuration:

"access": {
  // [...] 
  "ldap": {
    "enabled": true,
    "url": "ldap://ldap.forumsys.com:389",
    "bindDN": "cn=read-only-admin,dc=example,dc=com",
    "bindPassword": "password",
    "baseDN": ["dc=example,dc=com"],
    "usernameField": "uid",
    "emailField": "mail",
    "groupField": "group"
  }
}

Active Directory

For Microsoft Active Directory, add a msActiveDirectory section inside the access configuration.

Allowed options in access.msActiveDirectory:

  • enabled: true to enable this authentication strategy
  • url: URL of the Active Directory server
  • baseDN: Base "Domain Name" in which users will be searched
  • domain: (optional) Domain of your Active Directory server
  • netbiosDomain: (optional) Netbios domain of your Active Directory server
  • tls.rejectUnauthorized: (optional) Whether the SSL certificate of your Active Directory server will be checked

Users can authenticate with their userPrincipalName or their sAMAccountName.

Use the domain configuration key so that your users do not have to specify the domain part of their userPrincipalName. Use the netbiosDomain configuration key so that your users do not have to specify the netbios domain part of their sAMAccountName.

Example Active Directory configuration:

"access": {
  // [...] 
  "msActiveDirectory": {
    "enabled": true,
    "url": "ldaps://ldap.lks.com:636",
    "baseDN": "dc=ldap,dc=lks,dc=com",
    "domain": "ldap.lks.com",
    "netbiosDomain": "LINKURIO",
    "tls": {
      "rejectUnauthorized": true
    }
  }
}
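As an added example (not Linkurious code), the following lint checks an "access" object against the access.ldap and access.msActiveDirectory options described above and flags the settings a reviewer would want to see before deployment: a missing required key, a baseDN that is neither a string nor a non-empty array, bindDN/bindPassword set without the other, a cleartext ldap:// URL, and tls.rejectUnauthorized set to false. The sample configuration at the end is constructed for illustration.

```javascript
// Added example, not part of Linkurious: lint the "access" object described on this page.
// Returns a list of findings (an empty list means nothing was flagged).
function lintAccessConfig(access) {
  const findings = [];
  const ldap = access.ldap;
  if (ldap && ldap.enabled) {
    for (const key of ['url', 'baseDN', 'usernameField', 'emailField']) {
      if (ldap[key] === undefined) findings.push(`ldap.${key} is required`);
    }
    const b = ldap.baseDN;
    const baseOk = typeof b === 'string' ||
      (Array.isArray(b) && b.length > 0 && b.every((s) => typeof s === 'string'));
    if (b !== undefined && !baseOk) {
      findings.push('ldap.baseDN must be a string or a non-empty array of strings');
    }
    // bindDN and bindPassword are optional, but only make sense as a pair.
    if ((ldap.bindDN === undefined) !== (ldap.bindPassword === undefined)) {
      findings.push('ldap.bindDN and ldap.bindPassword must be set together');
    }
    // A simple bind over plain ldap:// sends the bind password in clear text.
    if (typeof ldap.url === 'string' && ldap.url.startsWith('ldap://') && ldap.bindPassword !== undefined) {
      findings.push('ldap.url is ldap:// with a bindPassword; use ldaps:// so the bind is encrypted');
    }
  }
  const ad = access.msActiveDirectory;
  if (ad && ad.enabled) {
    for (const key of ['url', 'baseDN']) {
      if (ad[key] === undefined) findings.push(`msActiveDirectory.${key} is required`);
    }
    if (typeof ad.url === 'string' && ad.url.startsWith('ldap://')) {
      findings.push('msActiveDirectory.url is ldap://; use ldaps:// so user credentials are encrypted');
    }
    // rejectUnauthorized=false accepts any certificate, so ldaps:// no longer authenticates the server.
    if (ad.tls && ad.tls.rejectUnauthorized === false) {
      findings.push('msActiveDirectory.tls.rejectUnauthorized is false; the server certificate is not verified');
    }
  }
  return findings;
}

// Constructed sample: the Active Directory example above, weakened to show what the lint flags.
const WEAK_ACCESS = {
  msActiveDirectory: {
    enabled: true,
    url: 'ldap://ad.example.internal:389',
    baseDN: 'dc=example,dc=internal',
    tls: { rejectUnauthorized: false },
  },
};
```

Running lintAccessConfig(WEAK_ACCESS) yields two findings (cleartext URL and disabled certificate verification), while the page's own Active Directory example yields none.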

Alternatively, you can use your on-premises Active Directory together with Azure Active Directory to provide SSO to your users. Refer to Prerequisites for Azure AD Connect for more information, and to SSO with Azure AD to learn how to set up Azure AD as an identity provider.