Configuring an LDAP authentication provider for Rudder

If you are operating on a corporate network or want to have your users in a centralized database, you can enable LDAP authentication for Rudder users.

LDAP is only for authentication

Be aware of the following limitation of the current process: only authentication is delegated to LDAP, NOT authorization. You still have to declare each user's authorizations in the Rudder user file (rudder-users.xml).

A user whose authentication is accepted by LDAP but who is not declared in the rudder-users.xml file is considered to have no rights at all (and so will only see a reduced version of the Rudder homepage, with no actions or tabs available).

The credentials of a user are defined in the XML file /opt/rudder/etc/rudder-users.xml. It expects the same format as regular file-based user login, but in this case "name" is the login used to connect to LDAP, and the password field is ignored; set it to "LDAP" to make it clear that this Rudder installation uses LDAP to log users in.

Every modification of this file must be followed by a restart of the Rudder web application to be taken into account:

service rudder-jetty restart

Enable LDAP authentication

LDAP authentication is enabled by setting the property rudder.auth.ldap.enable to true in the file /opt/rudder/etc/rudder-web.properties.

The LDAP authentication process is a bind/search/rebind: an application connection (bind) is used to search (search) for a user entry given some base and filter parameters, and then a bind (rebind) is attempted on that entry with the credentials provided by the user.

So next, you have to set up the connection parameters for the LDAP directory to use. There are five properties to change (note that rudder.auth.ldap.connection.bind.password is stored in clear text in this file, so keep the file readable only by the account running Rudder):

  • rudder.auth.ldap.connection.url
  • rudder.auth.ldap.connection.bind.dn
  • rudder.auth.ldap.connection.bind.password
  • rudder.auth.ldap.searchbase
  • rudder.auth.ldap.filter

The search base and filter are used to find the user. The search base may be left empty, and

Here are some usage examples.

On a standard LDAP directory:

rudder.auth.ldap.searchbase=ou=People
rudder.auth.ldap.filter=(&(uid={0})(objectclass=person))

On Active Directory:

rudder.auth.ldap.searchbase=
rudder.auth.ldap.filter=(&(sAMAccountName={0})(objectclass=user))
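To make the bind/search/rebind flow and the role of the search base and filter concrete, here is an added example (not Rudder's code, and not a real LDAP client) that walks the whole process against a constructed in-memory directory. The DNs, passwords, service account and the split of users into "declared in rudder-users.xml" versus "LDAP only" are all assumptions for illustration. It also shows why the login must be escaped before it is substituted for {0}: an unescaped "*" turns the filter into a wildcard that matches every person, which is why a real implementation escapes the value and refuses anything but exactly one hit.

```python
import re

# Constructed in-memory stand-in for the LDAP directory: DN -> attributes.
# Example data only, not a real directory or a real LDAP client.
DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=com": {
        "uid": "alice", "objectclass": "person", "userPassword": "alice-pw"},
    "uid=bob,ou=People,dc=example,dc=com": {
        "uid": "bob", "objectclass": "person", "userPassword": "bob-pw"},
    "cn=rudder,ou=Services,dc=example,dc=com": {
        "cn": "rudder", "objectclass": "applicationProcess", "userPassword": "svc-pw"},
}

# Stand-in for the authorization side (rudder-users.xml): login -> roles.
# Only alice is declared; bob can authenticate but ends up with no rights.
RUDDER_USERS = {"alice": ["administrator"]}

# Hypothetical values for the connection properties described on the page.
CONNECTION_URL = "ldaps://ldap.example.com:636"      # rudder.auth.ldap.connection.url (unused here)
APP_BIND_DN = "cn=rudder,ou=Services,dc=example,dc=com"  # ...connection.bind.dn
APP_BIND_PASSWORD = "svc-pw"                         # ...connection.bind.password
SEARCHBASE = "ou=People,dc=example,dc=com"           # rudder.auth.ldap.searchbase
FILTER = "(&(uid={0})(objectclass=person))"          # rudder.auth.ldap.filter

# RFC 4515 escaping for values substituted into a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied value so it is matched literally in the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value):
    """Turn \\XX hex escapes back into characters (used when comparing)."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def render_filter(template, login, escape=True):
    """Substitute the login for {0}; escape=False exists only to show the risk."""
    return template.replace("{0}", escape_filter_value(login) if escape else login)


def bind(dn, password):
    """Simple bind: succeeds when the entry exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["userPassword"] == password


def search(base, rendered_filter):
    """Subtree search under base for an AND-of-equalities filter such as
    (&(uid=alice)(objectclass=person)). A bare '*' is a presence match.
    An empty base (the Active Directory example) searches the whole tree."""
    terms = re.findall(r"\((\w+)=([^()]*)\)", rendered_filter)
    hits = []
    for dn, attrs in DIRECTORY.items():
        if base and not dn.endswith("," + base):
            continue
        if all(attr in attrs and (val == "*" or attrs[attr] == unescape_filter_value(val))
               for attr, val in terms):
            hits.append(dn)
    return hits


def authenticate(login, password):
    """Bind/search/rebind, then look up authorizations separately.
    Returns (status, roles); roles is None unless authentication succeeded."""
    if not bind(APP_BIND_DN, APP_BIND_PASSWORD):
        return ("ldap-unavailable", None)      # step 1: application bind failed
    hits = search(SEARCHBASE, render_filter(FILTER, login))
    if len(hits) != 1:
        return ("not-found", None)             # step 2: zero or ambiguous entries, refuse
    if not password:
        return ("bad-credentials", None)       # an empty password must never reach the rebind:
                                               # many servers treat it as an anonymous bind
    if not bind(hits[0], password):
        return ("bad-credentials", None)       # step 3: rebind as the user's own entry
    # Authentication is LDAP's job only; rights come from rudder-users.xml.
    return ("authenticated", RUDDER_USERS.get(login, []))


if __name__ == "__main__":
    for login, pw in [("alice", "alice-pw"), ("bob", "bob-pw"), ("alice", "nope"), ("*", "x")]:
        print(login, authenticate(login, pw))
```

Running it shows alice authenticated with her declared role, bob authenticated with an empty role list (the "no rights at all" case from the page), a wrong password rejected at the rebind, and a login of "*" finding nothing because it is escaped to \2a before substitution.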