LDAP Authentication Modes

Yellowbrick supports two modes for LDAP authentication:

  • Bind
  • Search, then Bind

See also LDAP Authentication Settings.

Bind Mode

In Bind mode, the Yellowbrick cluster builds a user's full credential from a prefix, the username, and a suffix. Typically, these components build a distinguished name that uniquely identifies a user in the LDAP Directory Server. A distinguished name is a unique set of attributes that define a path to the user in the LDAP structure.

For example, a username analyst1 in the OrgUsers organizational unit (OU) at the root of the directory structure might have the following distinguished name:

uid=analyst1,ou=OrgUsers,dc=test,dc=yellowbrick,dc=io

The DN prefix is uid=, and the DN suffix is ,ou=OrgUsers,dc=test,dc=yellowbrick,dc=io. When analyst1 logs into the cluster, the username is submitted to the LDAP server as follows:

uid=analyst1,ou=OrgUsers,dc=test,dc=yellowbrick,dc=io

Alternatively, the DN prefix may be cn=. The CN (common name) value is then whatever the user enters as the username, which, depending on how the directory is populated, is either the login name or the user's first and last name.

If you are using a Microsoft Active Directory (AD) environment, instead of using a fully qualified distinguished name, you can use the user principal name (UPN), which is a unique identifier in AD. The UPN consists of a logon name (normally the sAMAccountName) and a UPN suffix, usually the domain. For example, analyst1 in the test.yellowbrick.io domain has the UPN analyst1@test.yellowbrick.io. In this case, @test.yellowbrick.io would be your DN suffix for login and you would leave the DN prefix blank. For more information about UPNs, see the MSDN documentation.

Note: Bind mode is most useful if all of your users are in a single organizational unit (OU), or if they are in AD. If users are in multiple organizational units and you are not using AD, Yellowbrick Data recommends you use the Search, then Bind mode, as described in the next section.
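The following Python is an added example, not Yellowbrick code, showing how a Bind-mode credential is assembled from the DN prefix, the username, and the DN suffix, and the two checks a client should make before submitting it. Because the username is spliced into a distinguished name, it must be escaped per RFC 4514 so that a login name containing ',' or '=' cannot add or rewrite an RDN; the naive concatenation is shown beside the escaped form. For the AD/UPN variant, DN escaping does not apply, so the logon name is validated against an allow-list instead (the allow-list regex is an assumption for this example, not an AD rule). The prefix and suffix values are the ones from the text above.

```python
import re

# Values from the page's example; the cluster concatenates prefix + username + suffix.
DN_PREFIX = "uid="
DN_SUFFIX = ",ou=OrgUsers,dc=test,dc=yellowbrick,dc=io"
UPN_SUFFIX = "@test.yellowbrick.io"

# Characters that must be escaped inside a DN attribute value (RFC 4514 section 2.4).
_DN_SPECIAL = set(',+"\\<>;=')
# Conservative allow-list for a logon name (assumption for this example, not an AD rule).
_LOGON_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def naive_bind_dn(username: str, prefix: str = DN_PREFIX, suffix: str = DN_SUFFIX) -> str:
    """Plain concatenation: a username containing ',' or '=' rewrites the DN."""
    return prefix + username + suffix


def escape_dn_value(value: str) -> str:
    """Escape a string for use as the value of an RDN, per RFC 4514."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)            # leading '#', leading/trailing space
        else:
            out.append(ch)
    return "".join(out)


def build_bind_dn(username: str, prefix: str = DN_PREFIX, suffix: str = DN_SUFFIX) -> str:
    """Hardened form: the username becomes exactly one RDN value, whatever it contains."""
    return prefix + escape_dn_value(username) + suffix


def build_bind_upn(username: str, suffix: str = UPN_SUFFIX) -> str:
    """AD variant: blank prefix, '@domain' suffix. DN escaping does not apply to a UPN,
    so the logon name is validated against an allow-list instead."""
    if not _LOGON_NAME.match(username):
        raise ValueError("invalid logon name: %r" % username)
    return username + suffix


def bind_credential(username: str, password: str, prefix: str, suffix: str) -> str:
    """Return the credential string for a simple bind, after client-side checks.
    An empty password must be rejected here: RFC 4513 section 5.1.2 defines a DN with
    an empty password as an *unauthenticated* bind, which servers may accept."""
    if not password:
        raise ValueError("empty password")
    if prefix == "" and suffix.startswith("@"):
        return build_bind_upn(username, suffix)
    return build_bind_dn(username, prefix, suffix)
```

With the page's settings, bind_credential("analyst1", "s3cret", "uid=", DN_SUFFIX) yields the DN shown above, while a username such as "admin,ou=Admins" is turned into a single escaped RDN value rather than a second RDN.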

Search, then Bind Mode

This mode allows the Yellowbrick cluster to connect to the LDAP server, search the tree for an entry whose search attribute matches the username, then retrieve that user's distinguished name and bind with it for authentication. The base DN is the location in the tree at which the search starts, and it must be a fully qualified distinguished name.

For example, if your tree looks like this:

test.yellowbrick.io 
    OrgUsers 
       <individual users>
    SecurityGroups
       Database
          <separate groups>

you can set your Base DN to ou=OrgUsers,dc=test,dc=yellowbrick,dc=io and limit your searches to the OrgUsers branch only. Typically, it is best to pick the narrowest branch that still contains all of your users: OrgUsers in this case, instead of the directory root test.yellowbrick.io. A narrower base DN keeps the search from matching entries (such as groups or service accounts) that should never be able to log in.

The bind DN is the account that performs the search of the LDAP directory, and must be either a fully qualified distinguished name or, in an AD environment, a UPN. This account only needs read access to the base DN subtree, so use a dedicated service account with no other privileges rather than an administrator's credentials.

For example:

uid=admin,ou=OrgUsers,dc=test,dc=yellowbrick,dc=io

or the UPN:

admin@test.yellowbrick.io

The search attribute is the LDAP attribute that holds the username. For example, in many UNIX-based directory servers, the attribute is uid. For AD servers, it is sAMAccountName.
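The following Python is an added example, not Yellowbrick code, walking through both steps of Search, then Bind against a small constructed in-memory stand-in for the directory (a real deployment uses an LDAP client library, but the logic is the same). It uses the base DN, bind DN and uid search attribute from this section; the directory entries, passwords and service-account secret are constructed for the example. Three points it demonstrates: the username is escaped per RFC 4515 before it goes into the search filter, so a login name such as * cannot turn into a wildcard; a search that returns zero or more than one entry is treated as a failed login rather than picking a match; and an empty password is rejected before the second bind, because the stand-in models a server that, as RFC 4513 section 5.1.2 permits, accepts a DN with an empty password as an unauthenticated bind.

```python
import re

# Settings from this section of the page.
BASE_DN = "ou=OrgUsers,dc=test,dc=yellowbrick,dc=io"
BIND_DN = "uid=admin,ou=OrgUsers,dc=test,dc=yellowbrick,dc=io"
BIND_PASSWORD = "svc-secret"   # constructed: the search account's password
SEARCH_ATTR = "uid"            # use "sAMAccountName" against Active Directory

# Constructed stand-in directory: DN -> attributes. Clear-text passwords exist only in this toy.
DIRECTORY = {
    BIND_DN: {"uid": "admin", "userPassword": "svc-secret"},
    "uid=analyst1,ou=OrgUsers,dc=test,dc=yellowbrick,dc=io": {"uid": "analyst1", "userPassword": "an4lyst-pw"},
    "uid=analyst2,ou=OrgUsers,dc=test,dc=yellowbrick,dc=io": {"uid": "analyst2", "userPassword": "other-pw"},
    # Same uid in another OU: outside the base DN, so the search must not see it.
    "uid=analyst1,ou=Contractors,dc=test,dc=yellowbrick,dc=io": {"uid": "analyst1", "userPassword": "ctr-pw"},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a username cannot add wildcards or clauses to the filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def build_filter(attr: str, username: str) -> str:
    """The equality filter the cluster would send, e.g. (uid=analyst1)."""
    return f"({attr}={escape_filter_value(username)})"


def _filter_to_regex(pattern: str) -> re.Pattern:
    """Stand-in matcher: an unescaped '*' is a wildcard; \\XX hex escapes are literal characters."""
    parts = []
    for piece in pattern.split("*"):
        literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)
        parts.append(re.escape(literal))
    return re.compile(".*".join(parts), re.DOTALL)


def server_search(base_dn: str, ldap_filter: str) -> list:
    """Stand-in subtree search: DNs of entries under base_dn matching a single (attr=value) filter."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, rx = m.group(1), _filter_to_regex(m.group(2))
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith("," + base_dn) and attr in attrs and rx.fullmatch(attrs[attr])]


def server_bind(dn: str, password: str) -> bool:
    """Stand-in simple bind. Mirrors RFC 4513 section 5.1.2: a DN with an empty password is an
    *unauthenticated* bind, which many servers accept by default, so it 'succeeds' here."""
    if password == "":
        return True
    entry = DIRECTORY.get(dn)
    return entry is not None and entry.get("userPassword") == password


def authenticate(username: str, password: str) -> bool:
    """Search, then Bind: bind as the service account, find the user's DN, then bind as the user."""
    if password == "":                      # never let an empty password reach the server
        return False
    if not server_bind(BIND_DN, BIND_PASSWORD):
        raise RuntimeError("service account bind failed")
    hits = server_search(BASE_DN, build_filter(SEARCH_ATTR, username))
    if len(hits) != 1:                      # zero or ambiguous matches fail, never "pick the first"
        return False
    return server_bind(hits[0], password)
```

Note that authenticate("analyst1", "ctr-pw") fails even though that password belongs to an analyst1 entry, because that entry lives outside the base DN, and authenticate("*", ...) fails because the escaped filter (uid=\2a) matches nothing, whereas an unescaped (uid=*) would return every user under OrgUsers.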