Diskover Admin setup:
Navigate to Diskover Admin → Web → LDAP
Enable LDAP logins with the button at the top of the screen
Host: URI domain/server - e.g. ldap://ldap.mycompany.com:port (you must have the :port added onto the host)
Port: Port used to connect to the domain server - e.g. 389 for unencrypted / 636 encrypted
Domain: Name of the domain - e.g. mycompany.com
Base Distinguished Name (DN): Base DN for the domain - e.g. dc=mycompany,dc=com
User DN: If left blank, it will search the entire domain to look for users.
Group DN: If left blank, it will search the entire domain to look for groups.
Select an Alt Bind Profile based on your configuration needs.
Alt Bind 1: This profile might be necessary in environments with multiple domains, specific access controls, or complex directory structures.
Alt Bind 2: This profile is very similar to Alt Bind 1 but heavily focused on complex multiple domain configurations.
Alt Bind 3: This profile is commonly used on newer LDAP implementations that leverage “groupOfNames”.
LDAP Nested Groups: This profile is used when your LDAP structure is configured primarily as AD.
Enter the different group names in their respective boxes:
Admin Groups: Have access to the Search page, Task Panel, and Diskover Admin
User Groups: Only have access to the Search page. They do not have access to the Task Panel.
Task Panel Groups: Have access to the Search page and Task Panel. They do not have access to Diskover Admin.
LDAP API Groups: Have access to run API calls via their user but are not explicitly granted Diskover UI access without being a member of one of the other groups.
Please note that capitalization does matter. Logins will not work if it's not a 1:1 match between what's configured in the domain and Diskover Admin.
Configure the service account that's used to do the LDAP lookups. This is optional but recommended to increase the speed of login queries.
Logging in:
With LDAP logins enabled in Diskover Admin, users should now be able to log in with the username that is returned as the sAMAccountName (see the ldapsearch commands further down).
LDAP Debugging Tool:
In /var/www/diskover-web/public there is a file called login.php, within which is a debug setting for LDAP:
vi /var/www/diskover-web/public/login.php
// ====================================================
// LDAP DEBUG OUTPUT
// ====================================================
// Set ldapdebug to TRUE to turn on ldap debug output
$ldapdebug = FALSE;
If this is set to True, when logging in to Diskover you will get a troubleshooting page with LDAP debugging information:
Packages needed:
openldap-clients - This provides the ldapsearch utility seen below:
dnf install openldap-clients
python-ldap - This allows the Test button to work in the Diskover Admin UI. NOTE: This button only checks whether Diskover can communicate with the LDAP server host.
python3 -m pip install python-ldap
Useful commands to run on the backend before configuring Diskover Admin:
Performing an ldap query of the entire domain:
Non SSL query:
ldapsearch -x -H ldap://ip-or-hostname -D "ldap_service_user@domain.com" -W -b "dc=domain,dc=com"
SSL query:
ldapsearch -x -H ldaps://hostname -D "ldap_service_user@domain.com" -W -b "dc=domain,dc=com"
-W will prompt you for a password instead of exposing it; -w "password" will expose your password, since it is passed in as part of the command.
Seeing what groups a user is part of:
The following command will display the Distinguished Name (dn) of each group the user is a member of:
ldapsearch -x -H ldap://ip-or-hostname -D "ldap_service_user@domain.com" -W -b "dc=domain,dc=com" "(sAMAccountName=account.name)" memberOf
If you do not see the user as part of any groups, Diskover logins will not work.
If this returns groups that the user is part of, most of the time you have enough info to continue with the Diskover Admin section.
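As an added example (not part of Diskover's own code or this article), the script below reads the memberOf output of the query above, as ldapsearch prints it (folded lines, base64 "::" values), and checks the returned group CNs against the names typed into the Diskover Admin group boxes, flagging entries that differ only in capitalization, which is the 1:1-match failure noted in the setup section. The LDIF and the configured group names are constructed samples.

```python
"""Added example (not Diskover's own code): parse the LDIF printed by the ldapsearch
memberOf query and compare the user's group CNs case-sensitively with the Diskover Admin group boxes."""
import base64
import re
# Constructed sample ldapsearch output: one folded line, one base64 ('::') value.
SAMPLE_LDIF = """\
# filter: (sAMAccountName=jdoe)
dn: CN=John Doe,CN=Users,DC=mycompany,DC=com
memberOf: CN=Diskover Admins,OU=Groups,DC=mycompany,DC=com
memberOf: CN=diskover users,OU=Groups,DC=mycompany,DC
 =com
memberOf:: Q049U3RvcmFnZSBUZWFtLE9VPUdyb3VwcyxEQz1teWNvbXBhbnksREM9Y29t
"""
# Constructed: names as they would be typed into the Diskover Admin group boxes.
CONFIGURED = {
    "Admin Groups": ["Diskover Admins"],
    "User Groups": ["Diskover Users"],     # directory spells it "diskover users"
    "Task Panel Groups": ["Storage Team"],
    "LDAP API Groups": ["API Users"],      # absent from the sample directory
}
RDN_CN = re.compile(r"^\s*cn=((?:\\.|[^,\\])+)", re.IGNORECASE)

def ldif_values(ldif, attr):
    """All values of `attr`: unfold space-continued lines, decode '::' base64."""
    out = []
    for line in re.sub(r"\n ", "", ldif).splitlines():   # LDIF line folding
        name, sep, rest = line.partition(":")
        if not sep or line.startswith("#") or name.lower() != attr.lower():
            continue
        out.append(base64.b64decode(rest[1:].strip()).decode()
                   if rest.startswith(":") else rest.strip())
    return out

def check_groups(ldif, configured):
    """Per role: exact matches, (configured, directory) case-only mismatches, missing."""
    cns = [m.group(1).replace("\\,", ",").strip()          # first CN RDN of each group DN
           for m in map(RDN_CN.match, ldif_values(ldif, "memberOf")) if m]
    by_lower = {cn.lower(): cn for cn in cns}
    report = {}
    for role, names in configured.items():
        report[role] = {
            "exact": [n for n in names if n in cns],
            "case_only": [(n, by_lower[n.lower()]) for n in names
                          if n not in cns and n.lower() in by_lower],
            "missing": [n for n in names if n.lower() not in by_lower],
        }
    return report

print(check_groups(SAMPLE_LDIF, CONFIGURED))
```

To use it on a real server, replace SAMPLE_LDIF with the saved output of the ldapsearch memberOf command and CONFIGURED with the names from Diskover Admin; any entry under "case_only" will fail login until the two spellings match exactly.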
Finding members of a specific group:
LDAP Query:
ldapsearch -x -H ldap://ip-or-hostname -D "ldap_service_user@domain.com" -W -b "dc=domain,dc=com" "(cn=Group Name Here)" member
If you’re still having issues and need more information:
Looking up details on the groups and associated members:
ldapsearch -x -H ldap://ip-or-hostname -D "ldap_service_user@domain.com" -W -b "dc=domain,dc=com" "(objectClass=group)"