The platform can be configured to provide single sign-on (SSO) logins with Active Directory/Lightweight Directory Access Protocol (AD/LDAP). These steps allow you to enable auto-provisioning of new users to the platform if they can authenticate through LDAP.
Do not use this configuration for the following:
You have the following required pieces of LDAP information available:
Before you enable SSO to LDAP, you can use the following steps to verify that the platform is able to communicate with LDAP using the information provided by your LDAP administrator.
Steps:
To verify the above information, execute the following command:
```shell
ldapsearch -H ldaps://<LDAP_SERVER_HOSTNAME>:<PORT> -x -b '<BASE_DN>' -D '<BIND_DN>' -w '<BIND_PASSWORD>' '(objectClass=*)' ['<attribute-name>'] | less
```

NOTE: Be sure to wrap each value in single quotes ('), as shown above.
where:
Parameter | Description |
---|---|
`ldap(s)://<LDAP_SERVER_HOSTNAME>:<PORT>` | Hostname and port number of the LDAP server, as provided by your LDAP administrator. Use `ldaps` as the protocol. |
`<BASE_DN>` | Base DN value provided by your LDAP administrator. |
`<BIND_DN>` | Bind DN value provided by your LDAP administrator. |
`<BIND_PASSWORD>` | Bind password value provided by your LDAP administrator. |
`(objectClass=*)` | Include this string value as the search filter. |
`<attribute-name>` | (Optional) Comma-separated list of attributes to return from the LDAP server. |
`\| less` | (Optional) Pipes lengthy output to a page-by-page display tool. |
Anonymous binding: In the unlikely event that the LDAP server supports anonymous binding, the `BIND_DN` and `BIND_PASSWORD` values are not required, as in the following command:

```shell
ldapsearch -H ldaps://<LDAP_SERVER_HOSTNAME>:<PORT> -x -b '<BASE_DN>' '(objectClass=*)' ['<attribute-name>'] | less
```

The output is piped to the `less` tool for display.

To provision users, the platform requires user profile information from LDAP attributes. The following are the default mappings:
Platform User Profile Field | Default AD attribute | Default LDAP attribute |
---|---|---|
email address | userPrincipalName | |
sso-principal | uid | uid |
hadoop-principal | uid | uid |
userName | sAMAccountName | cn |
The following is an example output of ldapsearch:
```
# jguy, Users, 56bb81bb6782d97b5c37b0cb, example.com
dn: uid=jguy,ou=Users,o=56bb81bb6782d97b5c37b0cb,dc=example,dc=com
sn: Joe
cn: Joe Guy
objectClass: top
loginShell: /bin/bash
homeDirectory: /home/jguy
uid: jguy
gidNumber: 5143
mail: jguy@example.com
givenName: Joe
```
In the above output, the `cn`, `uid` and `mail` attributes from LDAP are used by the platform. In this case, the sso-principal, email address, and name attributes are correct for use.
NOTE: If your output from ldapsearch indicates that you must use non-default attributes, you must modify the configuration based on your SSO method. Details are below.
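To check an ldapsearch result against these default mappings before enabling SSO, here is an added Python example (not from the original page or the product): it parses the LDIF output and reports which default attributes the directory did not return, for both the AD and the LDAP defaults. The sample entry is constructed from the example above; the function names and the assumption that the LDAP email attribute is `mail` are this example's own.

```python
# Added example (not part of the original page): parse ldapsearch LDIF output and
# check whether the platform's default attribute mappings can be resolved from what
# the directory returns. The entry below is constructed from this page's example.
import re
SAMPLE_LDIF = """\
# jguy, Users, 56bb81bb6782d97b5c37b0cb, example.com
dn: uid=jguy,ou=Users,o=56bb81bb6782d97b5c37b0cb,dc=example,dc=com
sn: Joe
cn: Joe Guy
objectClass: top
loginShell: /bin/bash
homeDirectory: /home/jguy
uid: jguy
gidNumber: 5143
mail: jguy@example.com
givenName: Joe
"""
# Default mappings from the table above; the LDAP email attribute (mail) is
# an assumption taken from the explanation of the example output.
DEFAULT_MAPPINGS = {
    "ad": {"email address": "userPrincipalName", "sso-principal": "uid",
           "hadoop-principal": "uid", "userName": "sAMAccountName"},
    "ldap": {"email address": "mail", "sso-principal": "uid",
             "hadoop-principal": "uid", "userName": "cn"},
}

def parse_ldif(text):
    """Return a list of {attribute: [values]} entries. Comments are skipped, folded
    lines (leading space) are joined, a blank line ends an entry, base64 stays encoded."""
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:  # "" flushes last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.lstrip(": ").strip())
    return entries

def check_mappings(entry, directory_type):
    """Resolve each profile field for 'ad' or 'ldap'; attributes the directory
    did not return are the ones that need a non-default mapping."""
    mapping = DEFAULT_MAPPINGS[directory_type]
    resolved = {f: entry[a][0] for f, a in mapping.items() if a in entry}
    missing = sorted({a for a in mapping.values() if a not in entry})
    return resolved, missing
```

Running `check_mappings` with `"ad"` against the sample entry reports `sAMAccountName` and `userPrincipalName` as missing, which is exactly the case where the mapping settings described later must be changed.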
The platform supports the following methods for integrating with LDAP-AD SSO:

Native LDAP-AD support: Integrate with the enterprise SSO using platform-native configuration.
Tip: This method is recommended.

Apache reverse proxy: Integrate the platform with an Apache reverse proxy server hosted on the platform node. This node provides the connection to enterprise SSO.
NOTE: This older version of SSO integration is likely to be deprecated in a future release.
This section covers setting up platform-native SSO integration with enterprise LDAP-AD.
Limitations:
The following limitations apply to the platform-native version of SSO for LDAP-AD. If these limitations apply to your environment, please use the reverse proxy version instead.
Please complete the following steps to enable native platform integration with your enterprise LDAP provider.
Steps:
The following settings do not apply to this method of SSO integration. However:
NOTE: If you are switching from the reverse proxy method to this method, verify that these settings are set to the values listed in the New Value column.

Setting | Description | New Value |
---|---|---|
`webapp.sso.enable` | Enables use of reverse proxy SSO by the platform. | If changing SSO methods, set this value to `false`. |
`webapp.sso.disableAuthGateway` | When set to `true`, the reverse proxy server is disabled. | If changing SSO methods, set this value to `true`. |
`webapp.sso.enableAutoRegistration` | Enables users to auto-register an account with the platform when they connect to the login page. | To enable automatic access for SSO-authenticated users, set this value to `true`. To require administrator provisioning of user accounts, set this value to `false`. For more information, see Manage Users under SSO. |
Enable LDAP for the platform:

Setting | Description |
---|---|
`webapp.ldap.enabled` | Set this value to `true` to enable platform-native LDAP integration. |
Configure the location and properties of the enterprise LDAP server:

Setting | Description |
---|---|
`webapp.ldap.server.url` | The URL of the LDAP server. |
`webapp.ldap.server.searchFilter` | The search filter to use when querying the LDAP server for users. Default value is: |
`webapp.ldap.server.searchBase` | The starting point on the LDAP server to begin the search for users. Example value: |
`webapp.ldap.server.searchAttributes` | Array of attributes to retrieve from the LDAP server for a user. Modify this value only if your identity provider is sending different attributes. |
`webapp.ldap.server.internalCACertificatePath` | Path to the CA certificate to use when connecting to the LDAP server over SSL. |
`webapp.ldap.server.bindDN` | The distinguished name used to bind to the LDAP directory. Example value: |
`webapp.ldap.server.bindCredentials` | Password for simple authentication to the LDAP server. |
Configure the LDAP property mappings:

Setting | Description | LDAP Property |
---|---|---|
`webapp.ldap.mapping.ssoPrincipal` | LDAP user property defining a user's ssoPrincipal. | uid |
`webapp.ldap.mapping.name` | LDAP user property defining a user's name. | cn |
`webapp.ldap.mapping.hadoopPrincipal` | LDAP user property defining a user's hadoopPrincipal. | uid |
`webapp.ldap.mapping.email` | LDAP user property defining a user's email. | |
To enforce SSL connections to the platform, you can create and install an SSL certificate. This certificate is also used when platform-native LDAP integration is enabled. For more information, see Install SSL Certificate.
Defaults: 443 (with SSL) and 3005 (without SSL).

If needed, you can change the listening port for the platform to match the port required for your deployment. For more information, see Change Listening Port.
Please complete the following steps to enable and configure the Apache reverse proxy server on the platform node.
Steps:
Edit the following file:
```
/opt/trifacta/pkg3p/tripache/conf/conf.d/trifacta.conf
```

Add values for your LDAP environment for the following settings. For an Active Directory configuration, remove the comment from the first `Define` line and specify appropriate values for the following:

```apache
##################################################################################
# Basic : LDAP Configuration
#
# Active Directory Mode. Uncomment below to enable Active Directory compatibility
# Define ACTIVE_DIRECTORY "1"
Define TF_LDAP_SERVER "ldap://SERVER:PORT"
Define TF_LDAP_BASE_DN "<BASE_DN>"
Define TF_LDAP_BIND_DN "<BIND_DN>"
Define TF_LDAP_BIND_PASSWORD "<BIND_PASSWORD>"
```

As in the verification step above, use the `ldaps://` scheme for `TF_LDAP_SERVER` where your directory supports it, so that the bind password is not sent in the clear.
By default, SSO access occurs over port 2443. If needed, you can set the port number for user access in the following setting:

NOTE: This value should not be set to any value that conflicts with other ports in use by the platform.

```apache
<VirtualHost *:2443>
```

NOTE: To complete the listening port change, additional configuration is required after you complete this section. Instructions are in the following section.
Save the file.
Create an admin account. You can either:
Connect to the application using an AD-linked ID. The first AD account to connect to the application is auto-registered as an admin account.
Define an admin user under SSO. For more information, see Create Admin Account.
Save the file and restart the platform. See Start and Stop the Platform.
By default, SSO access uses port number 2443. If you need to change that listening port, please complete the following steps.

NOTE: Make sure that the listening port is not set to a value that conflicts with any of the other listening ports in use by the platform. For more information, see System Ports.
Steps:
In trifacta.conf, set the `VirtualHost` value to the appropriate port number. See the previous instructions.

Edit the following file:

```
/opt/trifacta/pkg3p/tripache/conf/conf.d/httpd.conf
```

Locate the following entries:

```apache
#Listen 12.34.56.78:80
Listen 2443
```

Change the value 2443 to the value you set in trifacta.conf.
Save the file.
Perform any other necessary configuration before restarting the platform.
Please complete the following steps in the platform.
Steps:
Configure the following settings:
Setting | Description | Value |
---|---|---|
`webapp.ldap.enabled` | Enables platform-native LDAP integration. | For the reverse proxy method, set this value to `false`. |
`webapp.sso.enable` | Enables use of SSO by the platform. | Set this value to `true`. |
`webapp.sso.disableAuthGateway` | This setting determines the SSO method to use. | Set this value to `false`. |
`webapp.sso.enableAutoRegistration` | Enables users to auto-register an account with the platform when they connect to the login page. | To enable automatic access for SSO-authenticated users, set this value to `true`. To require administrator provisioning of user accounts, set this value to `false`. For more information, see Manage Users under SSO. |
When SSO is enabled, the default login form presented to authenticating users is very plain. If desired, you can customize the form using the following steps.
Steps:
Modify the following file on the platform node to suit your style for the login screen:

```
/opt/trifacta/pkg3p/tripache/htdocs/login.html
```

NOTE: Do not modify the names of the form fields or the form action.

Edit the following file:

```
/opt/trifacta/pkg3p/tripache/conf/conf.d/trifacta.conf
```

Uncomment the line that contains the following:

```apache
Define FORM_AUTH "1"
```
User access can be limited based on AD/LDAP attributes. Typical scenarios restrict access based on membership of a group or value of an attribute.
For more information, see Manage Users under SSO.