LDAP

SAYMON supports user authentication with the Directory Service Server using LDAP protocol (Active Directory, OpenLDAP, etc.)

LDAP Configuration

By default, LDAP authentication is disabled. Add the ldap section to the server configuration file to enable this functionality.

"ldap" : {
    "url" : "ldap://example.com:389",
    "suffix" : "dc=example,dc=com",
    "login" : "cn=users,dc=example,dc=com",
    "pass" : "password",
    "allow_self_signed": true,
    "create_user_for_existing_group_only": true,
    "import_non_existing_groups": false,
    "update_existing_groups": false,
}

System behavior during the user and group import is set in the following parameters:

  • ldap.create_user_for_existing_group_only – A new user can log in with their LDAP account only if they belong to a group on the LDAP server whose equivalent already exists in SAYMON.

  • ldap.import_non_existing_groups – When an LDAP user successfully logs in, SAYMON imports all groups of this user from an LDAP server. Existing groups will not be affected.

  • ldap.update_existing_groups – When an LDAP user successfully logs in, the system converts all SAYMON groups whose names match this user’s groups on the LDAP server into LDAP groups.

Restart saymon-server service to apply changes:

$ sudo service saymon-server restart

The LDAP server account set in the configuration must have administrator permissions. This account must have access to the LDAP users and groups that need to be imported into SAYMON.

LDAP authentication in SAYMON

Users and groups imported from an LDAP server have differences compared to the native SAYMON users.

LDAP users have a Source field with the value LDAP on the General tab. LDAP users are marked with the LDAP User icon in the list of all users.

LDAP groups (groups created or updated during LDAP user authorization) are marked with the LDAP Group icon. You cannot change the name of these groups, and they have a Source field with the value LDAP.

You can add users from any source to LDAP groups, not just LDAP users.

Import LDAP users

During the first login of an LDAP user, the system creates a SAYMON user associated with that LDAP user. The LDAP account is synchronized on every successful login.

If the login of a user attempting to authenticate with an LDAP account is the same as the login of an existing SAYMON user, the LDAP user will not be able to log in.

Newly created LDAP users have the same permissions as all new users. These permissions are specified in the user.template.permissions parameter of the server configuration.

The Password Change tab is inaccessible to LDAP users; their passwords have to be managed on the LDAP server.

You can restrict access to the system for LDAP users who don’t have a SAYMON account yet. To do this, create groups in SAYMON with the same names as the LDAP groups whose members you want to give access to SAYMON. Then, set the following parameter in the SAYMON server configuration file:

{
  ...
  "ldap": {
     ...
     "create_user_for_existing_group_only": true,
     ...
  }
}

Do not use this together with the import_non_existing_groups parameter. If both parameters are set to true, the server will first import all groups the user belongs to and then authorize the user, because they are now a member of an existing group, so the restriction has no effect.

Import LDAP groups

Import new groups

During the login of an LDAP user, SAYMON can import this user’s LDAP groups and automatically put this user into newly created groups.

{
  ...
  "ldap": {
     ...
     "import_non_existing_groups": true,
     ...
  }
}

Update existing groups

SAYMON groups that have the same name as groups on the LDAP server can be upgraded to LDAP groups in SAYMON. To do this, set the following parameter in the server configuration file:

{
  ...
  "ldap": {
     ...
     "update_existing_groups": true,
     ...
  }
}

If a user has been removed from the LDAP group in SAYMON, they will be automatically assigned to this group again during their next login.

Remove LDAP users

After the account of an LDAP user is removed, the user can still log in to the system with their credentials. The account will be created again with default permissions; permissions obtained from groups will remain.

The create_user_for_existing_group_only parameter does not affect existing users. If the option is activated and there is no group in SAYMON with the same name as any of the user’s groups in LDAP, the user will not be able to recreate their account.

To block an LDAP user from logging in to the system, it is sufficient to switch their status to Blocked.
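The following is an added model of the login and group-import rules described on this page (the three ldap.* flags, the login collision, the blocked status, and the caveat that importing groups defeats the existing-group restriction). It is not SAYMON’s own code; the names Group and ldap_login and the in-memory dictionaries are assumptions made for the example.

```python
# Added example: a model of the documented login/group-import rules.
# This is NOT SAYMON's code; names (Group, ldap_login) are assumptions.
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    source: str = "SAYMON"                 # "SAYMON" or "LDAP"
    members: set = field(default_factory=set)


def ldap_login(login, ldap_groups, cfg, saymon_groups, users, blocked=()):
    """Simulate one LDAP login; returns (allowed, reason).

    saymon_groups: dict name -> Group (mutated, as the server would).
    users: dict login -> source ("SAYMON" or "LDAP") of existing accounts.
    Imports run before the existing-group check, which is why the page says
    not to combine create_user_for_existing_group_only with
    import_non_existing_groups.
    """
    if login in blocked:
        return False, "account status is Blocked"
    if users.get(login) == "SAYMON":
        return False, "login collides with a native SAYMON user"
    if cfg.get("import_non_existing_groups"):           # create missing groups
        for name in ldap_groups:
            saymon_groups.setdefault(name, Group(name, "LDAP"))
    if cfg.get("update_existing_groups"):               # convert same-name groups
        for name in ldap_groups:
            if name in saymon_groups:
                saymon_groups[name].source = "LDAP"
    first_login = login not in users
    if first_login and cfg.get("create_user_for_existing_group_only"):
        if not any(name in saymon_groups for name in ldap_groups):
            return False, "no SAYMON group matches any of the user's LDAP groups"
    users[login] = "LDAP"                               # create or sync the account
    for name in ldap_groups:                            # (re)assign LDAP-group membership
        if name in saymon_groups and saymon_groups[name].source == "LDAP":
            saymon_groups[name].members.add(login)
    return True, "ok"


if __name__ == "__main__":
    # Constructed scenario: both flags true defeats the group restriction.
    both = {"create_user_for_existing_group_only": True,
            "import_non_existing_groups": True}
    print(ldap_login("bob", {"qa"}, both, {}, {}))      # (True, 'ok')
```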