Remote directories

EDA supports the use of external directories that the system can use to authenticate users who were not created locally on the system.

Note:

EDA only supports unsynchronized mode for Keycloak federation providers. This mode imports users and groups into EDA's Keycloak database, but does not write local changes back to the Lightweight Directory Access Protocol (LDAP) server.

Federated users are imported the first time a user logs in or when the user list is read via the EDA API/UI. Additionally, periodic synchronization of created and updated users may be configured.

The EDA API does not expose the full synchronization options from Keycloak to the federation provider. If full synchronization is required, it can be triggered via the Keycloak Administration Console.

The EDA API server blocks all edits to federated users except for adding the user to, or removing the user from, local groups. Local changes to federated groups are not supported; federated group membership must be configured on the LDAP server.

Configuring remote directories

EDA supports:
  • the configuration of up to five directories
  • LDAP and Active Directory directories
  • user synchronization from the directory
  • group synchronization from the directory and user group membership mapping
  • limiting imported users and groups using LDAP filters

When a remote directory is configured, system administrators can continue to create local users in EDA.

Configuring TLS truststore for remote directories

When connecting a federation provider using LDAPS or STARTTLS, Keycloak must trust the server's TLS certificate authority. To add certificate authorities to the EDA Keycloak truststore, create a Kubernetes secret named ldap-ca-secret of type Opaque in the EDA base namespace with a base64 encoded PEM certificate in the ca field. For example:

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: ldap-ca-secret
  namespace: eda-system # Enter the base namespace of your EDA installation
data:
  ca: <base64(certificate authority)> # Base64 encoded PEM certificate

EDA monitors this secret and if it changes, EDA updates the certificate authority information used by Keycloak. Modifying the authority information results in a restart of the Keycloak server.
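The following shell function is an added example, not part of the EDA documentation: it renders the ldap-ca-secret manifest described above from a PEM CA file, refusing input that is not a certificate (for instance a private key pasted by mistake) and producing the single-line base64 that the Secret's data field requires. The function name, the default namespace eda-system and the use of the standard base64 utility are assumptions.

```shell
#!/bin/sh
# Added example (not EDA's own tooling): build the ldap-ca-secret manifest
# from a PEM CA bundle so it can be applied with `kubectl apply -f -`.
# Usage: render_ldap_ca_secret <ca.pem> [namespace]  (namespace defaults to eda-system)
render_ldap_ca_secret() {
    ca_file=$1
    ns=${2:-eda-system}   # assumed default; use your EDA base namespace

    # Sanity checks before anything reaches the cluster: the file must be a
    # readable PEM certificate and must not carry a private key.
    [ -r "$ca_file" ] || { echo "error: cannot read $ca_file" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$ca_file" || {
        echo "error: $ca_file contains no PEM certificate" >&2; return 1; }
    if grep -q -- 'PRIVATE KEY' "$ca_file"; then
        echo "error: $ca_file contains a private key; only the CA certificate belongs in the secret" >&2
        return 1
    fi

    # A Secret's data: values must be single-line base64; GNU base64 wraps at
    # 76 columns by default, so strip the newlines it inserts.
    ca_b64=$(base64 < "$ca_file" | tr -d '\n')

    cat <<EOF
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: ldap-ca-secret
  namespace: $ns
data:
  ca: $ca_b64
EOF
}

# Run directly: sh make-ldap-ca-secret.sh ca.pem eda-system | kubectl apply -f -
if [ -n "${1:-}" ]; then
    render_ldap_ca_secret "$@"
fi
```

The same encoding can be produced with `kubectl create secret generic ldap-ca-secret --from-file=ca=ca.pem -n eda-system`; the function above only adds the pre-flight checks.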

Configuring a federation

Use this procedure to integrate an LDAP server by creating a federation instance.

Under the System Administration > USER MANAGEMENT menu, select User Management. From the User Management drop-down list, select Federations.

  1. Click Create.
  2. Configure settings for the Federation instance.
    Set the following parameters:
    • Name
    • Vendor
    • Enabled
    • Import Users
      Note: By default, this field is set to True; the field is read-only.
  3. Configure LDAP server settings.
    Set the following parameters:
    • Connection URL
    • Use TLS
      Note: If this field is set to True, the certificate must be set up on the LDAP server side. After configuring the certificate on the LDAP server, create the LDAP CA secret (ldap-ca-secret) on the platform where EDA is managed.
    • Bind Type
    • User DN
    • Username LDAP Attribute
    • Timeout

      Click Test Connection to test the connection to the LDAP server.

    • RDN LDAP Attribute
    • ID Attribute
    • User Object Classes
    • User Search Filter
    • Search Scope
    • Pagination
    • Periodic Sync
    • Read Only
  4. Enable and configure support for bind credentials.
    Set the following parameters:
    • Bind Credential
    • Bind DN

    Click Test Authentication to verify that the credentials are valid.

  5. Enable and configure group federation support.
    If group support is disabled, groups are not synchronized with EDA. If group support is enabled, set the following parameters:
    • Object Classes
    • Group LDAP DN
    • Name LDAP Attribute
    • Member Attribute
    • Membership Attribute Type
    • Membership User Attribute
    • Filter
    • Retrieval Strategy
    • Member Of Attribute
  6. When you are finished, click Save.

Deleting a federation

You can delete federations from the System Administration > User Management menu. From the drop-down list, select Federations.
Note: When you delete a federation, LDAP groups imported from the LDAP server are not deleted; you must delete these imported user groups explicitly.
  • Locate the federation that you want to delete and at the end of its row, click the Table row actions menu. Select Delete, then click Save.
  • Alternatively, you can select more than one federation, then, click the Table settings & actions menu on the upper right of the page and select Delete. Click Save.