LDAP Authentication - Overview

Conjur supports integration with an existing corporate Active Directory or POSIX LDAP directory for defining and authenticating Conjur users.

With LDAP Authentication, users log into Conjur with the same login credentials that they use for their corporate accounts. There is no need to manage a password in multiple places. The password exists in a single location.

When LDAP authentication is enabled in Conjur:

  • All Web interface users must use LDAP credentials. LDAP authentication becomes the one and only way to authenticate to the web interface. Every Conjur UI user must have an LDAP account.

  • CLI and API users may choose which authentication type to use. A Conjur Server may have several authentication methods enabled simultaneously. API and CLI users can individually choose which authentication they want to use from all enabled authentication methods. If LDAP authentication is enabled, CLI and API users can optionally use that method. See Configure Developer Environment to Use LDAP Authentication. The default authentication method for the CLI and API is the Conjur authenticator, using passwords maintained in Conjur.

For general information about Conjur authentication and configuring multiple authentication methods, see Configure authentication.

LDAP authentication does not eliminate the requirement to add user accounts into Conjur. For each LDAP user that needs access to Conjur, there must be a corresponding user account declared in a security policy in Conjur. Conjur user accounts are required to manage the RBAC authorization model on Conjur resources. The Conjur authorization model permits users (or more typically, groups of users) to access and update Conjur resources.

With LDAP authentication, the corporate LDAP directory handles authentication, while Conjur is responsible for authorization.

LDAP authentication does not automatically incorporate subsequent changes made in the LDAP directory. To ensure that a disabled account can no longer access Conjur, see Disabled user accounts.

How it works

LDAP authentication is a built-in Conjur service (authn-ldap) that authenticates users to Conjur using their LDAP credentials. The LDAP authenticator uses configuration settings to connect to an LDAP server and bind against a directory using an LDAP username and password.

When the LDAP authenticator receives an authentication request, it attempts an LDAP bind operation with the supplied credentials. If the bind succeeds, it responds as an authentication (authn) service, returning an API key or a signed bearer token.

The authn-ldap service is used either to log in via basic authentication (GET /authn-ldap/users/login) or to authenticate by posting the password or API key, obtaining a bearer token (POST /authn-ldap/users/:user/authenticate). These functions are the same as those used by the default Conjur authenticator (authn). The difference is that authn-ldap uses LDAP credentials rather than a Conjur password.
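The two authn-ldap calls named above, seen from the client side, as an added illustration (this is not Conjur's own client code). The server URL is a constructed placeholder, and the `Token token="…"` header format used to present the returned token on later API calls is an assumption taken from the Conjur CLI convention, not something this page describes; the endpoint paths are the ones given in the text.

```python
import base64
import urllib.parse
import urllib.request

# Conjur server URL: constructed for this example, not a real deployment.
CONJUR_URL = "https://conjur.example.com"


def login_request(username: str, password: str) -> urllib.request.Request:
    """Build GET /authn-ldap/users/login with HTTP Basic credentials.

    The LDAP password is carried in the Authorization header, so this call
    must only ever be made over TLS. On success the response body is the
    user's Conjur API key, which can replace the password in the
    authenticate call below.
    """
    credentials = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(
        f"{CONJUR_URL}/authn-ldap/users/login",
        method="GET",
        headers={"Authorization": f"Basic {credentials}"},
    )


def authenticate_request(username: str, secret: str) -> urllib.request.Request:
    """Build POST /authn-ldap/users/:user/authenticate.

    ``secret`` is the LDAP password or the API key obtained from login; the
    response body is the signed bearer token (JSON). The username is
    percent-encoded so that characters such as '@' or '/' in a login name
    cannot alter the request path.
    """
    user_segment = urllib.parse.quote(username, safe="")
    return urllib.request.Request(
        f"{CONJUR_URL}/authn-ldap/users/{user_segment}/authenticate",
        data=secret.encode(),
        method="POST",
        headers={"Content-Type": "text/plain"},
    )


def bearer_header(token_json: bytes) -> str:
    """Wrap a returned token for the Authorization header of later API calls.

    The 'Token token="<base64 token>"' form is the Conjur CLI convention;
    it is assumed here, not stated by this page.
    """
    return 'Token token="%s"' % base64.b64encode(token_json).decode()


def send(request: urllib.request.Request, timeout: float = 10.0) -> bytes:
    """Perform a request and return its body. Kept separate so the request
    builders above can be inspected without a live server."""
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.read()


if __name__ == "__main__":
    # Full flow against a live server (not run here, since there is none):
    #   api_key = send(login_request("alice", "ldap-password"))
    #   token = send(authenticate_request("alice", api_key.decode()))
    #   headers = {"Authorization": bearer_header(token)}
    req = login_request("alice", "s3cret")
    print(req.get_method(), req.full_url)
```

Logging in with the password once and then authenticating with the API key keeps the LDAP password out of every subsequent request; the bearer token itself is short-lived and is what the rest of the API consumes.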

Configuration settings provide the LDAP server connection and filter information. The method of configuration differs depending on the Conjur version. For more information, see Step 1: Configure the LDAP connection and filter information.

Benefits of LDAP Authentication

LDAP Authentication lets users log in to Conjur using LDAP credentials. Specific advantages are: 

  • LDAP Authentication enables Conjur to authenticate users against credentials stored in an LDAP directory.

  • The configuration lets you define a subset of groups and users in the LDAP directory who can authenticate to Conjur. You do not need to give all users in your LDAP directory access to Conjur.

  • By supporting only one source of valid users, ongoing maintenance is easier.

  • From a security perspective, it is more secure to monitor and maintain one source of valid users.

  • LDAP Authentication does not override the Conjur RBAC authorization model. If there is not a matching user account in the security policy, an LDAP user with all of the correct credentials is denied access to Conjur.

  • Users do not need to maintain passwords in two places.

  • Flexibility is offered for Conjur CLI and API users. These users can decide on an individual basis whether to authenticate using the LDAP Directory or other supported Conjur authenticators. All users logging in to the Conjur UI must use their LDAP credentials when LDAP authentication is configured.

The LDAP filter template

One of the required configuration settings for LDAP authentication is the filter_template. The filter_template is a template string used to translate a Conjur user ID into an LDAP bind expression. The template must include the placeholder %s, which the authenticator replaces with the Conjur username supplied in the authentication request.

At a minimum, the value of filter_template can be the following, which matches a Conjur user name to a user name in the LDAP Directory:

(uid=%s)

The filter_template does not need to include exclusions for disabled users. LDAP servers reject requests to bind from disabled users.

LDAP servers support strong search capabilities for filtering user accounts. Conjur passes the filter_template that you configure to the LDAP server to implement as a search string. If you verify that a search string works on your LDAP server, it is valid in the filter_template.

Ultimately, the contents of the filter_template should support your organization's security policies and comply with the requirements of your particular LDAP server implementation.
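Because the filter_template is handed to the LDAP server as a search string with the caller-supplied user ID substituted for %s, any code that performs that substitution has to escape the user ID so it cannot change the structure of the filter. The following is an added illustration of that expansion, not Conjur's implementation: it applies the RFC 4515 escaping rules to the user ID, checks that the template contains the %s placeholder and is a balanced, parenthesised filter, and shows a group-restricting template of the kind the text describes. The group and directory names in the test data are constructed.

```python
from typing import Optional

# Characters that carry meaning inside an LDAP filter assertion value
# (RFC 4515 section 3). Each must be replaced by '\' + two hex digits.
_FILTER_SPECIALS = {"*", "(", ")", "\\", "\x00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside an LDAP filter.

    A user ID such as 'a*)(objectClass=*' becomes 'a\\2a\\29\\28objectClass=\\2a',
    so it is matched literally instead of widening or restructuring the filter.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in _FILTER_SPECIALS else ch for ch in value
    )


def template_error(template: str) -> Optional[str]:
    """Return a description of what is wrong with a filter_template, or None.

    Checks that the %s placeholder is present and that the template is a
    well-formed, parenthesised filter with balanced parentheses.
    """
    if "%s" not in template:
        return "filter_template must contain the %s placeholder"
    depth = 0
    for ch in template:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return "unbalanced ')' in filter_template"
    if depth != 0:
        return "unbalanced '(' in filter_template"
    if not (template.startswith("(") and template.endswith(")")):
        return "filter_template must be a parenthesised filter such as (uid=%s)"
    return None


def render_filter(template: str, conjur_user_id: str) -> str:
    """Expand filter_template for one Conjur user ID, escaping the ID first."""
    problem = template_error(template)
    if problem:
        raise ValueError(problem)
    return template.replace("%s", escape_filter_value(conjur_user_id))


if __name__ == "__main__":
    # Minimal template from the text, plus a constructed group-restricting one.
    print(render_filter("(uid=%s)", "alice"))
    print(render_filter(
        "(&(uid=%s)(memberOf=cn=conjur-users,ou=groups,dc=example,dc=com))",
        "bob",
    ))
    # A hostile user ID is neutralised rather than rewriting the filter.
    print(render_filter("(uid=%s)", "a*)(objectClass=*"))
```

When testing a candidate template against your own directory, as the text recommends, it is worth submitting the escaped form of a few awkward user IDs as well as ordinary ones: a template that only ever matches a single, expected entry per ID is the one to keep.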