The LDAP integration in Skedler allows your Skedler users to log in with their LDAP credentials in 3 simple steps. You can also specify mappings between LDAP group memberships and Skedler Organization user roles.
Enable LDAP
The following document will walk you through 3 simple steps to integrate LDAP (Lightweight Directory Access Protocol) authentication with Skedler.
Step 1: Add LDAP details to the reporting.yml file (LDAP Skedler Setup)
Basic configuration
# Enable and configure only if you are using ldap authentication
authType: 'ldap'
# Configure the ldap instance url. If you are using a secured instance use ldaps://<your-domain>:<port>, else ldap://<your-domain>:<port>
ldapUrl: 'ldaps://localhost:636'
# Set to true if your ldap instance uses an encrypted tls connection
useSsl: true
# Set to true if you want to skip the ldap ssl verification
sslSkipVerify: false
# Authentication against ldap servers requiring client certificates
clientCert: '/path/to/ldap_server.crt'
clientKey: '/path/to/ldap_server.key'
# Set to the path to your root CA certificate
rootCaCert: '/path/to/ca-certificates.crt'
# Search user bind dn
bindDn: 'cn=admin,dc=skedler,dc=com'
# Search user bind password
bindPassword: '1234'
# User search filter, for example "(cn={{username}})" or "(sAMAccountName={{username}})" or "(uid={{username}})"
searchFilter: '(cn={{username}})'
# Base dn to search through
searchBaseDn: 'ou=people,dc=skedler,dc=com'
# Enable group search filter, if your ldap instance does not support posixGroup, configure accordingly
groupSearchFilter: '(&(|(objectclass=group)(objectclass=groupofnames)(objectclass=groupofuniquenames)(objectClass=posixGroup))(|(member={{dn}})(memberUid={{username}})(uniquemember={{dn}})))'
# Group base dn to search through
groupSearchBaseDn: 'dc=skedler,dc=com'
(Hint: you need to provide the highlighted LDAP server details, such as the URL, client certificates, etc., in the above configuration.)
With the bindDn user and password combination, every user can access the Skedler application.
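A pre-flight check for the settings above, as an added example that is not Skedler's own code: it verifies that both search filters have well-formed parentheses and carry a placeholder, and that the TLS settings protect the bind credentials. The function names, the dict standing in for the parsed reporting.yml, and the reading that TLS is only used when useSsl is true are assumptions; the sample values are constructed.

```python
from urllib.parse import urlparse

def filter_error(flt):
    """Return None if an LDAP filter's parentheses are well formed, else a reason."""
    depth, prev = 0, ""
    for i, ch in enumerate(flt):
        if ch.isspace():
            continue
        if ch == "(":  # may only start the filter or follow an operator or a ')'
            if prev and prev not in "&|!)":
                return f"'(' at offset {i} opens inside an unclosed item"
            if prev == ")" and depth == 0:
                return f"second top-level filter at offset {i}"
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return f"unmatched ')' at offset {i}"
        elif depth == 0:
            return f"text outside parentheses at offset {i}"
        prev = ch
    return f"{depth} unclosed '('" if depth else None

def lint_ldap(cfg):
    """Hypothetical helper: findings for the LDAP keys of reporting.yml, given as a dict."""
    findings = []
    scheme = urlparse(cfg.get("ldapUrl", "")).scheme
    if scheme not in ("ldap", "ldaps"):
        findings.append("ldapUrl: scheme must be ldap:// or ldaps://")
    elif not cfg.get("useSsl"):  # assumption: TLS is only used when useSsl is true
        findings.append("useSsl: not true, so bind credentials are not protected by TLS")
    if cfg.get("sslSkipVerify"):
        findings.append("sslSkipVerify: LDAP server certificate is not verified")
    for key, needs in (("searchFilter", ("{{username}}",)),
                       ("groupSearchFilter", ("{{dn}}", "{{username}}"))):
        flt = cfg.get(key, "")
        if (err := filter_error(flt)):
            findings.append(f"{key}: {err}")
        if not any(p in flt for p in needs):
            findings.append(f"{key}: missing placeholder {' or '.join(needs)}")
    return findings

# Constructed sample values, shaped like the keys in the basic configuration.
GOOD = {"ldapUrl": "ldaps://localhost:636", "useSsl": True, "sslSkipVerify": False,
        "searchFilter": "(cn={{username}})",
        "groupSearchFilter": "(&(objectClass=group)(member={{dn}}))"}
BAD = {"ldapUrl": "ldap://localhost:389", "useSsl": False, "sslSkipVerify": True,
       "searchFilter": "(cn=admin)",
       "groupSearchFilter": "(&(objectClass=posixGroup(memberUid={{username}}))"}
```

lint_ldap(BAD) returns four findings, including the group filter whose objectClass item is never closed; lint_ldap(GOOD) returns none.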
Once we complete the basic configuration we can proceed with configuring the reporting.yml file for the below-mentioned LDAP server scenarios.
1. LDAP server with users and roles.
2. LDAP server with users, orgs, and roles.
a. LDAP server with roles within orgs and users.
b. LDAP server with orgs within roles and users.
3. LDAP server with users, roles, orgs.
ℹ️ To learn more on How to configure your reporting.yml for the discussed scenarios scroll down in this document to the section "Setup LDAP server scenario(s)"
Step 2: Create a Skedler Admin account.
The Admin account is created as the default Skedler user. The Skedler Admin username should not be the same as an LDAP username.
Visual representation of a super admin account
Step 3: Sign in with an LDAP user account.
ℹ️ Key Information
Skedler system validates the entered credentials with the LDAP server. Based on reporting.yml configuration, Skedler will map the user to the respective roles and organisations.
Visual representation of a user account mapped with different roles in different orgs
Setup LDAP server scenario(s)
Scenario 1- reporting.yml configuration for LDAP role mapping for a user.
Please refer to the above mapping if you have named the users
In your reporting.yml (Hint, learn more about reporting.yml file) proceed with setting up the below-highlighted configuration as per your LDAP server and requirements.
# Map ldap groups to skedler roles
# Use '*' to add all users to a particular role
# Group dn to add user with Admin role
adminGroupdn:
- "cn=superadmins,ou=groups,dc=skedler,dc=com"
- "cn=org2,ou=groups,dc=skedler,dc=com"
# Group dn to add user with Editor role
editorGroupdn:
- "cn=developer,ou=groups,dc=skedler,dc=com"
# Group dn to add user with Viewer role
ViewerGroupdn:
- "cn=csm,ou=groups,dc=skedler,dc=com"
Scenario 2a, 2b, 3 - reporting.yml configuration for LDAP organization and role mapping for a user.
2a. LDAP server with roles within orgs and users.
2b. LDAP server with orgs within roles and users.
3. LDAP server with users, roles, orgs.
Please refer to the above mappings if you have named the users
In your reporting.yml (Hint, learn more about reporting.yml file) proceed with setting up the below-highlighted configuration as per your LDAP server and requirements.
# Map ldap groups with orgs and roles for user
# Use '*' to add all users to a particular role
# Group dn and role dn to add user with Admin role with respective org
mapAdminToOrgs:
  orgNames:
    - "cn=org1,ou=groups,dc=skedler,dc=com"
    - "cn=org2,ou=groups,dc=skedler,dc=com"
  admins:
    - "cn=admin,ou=rbac,dc=skedler,dc=com"
# Group dn and role dn to add user with Editor role with respective org
mapEditorToOrgs:
  orgNames:
    - "cn=org2,ou=groups,dc=skedler,dc=com"
  editors:
    - "cn=editor,ou=rbac,dc=skedler,dc=com"
# Group dn and role dn to add user with Viewer role with respective org
mapViewerToOrgs:
  orgNames:
    - "cn=org3,ou=groups,dc=skedler,dc=com"
  viewers:
    - "cn=viewer,ou=rbac,dc=skedler,dc=com"
❓Quick Troubleshooting
If you see the above error, it could be due to one of the reasons below:
1. The LDAP user is not mapped in LDAP groups or roles.
Check user mapping with Orgs and roles in the LDAP server and configure reporting.yml accordingly.
2. User and group search filter information missing in reporting.yml configuration.
Here's documentation that helps you pick the right filters. Learn more
3. Group / orgs role mapping information missing in reporting.yml configuration.
To learn more on How to configure your reporting.yml for the discussed scenarios scroll up in this document to the section "Setup LDAP server scenario(s)"
4. If you see the below error in the Skedler logs.
error={"generatedMessage":true,"code":"ERR_ASSERTION","actual":0,"expected":true,"operator":"=="}
As the next step, change the groupSearchFilter as shown in the code below.
groupSearchFilter: '(&(objectClass=group)(member={{dn}}))'
5. If there are any other flavors in the Active Directory.
Here's documentation that helps you pick the right filters. Learn more