LDAP Integration

Lightweight Directory Access Protocol (LDAP) is an application protocol for directory access (like a phone book) that provides authentication and membership information for users and groups within the directory. Yellowbrick can be configured to use directory service providers such as Microsoft Active Directory (AD) and OpenLDAP for authentication and group information.

LDAP (unencrypted), LDAPS (LDAP over SSL), and LDAP+TLS communication protocols are all supported. If you want to use LDAPS or LDAP+TLS, the first step is to import your security certificates.

Local Versus LDAP Users and Groups

Yellowbrick users and groups may be local to the Yellowbrick appliance, LDAP-based, or a combination of both. Enabling LDAP on your appliance does not prohibit the use of locally authenticated users and groups.
  • Local users are those who are authenticated by the database using a password stored in the database.
  • LDAP users are those authenticated by the LDAP database.
  • Local groups are those groups that have been created locally and are not being replicated from the LDAP server. An LDAP group is equivalent to a Yellowbrick database role.
  • LDAP groups are groups that you have designated within Yellowbrick to be replicated from the LDAP server.
Before any user can be authenticated, that user must exist within the Yellowbrick appliance. You can create users in two ways:
  • Manually within the database (via a CREATE USER command or the SMC)
  • Automatically as part of an LDAP synchronization operation (via the SMC, with user-defined filter criteria)

Yellowbrick distinguishes between local and LDAP users based on whether or not they have a local password. Local Yellowbrick users have a password. If a local user is created without a password, or if the user's password is subsequently set to null, that user can be authenticated only through LDAP. If LDAP is not enabled, no user with a null password is granted database access. In either case, the authentication is transparent to users: a user always sees the same database-generated authentication behavior regardless of where the authentication actually takes place.

A superuser can convert an existing local user to an LDAP authenticated user by setting the user's password to null. A superuser can also change an existing LDAP authenticated user to a locally authenticated user by setting a non-null password for that user.
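The routing rule described above (user must pre-exist; non-null password means local authentication; null password means LDAP, or denial when LDAP is disabled; conversion by setting or clearing the password), as an added, constructed Python model. This is not Yellowbrick code; the `Appliance` class, the `directory` dictionary standing in for an LDAP bind, and the local password hashing are assumptions of the model.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed model (not Yellowbrick code) of how a user's stored password
# decides where authentication happens: local database or LDAP directory.
@dataclass
class Appliance:
    ldap_enabled: bool
    # username -> salted hash of the local password, or None for "no local password"
    users: Dict[str, Optional[str]] = field(default_factory=dict)
    # constructed stand-in for the LDAP server: username -> directory password
    directory: Dict[str, str] = field(default_factory=dict)

    @staticmethod
    def _hash(password: str) -> str:
        # Model only: real appliances use their own password storage.
        return hashlib.sha256(b"model-salt:" + password.encode()).hexdigest()

    def create_user(self, name: str, password: Optional[str] = None) -> None:
        # CREATE USER with or without a password (the SMC/sync path is equivalent)
        self.users[name] = self._hash(password) if password is not None else None

    def set_password(self, name: str, password: Optional[str]) -> None:
        # Superuser conversion: None -> LDAP-authenticated, non-null -> local
        if name not in self.users:
            raise KeyError(name)
        self.users[name] = self._hash(password) if password is not None else None

    def auth_source(self, name: str) -> str:
        # Where this user's authentication would be handled, or why it is denied
        if name not in self.users:
            return "denied: user does not exist in the appliance"
        if self.users[name] is not None:
            return "local"
        return "ldap" if self.ldap_enabled else "denied: null password and LDAP disabled"

    def authenticate(self, name: str, password: str) -> bool:
        # The caller sees only True/False, whichever path handled the request
        source = self.auth_source(name)
        if source == "local":
            return self.users[name] == self._hash(password)
        if source == "ldap":
            # Models a simple bind against the directory
            return self.directory.get(name) == password
        return False
```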

Getting Started with Yellowbrick and LDAP

The following sections explain the process of importing certificates (for SSL and TLS configurations), setting up LDAP authentication for superusers and regular users, and optionally synchronizing LDAP users and groups with database users and roles.