Configuration (AEN 4.1.1)¶
LDAP Configuration¶
Anaconda Enterprise Notebooks does local authentication against accounts in the Anaconda Enterprise Notebooks database by default. To configure Anaconda Enterprise Notebooks to authenticate against accounts in a LDAP server, follow these instructions.
For more information about configuring AEN, please see the documentation on configuration files.
Install OpenLDAP Libraries¶
The system needs the OpenLDAP libraries installed and accessible by Anaconda Enterprise Notebooks. Anaconda Enterprise Notebooks uses the OpenLDAP libraries to establish an LDAP connection to your LDAP servers.
Centos/Redhat¶
To install openldap
on CentOS or Redhat, run the following commands:
sudo yum install openldap
Ubuntu/Debian¶
To install openldap
on Ubuntu or Debian, follow the official
OpenLDAP installation instructions:
https://wiki.debian.org/LDAP/OpenLDAPSetup
OpenLDAP¶
Next, edit the
/opt/wakari/wakari-server/etc/wakari/wk-server-config.json
file.
Add the LDAP settings as shown:
{
"accounts":"wk_server.plugins.accounts.ldap2",
"LDAP" : {
"URI": "ldap://openldap.EXAMPLE.COM",
"BIND_DN": "cn=Bob Jones,ou=Users,DC=EXAMPLE,DC=COM",
"BIND_AUTH": "secretpass",
"USER_SEARCH": {"base": "DC=EXAMPLE,DC=COM",
"filter": "(| (& (ou=Payroll)
(uid=%(username)s))
(& (ou=Facilities)
(uid=%(username)s)))"
},
"KEY_MAP": {"email": "mail",
"name": "cn"
}
}
}
URI¶
- The IP address or hostname of your OpenLDAP server. For
SSL/TLS, use the
ldaps://
prefix and specify aTLS_CACERT
as described in the SSL/TLS configuration section below.
BIND_DN¶
- The full directory path of the user you want AEN Server to bind as.
BIND_AUTH¶
- The password of the BIND_DN user.
USER_SEARCH¶
- base: the level at which you want to start the search.
- filter: default is to search for the sAMAccountName attribute, and use its value for the AEN Server username field.
KEY_MAP¶
- Map user attributes in AEN Server to LDAP user attributes (ex: the
mail
attribute in LDAP maps to theemail
attribute in AEN Server)
As soon as LDAP is installed LDAP takes over, so you need to add your admin account again:
/opt/wakari/wakari-server/bin/wk-server-admin superuser --add "jsmith"
Active Directory¶
Microsoft Active Directory is a server program that provides directory services and uses the open industry standard Lightweight Directory Access Protocol (LDAP).
To enable Active Directory support:
Edit the /opt/wakari/wakari-server/etc/wakari/wk-server-config.json
file.
Add the LDAP settings as shown:
{
"accounts":"wk_server.plugins.accounts.ldap2",
"LDAP" : {
"URI": "ldap://ad.EXAMPLE.COM",
"BIND_DN": "CN=Bind User,CN=Users,DC=EXAMPLE,DC=COM",
"BIND_AUTH": "secretpass",
"USER_SEARCH": {"base": "CN=Users,DC=EXAMPLE,DC=COM",
"filter": "sAMAccountName=%(username)s"
},
"KEY_MAP": {"email": "mail",
"name": "cn"
}
}
}
URI¶
- The IP address or hostname of your Active Directory server. For
SSL/TLS, use the
ldaps://
prefix and specify aTLS_CACERT
as described in the SSL/TLS configuration section below.
BIND_DN¶
- The full directory path of the user you want AEN Server to bind as.
BIND_AUTH¶
- The password of the BIND_DN user.
USER_SEARCH¶
- base: the level at which you want to start the search.
- filter: default is to search for the sAMAccountName attribute, and use its value for the AEN Server username field.
KEY_MAP¶
- Map user attributes in AEN Server to LDAP user attributes (ex: the
mail
attribute in LDAP maps to theemail
attribute in AEN Server)
As soon as LDAP is installed LDAP takes over, so you need to add your admin account again:
/opt/wakari/wakari-server/bin/wk-server-admin superuser --add "jsmith"
SSL/TLS configuration¶
Anaconda Enterprise Notebooks uses system-wide LDAP settings, including SSL/TLS support.
- On Redhat/CentOS systems, these settings are located in
/etc/openldap/ldap.conf
- On Ubuntu/Debian systems, these settings are located in
/etc/ldap/ldap.conf
Typically, the only option needed is:
TLS_CACERT /path/to/CA.cert
Where CA.cert is the CA used to sign the LDAP server’s SSL certificate. In the case of a self-signed SSL certificate, this is the path to the SSL certificate itself.
Test configuration with Flask LDAP Check¶
Finally, test the LDAP configuration with the flask-ldap-login-check
command:
/opt/wakari/wakari-server/bin/flask-ldap-login-check \
wk_server.wsgi:app \
-u [username] \
-p [password]
Where ``username`` is the username of a valid user and ``password`` is that user’s BIND_AUTH password.