diff --git a/openmetadata-docs/content/deployment/security/ldap/bare-metal.md b/openmetadata-docs/content/deployment/security/ldap/bare-metal.md
new file mode 100644
index 00000000000..94e73e1d336
--- /dev/null
+++ b/openmetadata-docs/content/deployment/security/ldap/bare-metal.md
@@ -0,0 +1,157 @@
+---
+title: Ldap Authentication for Bare Metal
+slug: /deployment/security/ldap/bare-metal
+---
+
+# Ldap Authentication for Bare Metal
+
+## Set up Configurations in openmetadata.yaml
+
+### Authentication Configuration
+
+The following configuration controls the auth mechanism for OpenMetadata. Update the mentioned fields as required.
+
+```yaml
+authenticationConfiguration:
+ provider: ${AUTHENTICATION_PROVIDER:-ldap}
+ publicKeyUrls: ${AUTHENTICATION_PUBLIC_KEYS:-[http://localhost:8585/api/v1/system/config/jwks]}
+ authority: ${AUTHENTICATION_AUTHORITY:-https://accounts.google.com}
+ enableSelfSignup : ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-false}
+ ldapConfiguration:
+ host: ${AUTHENTICATION_LDAP_HOST:-localhost}
+ port: ${AUTHENTICATION_LDAP_PORT:-10636}
+ dnAdminPrincipal: ${AUTHENTICATION_LOOKUP_ADMIN_DN:-"cn=admin,dc=example,dc=com"}
+ dnAdminPassword: ${AUTHENTICATION_LOOKUP_ADMIN_PWD:-"secret"}
+ userBaseDN: ${AUTHENTICATION_USER_LOOKUP_BASEDN:-"ou=people,dc=example,dc=com"}
+ mailAttributeName: ${AUTHENTICATION_USER_MAIL_ATTR:-email}
+ # Optional
+ maxPoolSize: ${AUTHENTICATION_LDAP_POOL_SIZE:-3}
+ sslEnabled: ${AUTHENTICATION_LDAP_SSL_ENABLED:-true}
+ truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-TrustAll} # {CustomTrustStore, HostName, JVMDefault, TrustAll}
+ trustStoreConfig:
+ customTrustManagerConfig:
+ trustStoreFilePath: ${AUTHENTICATION_LDAP_TRUSTSTORE_PATH:-}
+ trustStoreFilePassword: ${AUTHENTICATION_LDAP_KEYSTORE_PASSWORD:-}
+ trustStoreFileFormat: ${AUTHENTICATION_LDAP_SSL_KEY_FORMAT:-}
+ verifyHostname: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-}
+ examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-}
+ hostNameConfig:
+ allowWildCards: ${AUTHENTICATION_LDAP_ALLOW_WILDCARDS:-}
+ acceptableHostNames: ${AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES:-[]}
+ jvmDefaultConfig:
+ verifyHostname: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-}
+ trustAllConfig:
+ examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true}
+```
+
+For the LDAP auth we need to set:
+
+OpenMetadata Specific Configuration :
+
+- `provider`: ldap
+- `publicKeyUrls`: {http|https}://{your_domain}:{port}}/api/v1/system/config/jwks
+- `authority`: {your_domain}
+- `enableSelfSignup`: This has to be false for Ldap.
+
+
+
+Mandatory LDAP Specific Configuration:
+
+- `host`: hostName for the Ldap Server (Ex - localhost).
+- `port`: port of the Ldap Server to connect to (Ex - 10636).
+- `dnAdminPrincipal`: This is the DN Admin Principal(Complete path Example :- cn=admin,dc=example,dc=com ) with a lookup access in the Directory.
+- `dnAdminPassword`: Above Admin Principal Password.
+- `userBaseDN`: User Base DN(Complete path Example :- ou=people,dc=example,dc=com).
+
+
+
+Please see the below image for a sample LDAP Configuration in ApacheDS.
+
+
+
+Advanced LDAP Specific Configuration (Optional):
+
+- `maxPoolSize`: Connection Pool Size to use to connect to LDAP Server.
+- `sslEnabled`: Set to true if the SSL is enable to connect to LDAP Server.
+- `truststoreConfigType`: Truststore type. It is required. Can select from {CustomTrustStore, HostName, JVMDefault, TrustAll}
+- `trustStoreConfig`: Config for the selected truststore type. Please check below note for setting this up.
+
+
+
+Based on the different `truststoreConfigType`, we have following different `trustStoreConfig`.
+
+1. **TrustAll**: Provides an SSL trust manager which will blindly trust any certificate that is presented to it, although it may optionally reject certificates that are expired or not yet valid. It can be convenient for testing purposes, but it is recommended that production environments use trust managers that perform stronger validation.
+
+```yaml
+ truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-TrustAll}
+ trustStoreConfig:
+ trustAllConfig:
+ examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true}
+```
+
+- `examineValidityDates`: Indicates whether to reject certificates if the current time is outside the validity window for the certificate.
+
+2. **JVMDefault**: Provides an implementation of a trust manager that relies on the JVM's default set of trusted issuers.
+
+```yaml
+ truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-JVMDefault}
+ trustStoreConfig:
+ jvmDefaultConfig:
+ verifyHostname: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-true}
+```
+
+- `verifyHostname`: Controls using TrustAllSSLSocketVerifier vs HostNameSSLSocketVerifier. In case the certificate contains cn=hostname of the Ldap Server set it to true.
+
+3. **HostName**: Provides an SSL trust manager that will only accept certificates whose hostname matches an expected value.
+
+```yaml
+ truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-HostName}
+ trustStoreConfig:
+ hostNameConfig:
+ allowWildCards: ${AUTHENTICATION_LDAP_ALLOW_WILDCARDS:-false}
+ acceptableHostNames: ${AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES:-[localhost]}
+```
+
+- `allowWildCards`: Indicates whether to allow wildcard certificates which contain an asterisk as the first component of a CN subject attribute or dNSName subjectAltName extension.
+- `acceptableHostNames`: The set of hostnames and/or IP addresses that will be considered acceptable. Only certificates with a CN or subjectAltName value that exactly matches one of these names (ignoring differences in capitalization) will be considered acceptable. It must not be null or empty.
+
+4. **CustomTrustStore**: Use the custom Truststore by providing the below details in the config.
+
+```yaml
+ truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-CustomTrustStore}
+ trustStoreConfig:
+ customTrustManagerConfig:
+ trustStoreFilePath: ${AUTHENTICATION_LDAP_TRUSTSTORE_PATH:-/Users/parthpanchal/trusted.ks}
+ trustStoreFilePassword: ${AUTHENTICATION_LDAP_KEYSTORE_PASSWORD:-secret}
+ trustStoreFileFormat: ${AUTHENTICATION_LDAP_SSL_KEY_FORMAT:-JKS}
+ verifyHostname: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-true}
+ examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true}
+```
+
+- `trustStoreFilePath`: The path to the trust store file to use. It must not be null.
+- `trustStoreFilePassword`: The PIN to use to access the contents of the trust store. It may be null if no PIN is required.
+- `trustStoreFileFormat`: The format to use for the trust store. (Example :- JKS, PKCS12).
+- `verifyHostname`: Controls using TrustAllSSLSocketVerifier vs HostNameSSLSocketVerifier. In case the certificate contains cn=hostname of the Ldap Server set it to true.
+- `examineValidityDates`: Indicates whether to reject certificates if the current time is outside the validity window for the certificate.
+
+
+
+### Authorizer Configuration
+
+This configuration controls the authorizer for OpenMetadata:
+
+```yaml
+authorizerConfiguration:
+ adminPrincipals: ${AUTHORIZER_ADMIN_PRINCIPALS:-[admin]}
+ principalDomain: ${AUTHORIZER_PRINCIPAL_DOMAIN:-"openmetadata.org"}
+```
+
+For the Ldap we need to set:
+
+- `adminPrincipals`: This is the list of admin Principal for the OpenMetadata , if mail in ldap is example@openmetadata.org, then if we want this user to be admin in the OM, we should add 'example', in this list.
+- `principalDomain`: Company Domain.
+
+## Metadata Ingestion
+
+For ingesting metadata when LDAP is enabled, it is mandatory to configure the `ingestion-bot` account with the JWT configuration.
+To know how to enable it, you can follow the documentation of [Enable JWT Tokens](/deployment/security/enable-jwt-tokens).
diff --git a/openmetadata-docs/content/deployment/security/ldap/docker.md b/openmetadata-docs/content/deployment/security/ldap/docker.md
new file mode 100644
index 00000000000..4899f880a88
--- /dev/null
+++ b/openmetadata-docs/content/deployment/security/ldap/docker.md
@@ -0,0 +1,142 @@
+---
+title: Ldap Authentication for Docker
+slug: /deployment/security/ldap/docker
+---
+
+# Ldap Authentication for Docker
+
+To enable LDAP for docker deployment, there are a couple of files/certificates which are required to carry out the process.
+With the help of this documentation, we can provide those files/certificates to the docker container to use.
+To enable security for the Docker deployment, follow the next steps:
+
+## Ways to configure LDAP using docker
+* #### [**Using Volumes**](#configure-using-volumes)
+* #### [**Extending docker image**](#extend-the-openmetadata-server-docker-image)
+
+## Configure Using Volumes
+In `docker/docker-compose-quickstart/docker-compose.yml` file configure the volumes based on the `truststoreConfigType`
+
+**NO NEED TO ADD VOLUMES IF** `truststoreConfigType` **IS** `TrustAll` **OR** `HostName`.
+
+### **Using JVMDefault**
+For docker container to access cacerts, copy the cacerts to `docker/ldap/config` and add the path in volumes.
+```shell
+ volumes:
+ - docker/ldap/config/cacerts:/usr/lib/jvm/java-11-openjdk/lib/security/cacerts
+```
+
+### **Using CustomTrustStore**
+For docker container to access your truststore, copy the truststore to `docker/ldap/config` and add the path in volumes.
+```shell
+ volumes:
+ - docker/ldap/config/{YOUR_TRUSTSTORE}:/opt/openmetadata/ldap/truststore/{YOUR_TRUSTSTORE}
+```
+## Extend the OpenMetadata server docker image
+
+Create a docker file and add the following details based on the `truststoreConfigType`.
+
+
+**NO NEED TO CREATE THIS FILE IF** `truststoreConfigType` **IS** `TrustAll` **OR** `HostName`.
+### **Using JVMDefault**
+ For docker container to access cacerts, copy the cacerts to `docker/ldap/config` as shown below.
+```shell
+FROM docker.getcollate.io/openmetadata/server:0.13.2
+COPY docker/ldap/config/cacerts /usr/lib/jvm/java-11-openjdk/lib/security/cacerts
+```
+
+### **Using CustomTrustStore**
+ For docker container to access your truststore, copy the truststore to `docker/ldap/config` as shown below.
+```shell
+FROM docker.getcollate.io/openmetadata/server:0.13.2
+COPY docker/ldap/config/{YOUR_TRUSTSTORE} /opt/openmetadata/ldap/truststore/{YOUR_TRUSTSTORE}
+```
+
+Run the following command from OpenMetadata root directory to create an image:
+```text
+docker build -f {DOCKER_FILE_PATH} -t {DOCKER_NAME}:{TAG} .
+```
+**NOTE:** After the image is created, in `docker/docker-compose-quickstart/docker-compose.yml` file, under openmetadata-server service replace the image name with the above created docker image.
+```shell
+ image: {DOCKER_NAME}:{TAG}
+```
+
+## Create an .env file
+
+Create an openmetadata_ldap.env file and add the following contents as an example. Use the information generated when setting up the account.
+
+Based on the different `truststoreConfigType`, we have following different `trustStoreConfig`.
+
+### Trust Store Config Type: TrustAll
+
+```shell
+AUTHENTICATION_PROVIDER=ldap
+AUTHENTICATION_LDAP_HOST={HOST}
+AUTHENTICATION_LDAP_PORT={PORT}
+AUTHENTICATION_LOOKUP_ADMIN_DN={ADMIN_DN}
+AUTHENTICATION_LOOKUP_ADMIN_PWD={ADMIN_DN_PASSWORD}
+AUTHENTICATION_USER_LOOKUP_BASEDN={USER_DN}
+AUTHENTICATION_USER_MAIL_ATTR={MAIL_ATTRIBUTE}
+AUTHENTICATION_LDAP_POOL_SIZE=3
+AUTHENTICATION_LDAP_SSL_ENABLED=true
+AUTHENTICATION_LDAP_TRUSTSTORE_TYPE=TrustAll
+AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES=true
+```
+
+### Trust Store Config Type: JVMDefault
+
+```shell
+AUTHENTICATION_PROVIDER=ldap
+AUTHENTICATION_LDAP_HOST={HOST}
+AUTHENTICATION_LDAP_PORT={PORT}
+AUTHENTICATION_LOOKUP_ADMIN_DN={ADMIN_DN}
+AUTHENTICATION_LOOKUP_ADMIN_PWD={ADMIN_DN_PASSWORD}
+AUTHENTICATION_USER_LOOKUP_BASEDN={USER_DN}
+AUTHENTICATION_USER_MAIL_ATTR={MAIL_ATTRIBUTE}
+AUTHENTICATION_LDAP_POOL_SIZE=3
+AUTHENTICATION_LDAP_SSL_ENABLED=true
+AUTHENTICATION_LDAP_TRUSTSTORE_TYPE=TrustAll
+AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST=true
+```
+
+### Trust Store Config Type: HostName
+
+```shell
+AUTHENTICATION_PROVIDER=ldap
+AUTHENTICATION_LDAP_HOST={HOST}
+AUTHENTICATION_LDAP_PORT={PORT}
+AUTHENTICATION_LOOKUP_ADMIN_DN={ADMIN_DN}
+AUTHENTICATION_LOOKUP_ADMIN_PWD={ADMIN_DN_PASSWORD}
+AUTHENTICATION_USER_LOOKUP_BASEDN={USER_DN}
+AUTHENTICATION_USER_MAIL_ATTR={MAIL_ATTRIBUTE}
+AUTHENTICATION_LDAP_POOL_SIZE=3
+AUTHENTICATION_LDAP_SSL_ENABLED=true
+AUTHENTICATION_LDAP_TRUSTSTORE_TYPE=TrustAll
+AUTHENTICATION_LDAP_ALLOW_WILDCARDS=false
+AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES={[ACCEPTABLE_HOSTNAMES]}
+```
+
+### Trust Store Config Type: CustomTrustStore
+
+```shell
+AUTHENTICATION_PROVIDER=ldap
+AUTHENTICATION_LDAP_HOST={HOST}
+AUTHENTICATION_LDAP_PORT={PORT}
+AUTHENTICATION_LOOKUP_ADMIN_DN={ADMIN_DN}
+AUTHENTICATION_LOOKUP_ADMIN_PWD={ADMIN_DN_PASSWORD}
+AUTHENTICATION_USER_LOOKUP_BASEDN={USER_DN}
+AUTHENTICATION_USER_MAIL_ATTR={MAIL_ATTRIBUTE}
+AUTHENTICATION_LDAP_POOL_SIZE=3
+AUTHENTICATION_LDAP_SSL_ENABLED=true
+AUTHENTICATION_LDAP_TRUSTSTORE_TYPE=TrustAll
+AUTHENTICATION_LDAP_TRUSTSTORE_PATH={TRUSTSTORE_FILEPATH}
+AUTHENTICATION_LDAP_KEYSTORE_PASSWORD={TRUSTSTORE_PASSWORD}
+AUTHENTICATION_LDAP_SSL_KEY_FORMAT={FORMAT} # JKS, PKCS12
+AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST=true
+AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES=true
+```
+
+## Start Docker
+
+```commandline
+docker compose --env-file ~/openmetadata_ldap.env up -d
+```
diff --git a/openmetadata-docs/content/deployment/security/ldap/index.md b/openmetadata-docs/content/deployment/security/ldap/index.md
index 22fc4809dfc..a094e0455bd 100644
--- a/openmetadata-docs/content/deployment/security/ldap/index.md
+++ b/openmetadata-docs/content/deployment/security/ldap/index.md
@@ -4,157 +4,39 @@ slug: /deployment/security/ldap
---
# Setting up Ldap Authentication
+
+
+Security requirements for your **production** environment:
+- **DELETE** the admin default account shipped by OM in case you had [Basic Authentication](/deployment/security/basic-auth)
+ enabled before configuring the authentication with Auth0 SSO.
+- **UPDATE** the Private / Public keys used for the [JWT Tokens](/deployment/security/enable-jwt-tokens). The keys we provide
+ by default are aimed only for quickstart and testing purposes. They should NEVER be used in a production installation.
+
+
OpenMetadata allows using LDAP for validating email and password authentication.
Once setup successfully, the user should be able to sign in to OpenMetadata using the Ldap credentials.
-Below are the required steps to set up the LDAP Authentication:
+Below are the configuration types to set up the LDAP Authentication:
-## Set up Configurations in openmetadata.yaml
-
-### Authentication Configuration
-
-The following configuration controls the auth mechanism for OpenMetadata. Update the mentioned fields as required.
-
-```yaml
-authenticationConfiguration:
- provider: ${AUTHENTICATION_PROVIDER:-ldap}
- publicKeyUrls: ${AUTHENTICATION_PUBLIC_KEYS:-[http://localhost:8585/api/v1/system/config/jwks]}
- authority: ${AUTHENTICATION_AUTHORITY:-https://accounts.google.com}
- enableSelfSignup : ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-false}
- ldapConfiguration:
- host: ${AUTHENTICATION_LDAP_HOST:-localhost}
- port: ${AUTHENTICATION_LDAP_PORT:-10636}
- dnAdminPrincipal: ${AUTHENTICATION_LOOKUP_ADMIN_DN:-"cn=admin,dc=example,dc=com"}
- dnAdminPassword: ${AUTHENTICATION_LOOKUP_ADMIN_PWD:-"secret"}
- userBaseDN: ${AUTHENTICATION_USER_LOOKUP_BASEDN:-"ou=people,dc=example,dc=com"}
- mailAttributeName: ${AUTHENTICATION_USER_MAIL_ATTR:-email}
- # Optional
- maxPoolSize: ${AUTHENTICATION_LDAP_POOL_SIZE:-3}
- sslEnabled: ${AUTHENTICATION_LDAP_SSL_ENABLED:-true}
- truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-TrustAll} # {CustomTrustStore, HostName, JVMDefault, TrustAll}
- trustStoreConfig:
- customTrustManagerConfig:
- trustStoreFilePath: ${AUTHENTICATION_LDAP_TRUSTSTORE_PATH:-}
- trustStoreFilePassword: ${AUTHENTICATION_LDAP_KEYSTORE_PASSWORD:-}
- trustStoreFileFormat: ${AUTHENTICATION_LDAP_SSL_KEY_FORMAT:-}
- verifyHostname: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-}
- examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-}
- hostNameConfig:
- allowWildCards: ${AUTHENTICATION_LDAP_ALLOW_WILDCARDS:-}
- acceptableHostNames: ${AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES:-[]}
- jvmDefaultConfig:
- verifyHostname: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-}
- trustAllConfig:
- examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true}
-```
-
-For the LDAP auth we need to set:
-
-OpenMetadata Specific Configuration :
-
-- `provider`: ldap
-- `publicKeyUrls`: {http|https}://{your_domain}:{port}}/api/v1/system/config/jwks
-- `authority`: {your_domain}
-- `enableSelfSignup`: This has to be false for Ldap.
-
-
-
-Mandatory LDAP Specific Configuration:
-
-- `host`: hostName for the Ldap Server (Ex - localhost).
-- `port`: port of the Ldap Server to connect to (Ex - 10636).
-- `dnAdminPrincipal`: This is the DN Admin Principal(Complete path Example :- cn=admin,dc=example,dc=com ) with a lookup access in the Directory.
-- `dnAdminPassword`: Above Admin Principal Password.
-- `userBaseDN`: User Base DN(Complete path Example :- ou=people,dc=example,dc=com).
-
-
-
-Please see the below image for a sample LDAP Configuration in ApacheDS.
-
-
-
-Advanced LDAP Specific Configuration (Optional):
-
-- `maxPoolSize`: Connection Pool Size to use to connect to LDAP Server.
-- `sslEnabled`: Set to true if the SSL is enable to connect to LDAP Server.
-- `truststoreConfigType`: Truststore type. It is required. Can select from {CustomTrustStore, HostName, JVMDefault, TrustAll}
-- `trustStoreConfig`: Config for the selected truststore type. Please check below note for setting this up.
-
-
-
-Based on the different `truststoreConfigType`, we have following different `trustStoreConfig`.
-
-1. **TrustAll**: Provides an SSL trust manager which will blindly trust any certificate that is presented to it, although it may optionally reject certificates that are expired or not yet valid. It can be convenient for testing purposes, but it is recommended that production environments use trust managers that perform stronger validation.
-
-```yaml
- truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-TrustAll}
- trustStoreConfig:
- trustAllConfig:
- examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true}
-```
-
-- `examineValidityDates`: Indicates whether to reject certificates if the current time is outside the validity window for the certificate.
-
-2. **JVMDefault**: Provides an implementation of a trust manager that relies on the JVM's default set of trusted issuers.
-
-```yaml
- truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-JVMDefault}
- trustStoreConfig:
- jvmDefaultConfig:
- verifyHostname: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-true}
-```
-
-- `verifyHostname`: Controls using TrustAllSSLSocketVerifier vs HostNameSSLSocketVerifier. In case the certificate contains cn=hostname of the Ldap Server set it to true.
-
-3. **HostName**: Provides an SSL trust manager that will only accept certificates whose hostname matches an expected value.
-
-```yaml
- truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-HostName}
- trustStoreConfig:
- hostNameConfig:
- allowWildCards: ${AUTHENTICATION_LDAP_ALLOW_WILDCARDS:-false}
- acceptableHostNames: ${AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES:-[localhost]}
-```
-
-- `allowWildCards`: Indicates whether to allow wildcard certificates which contain an asterisk as the first component of a CN subject attribute or dNSName subjectAltName extension.
-- `acceptableHostNames`: The set of hostnames and/or IP addresses that will be considered acceptable. Only certificates with a CN or subjectAltName value that exactly matches one of these names (ignoring differences in capitalization) will be considered acceptable. It must not be null or empty.
-
-4. **CustomTrustStore**: Use the custom Truststore by providing the below details in the config.
-
-```yaml
- truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-CustomTrustStore}
- trustStoreConfig:
- customTrustManagerConfig:
- trustStoreFilePath: ${AUTHENTICATION_LDAP_TRUSTSTORE_PATH:-/Users/parthpanchal/trusted.ks}
- trustStoreFilePassword: ${AUTHENTICATION_LDAP_KEYSTORE_PASSWORD:-secret}
- trustStoreFileFormat: ${AUTHENTICATION_LDAP_SSL_KEY_FORMAT:-JKS}
- verifyHostname: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-true}
- examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true}
-```
-
-- `trustStoreFilePath`: The path to the trust store file to use. It must not be null.
-- `trustStoreFilePassword`: The PIN to use to access the contents of the trust store. It may be null if no PIN is required.
-- `trustStoreFileFormat`: The format to use for the trust store. (Example :- JKS, PKCS12).
-- `verifyHostname`: Controls using TrustAllSSLSocketVerifier vs HostNameSSLSocketVerifier. In case the certificate contains cn=hostname of the Ldap Server set it to true.
-- `examineValidityDates`: Indicates whether to reject certificates if the current time is outside the validity window for the certificate.
-
-
-
-### Authorizer Configuration
-
-This configuration controls the authorizer for OpenMetadata:
-
-```yaml
-authorizerConfiguration:
- adminPrincipals: ${AUTHORIZER_ADMIN_PRINCIPALS:-[admin]}
- principalDomain: ${AUTHORIZER_PRINCIPAL_DOMAIN:-"openmetadata.org"}
-```
-
-For the Ldap we need to set:
-
-- `adminPrincipals`: This is the list of admin Principal for the OpenMetadata , if mail in ldap is example@openmetadata.org, then if we want this user to be admin in the OM, we should add 'example', in this list.
-- `principalDomain`: Company Domain.
+
+
+ Configure LDAP for your Docker Deployment.
+
+
+ Configure LDAP for your Bare Metal Deployment.
+
+
## Metadata Ingestion
diff --git a/openmetadata-docs/content/menu.md b/openmetadata-docs/content/menu.md
index 85a0c860aaa..d6be5dd50a7 100644
--- a/openmetadata-docs/content/menu.md
+++ b/openmetadata-docs/content/menu.md
@@ -61,6 +61,10 @@ site_menu:
url: /deployment/security/basic-auth
- category: Deployment / Enable Security / Ldap Authentication
url: /deployment/security/ldap
+ - category: Deployment / Enable Security / Ldap Authentication / Docker
+ url: /deployment/security/ldap/docker
+ - category: Deployment / Enable Security / Ldap Authentication / Bare Metal
+ url: /deployment/security/ldap/bare-metal
- category: Deployment / Enable Security / Auth0 SSO
url: /deployment/security/auth0
- category: Deployment / Enable Security / Auth0 SSO / Docker
diff --git a/openmetadata-service/src/main/java/org/openmetadata/service/resources/system/ConfigResource.java b/openmetadata-service/src/main/java/org/openmetadata/service/resources/system/ConfigResource.java
index d4b17867d28..ac90da8f972 100644
--- a/openmetadata-service/src/main/java/org/openmetadata/service/resources/system/ConfigResource.java
+++ b/openmetadata-service/src/main/java/org/openmetadata/service/resources/system/ConfigResource.java
@@ -66,6 +66,7 @@ public class ConfigResource {
AuthenticationConfiguration authenticationConfiguration = new AuthenticationConfiguration();
if (openMetadataApplicationConfig.getAuthenticationConfiguration() != null) {
authenticationConfiguration = openMetadataApplicationConfig.getAuthenticationConfiguration();
+ authenticationConfiguration.setLdapConfiguration(null);
}
return authenticationConfiguration;
}
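Review bot: The added `authenticationConfiguration.setLdapConfiguration(null);` runs on the object returned by `openMetadataApplicationConfig.getAuthenticationConfiguration()`, not on a copy. If that getter hands back the live configuration instance (not visible in this hunk), the first request to this endpoint would clear the LDAP settings for the whole process, and any later reader of the config would see `null`. It would be safer to fill the fresh `new AuthenticationConfiguration()` created on the first line with only the fields a client needs and leave `ldapConfiguration` unset. That also turns the redaction into an allow-list, so a secret-bearing field added later is not returned by default. Whichever form is kept, a comment such as `// ldapConfiguration carries dnAdminPassword and trust store passwords; never return it from this endpoint` would record the intent; the method's signature and annotations are outside the hunk.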