Added ldap docker documentation (#10641)

This commit is contained in:
Parth Panchal 2023-03-17 14:23:02 +05:30 committed by GitHub
parent aeec285901
commit 796fb8e768
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 332 additions and 146 deletions

View File

@ -0,0 +1,157 @@
---
title: Ldap Authentication for Bare Metal
slug: /deployment/security/ldap/bare-metal
---
# Ldap Authentication for Bare Metal
## Set up Configurations in openmetadata.yaml
### Authentication Configuration
The following configuration controls the auth mechanism for OpenMetadata. Update the mentioned fields as required.
```yaml
authenticationConfiguration:
provider: ${AUTHENTICATION_PROVIDER:-ldap}
publicKeyUrls: ${AUTHENTICATION_PUBLIC_KEYS:-[http://localhost:8585/api/v1/system/config/jwks]}
authority: ${AUTHENTICATION_AUTHORITY:-https://accounts.google.com}
enableSelfSignup : ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-false}
ldapConfiguration:
host: ${AUTHENTICATION_LDAP_HOST:-localhost}
port: ${AUTHENTICATION_LDAP_PORT:-10636}
dnAdminPrincipal: ${AUTHENTICATION_LOOKUP_ADMIN_DN:-"cn=admin,dc=example,dc=com"}
dnAdminPassword: ${AUTHENTICATION_LOOKUP_ADMIN_PWD:-"secret"}
userBaseDN: ${AUTHENTICATION_USER_LOOKUP_BASEDN:-"ou=people,dc=example,dc=com"}
mailAttributeName: ${AUTHENTICATION_USER_MAIL_ATTR:-email}
# Optional
maxPoolSize: ${AUTHENTICATION_LDAP_POOL_SIZE:-3}
sslEnabled: ${AUTHENTICATION_LDAP_SSL_ENABLED:-true}
truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-TrustAll} # {CustomTrustStore, HostName, JVMDefault, TrustAll}
trustStoreConfig:
customTrustManagerConfig:
trustStoreFilePath: ${AUTHENTICATION_LDAP_TRUSTSTORE_PATH:-}
trustStoreFilePassword: ${AUTHENTICATION_LDAP_KEYSTORE_PASSWORD:-}
trustStoreFileFormat: ${AUTHENTICATION_LDAP_SSL_KEY_FORMAT:-}
verifyHostname: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-}
examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-}
hostNameConfig:
allowWildCards: ${AUTHENTICATION_LDAP_ALLOW_WILDCARDS:-}
acceptableHostNames: ${AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES:-[]}
jvmDefaultConfig:
verifyHostname: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-}
trustAllConfig:
examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true}
```
For the LDAP auth we need to set:
OpenMetadata Specific Configuration :
- `provider`: ldap
- `publicKeyUrls`: {http|https}://{your_domain}:{port}}/api/v1/system/config/jwks
- `authority`: {your_domain}
- `enableSelfSignup`: This has to be false for Ldap.
<Note>
Mandatory LDAP Specific Configuration:
- `host`: hostName for the Ldap Server (Ex - localhost).
- `port`: port of the Ldap Server to connect to (Ex - 10636).
- `dnAdminPrincipal`: This is the DN Admin Principal(Complete path Example :- cn=admin,dc=example,dc=com ) with a lookup access in the Directory.
- `dnAdminPassword`: Above Admin Principal Password.
- `userBaseDN`: User Base DN(Complete path Example :- ou=people,dc=example,dc=com).
</Note>
Please see the below image for a sample LDAP Configuration in ApacheDS.
<Image src="/images/deployment/security/ldap/Ldap_ScreenShot1.png" alt="apache-ldap"/>
Advanced LDAP Specific Configuration (Optional):
- `maxPoolSize`: Connection Pool Size to use to connect to LDAP Server.
- `sslEnabled`: Set to true if the SSL is enable to connect to LDAP Server.
- `truststoreConfigType`: Truststore type. It is required. Can select from {CustomTrustStore, HostName, JVMDefault, TrustAll}
- `trustStoreConfig`: Config for the selected truststore type. Please check below note for setting this up.
<Note>
Based on the different `truststoreConfigType`, we have following different `trustStoreConfig`.
1. **TrustAll**: Provides an SSL trust manager which will blindly trust any certificate that is presented to it, although it may optionally reject certificates that are expired or not yet valid. It can be convenient for testing purposes, but it is recommended that production environments use trust managers that perform stronger validation.
```yaml
truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-TrustAll}
trustStoreConfig:
trustAllConfig:
examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true}
```
- `examineValidityDates`: Indicates whether to reject certificates if the current time is outside the validity window for the certificate.
2. **JVMDefault**: Provides an implementation of a trust manager that relies on the JVM's default set of trusted issuers.
```yaml
truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-JVMDefault}
trustStoreConfig:
jvmDefaultConfig:
verifyHostname: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-true}
```
- `verifyHostname`: Controls using TrustAllSSLSocketVerifier vs HostNameSSLSocketVerifier. In case the certificate contains cn=hostname of the Ldap Server set it to true.
3. **HostName**: Provides an SSL trust manager that will only accept certificates whose hostname matches an expected value.
```yaml
truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-HostName}
trustStoreConfig:
hostNameConfig:
allowWildCards: ${AUTHENTICATION_LDAP_ALLOW_WILDCARDS:-false}
acceptableHostNames: ${AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES:-[localhost]}
```
- `allowWildCards`: Indicates whether to allow wildcard certificates which contain an asterisk as the first component of a CN subject attribute or dNSName subjectAltName extension.
- `acceptableHostNames`: The set of hostnames and/or IP addresses that will be considered acceptable. Only certificates with a CN or subjectAltName value that exactly matches one of these names (ignoring differences in capitalization) will be considered acceptable. It must not be null or empty.
4. **CustomTrustStore**: Use the custom Truststore by providing the below details in the config.
```yaml
truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-CustomTrustStore}
trustStoreConfig:
customTrustManagerConfig:
trustStoreFilePath: ${AUTHENTICATION_LDAP_TRUSTSTORE_PATH:-/Users/parthpanchal/trusted.ks}
trustStoreFilePassword: ${AUTHENTICATION_LDAP_KEYSTORE_PASSWORD:-secret}
trustStoreFileFormat: ${AUTHENTICATION_LDAP_SSL_KEY_FORMAT:-JKS}
verifyHostname: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-true}
examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true}
```
- `trustStoreFilePath`: The path to the trust store file to use. It must not be null.
- `trustStoreFilePassword`: The PIN to use to access the contents of the trust store. It may be null if no PIN is required.
- `trustStoreFileFormat`: The format to use for the trust store. (Example :- JKS, PKCS12).
- `verifyHostname`: Controls using TrustAllSSLSocketVerifier vs HostNameSSLSocketVerifier. In case the certificate contains cn=hostname of the Ldap Server set it to true.
- `examineValidityDates`: Indicates whether to reject certificates if the current time is outside the validity window for the certificate.
</Note>
### Authorizer Configuration
This configuration controls the authorizer for OpenMetadata:
```yaml
authorizerConfiguration:
adminPrincipals: ${AUTHORIZER_ADMIN_PRINCIPALS:-[admin]}
principalDomain: ${AUTHORIZER_PRINCIPAL_DOMAIN:-"openmetadata.org"}
```
For the Ldap we need to set:
- `adminPrincipals`: This is the list of admin Principal for the OpenMetadata , if mail in ldap is example@openmetadata.org, then if we want this user to be admin in the OM, we should add 'example', in this list.
- `principalDomain`: Company Domain.
## Metadata Ingestion
For ingesting metadata when LDAP is enabled, it is mandatory to configure the `ingestion-bot` account with the JWT configuration.
To know how to enable it, you can follow the documentation of [Enable JWT Tokens](/deployment/security/enable-jwt-tokens).
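Review bot: the reference block on this page ships insecure fallbacks and then tells the reader not to use them: `truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-TrustAll}` makes TrustAll the default even though the note below says TrustAll will "blindly trust any certificate" and is not recommended for production, and `dnAdminPassword: ${AUTHENTICATION_LOOKUP_ADMIN_PWD:-"secret"}` embeds a bind password in the sample. Default the type to `JVMDefault` (or give it no fallback so it must be set explicitly) and drop the password default. The CustomTrustStore sample also leaks a developer's home directory in `trustStoreFilePath: ${AUTHENTICATION_LDAP_TRUSTSTORE_PATH:-/Users/parthpanchal/trusted.ks}`; use a placeholder such as `{TRUSTSTORE_FILEPATH}`, as the docker page does. Smaller fixes in the same hunk: `authority: ${AUTHENTICATION_AUTHORITY:-https://accounts.google.com}` contradicts the text that says `authority` should be `{your_domain}` for LDAP and reads as a leftover from the Google SSO page; the `publicKeyUrls` line has a stray brace in `{port}}`; and the two `verifyHostname` descriptions ("In case the certificate contains cn=hostname ... set it to true") should state that it must be true outside testing, since false selects the TrustAll socket verifier and disables hostname checking.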

View File

@ -0,0 +1,142 @@
---
title: Ldap Authentication for Docker
slug: /deployment/security/ldap/docker
---
# Ldap Authentication for Docker
To enable LDAP for docker deployment, there are a couple of files/certificates which are required to carry out the process.
With the help of this documentation, we can provide those files/certificates to the docker container to use.
To enable security for the Docker deployment, follow the next steps:
## Ways to configure LDAP using docker
* #### [**Using Volumes**](#configure-using-volumes)
* #### [**Extending docker image**](#extend-the-openmetadata-server-docker-image)
## Configure Using Volumes
In `docker/docker-compose-quickstart/docker-compose.yml` file configure the volumes based on the `truststoreConfigType`
**NO NEED TO ADD VOLUMES IF** `truststoreConfigType` **IS** `TrustAll` **OR** `HostName`.
### **Using JVMDefault**
For docker container to access cacerts, copy the cacerts to `docker/ldap/config` and add the path in volumes.
```shell
volumes:
- docker/ldap/config/cacerts:/usr/lib/jvm/java-11-openjdk/lib/security/cacerts
```
### **Using CustomTrustStore**
For docker container to access your truststore, copy the truststore to `docker/ldap/config` and add the path in volumes.
```shell
volumes:
- docker/ldap/config/{YOUR_TRUSTSTORE}:/opt/openmetadata/ldap/truststore/{YOUR_TRUSTSTORE}
```
## Extend the OpenMetadata server docker image
Create a docker file and add the following details based on the `truststoreConfigType`.
**NO NEED TO CREATE THIS FILE IF** `truststoreConfigType` **IS** `TrustAll` **OR** `HostName`.
### **Using JVMDefault**
For docker container to access cacerts, copy the cacerts to `docker/ldap/config` as shown below.
```shell
FROM docker.getcollate.io/openmetadata/server:0.13.2
COPY docker/ldap/config/cacerts /usr/lib/jvm/java-11-openjdk/lib/security/cacerts
```
### **Using CustomTrustStore**
For docker container to access your truststore, copy the truststore to `docker/ldap/config` as shown below.
```shell
FROM docker.getcollate.io/openmetadata/server:0.13.2
COPY docker/ldap/config/{YOUR_TRUSTSTORE} /opt/openmetadata/ldap/truststore/{YOUR_TRUSTSTORE}
```
Run the following command from OpenMetadata root directory to create an image:
```text
docker build -f {DOCKER_FILE_PATH} -t {DOCKER_NAME}:{TAG} .
```
**NOTE:** After the image is created, in `docker/docker-compose-quickstart/docker-compose.yml` file, under openmetadata-server service replace the image name with the above created docker image.
```shell
image: {DOCKER_NAME}:{TAG}
```
## Create an .env file
Create an openmetadata_ldap.env file and add the following contents as an example. Use the information generated when setting up the account.
Based on the different `truststoreConfigType`, we have following different `trustStoreConfig`.
### Trust Store Config Type: TrustAll
```shell
AUTHENTICATION_PROVIDER=ldap
AUTHENTICATION_LDAP_HOST={HOST}
AUTHENTICATION_LDAP_PORT={PORT}
AUTHENTICATION_LOOKUP_ADMIN_DN={ADMIN_DN}
AUTHENTICATION_LOOKUP_ADMIN_PWD={ADMIN_DN_PASSWORD}
AUTHENTICATION_USER_LOOKUP_BASEDN={USER_DN}
AUTHENTICATION_USER_MAIL_ATTR={MAIL_ATTRIBUTE}
AUTHENTICATION_LDAP_POOL_SIZE=3
AUTHENTICATION_LDAP_SSL_ENABLED=true
AUTHENTICATION_LDAP_TRUSTSTORE_TYPE=TrustAll
AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES=true
```
### Trust Store Config Type: JVMDefault
```shell
AUTHENTICATION_PROVIDER=ldap
AUTHENTICATION_LDAP_HOST={HOST}
AUTHENTICATION_LDAP_PORT={PORT}
AUTHENTICATION_LOOKUP_ADMIN_DN={ADMIN_DN}
AUTHENTICATION_LOOKUP_ADMIN_PWD={ADMIN_DN_PASSWORD}
AUTHENTICATION_USER_LOOKUP_BASEDN={USER_DN}
AUTHENTICATION_USER_MAIL_ATTR={MAIL_ATTRIBUTE}
AUTHENTICATION_LDAP_POOL_SIZE=3
AUTHENTICATION_LDAP_SSL_ENABLED=true
AUTHENTICATION_LDAP_TRUSTSTORE_TYPE=TrustAll
AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST=true
```
### Trust Store Config Type: HostName
```shell
AUTHENTICATION_PROVIDER=ldap
AUTHENTICATION_LDAP_HOST={HOST}
AUTHENTICATION_LDAP_PORT={PORT}
AUTHENTICATION_LOOKUP_ADMIN_DN={ADMIN_DN}
AUTHENTICATION_LOOKUP_ADMIN_PWD={ADMIN_DN_PASSWORD}
AUTHENTICATION_USER_LOOKUP_BASEDN={USER_DN}
AUTHENTICATION_USER_MAIL_ATTR={MAIL_ATTRIBUTE}
AUTHENTICATION_LDAP_POOL_SIZE=3
AUTHENTICATION_LDAP_SSL_ENABLED=true
AUTHENTICATION_LDAP_TRUSTSTORE_TYPE=TrustAll
AUTHENTICATION_LDAP_ALLOW_WILDCARDS=false
AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES={[ACCEPTABLE_HOSTNAMES]}
```
### Trust Store Config Type: CustomTrustStore
```shell
AUTHENTICATION_PROVIDER=ldap
AUTHENTICATION_LDAP_HOST={HOST}
AUTHENTICATION_LDAP_PORT={PORT}
AUTHENTICATION_LOOKUP_ADMIN_DN={ADMIN_DN}
AUTHENTICATION_LOOKUP_ADMIN_PWD={ADMIN_DN_PASSWORD}
AUTHENTICATION_USER_LOOKUP_BASEDN={USER_DN}
AUTHENTICATION_USER_MAIL_ATTR={MAIL_ATTRIBUTE}
AUTHENTICATION_LDAP_POOL_SIZE=3
AUTHENTICATION_LDAP_SSL_ENABLED=true
AUTHENTICATION_LDAP_TRUSTSTORE_TYPE=TrustAll
AUTHENTICATION_LDAP_TRUSTSTORE_PATH={TRUSTSTORE_FILEPATH}
AUTHENTICATION_LDAP_KEYSTORE_PASSWORD={TRUSTSTORE_PASSWORD}
AUTHENTICATION_LDAP_SSL_KEY_FORMAT={FORMAT} # JKS, PKCS12
AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST=true
AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES=true
```
## Start Docker
```commandline
docker compose --env-file ~/openmetadata_ldap.env up -d
```
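Review bot: the env-file examples for JVMDefault, HostName and CustomTrustStore all set `AUTHENTICATION_LDAP_TRUSTSTORE_TYPE=TrustAll`, so a reader who copies the CustomTrustStore block gets a server that ignores the truststore they just mounted and accepts any certificate; change the value in each block to the type named in its heading (`JVMDefault`, `HostName`, `CustomTrustStore`). In the CustomTrustStore block, say that `AUTHENTICATION_LDAP_TRUSTSTORE_PATH={TRUSTSTORE_FILEPATH}` is the path inside the container, i.e. the `/opt/openmetadata/ldap/truststore/{YOUR_TRUSTSTORE}` target of the volume or `COPY` line above, not the host path. The volume entries `- docker/ldap/config/cacerts:...` and `- docker/ldap/config/{YOUR_TRUSTSTORE}:...` use bare relative sources; Compose treats a source that does not start with `./` or `../` as a named volume rather than a bind mount, so prefix them with `./`. Also, the compose and Dockerfile snippets are fenced as `shell`; tag them `yaml` and `dockerfile` so they render correctly.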

View File

@ -4,157 +4,39 @@ slug: /deployment/security/ldap
---
# Setting up Ldap Authentication
<Important>
Security requirements for your **production** environment:
- **DELETE** the admin default account shipped by OM in case you had [Basic Authentication](/deployment/security/basic-auth)
enabled before configuring the authentication with Auth0 SSO.
- **UPDATE** the Private / Public keys used for the [JWT Tokens](/deployment/security/enable-jwt-tokens). The keys we provide
by default are aimed only for quickstart and testing purposes. They should NEVER be used in a production installation.
</Important>
OpenMetadata allows using LDAP for validating email and password authentication.
Once setup successfully, the user should be able to sign in to OpenMetadata using the Ldap credentials.
Below are the required steps to set up the LDAP Authentication:
Below are the configuration types to set up the LDAP Authentication:
## Set up Configurations in openmetadata.yaml
### Authentication Configuration
The following configuration controls the auth mechanism for OpenMetadata. Update the mentioned fields as required.
```yaml
authenticationConfiguration:
provider: ${AUTHENTICATION_PROVIDER:-ldap}
publicKeyUrls: ${AUTHENTICATION_PUBLIC_KEYS:-[http://localhost:8585/api/v1/system/config/jwks]}
authority: ${AUTHENTICATION_AUTHORITY:-https://accounts.google.com}
enableSelfSignup : ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-false}
ldapConfiguration:
host: ${AUTHENTICATION_LDAP_HOST:-localhost}
port: ${AUTHENTICATION_LDAP_PORT:-10636}
dnAdminPrincipal: ${AUTHENTICATION_LOOKUP_ADMIN_DN:-"cn=admin,dc=example,dc=com"}
dnAdminPassword: ${AUTHENTICATION_LOOKUP_ADMIN_PWD:-"secret"}
userBaseDN: ${AUTHENTICATION_USER_LOOKUP_BASEDN:-"ou=people,dc=example,dc=com"}
mailAttributeName: ${AUTHENTICATION_USER_MAIL_ATTR:-email}
# Optional
maxPoolSize: ${AUTHENTICATION_LDAP_POOL_SIZE:-3}
sslEnabled: ${AUTHENTICATION_LDAP_SSL_ENABLED:-true}
truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-TrustAll} # {CustomTrustStore, HostName, JVMDefault, TrustAll}
trustStoreConfig:
customTrustManagerConfig:
trustStoreFilePath: ${AUTHENTICATION_LDAP_TRUSTSTORE_PATH:-}
trustStoreFilePassword: ${AUTHENTICATION_LDAP_KEYSTORE_PASSWORD:-}
trustStoreFileFormat: ${AUTHENTICATION_LDAP_SSL_KEY_FORMAT:-}
verifyHostname: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-}
examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-}
hostNameConfig:
allowWildCards: ${AUTHENTICATION_LDAP_ALLOW_WILDCARDS:-}
acceptableHostNames: ${AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES:-[]}
jvmDefaultConfig:
verifyHostname: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-}
trustAllConfig:
examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true}
```
For the LDAP auth we need to set:
OpenMetadata Specific Configuration :
- `provider`: ldap
- `publicKeyUrls`: {http|https}://{your_domain}:{port}}/api/v1/system/config/jwks
- `authority`: {your_domain}
- `enableSelfSignup`: This has to be false for Ldap.
<Note>
Mandatory LDAP Specific Configuration:
- `host`: hostName for the Ldap Server (Ex - localhost).
- `port`: port of the Ldap Server to connect to (Ex - 10636).
- `dnAdminPrincipal`: This is the DN Admin Principal(Complete path Example :- cn=admin,dc=example,dc=com ) with a lookup access in the Directory.
- `dnAdminPassword`: Above Admin Principal Password.
- `userBaseDN`: User Base DN(Complete path Example :- ou=people,dc=example,dc=com).
</Note>
Please see the below image for a sample LDAP Configuration in ApacheDS.
<Image src="/images/deployment/security/ldap/Ldap_ScreenShot1.png" alt="apache-ldap"/>
Advanced LDAP Specific Configuration (Optional):
- `maxPoolSize`: Connection Pool Size to use to connect to LDAP Server.
- `sslEnabled`: Set to true if the SSL is enable to connect to LDAP Server.
- `truststoreConfigType`: Truststore type. It is required. Can select from {CustomTrustStore, HostName, JVMDefault, TrustAll}
- `trustStoreConfig`: Config for the selected truststore type. Please check below note for setting this up.
<Note>
Based on the different `truststoreConfigType`, we have following different `trustStoreConfig`.
1. **TrustAll**: Provides an SSL trust manager which will blindly trust any certificate that is presented to it, although it may optionally reject certificates that are expired or not yet valid. It can be convenient for testing purposes, but it is recommended that production environments use trust managers that perform stronger validation.
```yaml
truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-TrustAll}
trustStoreConfig:
trustAllConfig:
examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true}
```
- `examineValidityDates`: Indicates whether to reject certificates if the current time is outside the validity window for the certificate.
2. **JVMDefault**: Provides an implementation of a trust manager that relies on the JVM's default set of trusted issuers.
```yaml
truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-JVMDefault}
trustStoreConfig:
jvmDefaultConfig:
verifyHostname: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-true}
```
- `verifyHostname`: Controls using TrustAllSSLSocketVerifier vs HostNameSSLSocketVerifier. In case the certificate contains cn=hostname of the Ldap Server set it to true.
3. **HostName**: Provides an SSL trust manager that will only accept certificates whose hostname matches an expected value.
```yaml
truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-HostName}
trustStoreConfig:
hostNameConfig:
allowWildCards: ${AUTHENTICATION_LDAP_ALLOW_WILDCARDS:-false}
acceptableHostNames: ${AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES:-[localhost]}
```
- `allowWildCards`: Indicates whether to allow wildcard certificates which contain an asterisk as the first component of a CN subject attribute or dNSName subjectAltName extension.
- `acceptableHostNames`: The set of hostnames and/or IP addresses that will be considered acceptable. Only certificates with a CN or subjectAltName value that exactly matches one of these names (ignoring differences in capitalization) will be considered acceptable. It must not be null or empty.
4. **CustomTrustStore**: Use the custom Truststore by providing the below details in the config.
```yaml
truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-CustomTrustStore}
trustStoreConfig:
customTrustManagerConfig:
trustStoreFilePath: ${AUTHENTICATION_LDAP_TRUSTSTORE_PATH:-/Users/parthpanchal/trusted.ks}
trustStoreFilePassword: ${AUTHENTICATION_LDAP_KEYSTORE_PASSWORD:-secret}
trustStoreFileFormat: ${AUTHENTICATION_LDAP_SSL_KEY_FORMAT:-JKS}
verifyHostname: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-true}
examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true}
```
- `trustStoreFilePath`: The path to the trust store file to use. It must not be null.
- `trustStoreFilePassword`: The PIN to use to access the contents of the trust store. It may be null if no PIN is required.
- `trustStoreFileFormat`: The format to use for the trust store. (Example :- JKS, PKCS12).
- `verifyHostname`: Controls using TrustAllSSLSocketVerifier vs HostNameSSLSocketVerifier. In case the certificate contains cn=hostname of the Ldap Server set it to true.
- `examineValidityDates`: Indicates whether to reject certificates if the current time is outside the validity window for the certificate.
</Note>
### Authorizer Configuration
This configuration controls the authorizer for OpenMetadata:
```yaml
authorizerConfiguration:
adminPrincipals: ${AUTHORIZER_ADMIN_PRINCIPALS:-[admin]}
principalDomain: ${AUTHORIZER_PRINCIPAL_DOMAIN:-"openmetadata.org"}
```
For the Ldap we need to set:
- `adminPrincipals`: This is the list of admin Principal for the OpenMetadata , if mail in ldap is example@openmetadata.org, then if we want this user to be admin in the OM, we should add 'example', in this list.
- `principalDomain`: Company Domain.
<InlineCalloutContainer>
<InlineCallout
color="violet-70"
icon="celebration"
bold="Docker Security"
href="/deployment/security/ldap/docker"
>
Configure LDAP for your Docker Deployment.
</InlineCallout>
<InlineCallout
color="violet-70"
icon="storage"
bold="Bare Metal Security"
href="/deployment/security/ldap/bare-metal"
>
Configure LDAP for your Bare Metal Deployment.
</InlineCallout>
</InlineCalloutContainer>
## Metadata Ingestion
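Review bot: the `<Important>` callout kept at the top of this page still tells the reader to delete the default admin account "before configuring the authentication with Auth0 SSO"; this is the LDAP page, so it should say LDAP. With the `authenticationConfiguration` and `authorizerConfiguration` reference removed from this landing page and moved verbatim into the bare-metal page, the field descriptions (what `dnAdminPrincipal`, `userBaseDN` and the four `truststoreConfigType` options mean) are now reachable only through the Bare Metal callout, while the Docker page lists the env variables without defining them; either keep the reference here or have the Docker page link to it. The `## Metadata Ingestion` heading is retained as trailing context, so check that its body (the `ingestion-bot` JWT note) still follows it after the deletion.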

View File

@ -61,6 +61,10 @@ site_menu:
url: /deployment/security/basic-auth
- category: Deployment / Enable Security / Ldap Authentication
url: /deployment/security/ldap
- category: Deployment / Enable Security / Ldap Authentication / Docker
url: /deployment/security/ldap/docker
- category: Deployment / Enable Security / Ldap Authentication / Bare Metal
url: /deployment/security/ldap/bare-metal
- category: Deployment / Enable Security / Auth0 SSO
url: /deployment/security/auth0
- category: Deployment / Enable Security / Auth0 SSO / Docker

View File

@ -66,6 +66,7 @@ public class ConfigResource {
AuthenticationConfiguration authenticationConfiguration = new AuthenticationConfiguration();
if (openMetadataApplicationConfig.getAuthenticationConfiguration() != null) {
authenticationConfiguration = openMetadataApplicationConfig.getAuthenticationConfiguration();
authenticationConfiguration.setLdapConfiguration(null);
}
return authenticationConfiguration;
}
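Review bot: `authenticationConfiguration.setLdapConfiguration(null);` mutates the live configuration object, because the line above assigns `authenticationConfiguration = openMetadataApplicationConfig.getAuthenticationConfiguration();` rather than a copy; unless that getter returns a defensive copy, the first request to this endpoint clears the LDAP settings (host, bind DN, bind password, truststore) for the running server. Redacting the bind credentials before exposing the config is the right goal; apply it to a copy or to a response DTO so the in-memory configuration is untouched.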