Configuring LDAP / Active Directory with Posit Team
Many Posit Team customers use LDAP or Active Directory to authenticate into their server. LDAP (Lightweight Directory Access Protocol) is a directory service, frequently used for authentication. Active Directory (AD) is a Microsoft directory service that implements LDAP.
The instructions below apply the same whether your implementation is Active Directory or some other LDAP implementation.
If you are using Azure Active Directory, you will want to configure Posit Team to use SAML authentication rather than LDAP.
Summary of using LDAP with Connect
To configure Connect with LDAP, you will
- Test that you have the proper LDAP server settings
- Configure the server with LDAP
- Restart Connect
- Test that your configuration works
1. Confirm LDAP Server Settings
The first step to successfully configuring Connect with LDAP is to check your LDAP server settings outside of Connect. If you cannot connect to your LDAP server from the command line, you will not be able to do so from Connect.
You will do all of the following from the command line after logging into the Connect server via SSH
.
In order to proceed, you will need to get the following, likely from your organization’s LDAP team.
- Your LDAP server information (host and port)
- The username and password of a normal user
- A Bind DN to use for a double-bind configuration (recommended)
- The user search base distinguished name
We recommend you configure LDAP in a double-bind configuration, or you will not be able to do anything other than confirm that a user is allowed access (use groups for example).
Check Networking
The first thing to ensure is that your networking is properly configured to allow Connect to access the LDAP server.
The command is
nc -vz <hostname> <port>
For LDAP, the standard port is 389
and LDAPS often uses 636
.
For example, if your LDAP server is configured on port 389
at ldap.example.org
, you would run
nc -vz ldap.example.org 389
A successful connection will return something like Connection to ldap.example.org port 389 succeeded!
LDAP Credentials
Your linux server probably has the command line utility ldapsearch
installed. If not, it can be apt
/yum
/zypper
installed.
The command to confirm your bind credentials is
ldapsearch -h <hostname> -p <port> -D <bind DN> -w <bind password> -b <user search DN>
You’ll need to use the full distinguished name (DN) for both the bind account and the user search in the command.
For example, for the LDAP server at ldap.example.org
on port 389
, if the bind DN were cn=admin,dc=example,dc=org
, the bind password was admin
, and the user search base DN was dc=example,dc=org
, you would run
ldapsearch -h ldap.example.org -p 389 -D "cn=admin,dc=example,dc=org" -w admin -b "dc=example,dc=org"
A proper configuration will return something like
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
If you are not using a double-bind configuration, sometimes called single or anonymous bind, you may be able to test using your own DN and password instead of the one for the bind account.
2. Configure the Server with LDAP
You will configure the server’s LDAP settings in an LDAP
block in the Connect config file, /etc/rstudio-connect/rstudio-connect.gfcg
.
For example, for the LDAP server at ldap.example.org
on port 389
, if the bind DN were cn=admin,dc=example,dc=org
and the bind password were admin
, the first few lines of the LDAP configuration would look like
; /etc/rstudio-connect/rstudio-connect.gcfg
[LDAP "My LDAP Config"]
ServerAddress = ldap.example.org:389
BindDN = "cn=admin,dc=example,dc=org"
BindPassword = admin
UserSearchBaseDN = "dc=example,dc=org"
The bind password can be encrypted in the config file using the included utility.
In the rest of the configuration, you’ll configure how Connect searches for users and map attributes like first and last name, unique id, and email from your LDAP server to Connect.
The exact names of attributes in your LDAP server may vary, but there are some common configurations for both Active Directory and Open LDAP. Example configurations are in the Connect admin guide.
There are many other LDAP configuration options for Connect. A complete list can be found in the admin guide.
3. Restart the Connect Service
Changes to the authentication mechanism will only be adopted when the server is stopped and restarted. If the server is on, restart it with sudo systemctl restart rstudio-connect
. If it is not, start it with sudo systemctl start rstudio-connect.
4. Test a User
To test that Connect is properly configured, attempt to login as a normal user. If the login succeeds, you have configured LDAP correctly in Connect.
You may also wish to publish a piece of content and add a group to the content to confirm groups are properly configured.