For a while I was trying to authenticate to an "LDAP server", implemented by Apache DS, from the Artifactory LDAP interface.
I use Artifactory 6.1.0, the Apache DS and LDAP perspective on Eclipse Oxygen.
In the DIT (Directory Information Tree), as you see, there are two users (admin and user1) under the organizational unit called system:
1- When I authenticate from the "user DN pattern" (uid=admin,ou=system) and I test the connection to the server, the test user should be the same as the specified user in the "user DN pattern"; if I try with another user (user1 for example) the connection to the server is established but the authentication fails.
Part1:
Part2:
Artifactory cmd error message:
=>The test user should be the same as specified in "user DN pattern"
2- If I use the "Manager DN" field and enter the password, even when I use the same user specified in the "Manager DN" as a test user, the authentication fails.
Part1:
Part2:
=>Even if the test user is the same, it's unable to authenticate.
A lot of confusion: Which method do I have to use to establish a connection to the LDAP server? Is there any difference between connecting through User DN pattern and Manager DN? Which fields (Search Filter, Search Base...) should not be kept empty for each method? And what to do to authenticate with a different test user?
In the tutorial provided by JFrog, the authentication using the "Manager DN method" with a different test user that is already created in the DIT works normally. => The tutorial: https://www.youtube.com/watch?v=_nT76RgXA2c
Finally I want to ask if to create LDAP groups I need the pro version of Artifactory, because it's disabled in the oss version? Can I get that module for free?!
I need a clear explanation please, thank you.
There are two "methods" of authentication you can choose from, or you can configure both:
"Search-based" authentication requires you to fill in Search Filter and Manager DN/Password, and optionally Search Base. Artifactory will connect to LDAP using the Manager DN user, and run a search for Search Filter. The LDAP server finds the appropriate user DN (Distinguished Name, basically a unique user id), and sends it back to Artifactory. Then Artifactory logs in using that user's DN.
"Direct" authentication requires you to only fill in the User DN Pattern field. This method skips the user search step, and just logs in with whatever DN is in the User DN Pattern field.
Both the User DN Pattern and Search Filter fields are patterns. Specifically, if these fields contain a "{0}", this gets replaced with the name of the user trying to authenticate.
The reason your User DN Pattern only allowed you to log in with the user admin is because it was hardcoded to always authenticate as admin regardless of which user was actually trying to log in. Instead of uid=admin,ou=system, the value should be uid={0},ou=system.
The reason your Manager DN was failing is probably because your Search Filter is wrong. Its value is sAMAccountName={0}, but I'm not seeing any property called sAMAccountName in your LDAP configuration. Instead, try setting the Search Filter to uid={0} (or alternatively, add a sAMAccountName field to each of your users in LDAP). Your Manager DN/Password and your Search Base seem fine as they are, I think.
Finally I want to ask if to create LDAP groups I need the pro version of Artifactory, because it's disabled in the oss version? Can I get that module for free?!
LDAP groups synchronization is a Pro feature, and is unavailable in OSS, so you do need to buy a Pro license to use it. You can't get it for free.
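The two methods described in the answer above, modeled against an in-memory stand-in for the question's directory. This is an added example, not Artifactory's code and not part of the original answer; the passwords, the function names and the user-name character check are assumptions made here.

```python
import re

# Constructed stand-in for the DIT in the question: DN -> (attributes, password).
# The passwords are made-up sample values.
DIRECTORY = {
    "uid=admin,ou=system": ({"uid": "admin"}, "secret"),
    "uid=user1,ou=system": ({"uid": "user1"}, "user1pw"),
}

def bind(dn, password):
    """Simulated simple bind: needs an existing DN and that entry's own password."""
    entry = DIRECTORY.get(dn)
    # An empty password is refused outright: on a real server it would be an
    # unauthenticated bind, which must never count as a successful login.
    return entry is not None and password != "" and entry[1] == password

def fill(pattern, username):
    """Replace {0} with the login name (hypothetical helper).

    Names containing characters that are special in DNs or filters are
    rejected so the substituted value cannot change the pattern's structure.
    """
    if not re.fullmatch(r"[A-Za-z0-9._-]+", username):
        raise ValueError("unsupported characters in user name")
    return pattern.replace("{0}", username)

def direct_auth(user_dn_pattern, username, password):
    """'Direct' method: bind as the DN built from the User DN Pattern."""
    return bind(fill(user_dn_pattern, username), password)

def search_auth(manager_dn, manager_pw, search_base, search_filter,
                username, password):
    """'Search-based' method: bind as manager, find the user's DN, bind as it."""
    if not bind(manager_dn, manager_pw):
        return False
    # Only a single equality filter (attr=value) is modeled here.
    attr, _sep, value = fill(search_filter, username).partition("=")
    matches = [dn for dn, (attrs, _pw) in DIRECTORY.items()
               if dn.endswith(search_base) and attrs.get(attr) == value]
    # Zero matches (attribute absent from the entries) or several is a failure.
    return len(matches) == 1 and bind(matches[0], password)
```

With the hardcoded pattern uid=admin,ou=system, user1's own password is always checked against the admin entry, and with sAMAccountName={0} the search returns no entry, so the second bind never happens.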