Available since indyco 4.4.0.0


Introduction


Integrating Indyco with LDAP simplifies user management by eliminating the need to manually create individual user accounts. 

LDAP integration allows users to access Indyco using their corporate password, making authentication seamless and efficient.


All LDAP configuration options are available in the "Settings => LDAP Integration" section of the application.


By default, LDAP is disabled:

 

Once enabled, you can choose between two integration modes: BindOnly and SecurityDomains, each offering distinct features to suit your organization's needs.


 


BindOnly Mode

 

This mode is designed to provide basic access for all users who have an LDAP account.


If a user with valid LDAP credentials logs in but does not yet have an account in Indyco, the system will automatically create one. 

This ensures that all LDAP users can access Indyco without requiring manual account creation, further simplifying the onboarding process.



Configuration Requirements


  • Server Address: The IP or hostname of the LDAP server.
  • Port: The port number on which the LDAP server is running.
  • SSL Support: Specify whether to use SSL for secure connections (see the Custom certificates chapter at the end of this page).


Optional Settings


  • Prefix: A string to prepend to the username during authentication.
  • Postfix: A string to append to the username during authentication.


Example of configuration in BindOnly mode:



Security Domains


To provide more granular control over user access, Indyco allows you to restrict LDAP authentication to users belonging to specific Security Domains.


A Security Domain is an entity defined by two key attributes:


  • UserBase: The directory path under which LDAP should perform its searches.
  • UserFilter: The criteria that users must meet to gain access.

Note that in the UserFilter field, you can access the username specified in the login form using the %s placeholder.


For example, consider the following Security Domain configuration:


UserBase: OU=Delivery,OU=Users,DC=alfaspa,DC=com

UserFilter: (&(sAMAccountName=%s)(memberOf=CN=GroupIndyco,OU=Groups,DC=alfaspa,DC=com))


In this case, the UserBase specifies that only users within the Delivery directory can access Indyco. The UserFilter further narrows the criteria by requiring that:


  • The user's sAMAccountName matches the %s placeholder (which is replaced by the username entered during login).
  • The user is a member of the group GroupIndyco, located at CN=GroupIndyco,OU=Groups,DC=alfaspa,DC=com.
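As an added illustration (not Indyco's own code), the following Python shows how a Security Domain's UserFilter template becomes the search that is run under its UserBase when someone logs in. The RFC 4515 escaping applied to the substituted username is this example's own assumption; the page does not describe how Indyco treats the placeholder internally.

```python
# Added example: turning a Security Domain (UserBase + UserFilter) and the
# username typed in the login form into an LDAP search base and filter.

# Constructed Security Domain, copied from the example in the text above.
SECURITY_DOMAIN = {
    "UserBase": "OU=Delivery,OU=Users,DC=alfaspa,DC=com",
    "UserFilter": "(&(sAMAccountName=%s)"
                  "(memberOf=CN=GroupIndyco,OU=Groups,DC=alfaspa,DC=com))",
}

# RFC 4515 escaping for a value placed inside a search filter (assumption: the
# page does not say whether Indyco escapes the placeholder). Characters with
# filter syntax meaning become a backslash plus two hex digits, so the login
# name can only ever be compared as a value of the sAMAccountName assertion.
_FILTER_SPECIALS = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for safe inclusion as an assertion value in a filter."""
    return "".join(_FILTER_SPECIALS.get(ch, ch) for ch in value)


def build_search(domain: dict, login_name: str) -> tuple[str, str]:
    """Return (search base, search filter) for checking a login name.

    %s in UserFilter stands for the username from the login form; it is
    replaced exactly once, after escaping.
    """
    template = domain["UserFilter"]
    if template.count("%s") != 1:
        raise ValueError("UserFilter must contain exactly one %s placeholder")
    search_filter = template.replace("%s", escape_filter_value(login_name))
    # Sanity check: substitution must not change the filter's structure, i.e.
    # the number of unescaped parentheses is the same as in the template.
    if search_filter.count("(") != template.count("("):
        raise ValueError("username substitution altered the filter structure")
    return domain["UserBase"], search_filter


if __name__ == "__main__":
    base, flt = build_search(SECURITY_DOMAIN, "jdoe")
    print("base:  ", base)
    print("filter:", flt)
```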


Configuration Requirements


When using this mode, in addition to the parameters required for BindOnly mode, you must configure at least one Security Domain and provide a service account that Indyco will use to query the LDAP directory.

This service account must not have an expiration date.


By leveraging Security Domains, you gain greater flexibility in segmenting the authentication permissions granted to users, ensuring access is tailored to specific organizational needs.


Example of configuration in Security Domains mode:


Note that because no Security Domain has been added yet, the Save button is disabled and a warning sign is shown next to the "Security Domains" tab name.


Example of adding a Security Domain:



Custom certificates

You may need to enable the use of custom SSL certificates when querying LDAP servers that use self-signed certificates.


Configuration on IIS

To configure custom SSL certificates on IIS you simply need to install them in the Windows certificate store.


Configuration on Docker

To configure custom SSL certificates in the containerized version you have different options:


Configuration via environment variable

You can pass up to 9 different certificates to the container via environment variables.

Simply define up to 9 environment variables named LDAP_CERT_N (where N goes from 1 to 9), each containing a certificate in Base64 format.


Example:

        LDAP_CERT_1=
-----BEGIN CERTIFICATE-----
MIIDZjCCAk6gAwIBAgIQHeHfN1k8EJNBP/ojhRvV0TANBgkqhkiG9w0BAQsFADAz
...
...
...
WlooX91akYAPDtABzt6dPfS63jrQYN8bnPnPMffu/jTIiEuS7lWa7Kud4rAP28oU
UdT6xfJvTRlhtQ==
-----END CERTIFICATE-----


Configuration via secret

Configuration via secrets is especially useful when using a compose type of deployment.

Similarly to the environment variable configuration, define up to 9 secrets named LDAP_CERT_N (where N goes from 1 to 9), each either containing the certificate in Base64 format or pointing to a file with that content (Docker secret configuration).


If you are having problems with certificate validation on Docker, you can pass the environment variable LDAPTLS_REQCERT=never to disable certificate validation. Note that this turns off verification of the LDAP server's certificate entirely, so the TLS connection no longer proves that Indyco is talking to the intended server; prefer installing the server's certificate as described above and keep this setting for troubleshooting only.


When defining custom certificates either via environment variables or via secret, the container will print information regarding the certificates found.