Configure LDAP Basic module

Active Directory (AD) and OpenLDAP are supported for authenticating users.
LDAP authentication is only available with specific licenses.

LDAP is configured via startup parameters with the prefix xeotek_kadeck_authentication_ldap.
To enable LDAP, the xeotek_kadeck_authentication_method parameter must be changed from "internal" (no LDAP) to "ldap".

The value of the configured user id attribute (xeotek_kadeck_authentication_ldap_user_id_attribute, cn by default) of the user entry on the LDAP server is used as the user id in Kadeck. Additionally, an attribute holding the full user name can be specified with the xeotek_kadeck_authentication_ldap_user_fullname_attribute parameter. The password used to log in to Kadeck is the one stored on the user entry of the LDAP server; it is verified by the LDAP server, not by Kadeck.

Group assignment

Group assignments can optionally also be made via the LDAP server. The internal assignment of users to groups is then no longer possible and is overwritten on every synchronisation. Roles can also be assigned directly to users in Kadeck (without groups); this is not affected by group assignment via LDAP, so roles can still be assigned directly to users.

Group assignment via LDAP is controlled by the configuration parameter xeotek_kadeck_authentication_ldap_group_management (boolean; false by default), which must be set to true.

The group assignment is derived from the values of the configured group attribute (xeotek_kadeck_authentication_ldap_group_attribute, memberOf by default). The group name is extracted from the Distinguished Name (DN) in each value with the regular expression configured in xeotek_kadeck_authentication_ldap_group_regex. Roles assigned directly to a user are managed only internally by Kadeck.

Kadeck does not create groups automatically from the memberOf values. It checks whether a group with the name extracted by the regular expression exists in Kadeck and, if so, assigns the user to that group; extracted names that match no existing Kadeck group are ignored.

Group Mapping in Kadeck 5.3+

Kadeck provides a feature to map OpenID and LDAP groups to internal Kadeck groups:

  1. Navigate to the Kadeck administration section.
  2. Go to Groups and click Edit on an existing group or Add new.
  3. Look for the "External mapping" field.
  4. Enter the value that Kadeck should match against the group names extracted from LDAP (e.g. the group ID) for this Kadeck group.

This mapping allows for flexible group management, especially when the group names or IDs in your LDAP directory service don't directly match the group names in Kadeck.

We recommend adding an external mapping for the Superusers group in Kadeck, especially when setting up LDAP authentication for the first time. This allows Kadeck administrators to log in and make further changes after LDAP is enabled. 
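The following Python example is added here to illustrate the extraction and matching described above; it is not Kadeck's own code. It applies the group regex to the memberOf values of a user entry and matches the extracted names against Kadeck groups, using a group's external mapping when one is set and its name otherwise. That matching model, the use of a full-string match (chosen because the default regex ends in ".*") and the KadeckGroup objects are assumptions; the memberOf values are constructed sample data. The example also shows why the default regex "(?i)cn=(\w+),ou=Groups.*" silently drops group names containing hyphens or spaces, and a less restrictive alternative.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Default of xeotek_kadeck_authentication_ldap_group_regex (see the configuration list).
DEFAULT_GROUP_REGEX = r"(?i)cn=(\w+),ou=Groups.*"
# Less restrictive alternative (assumption, not a Kadeck default): \w+ only matches
# [A-Za-z0-9_], so cn values containing hyphens or spaces never match the default.
PERMISSIVE_GROUP_REGEX = r"(?i)cn=([^,]+),ou=Groups.*"


@dataclass(frozen=True)
class KadeckGroup:
    """A Kadeck group as configured in the administration section (model, not Kadeck's class)."""
    name: str
    external_mapping: Optional[str] = None  # "External mapping" field, Kadeck 5.3+


def extract_group_names(member_of_values: List[str],
                        group_regex: str = DEFAULT_GROUP_REGEX) -> List[str]:
    """Apply the group regex to every value of the group attribute (memberOf by default)
    and keep the first capture group of each match. Values that do not match are dropped.
    A full-string match is assumed here because the default regex ends in '.*'."""
    pattern = re.compile(group_regex)
    if pattern.groups < 1:
        raise ValueError("group_regex needs at least one capture group")
    names = []
    for dn in member_of_values:
        match = pattern.fullmatch(dn)
        if match:
            names.append(match.group(1))
    return names


def resolve_kadeck_groups(member_of_values: List[str], kadeck_groups: List[KadeckGroup],
                          group_regex: str = DEFAULT_GROUP_REGEX) -> Tuple[List[str], List[str]]:
    """Simplified model (assumption) of the documented matching: an extracted value is
    compared with a Kadeck group's external mapping when one is set, otherwise with the
    group name. Returns (Kadeck groups the user is assigned to, extracted values that
    matched no Kadeck group). Kadeck does not create the unmatched groups, so the second
    list is the thing to check when a user ends up without the expected group."""
    lookup = {group.external_mapping or group.name: group for group in kadeck_groups}
    assigned, unmatched = [], []
    for value in extract_group_names(member_of_values, group_regex):
        group = lookup.get(value)
        if group is None:
            unmatched.append(value)
        else:
            assigned.append(group.name)
    return assigned, unmatched


# Constructed sample data: memberOf values of one AD user entry and three Kadeck groups.
SAMPLE_MEMBER_OF = [
    "CN=Admins,OU=Groups,OU=CompanyUsers,DC=test,DC=corp",        # matches (case-insensitive)
    "cn=kafka-admins,ou=Groups,ou=CompanyUsers,dc=test,dc=corp",  # hyphen: no match with \w+
    "cn=Everyone,ou=Distribution,dc=test,dc=corp",                # not under ou=Groups
]
SAMPLE_KADECK_GROUPS = [
    KadeckGroup("Superusers", external_mapping="Admins"),        # mapping for the first login
    KadeckGroup("Kafka Admins", external_mapping="kafka-admins"),
    KadeckGroup("Developers"),                                   # no mapping: matched by name
]


if __name__ == "__main__":
    for regex in (DEFAULT_GROUP_REGEX, PERMISSIVE_GROUP_REGEX):
        assigned, unmatched = resolve_kadeck_groups(SAMPLE_MEMBER_OF, SAMPLE_KADECK_GROUPS, regex)
        print(regex, "-> assigned:", assigned, "unmatched:", unmatched)
```

With the default regex the sample user only lands in Superusers; the kafka-admins membership is lost without any error. Run the extraction against a real memberOf list before enabling group management, and look at the unmatched list for names that exist in LDAP but have no Kadeck group or external mapping.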

Login process & synchronization

When Kadeck starts, users are retrieved via the configured Kadeck LDAP service user (startup parameters xeotek_kadeck_authentication_ldap_user and xeotek_kadeck_authentication_ldap_password) and stored in Kadeck's database.

When a user attempts to log in, the username and password are passed on to the configured LDAP server, and the user's entry is retrieved with these credentials from the configured base DN (xeotek_kadeck_authentication_ldap_base). If this succeeds, Kadeck checks whether the user already exists in its database and stores the user if not.

The user and group mappings are updated continuously.
The synchronisation interval is set with the xeotek_kadeck_authentication_ldap_sync_interval_mins parameter. The default is 60 (= 1 hour).

Newly added or removed group assignments therefore only become visible after the configured interval has elapsed or after a restart of Kadeck. Until then, a user removed from a group in LDAP keeps the corresponding Kadeck group assignment, so shorten the interval if group membership is used to revoke access.

If there are not enough licenses for all users, only the first n users are activated in Kadeck, in the order in which they were stored in Kadeck's database, where n is the number of available user licenses.

Debugging

To find errors in the configuration, debug mode can be activated for the LdapAuthProvider. It writes additional information at log level INFO when users are retrieved and when users and group assignments are created.

To enable debug mode, set the xeotek_kadeck_authentication_ldap_debug parameter to true. Disable it again once the configuration works, since the extra output lists directory data in the application log.

Users in nested groups

Issue: An Active Directory (AD) user object filter that retrieves the members of a specified group does not return users that are only members of groups nested under that group. A filter like the following is used:

(&(objectClass=person)(memberOf=cn=TestGroup,ou=Groups,ou=CompanyUsers,dc=test,dc=corp))

By default, a memberOf comparison checks only the direct attribute values, so AD returns only the direct members of TestGroup to Kadeck.

To have AD evaluate the whole membership chain, the filter must use the extensible match operator with the matching rule LDAP_MATCHING_RULE_IN_CHAIN, whose OID is 1.2.840.113556.1.4.1941.

Modify the above filter to include the extensible match operator:

(&(objectClass=person)(memberOf:1.2.840.113556.1.4.1941:=CN=all_user_group,OU=test-ou,OU=test-ou2,OU=Groups,OU=Common,DC=my,DC=company,DC=com))

Note: the group DNs in the above filter cannot contain wildcards. If you need to specify multiple groups, OR the clauses together:

(&
    (objectClass=person)
    (|
        (memberOf:1.2.840.113556.1.4.1941:=cn=UserGroup1,ou=Groups,ou=CompanyUsers,dc=test,dc=corp)
        (memberOf:1.2.840.113556.1.4.1941:=cn=UserGroup2,ou=Groups,ou=CompanyUsers,dc=test,dc=corp)
        ....
    )
)

Chain matching makes the domain controller walk every group's membership for each candidate entry, so expect this filter to be noticeably slower than a plain memberOf comparison on large directories.
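The following Python example, added here and not part of Kadeck, builds the user filters discussed above for xeotek_kadeck_authentication_ldap_filter: the plain memberOf comparison that only returns direct members, the chain-matching variant for nested groups, and the ORed form for several groups. It escapes the group DNs as required by RFC 4515, so a group whose cn contains parentheses or an asterisk does not break the filter. The group DNs are constructed sample data; the function and constant names are the example's own.

```python
from typing import Iterable

# Matching rule LDAP_MATCHING_RULE_IN_CHAIN: AD evaluates the whole memberOf chain.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515 escapes for characters that are special inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def member_of_filter(group_dns: Iterable[str], recursive: bool = True,
                     object_class: str = "person", group_attribute: str = "memberOf") -> str:
    """Return a user filter restricting the users Kadeck retrieves to members of the given groups.

    recursive=False yields the plain memberOf comparison from the issue above, which only
    returns direct members; recursive=True adds the extensible match operator so AD also
    returns members of nested groups. Several groups are ORed together, because DN-valued
    attributes accept no wildcards."""
    dns = list(group_dns)
    if not dns:
        raise ValueError("at least one group DN is required")
    operator = f":{LDAP_MATCHING_RULE_IN_CHAIN}:=" if recursive else "="
    clauses = [f"({group_attribute}{operator}{escape_filter_value(dn)})" for dn in dns]
    membership = clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"
    return f"(&(objectClass={object_class}){membership})"


# Constructed sample group DNs, following the naming used in the filters above.
TEST_GROUP = "cn=TestGroup,ou=Groups,ou=CompanyUsers,dc=test,dc=corp"
USER_GROUPS = [
    "cn=UserGroup1,ou=Groups,ou=CompanyUsers,dc=test,dc=corp",
    "cn=UserGroup2,ou=Groups,ou=CompanyUsers,dc=test,dc=corp",
]

if __name__ == "__main__":
    print(member_of_filter([TEST_GROUP], recursive=False))   # direct members only
    print(member_of_filter([TEST_GROUP]))                    # nested members included
    print(member_of_filter(USER_GROUPS))                     # several groups ORed
    print(member_of_filter(["cn=Ops (EU),ou=Groups,dc=test,dc=corp"]))  # parentheses escaped
```

Paste the generated string into xeotek_kadeck_authentication_ldap_filter and verify it with ldapsearch against the directory first; an unescaped parenthesis in a DN produces a filter the server rejects, and a mistyped group DN silently matches nobody.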

 

The full configuration list

Each entry lists the parameter, its description and its default value.

xeotek_kadeck_authentication_method
    Set to ldap to enable the LDAP module, or internal to use the built-in authentication provider.
    Default: internal

xeotek_kadeck_authentication_ldap_url
    The URL of the LDAP server, starting with ldap:// or ldaps://. With ldap:// the service-user and user passwords travel in cleartext.
    Default: none

xeotek_kadeck_authentication_ldap_user
    The distinguished name (DN) of the Kadeck service user. Used to list users and their groups.
    Default: none

xeotek_kadeck_authentication_ldap_password
    The password for the Kadeck service user.
    Default: none

xeotek_kadeck_authentication_ldap_debug
    Output additional information for debugging purposes on log level INFO.
    Default: false

xeotek_kadeck_authentication_ldap_sync_interval_mins
    The time interval in minutes at which Kadeck updates the users and their group memberships. The first update takes place immediately after Kadeck starts.
    Default: 60

xeotek_kadeck_authentication_ldap_base
    The base DN under which Kadeck searches for user accounts.
    Default: none

xeotek_kadeck_authentication_ldap_filter
    The query filter for the user accounts found under the base DN. Kadeck retrieves all users that match this filter.
    Default: (objectClass=person)

xeotek_kadeck_authentication_ldap_user_id_attribute
    The attribute used for the user id in Kadeck (must be unique). This is the id the user enters when logging in.
    Default: cn

xeotek_kadeck_authentication_ldap_user_fullname_attribute
    The attribute used for the user name in Kadeck. This is the displayed name of the user (when editing views, for example).
    Default: the configured user_id_attribute

xeotek_kadeck_authentication_ldap_group_attribute
    The attribute used to retrieve the user's groups.
    Default: memberOf

xeotek_kadeck_authentication_ldap_group_regex
    A regular expression used to extract the group name from the DNs/names listed under the group_attribute. Only the first capture group of the regular expression is used to match the Kadeck groups.
    Default: (?i)cn=(\w+),ou=Groups.*

xeotek_kadeck_authentication_ldap_group_management
    Enables automatic assignment of users to Kadeck groups via the configured group_attribute. If not enabled, the groups have to be assigned to the users manually in Kadeck.
    Default: false
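The following Python example is added here and is not part of Kadeck. It checks a set of startup parameters against the constraints in the list above before Kadeck is started: a cleartext ldap:// URL, a missing service user, password or base DN, a group regex that does not compile or has no capture group, group management enabled with the untouched default regex, a non-positive sync interval and debug output left on. The parameter names and defaults are the ones listed above; the two sample configurations and the finding texts are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

PREFIX = "xeotek_kadeck_authentication_ldap_"
DEFAULT_GROUP_REGEX = r"(?i)cn=(\w+),ou=Groups.*"

# Defaults from the configuration list above. Parameters without a default are absent.
DEFAULTS: Dict[str, str] = {
    "xeotek_kadeck_authentication_method": "internal",
    PREFIX + "debug": "false",
    PREFIX + "sync_interval_mins": "60",
    PREFIX + "filter": "(objectClass=person)",
    PREFIX + "user_id_attribute": "cn",
    PREFIX + "group_attribute": "memberOf",
    PREFIX + "group_regex": DEFAULT_GROUP_REGEX,
    PREFIX + "group_management": "false",
}


def _is_true(value: str) -> bool:
    return value.strip().lower() == "true"


def lint_ldap_config(params: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (parameter, problem) pairs for a set of startup parameters; an empty list
    means no finding. Parameters not given fall back to the documented defaults."""
    cfg = {**DEFAULTS, **params}
    findings: List[Tuple[str, str]] = []

    if cfg["xeotek_kadeck_authentication_method"] != "ldap":
        findings.append(("method", "not 'ldap': the LDAP module stays disabled and all ldap_* parameters are ignored"))
        return findings

    url = cfg.get(PREFIX + "url", "")
    if not url:
        findings.append(("url", "missing"))
    elif url.startswith("ldap://"):
        findings.append(("url", "ldap:// sends the service-user password and every login password in cleartext; use ldaps:// (port 636)"))
    elif not url.startswith("ldaps://"):
        findings.append(("url", "must start with ldap:// or ldaps://"))

    for key in ("user", "password", "base"):
        if not cfg.get(PREFIX + key):
            findings.append((key, "missing: needed to list users and groups at startup and on every sync"))

    user_filter = cfg[PREFIX + "filter"]
    if user_filter.count("(") != user_filter.count(")"):
        findings.append(("filter", "unbalanced parentheses"))

    regex = cfg[PREFIX + "group_regex"]
    try:
        compiled = re.compile(regex)
    except re.error as err:
        findings.append(("group_regex", f"does not compile: {err}"))
    else:
        if compiled.groups < 1:
            findings.append(("group_regex", "has no capture group, so no group name can be extracted"))
        elif _is_true(cfg[PREFIX + "group_management"]) and regex == DEFAULT_GROUP_REGEX:
            findings.append(("group_regex", "default regex with group management enabled: \\w+ only matches [A-Za-z0-9_] names directly under ou=Groups; confirm it fits your directory"))

    try:
        interval = int(cfg[PREFIX + "sync_interval_mins"])
    except ValueError:
        interval = -1
    if interval <= 0:
        findings.append(("sync_interval_mins", "must be a positive number of minutes"))

    if _is_true(cfg[PREFIX + "debug"]):
        findings.append(("debug", "enabled: user and group details are written to the log at INFO; disable after troubleshooting"))

    return findings


def finding_keys(params: Dict[str, str]) -> List[str]:
    """Parameter names with findings, in the order lint_ldap_config reports them."""
    return [key for key, _ in lint_ldap_config(params)]


# Constructed sample configurations: a weak first attempt and a hardened one.
WEAK_CONFIG = {
    "xeotek_kadeck_authentication_method": "ldap",
    PREFIX + "url": "ldap://ldap.test.corp:389",
    PREFIX + "group_management": "true",
    PREFIX + "debug": "true",
}
HARDENED_CONFIG = {
    "xeotek_kadeck_authentication_method": "ldap",
    PREFIX + "url": "ldaps://ldap.test.corp:636",
    PREFIX + "user": "cn=kadeck-svc,ou=ServiceAccounts,dc=test,dc=corp",
    PREFIX + "password": "<service user password>",
    PREFIX + "base": "ou=CompanyUsers,dc=test,dc=corp",
    PREFIX + "group_management": "true",
    PREFIX + "group_regex": r"(?i)cn=([^,]+),ou=Groups.*",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, lint_ldap_config(cfg) or "no findings")
```

The check is deliberately offline: it validates shape, not whether the service user can bind. Use a read-only service account that can only search the base DN, and keep its password out of shell history and process listings when passing it as a startup parameter.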

 

Default ports

Make sure that these ports are reachable from Kadeck Web:

    389    TCP/UDP    LDAP (ldap://)
    636    TCP        LDAP over SSL (ldaps://)
 


Related Articles

    • Advanced: LDAP Module for nested groups
      Note: the basic LDAP module is sufficient in most cases. Use the advanced module only if the basic LDAP module does not return all groups (especially nested groups).
    • Configure OpenId authentication
    • Configure a home path
    • Configure a Kadeck cluster setup
    • Startup parameters for Desktop