Introduction
The Terraform Enterprise installer dashboard (Replicated) uses password authentication by default, but can be configured to use LDAP authentication.
Use Case
This article details how to configure LDAP authentication on an existing Terraform Enterprise installer dashboard (Replicated), after having initially configured the instance to use password authentication.
Procedure
To configure LDAP authentication for the installer dashboard, perform the following steps:
- Navigate to the installer dashboard at https://<TFE_HOSTNAME>:8800.
- Click the gear icon at the top right of the page.
- Select Console Settings from the menu that appears.
- In the Security section, click on Change console security settings underneath Console password.
- Select LDAP from the options list, and then configure your LDAP connection as appropriate.
LDAP Settings
Server settings
- Server Type: OpenLDAP, Active Directory or Other
- Hostname: Hostname of the LDAP server, plus port and encryption
- Search username: User used to log in to the LDAP server
- Search password: Password for the search username
LDAP schema
- Base DN: Root node in the LDAP tree under which users and groups are searched.
- User search DN: Additional fields appended to the Base DN to search specifically for users; optional if the user search DN is already included in the Base DN.
- Restricted user group: Optionally specify a group name to filter for particular LDAP users, using cn and memberuid, where occurrences of %s represent the username and group name respectively.
- Advanced Search Options
  - User Query: LDAP query used to look up users. The query should contain a {{username}} placeholder that will be replaced with the actual user name being looked up, e.g. (cn={{username}})
  - Restricted User Group Query: LDAP query used to validate user group membership. The query may contain two placeholders: {{userdn}} (the found user's DN) and {{username}} (the user name that was looked up), e.g. (&(cn=Accounting)(memberuid={{username}}))
- Username field: Optional LDAP attribute that represents the username.
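The two Advanced Search Options queries above are plain templates in which the dashboard substitutes the looked-up user name for {{username}} (and the found DN for {{userdn}}). The following script is an added example, not code from this article or from Replicated. It assumes the substitution is a literal text replacement, as the article describes, and adds RFC 4515 escaping of the substituted value, which the article does not say the dashboard performs, so that a user name containing a filter metacharacter such as * cannot turn the exact-match lookup into a wildcard match. The function names and the sample user names are the example's own; the two template strings are the ones given in the article.

```python
import re

# RFC 4515 escape sequences for characters that are special inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Templates as given in the article's Advanced Search Options section.
USER_QUERY = "(cn={{username}})"
RESTRICTED_GROUP_QUERY = "(&(cn=Accounting)(memberuid={{username}}))"

_PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_query(template: str, **values: str) -> str:
    """Replace {{name}} placeholders with escaped values.

    Placeholders with no supplied value are left in place so that a typo in
    the template is visible in the rendered filter instead of vanishing.
    """
    def substitute(match: "re.Match[str]") -> str:
        key = match.group(1)
        if key in values:
            return escape_filter_value(values[key])
        return match.group(0)

    return _PLACEHOLDER.sub(substitute, template)


def is_single_filter(query: str) -> bool:
    """Structural sanity check: exactly one balanced parenthesised expression.

    A rendered filter whose outer parenthesis closes before the end of the
    string has had its structure changed by the substituted value.
    """
    depth = 0
    for index, ch in enumerate(query):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
            if depth == 0 and index != len(query) - 1:
                return False
    return depth == 0 and query.startswith("(")


def lookup_filters(username: str, userdn: str = "") -> tuple:
    """Render both queries for one login attempt, as the dashboard would."""
    user_filter = render_query(USER_QUERY, username=username)
    group_filter = render_query(RESTRICTED_GROUP_QUERY, username=username, userdn=userdn)
    return user_filter, group_filter


if __name__ == "__main__":
    # Constructed sample user names: a plain one and one containing a wildcard.
    for name in ("alice", "a*b"):
        user_filter, group_filter = lookup_filters(name)
        print(name, "->", user_filter, group_filter, is_single_filter(user_filter))
```

Without the escaping step, a user name of a*b would render as (cn=a*b), which the server treats as a substring match rather than a lookup of one account; with it, the rendered filter is (cn=a\2ab) and matches only that literal value.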
Login user
- Username: The username, without Base DN, used for the one-off validation performed each time the LDAP configuration is updated. The username will not be persisted in the system.
- Password: The password for the validating username.
NOTES
- If you encounter the error
Error validating LDAP schema: User not found
when saving the LDAP settings, the Username specified under the Login user section cannot be found. Revisit the settings under the LDAP schema section and correct them accordingly.
- If you encounter the error
Error validating LDAP schema: LDAP Result Code 200 "": dial tcp: lookup <DNS NAME> on 168.63.129.16:53: no such host
when saving the LDAP settings, the Hostname under Server settings is most likely invalid, or there is a DNS problem.
- If you encounter the error
Error applying security settings Console auth validation failed for type ldap: Error validating LDAP schema: LDAP Result Code 200 "": dial tcp <IP ADDRESS>:389: i/o timeout
when saving the LDAP settings, the LDAP port is most likely not reachable from Terraform Enterprise to the LDAP server, possibly because of a network setting or an incorrect Hostname under Server settings.
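The second and third notes distinguish a name-resolution failure (no such host) from a TCP timeout. The following script is an added example, not part of this article or of Replicated; it performs the same two checks from the Terraform Enterprise host before the settings are saved, so the cause can be narrowed down without waiting for the dashboard's validation to fail. The function names, the extra "refused" outcome and the sample host names are the example's own.

```python
import socket
import sys


def diagnose_ldap_endpoint(host: str, port: int = 389, timeout: float = 3.0) -> dict:
    """Check name resolution and TCP reachability of an LDAP server.

    The "error" field uses the same distinctions as the article's NOTES:
    "no such host" for a DNS failure and "timeout" for an unreachable port,
    plus "refused" (host reached, nothing listening), which the article does
    not list but is the usual symptom of a wrong port.
    """
    result = {
        "host": host,
        "port": port,
        "resolved": False,
        "addresses": [],
        "reachable": False,
        "error": None,
        "detail": "",
    }

    # Step 1: name resolution, the failure behind "lookup <DNS NAME> ... no such host".
    try:
        infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        result["error"] = "no such host"
        result["detail"] = str(exc)
        return result
    result["resolved"] = True
    result["addresses"] = sorted({info[4][0] for info in infos})

    # Step 2: TCP connect, the failure behind "dial tcp <IP ADDRESS>:389: i/o timeout".
    try:
        with socket.create_connection((host, port), timeout=timeout):
            result["reachable"] = True
    except socket.timeout as exc:
        result["error"] = "timeout"
        result["detail"] = str(exc)
    except ConnectionRefusedError as exc:
        result["error"] = "refused"
        result["detail"] = str(exc)
    except OSError as exc:
        result["error"] = "other"
        result["detail"] = str(exc)
    return result


def explain(result: dict) -> str:
    """One-line hint matching the article's troubleshooting advice."""
    hints = {
        None: "LDAP endpoint resolves and accepts connections.",
        "no such host": "Hostname under Server settings is invalid or DNS is not working.",
        "timeout": "LDAP port is not reachable from this host; check network rules or the Hostname.",
        "refused": "Host reached but nothing is listening on that port; check the port.",
        "other": "Connection failed for another reason; see detail.",
    }
    return hints[result["error"]]


if __name__ == "__main__":
    # Usage: python ldap_precheck.py <LDAP_HOSTNAME> [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 389
    outcome = diagnose_ldap_endpoint(target, target_port)
    print(outcome)
    print(explain(outcome))
```

Run it on the Terraform Enterprise instance itself rather than from a workstation: the dashboard's validation originates from that host, so a firewall or security-group rule that only affects the instance is otherwise easy to miss.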
Additional Information
If you have any trouble configuring LDAP authentication, please contact HashiCorp support.