6.1: Centralized Authentication

By default, Indeni stores authentication information in its local database. You can now also use an external LDAP (Lightweight Directory Access Protocol) repository to store this user information. With LDAP authentication, Indeni sends all login requests to the LDAP directory to process.

Please Note: This feature is available in version 6.2+, and only supports Microsoft Active Directory. Indeni email notifications must be set for a local user, so we suggest creating a generic email user and setting your notification preferences there.


LDAP Setup

To configure the connection, click the Settings icon, select Authentication, click CA (Centralized Authentication), and enter the settings needed to connect to your LDAP directory.

Service Endpoint: ldap://172.16.3.15:389
Username: indeni@ad.indeni.com
Password: ********
Base DN: dc=ad,dc=indeni,dc=com

Service Endpoint

The LDAP URL should have the following format: ldap://<host>[:port]. For example, ldap://172.28.128.3:389

Username

Enter the username of the account Indeni uses to connect to the LDAP server when querying the LDAP user database. Indeni requires only read-only access to the LDAP server, but this account must be able to read the LDAP groups whose users require access to Indeni.

Password

The password of the user that Indeni uses to connect to the LDAP server when querying the LDAP user database.

Base DN (Distinguished Name)

Set the search parameters that Indeni uses when searching the LDAP directory for matching user entries. For example, dc=ad,dc=indeni,dc=com

Server Certificate (optional)

Upload your Active Directory SSL certificate, if applicable. If you do not use one, leave this field blank.

LDAP Groups

Your organization may have already created user groups in your LDAP directory with the users who will need to access Indeni. During the initial setup process, Indeni will retrieve the list of LDAP groups.

After the groups have been retrieved, select the LDAP group(s) of users who will need access to Indeni. The members of these LDAP groups are authorized to access Indeni. Any changes to the membership of these LDAP groups are automatically reflected in Indeni, without having to change the LDAP setup.

To view or update the LDAP groups, click the blue reload button and modify the setting.

User Login

Any time a user attempts to log in to Indeni, if an LDAP server is configured, the username and password will be forwarded to the specified LDAP directory server to determine if the credentials are correct. Indeni does not store the LDAP usernames and passwords locally.

Indeni determines what LDAP groups the user belongs to with a simple search and then verifies that the user belongs to one of the selected LDAP groups. If the user does not belong to any one of the selected LDAP groups, Indeni will fail the authentication.

The diagram below summarizes the authentication process.

 

Authentication Fallback

If the LDAP directory does not successfully authenticate the username and password forwarded, Indeni will fall back to the local username and password. If the username and password credentials do not exist in the local user store, Indeni will fail the authentication.
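
The login decision described under User Login and Authentication Fallback, modelled as an added example (this is not Indeni's code). The directory is a constructed in-memory stand-in rather than a real LDAP client, all names and passwords are hypothetical, and the flow assumes a literal reading of the two sections: a failed group check denies the login, while a failed LDAP authentication falls back to the local store.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class FakeDirectory:
    """Constructed in-memory stand-in for Active Directory (not a real LDAP client)."""
    users: dict = field(default_factory=dict)    # username -> (password, set of groups)
    def bind(self, username, password):
        entry = self.users.get(username)
        return entry is not None and hmac.compare_digest(entry[0].encode(), password.encode())
    def groups_of(self, username):
        return self.users[username][1]

@dataclass
class LocalStore:
    """Constructed local user store holding salted password hashes."""
    records: dict = field(default_factory=dict)  # username -> (salt, hash)
    def add(self, username, password):
        salt = os.urandom(16)
        self.records[username] = (salt, _hash(password, salt))
    def verify(self, username, password):
        rec = self.records.get(username)
        return rec is not None and hmac.compare_digest(rec[1], _hash(password, rec[0]))

def login(username, password, directory, selected_groups, local):
    """Return (allowed, reason) following the flow described on this page."""
    if directory is not None and directory.bind(username, password):
        # LDAP accepted the credentials: the group check decides, with no fallback.
        if directory.groups_of(username) & selected_groups:
            return True, "ldap"
        return False, "ldap-user-not-in-selected-group"
    # No directory configured, or LDAP rejected the credentials: try the local store.
    if local.verify(username, password):
        return True, "local-fallback"
    return False, "no-matching-credentials"

# Constructed sample data.
AD = FakeDirectory({"alice": ("A1ice-pw", {"indeni-admins"}),
                    "bob": ("B0b-pw", {"helpdesk"})})
LOCAL = LocalStore()
LOCAL.add("notify", "N0tify-pw")   # generic local user kept for email notifications
LOCAL.add("bob", "old-local-pw")   # leftover local account sharing an LDAP username
SELECTED = {"indeni-admins"}
```

In this model `bob` is denied with his directory password because he is not in a selected group, yet his leftover local password still logs in through the fallback, so local accounts need the same review as the selected LDAP groups.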