
LDAP integration question

Open euanmacinnes opened this issue 3 years ago • 15 comments

One of the biggest headaches of database admin, and infrastructure is the separate account management of individual apps. Is there a plan to add LDAP support for CloudBeaver, so that we can give consistent account logging information to users, as well as map connections to LDAP roles for centralized security management? 2-4 users isn't much of a problem, but 40-50 users most definitely is, just to give an idea of scale.

euanmacinnes avatar Apr 06 '21 05:04 euanmacinnes

Thank you for the idea. We will think about what can be done.

kseniiaguzeeva avatar Apr 08 '21 13:04 kseniiaguzeeva

Hi, this would be an important feature for us, too. Without it, it is hard to handle. We want to use it inside Kubernetes.

Thank you. Best regards. Simon

simonpinnow avatar May 03 '21 18:05 simonpinnow

Hello,

Any news on the LDAP integration?

Thank you

Geronium avatar Jun 21 '21 23:06 Geronium

Could you please give more details and examples of how you use LDAP? Do you use it for Active Directory only? As I see it, different cases exist, and we should understand which way will be best to integrate it. Thank you in advance for your help.

kseniiaguzeeva avatar Jul 07 '21 05:07 kseniiaguzeeva

Hello,

In my case, we use OpenLDAP to authenticate on the applications, either directly or through the system (which allows it to authenticate via OpenLDAP).

You can see an example of the entry inside the LDAP:

```
dn: uid=test,ou=users,idPF=prod,ou=enterprise,c=com
cn: test
gidnumber: 1000
givenname: test
homedirectory: /home/test
loginshell: /bin/bash
mail: [email protected]
objectclass: top
objectclass: person
objectclass: inetOrgPerson
objectclass: posixAccount
sn: test
uid: test
uidnumber: 1000
userpassword: test
```

And an example of application configuration directly:

```python
import ldap
import django_auth_ldap.config
from django_auth_ldap.config import LDAPSearch

AUTH_LDAP_SERVER_URI = "ldap://172.222.1.254:389"
AUTH_LDAP_BIND_DN = "cn=Manager,ou=enteprise,c=com"
AUTH_LDAP_BIND_PASSWORD = "***"
AUTH_LDAP_USER_SEARCH = django_auth_ldap.config.LDAPSearch(
    "ou=users,idPF=prod,ou=enterprise,c=com", ldap.SCOPE_SUBTREE, "uid=%(user)s"
)
```

If we go through the system, we need to authorize the system to authenticate with the LDAP; for that I use nslcd and I add the rights in the pam.d configuration for this application:

```
-(mer. juil. 07 10:22:47)--(myserver:/etc/pam.d)-
[root] # cat application
#%PAM-1.0
auth sufficient pam_ldap.so
auth requisite pam_succeed_if.so quiet
auth required pam_unix.so nodelay
account required pam_unix.so
```

I don't know which is better, to authenticate through the system (if it's possible) or directly with the LDAP, but it's what we need, in my case.

Thank you.

Geronium avatar Jul 07 '21 08:07 Geronium

We also need LDAP to control developer access connections.

dawsongzhao avatar Jul 26 '21 12:07 dawsongzhao

@dawsongzhao thank you for voting. Could you please also give more details and examples of how you use LDAP?

kseniiaguzeeva avatar Aug 02 '21 07:08 kseniiaguzeeva

Hey, sorry for the delay because of holiday.

For us it would be nice to have:

  1. a simple LDAP bind with the user credentials given during authentication
  2. a configured LDAP group of which the user must be a member

configuration:

  • ldap-server-hostname
  • ldap port
  • ssl certificate (optional)
  • ldap group

best regards Simon

simonpinnow avatar Aug 02 '21 08:08 simonpinnow
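
The flow requested in the comment above (bind with the user's own credentials, then require a configured group), sketched as an added example that is not CloudBeaver code or part of the original thread. It goes slightly beyond the comment by covering RFC 4515 filter escaping and empty-password rejection; the `conn` interface, `FakeDirectory`, the `dc=example,dc=org` entries and reading group membership from `memberOf` are assumptions made for the illustration.

```python
import re

# RFC 4515: characters that must be hex-escaped inside a filter assertion value.
_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    return "".join(_ESC.get(ch, ch) for ch in value)

def authenticate(conn, base, login, password, required_group):
    """Search-then-bind with a required group. `conn` is a hypothetical
    interface: search(base, filter) -> [(dn, attrs)], simple_bind(dn, pw) -> bool."""
    # An empty password turns a simple bind into an "unauthenticated bind"
    # (RFC 4513 5.1.2), which many servers accept: refuse it before binding.
    if not login or not password:
        return False
    hits = conn.search(base, "(uid=%s)" % escape_filter_value(login))
    if len(hits) != 1:  # zero or ambiguous matches never authenticate
        return False
    dn, attrs = hits[0]
    if not conn.simple_bind(dn, password):
        return False
    # Assumption: the server exposes group membership as memberOf on the user.
    return required_group in attrs.get("memberOf", [])

class FakeDirectory:
    """Constructed stand-in for an LDAP server, for offline runs only."""
    def __init__(self, users):
        self.users = users  # dn -> {"uid", "password", "memberOf"}

    def search(self, base, flt):
        value = re.fullmatch(r"\(uid=(.*)\)", flt, re.S).group(1)
        # Translate the filter value to a regex: '*' is a wildcard, \XX a literal.
        parts = re.findall(r"\\[0-9a-fA-F]{2}|.", value, re.S)
        rx = "".join(".*" if p == "*" else
                     re.escape(chr(int(p[1:], 16)) if len(p) == 3 else p)
                     for p in parts)
        return [(dn, u) for dn, u in self.users.items()
                if dn.endswith(base) and re.fullmatch(rx, u["uid"], re.S)]

    def simple_bind(self, dn, password):
        # Mimics a server that accepts unauthenticated binds (empty password).
        return password == "" or self.users[dn]["password"] == password

BASE = "ou=users,dc=example,dc=org"  # constructed sample data
GROUP = "cn=dbusers,ou=groups,dc=example,dc=org"
DEMO = FakeDirectory({
    "uid=alice," + BASE: {"uid": "alice", "password": "s3cret", "memberOf": [GROUP]},
    "uid=bob," + BASE: {"uid": "bob", "password": "hunter2", "memberOf": []},
})
```

With a real client library, `conn` would wrap a TLS-protected connection (LDAPS or StartTLS), since a simple bind sends the password in clear text otherwise.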

piling on (for better or for worse). I'd like to use an IBM i server for LDAP authentication (so people can log into DBeaver with their IBM i username/pw).

^^ The above is probably non-useful feedback, but I can say that the LDAP support/design in the gitbucket project works great for this use case.

ThePrez avatar Mar 31 '22 14:03 ThePrez

It's quite difficult to implement the feature, because different cases exist for how LDAP can be used. Thank you for the provided link, we are going to investigate it. An implementation is going to be after the 21.1 release.

kseniiaguzeeva avatar Apr 20 '22 12:04 kseniiaguzeeva

Hello,

We are at the 22.1.0 version, we have exceeded the 21.1 release and I don't see the LDAP functionality. In the milestone

https://github.com/dbeaver/cloudbeaver/milestones

the LDAP functionality is not planned.

I noticed that in the last release there was the addition of "authentication via nginx" ?

"Users can login to the application via Nginx."

Can we use it to connect via LDAP?

Thank you

Geronium avatar Jun 12 '22 19:06 Geronium

@Geronium Hello, yes, it is potentially possible if you can integrate nginx with LDAP and send the correct authorization headers when opening CloudBeaver. You can read more about the required headers and how to set it up on the CloudBeaver side on our wiki page - Reverse proxy authentication

alexander-skoblikov avatar Jul 06 '22 14:07 alexander-skoblikov

We use LDAP as a way to connect to Oracle databases, without needing to distribute TNS Names file to all users. LDAP simply allows easier administration of Oracle DB connections. Seems like that would be a simple and helpful addition to DBeaver...!

bsteinweg avatar Sep 12 '22 20:09 bsteinweg

Would be great to know if this feature is planned only for EE or also for the Community edition?

jonsbun avatar Apr 05 '24 16:04 jonsbun

@jonsbun We plan to add this functionality to all versions.

EvgeniaBzzz avatar Apr 08 '24 13:04 EvgeniaBzzz