LDAP
Introduction to LDAP

{{ldap}} can be used as an identity provider for both Grafana and Factry Historian. It is a protocol that provides a standardized way to organize identity data stored in a hierarchical directory structure. An LDAP server:

- keeps information about users, groups, and permissions in one central place;
- allows multiple applications to connect to the LDAP server, check your identity and grant permissions;
- is compatible with most identity services, such as Active Directory and others.

Naming structure

LDAP identity data is organized in a hierarchical tree structure called the {{dit}}. Each entry in the DIT (such as a user, group, or organizational unit) is uniquely identified by its {{dn}}. A DN works like a file system path: it is built from the entry's own name (its relative distinguished name, or RDN) plus the chain of parent entries up to the root. For example, this DN uniquely identifies the single entry "John Doe" in the users organizational unit ({{ou}}) of the example.com domain:

Groups in LDAP are also entries, but instead of containing users directly inside their DN, they typically list the DNs of their members.

💡 Example naming structure

Special characters

When a DN holds a special character, it needs to be escaped for correct interpretation. Escape a special character by inserting a \ just before it. For example, the special character ; is written as \;, meaning a CN of factry;s services in the DN becomes:

More information on escaping special characters in LDAP can be found here.

Search LDAP identities

Find below some key terms to understand when searching for LDAP identities.

Bind user DN: the distinguished name of a user which is used to search (bind to the interface of) the LDAP server. Set read-only access for this user (recommended).

Base DN: the starting point (base) for all LDAP searches. All users which are to be authenticated against the LDAP server must be found within the DIT starting from the base DN.

Search filter: defines the criteria for searching the DIT from the base DN to match identities (users). For example, this search filter matches users where the cn equals the username in the application (%s is replaced by the username in Factry Historian/Grafana):

Attributes: each identity (user) holds a set of properties that define a unique identity:

- email: the email of the identity
- firstname: the first name of the identity
- lastname: the last name of the identity
- memberof: the group DNs the identity is part of
- locale: the language/region of the identity

Requirements

To successfully set up LDAP authentication, the following requirements must be met:

- ability to retrieve the connection details;
- a connection from Factry Historian/Grafana to the LDAP server.

Setting up LDAP authentication

The setup process consists of two parts:

1. Retrieving LDAP connection details: connection details are retrieved from the (cloud/local) {{ldap}} server.
2. Configure authentication in each product: configure the connection details as described in Configuring LDAP authentication in Grafana and Configuring LDAP authentication in Factry Historian.

By completing these steps, both Grafana and Factry Historian can share the same identity provider, reducing administrative overhead and improving security.
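The two escaping rules above (backslash-escaping special characters in a DN, and substituting the username into a `%s` search filter) are easy to get wrong by hand. The following Python is an added example, not Factry or Grafana code: it builds DNs with RFC 4514 escaping and substitutes the username into a filter template with RFC 4515 escaping, so that characters such as `*` or `(` in a username are matched literally instead of being interpreted by the LDAP server. The DN values and the `(cn=%s)` template are constructed sample input.

```python
# Added example (not Factry/Grafana code). Shows the escaping the page describes:
# a '\' before DN special characters, and safe substitution of %s in a search filter.

# RFC 4514: characters that must be escaped inside an RDN attribute value.
DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape one RDN value (e.g. the 'factry;s services' in cn=...) for use in a DN.
    Leading '#' and leading/trailing spaces are also escaped per RFC 4514."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns: list[tuple[str, str]]) -> str:
    """Build a DN from (attribute, value) pairs ordered leaf first, e.g. cn, ou, dc, dc."""
    return ",".join(f"{attr}={escape_dn_value(val)}" for attr, val in rdns)


# RFC 4515: in search filters these characters are written as \XX hex escapes,
# so a username containing them cannot change the shape of the filter.
FILTER_SPECIAL = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(FILTER_SPECIAL.get(ch, ch) for ch in value)


def build_search_filter(template: str, username: str) -> str:
    """Replace %s in the (trusted, configured) filter template with the escaped username."""
    return template.replace("%s", escape_filter_value(username))


if __name__ == "__main__":
    # Constructed sample entry: "John Doe" in ou=users of example.com.
    print(build_dn([("cn", "John Doe"), ("ou", "users"), ("dc", "example"), ("dc", "com")]))
    # The page's special-character case: ';' inside the CN is escaped as '\;'.
    print(build_dn([("cn", "factry;s services"), ("ou", "users"), ("dc", "example"), ("dc", "com")]))
    # A '*' in a username is escaped so it is matched literally, not as a wildcard.
    print(build_search_filter("(cn=%s)", "j*doe"))
```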