LDAP Realms
To create a new realm, click the Create button. To edit an existing realm, click the realm name or select Edit from the options menu. Note that the internal fdRealm cannot be edited. Use the Active button to activate or deactivate a specific realm. Use the Delete option in each row's menu to remove a realm from the FlexDeploy configuration completely.
Any changes to a realm's configuration will require the FlexDeploy application server to be restarted for the changes to take effect. This does not include updating group mappings. You can test realm configuration details by clicking the Test Connection button.
Enter the details for the LDAP realm as described in the table of inputs below, then click the Save button to save your changes.
All LDAP realm users must be under a specific branch on the LDAP server, which is searched based on the User Search Base and User Search Filter on the general tab.
FlexDeploy uses the memberOf virtual attribute to derive a user's groups, so group mapping will not work if your LDAP does not support that attribute.
Configuring LDAP Realm
Only FlexDeploy Administrators can update Realm settings.
Click Create to create a new LDAP realm, then configure the fields as explained below.
Field | Required | Description |
---|---|---|
Realm Name | Yes | |
Description | No | |
URL | Yes | URL used to access the LDAP server. For example, `ldap://localhost:10389` |
System Username | Yes | Read-only username used to access the LDAP server. This must be the fully qualified name in LDAP. FlexDeploy binds to LDAP with the system username and system password for its various operations. For example, `uid=admin,ou=system` |
System Password | Yes | Password for the specified system user name. |
User Search Base | Yes | User base tree in the LDAP server. For example, `ou=users,ou=system` |
User Search Filter | Yes | Search filter used to find user records under the user search base; `{0}` stands for the login name. For example, `(&(objectClass=*)(uid={0}))` or `(&(objectClass=*)(sAMAccountName={0}))`. To restrict the users able to log in to FlexDeploy by membership in a particular LDAP group, use a filter similar to the following (this assumes that your LDAP supports the memberOf virtual attribute): `(&(objectClass=user)(sAMAccountName={0})(memberOf=CN=FDDevelopers,CN=Users,DC=flexagondev,DC=local))`. More than one group looks like this: `(&(objectClass=user)(sAMAccountName={0})(|(memberOf=CN=FDDevelopers,CN=Users,DC=flexagondev,DC=local)(memberOf=CN=FDAdmins,CN=Users,DC=flexagondev,DC=local)))` |
Connect Timeout | No | Timeout, in seconds, for connecting to the external server. The default timeout is 30 seconds. If no value is provided, there is no timeout. |
Read Timeout | No | Timeout, in seconds, for LDAP read operations. The default timeout is 120 seconds. If no value is provided, there is no timeout. |
Follow Referrals | Yes | How to handle referrals (follow/ignore). The default is ignore. |
Group Mapping Enabled | Yes | Enable to map LDAP groups to FlexDeploy groups. The LDAP server must support the memberOf attribute for group mapping to work. |
Group Search Base | No¹ | Group base tree in the LDAP server. For example, `ou=groups,ou=myrealm,dc=MyDomain` |
Group Search Filter | No¹ | Search filter used to find groups under the group search base. For example, `(objectClass=groupOfUniqueNames)` |

¹ Required if group mapping is enabled.
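The User Search Filter substitutes the login name for the `{0}` placeholder, so two things are worth checking before a filter goes into a realm: that the login name is treated as a literal value rather than as filter syntax, and that a hand-written compound filter is a single balanced expression. The following is an added example, not FlexDeploy's own code; it assumes only that `{0}` is replaced by the login name and shows the RFC 4515 escaping that must apply to that value, plus a well-formedness check that flags the two usual mistakes (several terms side by side without a leading `(&`, and a missing closing parenthesis). The template strings are the ones from the table above.

```python
"""Checks for a FlexDeploy-style LDAP User Search Filter.

Added example, not FlexDeploy's own code. It assumes the realm substitutes the
login name for the {0} placeholder; the escaping shown here is what RFC 4515
requires for any value placed inside a filter.
"""

# RFC 4515 section 3: characters that must be escaped inside a filter
# assertion value. Without this, a login name such as "*)(uid=*" would change
# the structure of the filter instead of being compared as a literal.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, login_name: str) -> str:
    """Substitute the escaped login name for every {0} in the template."""
    return template.replace("{0}", escape_filter_value(login_name))


def is_well_formed(filter_text: str) -> bool:
    """True if the text is exactly one balanced, parenthesised filter.

    Catches the two usual mistakes in hand-written compound filters: several
    terms placed side by side without a leading "(&" or "(|", and a missing
    closing parenthesis at the end.
    """
    if not filter_text.startswith("("):
        return False
    depth = 0
    last = len(filter_text) - 1
    for index, ch in enumerate(filter_text):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False  # closes more parentheses than it opened
            if depth == 0 and index != last:
                return False  # a second top-level term follows the first
    return depth == 0


# Templates from the table above; {0} is replaced by the login name.
OPENLDAP_TEMPLATE = "(&(objectClass=*)(uid={0}))"
AD_TEMPLATE = "(&(objectClass=*)(sAMAccountName={0}))"
AD_TWO_GROUPS_TEMPLATE = (
    "(&(objectClass=user)(sAMAccountName={0})"
    "(|(memberOf=CN=FDDevelopers,CN=Users,DC=flexagondev,DC=local)"
    "(memberOf=CN=FDAdmins,CN=Users,DC=flexagondev,DC=local)))"
)


if __name__ == "__main__":
    for template in (OPENLDAP_TEMPLATE, AD_TEMPLATE, AD_TWO_GROUPS_TEMPLATE):
        print(is_well_formed(template), build_user_filter(template, "jdoe"))
    # Constructed hostile login name: once escaped it stays a literal value.
    print(build_user_filter(AD_TEMPLATE, "*)(sAMAccountName=*"))
    # Three terms with no leading "(&": not a single filter expression.
    print(is_well_formed("(objectClass=user)(sAMAccountName={0})"))
```

Run the module directly to see each template checked and filled in; the well-formedness check is the one to run against any filter copied by hand from another system, since LDAP servers reject an unbalanced filter at bind time, which shows up as a failed Test Connection rather than as a clear error in the realm page.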
Group Mapping with External Directory Servers
FlexDeploy provides features to map external directory server groups to FlexDeploy groups, which makes it very easy to manage FlexDeploy users in your environment. Fine-grained access to FlexDeploy features is still controlled by FlexDeploy groups, and by mapping external directory groups to FlexDeploy groups, you essentially control access to FlexDeploy features. You can configure FlexDeploy group permissions using the Permissions page and from the Security section of individual objects supporting object-level permissions (folders/projects, target groups, releases, etc.).
In order to set up group mapping, first make sure to enable group mapping from the realm’s group mapping tab and provide the group search base and filter. If you haven’t already loaded external groups for this realm or they need to be refreshed, click the Fetch External Groups button or the Refresh External Groups button.
Select a specific FlexDeploy group to work with first. Then, search and select external groups to map to the selected FlexDeploy Group. See the figure below, where we have mapped the LDAP group Enterprise Admins to the FlexDeploy FD Administrators group.
Realm configuration changes including the mapping configuration require a recycle of the FlexDeploy server process, but changes to the groups being mapped do not require a recycle.
Apache Directory Server Realm Example
Active Directory Realm Example
For Active Directory, FlexDeploy uses the User logon name (pre-Windows 2000) rather than the regular User logon name. See the screenshot for an example.
Migrating from Active Directory/LDAP to SSO
Many customers are migrating from AD/LDAP to SSO to take advantage of single sign-on, MFA, and so on.
SAML and External Realm users are compatible with each other, so existing users will work using SAML instead, as long as their usernames match. To modify the username that FlexDeploy receives, change the Unique User Identifier (Name ID) claim in the SAML provider; no changes are needed in FlexDeploy for this. If the username format doesn't match, users will be asked to set up new accounts. Schedule a downtime window and test with a known user. If the user reaches the new-user screen, the mapping didn't work: don't have them complete the screen; instead, go back and adjust the name claim again.
If you can't get the names to match for your users, you can also run a SQL update to modify the names already in FlexDeploy to match. If you prefer to do that, open a support ticket for assistance.
Additionally, ensure that you have claims for the email, first name, and last name. They are used to help set up new users.
However, if you have group mapping enabled with an LDAP realm, note that group mapping isn't yet supported for SSO, with either SAML or OIDC. This is something Flexagon is considering adding to its road map, but it isn't there yet. If you want to carry over your current LDAP-mapped groups, there is a SQL query you can use to transfer that data. If you don't do that, the groups will be missing. Future groups won't be added for you after the transition, so if group mapping is important to you, it may not be time to transition yet.
Using ldaps
A FlexDeploy realm can be configured to use the ldaps protocol, which requires adding the server certificate to the Java cacerts file or to the application server trust store.
You may encounter java.security.cert.CertificateException: No subject alternative names present when using an SSL connection and the hostname in the connection URL does not match the SSL certificate of the server. This error occurs in Java 1.8.0_181 or higher because that update includes security improvements for LDAP support: endpoint identification is now enabled on LDAPS connections. In this situation, you must regenerate the LDAP server certificate so that its SAN or CN matches the hostname of the LDAP server configured in the connection URL. This is not recommended for production installations, but you can temporarily disable the check by adding -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true to the server startup arguments.
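Before regenerating a certificate (or reaching for the disable flag) it helps to predict whether endpoint identification will accept the certificate you have. The following is an added example, not FlexDeploy's or the JDK's code. It reproduces the hostname rule that Java applies to LDAPS connections once endpoint identification is enabled, taken here to be the same RFC 6125 style rule used for HTTPS (an assumption, not something the page states): the host in the URL must match a subjectAltName dNSName entry, or an iPAddress entry when the URL carries an IP literal, and the subject CN is only consulted when the certificate has no dNSName entries at all. The SAN and CN values are passed in as plain strings, for instance copied from the output of `openssl x509 -in server.pem -noout -ext subjectAltName -subject`; the hostnames and addresses used at the bottom are constructed.

```python
"""Endpoint identification check for an LDAPS realm URL.

Added example, not FlexDeploy's or the JDK's code. It applies the RFC 6125
style hostname rule (assumed to be what Java's LDAPS endpoint identification
uses) to the host taken from the realm URL and to SAN/CN values read from the
server certificate by other means.
"""
import ipaddress
from urllib.parse import urlsplit


def ldap_url_host(url: str) -> str:
    """Return the host part of an ldap:// or ldaps:// URL (lower-cased, no port)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"not an LDAP URL: {url!r}")
    return parts.hostname


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive comparison; a wildcard is allowed only as the whole
    leftmost label, matches exactly one label, and never covers a bare TLD."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[2:]
    host_labels = host.split(".")
    return (
        len(suffix.split(".")) >= 2      # "*.com" is not an acceptable pattern
        and len(host_labels) >= 2
        and host_labels[0] != ""
        and ".".join(host_labels[1:]) == suffix
    )


def hostname_matches(host, san_dns_names=(), san_ip_addresses=(), common_name=None) -> bool:
    """Decide whether a certificate identifies `host` under endpoint identification."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal in the URL must appear as a SAN iPAddress entry; the CN is not used.
        return any(ipaddress.ip_address(entry) == ip for entry in san_ip_addresses)
    if san_dns_names:
        # Once the certificate carries dNSName entries, the CN is ignored entirely.
        return any(_dns_name_matches(name, host) for name in san_dns_names)
    # Fallback to the subject CN only when no dNSName SAN exists.
    return common_name is not None and _dns_name_matches(common_name, host)


def check_realm_url(url, san_dns_names=(), san_ip_addresses=(), common_name=None) -> bool:
    """Convenience wrapper: extract the host from the realm URL and check it."""
    return hostname_matches(ldap_url_host(url), san_dns_names, san_ip_addresses, common_name)


if __name__ == "__main__":
    # Constructed values: a realm URL plus SAN/CN data as read from a certificate.
    url = "ldaps://ldap.example.com:636"
    print(check_realm_url(url, san_dns_names=["ldap.example.com"]))          # accepted
    print(check_realm_url(url, san_dns_names=["*.example.com"]))             # accepted
    print(check_realm_url(url, common_name="ldap.example.com"))              # CN fallback, no SAN
    print(check_realm_url(url, san_dns_names=["dc01.example.com"],
                          common_name="ldap.example.com"))                   # rejected: SAN wins
    print(check_realm_url("ldaps://10.0.0.5:636", common_name="10.0.0.5"))   # rejected: needs SAN IP
```

The fourth case is the one behind most "No subject alternative names present" style failures in practice: the realm URL uses a DNS alias, the certificate's SAN lists only the host's real name, and the matching CN no longer rescues it. The fix the page recommends, reissuing the certificate with the alias in the SAN, is what makes this function return True without touching the JVM flag.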