LDAP

Users in aqua can be authenticated via LDAP.
 
Precondition: the user must already exist in aqua, that is, the username exists in both systems, aqua and LDAP. If you have a large number of users, you can also use the following script to retrieve users from LDAP, initially or on a recurring basis, and create them in aqua. You can also write your own custom scripts against the aqua REST API to create the users.
 

Installation

First, stop the server. To do so, open the IIS Manager on the Microsoft Windows server.
Click on 'aquaAPIPool' and stop it first with the button on the right side.
After that, stop 'aquaFileServerPool', 'aquaWebservicePool' and (if installed) 'aquaWebNGAppPool'.
Your server is now stopped.
 

Configuration

Open the Web.config file of the aqua backend. It is usually located in:
 
C:\Program Files\andagon GmbH\aqua For IIS\Web\Webservice
 
Ensure that the RemotingModules section is declared in <configSections>. Then define the <RemotingModules> section and include the reference to aquaLDAP. As a third step, add the LDAP settings to the <appSettings> section. The settings are:
 
LDAP.ServerAddress: LDAP server address (IP or hostname, without any prefix)
LDAP.ServerPort: LDAP server port
LDAP.UseSSL: defines whether the connection to the LDAP server is SSL-encrypted (if supported by your LDAP server)
LDAP.BaseDN: distinguished name of the branch in which aqua users are searched (recursively)
LDAP.UsernameFilter: filter used to look up the username in LDAP; {0} stands for the username entered at login
LDAP.DiscoveryUserDN: (optional) DN of the account aqua binds with if the LDAP server requires authentication for searches
LDAP.DiscoveryUserPassword: (optional) password of that account
 
  ...
  <configSections>
    <section name="CompatibleClients" type="aqua.Server.Configuration.CompatibleClientSection, aquaUtils" />
  </configSections>
 
  <appSettings>
    ...
    <add key="LDAP.ServerAddress" value="192.168.56.101" />
    <add key="LDAP.ServerPort" value="389" />
    <add key="LDAP.UseSSL" value="false" />
    <add key="LDAP.BaseDN" value="ou=aqua,dc=andagon,dc=com" />
    <add key="LDAP.UsernameFilter" value="uid={0}" />
    <add key="LDAP.DiscoveryUserDN" value="" />
    <add key="LDAP.DiscoveryUserPassword" value="" />
  </appSettings>
  ...
 
Save and close Web.config.
 

Start aqua Server

After configuration, you can start your aqua server again. Go back to the IIS Manager and start 'aquaAPIPool', 'aquaFileServerPool', 'aquaWebservicePool' and (if installed) 'aquaWebNGAppPool'.


Configuring multiple LDAP servers
You can connect up to 50 different LDAP servers to aqua. When a user authenticates, the servers are checked one by one.
 
The configuration is extended by adding an index to the key names. The index defines the order in which the servers are tried for authentication. You can use any index from 1 to 50, for example:
 
    <add key="LDAP.1.ServerAddress" value="aquatest-ldap" />
    <add key="LDAP.1.ServerPort" value="389" />
    <add key="LDAP.1.UseSSL" value="false" />
    <add key="LDAP.1.BaseDN" value="ou=aqua,dc=aquatest-ldap,dc=andagon,dc=com" />
    <add key="LDAP.1.UsernameFilter" value="uid={0}" />
    <add key="LDAP.1.DiscoveryUserDN" value="" />
    <add key="LDAP.1.DiscoveryUserPassword" value="" />
 
To configure multiple servers, copy this block as often as needed and change the index and the addresses.
 
Backward compatibility with the previous (unindexed) configuration is kept: old configurations continue to work without changes.
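An added example (not part of the aqua documentation or product) covering the settings above and the indexed multi-server extension: it parses the LDAP.* and LDAP.<n>.* keys from a constructed Web.config fragment into one block per server in index order, runs the checks a reviewer would make on each block (UseSSL off, whitespace in BaseDN, a UsernameFilter without {0}), and shows RFC 4515 escaping of the username before it is substituted into the filter. Treating the unindexed legacy block as index 0, the audit checks and the escaping helper are assumptions of this example, not documented aqua behaviour.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample Web.config fragment (not from a real installation):
# one legacy unindexed server block plus one indexed server block.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="LDAP.ServerAddress" value="192.168.56.101" />
    <add key="LDAP.ServerPort" value="389" />
    <add key="LDAP.UseSSL" value="false" />
    <add key="LDAP.BaseDN" value="ou=aqua,dc=andagon,dc=com " />
    <add key="LDAP.UsernameFilter" value="uid={0}" />
    <add key="LDAP.1.ServerAddress" value="aquatest-ldap" />
    <add key="LDAP.1.ServerPort" value="636" />
    <add key="LDAP.1.UseSSL" value="true" />
    <add key="LDAP.1.BaseDN" value="ou=aqua,dc=aquatest-ldap,dc=andagon,dc=com" />
    <add key="LDAP.1.UsernameFilter" value="uid=" />
  </appSettings>
</configuration>"""

# "LDAP.<setting>" (legacy) or "LDAP.<index>.<setting>" (multi-server form)
KEY_RE = re.compile(r"^LDAP\.(?:(\d+)\.)?(\w+)$")

def parse_ldap_servers(xml_text):
    """Per-server dicts ordered by index; the legacy unindexed block is treated as index 0 (assumption)."""
    servers = {}
    for add in ET.fromstring(xml_text).iter("add"):
        m = KEY_RE.match(add.get("key", ""))
        if m:
            idx = int(m.group(1) or 0)
            servers.setdefault(idx, {})[m.group(2)] = add.get("value", "")
    return [servers[i] for i in sorted(servers)]

def audit_server(cfg):
    """Findings a reviewer would raise for one server block (checks are this example's own)."""
    findings = []
    if cfg.get("UseSSL", "false").lower() != "true":
        findings.append("UseSSL is off: bind credentials cross the network unencrypted")
    if cfg.get("BaseDN", "") != cfg.get("BaseDN", "").strip():
        findings.append("BaseDN has leading/trailing whitespace")
    if "{0}" not in cfg.get("UsernameFilter", ""):
        findings.append("UsernameFilter lacks the {0} username placeholder")
    return findings

def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into {0} of the username filter."""
    return "".join(c if c not in "\\*()\x00" else "\\%02x" % ord(c) for c in value)

def build_username_filter(template, username):
    return template.replace("{0}", escape_filter_value(username))
```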

