LDAP (Lightweight Directory Access Protocol)
LDAP (Lightweight Directory Access Protocol) is a directory access protocol used to query and manage information stored hierarchically, such as identity and user authentication information in corporate networks.
In this tutorial, we will demonstrate how to configure ParkPow to provide the option of user authentication through LDAP, leveraging the benefits of this protocol to efficiently and securely manage identity information.
LDAP configuration
Follow the steps below to configure ParkPow to authenticate against your LDAP server.
Make sure you are running the latest version of ParkPow on-premises before you start. Follow the procedure here to install the latest version.
Go to Settings > Users > Configure LDAP
To begin the configuration, go to Settings > Users. In the upper right corner, a "Configure LDAP" button should appear, as shown in the image below:

If the button is not available, please upgrade to the latest version of ParkPow on-premises.
Configure LDAP Settings
Fill in the fields with the settings related to your server.
Server URL:
This setting refers to the LDAP server address you want to access. Typically, the URL will include the protocol (LDAP or LDAPS), the domain name or IP address of the server, and the port if you're not using the default port.
Examples:
ldap://192.168.0.10:389
ldaps://192.168.0.10:636
Bind DN (Distinguished):
The Bind DN is the Distinguished Name (DN) you use to authenticate initially to the LDAP server. Usually, it's the DN of a user with read permissions in the directory. This allows you to establish an initial connection to the server before performing user queries or authentications.
Example:
uid=admin,ou=system
The selected user should have the necessary permissions for accessing the directory hierarchy.
Bind Password:
The password corresponding to the Bind DN. This password is used to authenticate the initial connection to the LDAP server.
User Attribute Mapping (User attr map):
This setting specifies how user attributes in LDAP correlate with user attributes in your system. Since ParkPow authenticates users exclusively by email, the LDAP account must have an email attribute, and the email key must be mapped to it.
Example:
{
  "email": "mail",
  "username": "sAMAccountName",
  "last_name": "sn",
  "first_name": "cn"
}
The example above shows a standard configuration of an OpenLDAP server. Note that the attribute names (mail, sn, cn) may vary depending on your LDAP server.
The email field is mandatory. It must map to the LDAP attribute that holds the user's email address, as it is used for authentication.
User Search:
The user search configuration defines the parameters for locating and authenticating users in the LDAP directory. It includes the search base (Base DN), which is the point in the directory hierarchy where the search begins, and an optional search filter that restricts the results.
Example:

Connection options
This parameter should be added if your server has any specific connection settings.
Start TLS
Check this option if the server supports StartTLS. This upgrades a plain ldap:// connection to an encrypted one.
Do not enable Start TLS when using ldaps://. LDAPS connections are already encrypted from the start, so enabling Start TLS is unnecessary and will be ignored automatically.
Enable User Authentication
Check this option to enable/disable LDAP authentication in ParkPow.
Step 3
Save the settings. ParkPow will attempt to connect to the LDAP server and, if the connection succeeds, the settings will be saved.
If the connection to the server is unsuccessful, the image below will be displayed.

Review the settings and try saving again.
Certificate validation (LDAPS and StartTLS)
If your LDAP server requires certificate validation, make the CA certificate available to the ParkPow Docker container by declaring the LDAPTLS_CACERT environment variable and mounting the certificate file into the container using a volume in your Docker Compose file.
Below is an example of how to do this; be sure to add the volume and environment variable to the web service in your docker-compose.yml file:
services:
  web:
    environment:
      - LDAPTLS_CACERT=/app/certs/CA.pem
    volumes:
      - /path/to/your/CA.pem:/app/certs/CA.pem
Replace /path/to/your/CA.pem with the actual path to your CA certificate on the host machine.
Both the environment variable and the volume mapping are required. Declaring only the environment variable without mounting the file will cause the connection to fail.
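A pre-save check of the values described above, as an added example that is not part of ParkPow or its documentation: it flags an ldap:// connection without Start TLS, a redundant Start TLS on ldaps://, a User attr map with no email key, and an LDAPTLS_CACERT path that no volume mounts. The function name check_ldap_settings and its parameters are hypothetical, and volumes are assumed to use the Compose short syntax.

```python
import json
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

def check_ldap_settings(server_url, start_tls, attr_map_json,
                        environment=(), volumes=()):
    """Return (severity, message) findings for values about to be saved."""
    findings = []
    try:
        url = urlsplit(server_url)
        port = url.port  # raises ValueError on a non-numeric port
    except ValueError:
        return [("error", "Server URL cannot be parsed")]
    if url.scheme not in DEFAULT_PORTS or not url.hostname:
        return [("error", "Server URL must be ldap://host[:port] or ldaps://host[:port]")]
    port = port or DEFAULT_PORTS[url.scheme]
    other = "ldaps" if url.scheme == "ldap" else "ldap"
    if port == DEFAULT_PORTS[other]:
        findings.append(("warning", f"{url.scheme}:// used with port {port}, "
                                    f"the default {other}:// port"))
    if url.scheme == "ldaps" and start_tls:
        findings.append(("warning", "Start TLS is unnecessary with ldaps://"))
    if url.scheme == "ldap" and not start_tls:
        findings.append(("warning", "connection is not encrypted: bind and "
                                    "user passwords are exposed in transit"))
    # ParkPow authenticates by email, so the map must contain an "email" key.
    try:
        attr_map = json.loads(attr_map_json)
    except json.JSONDecodeError:
        attr_map = None
    email_attr = attr_map.get("email") if isinstance(attr_map, dict) else None
    if not (isinstance(email_attr, str) and email_attr.strip()):
        findings.append(("error", 'User attr map must be JSON with "email" '
                                  "mapped to an LDAP attribute name"))
    # LDAPTLS_CACERT must point at a path that a volume mounts in the container.
    # Assumes compose short syntax: "host_path:container_path[:mode]".
    mounted = {v.split(":")[1] for v in volumes if ":" in v}
    for entry in environment:
        name, _, value = entry.partition("=")
        if name == "LDAPTLS_CACERT" and value not in mounted:
            findings.append(("error", f"LDAPTLS_CACERT={value} has no matching volume"))
    return findings

if __name__ == "__main__":
    # Constructed sample values, reusing the examples from this page.
    for finding in check_ldap_settings(
            "ldap://192.168.0.10:389", False, '{"email": "mail", "last_name": "sn"}',
            environment=["LDAPTLS_CACERT=/app/certs/CA.pem"], volumes=[]):
        print(*finding, sep=": ")
```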
User configuration
After configuring the server, users with permissions can log in to ParkPow, and they will receive the default permission level (Viewer).
If it's necessary to change user permissions, after the user's first login, access the user settings menu and modify the permissions as needed.