Introduction

The JFrog Platform Deployment (JPD) supports integration with an Active Directory server to authenticate users and synchronize groups.

When authentication using Active Directory is configured and active, JPD first attempts to authenticate the user against the Active Directory server. If the authentication fails, JPD tries to authenticate via its internal database.

For every externally authenticated user configured in your Active Directory server, JPD creates a new user in the internal database (provided the user does not already exist), and automatically assigns that user to the default groups.

WebUI Changes implemented in Artifactory 7.38.x and above

Security is now called Authentication Providers. All the relevant text and images on this page have been updated to reflect this change.

Working With Active Directory

We will describe how to configure the JPD to work with Active Directory using an example.

Consider an Active Directory server that must support the following conditions:

  • Users are located in two geographically separated sites. Some are in the US (designated as "us"), while others are in Israel (designated as "il").
  • Each site defines users and groups in different places in the Active Directory tree as displayed below.

Active Directory Structure

To configure Active Directory authentication, in the Admin module, go to Authentication Providers | LDAP and click New.

The configuration parameters are as follows:

Settings Name
The unique ID of the Active Directory setting.
Enabled

When set, these settings are enabled.

LDAP URL

Location of the Active Directory server LDAP access point, in the format ldap://myserver:myport/dc=sampledomain,dc=com.

The URL may include the base DN used to search for and/or authenticate users. If it does not, the Search Base field is required.

Auto Create System Users
When set, the JPD will automatically create new users for those who have logged in using Active Directory. Any newly created users will be associated to the default groups.
Allow Created Users Access to Profile Page
When set, users created automatically will have access to their profile page and perform actions such as generating an API key.
User DN Pattern

A DN pattern used to log users directly in to the LDAP database.

For Active Directory, we recommend leaving this field blank, since this only works if anonymous binding is allowed and a direct user DN can be used, which is not the default case in Active Directory.

Email Attribute

An attribute that can be used to map a user's email to a user created automatically by JPD.

This corresponds to the mail field in Active Directory.

Search Filter

A filter expression used to search for the user DN that is used in Active Directory authentication.
This is an LDAP search filter (as defined in RFC 2254, now superseded by RFC 4515) with optional arguments. In this case, the username is the only argument, denoted by '{0}'.

For Active Directory, the corresponding field should be sAMAccountName={0}.

Search Base

The Context name in which to search relative to the base DN in the Active Directory URL. This parameter is optional, but if possible, we highly recommend that you set it to prevent long searches on the Active Directory tree. Leaving this field blank will significantly slow down the Active Directory integration.

The configuration in the example below indicates that search should only be performed under "frogs/il" or "frogs/us". This improves search performance since the JPD will not search outside the scope of the "frogs" entry.

Manager DN

The full DN of a user with permissions that allow querying the Active Directory server. When working with LDAP Groups, the user must also be able to read any extra group attributes such as memberOf. Read access to the relevant user and group entries is all this account needs; use a dedicated, low-privilege service account rather than a domain administrator, since its credentials are held by the JPD.

Manager Password

The password of the user binding to the Active Directory server when using "search" authentication.

Search Sub Tree
When set, enables deep search through the sub-tree of the Active Directory URL + Search Base. True by default.
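The search-then-bind flow that these settings drive, as an added example that is not JFrog's code. It simulates the server side with a constructed in-memory directory (hypothetical users under dc=sampledomain,dc=com; the host ad.sampledomain.com, the svc-artifactory service account and all passwords are invented) so that it runs offline, and adds the two checks a practitioner wants around this page: the username is escaped per RFC 4515 before it replaces {0}, so a value such as * or x)(objectClass=* cannot rewrite the filter, and an empty password is rejected before the user bind, because LDAP treats an empty-password bind as an unauthenticated (anonymous) bind rather than a failure.

```python
"""Artifactory-style LDAP "search" authentication, simulated offline.

Added example (not JFrog code). DIRECTORY is a constructed stand-in for an
Active Directory server; the flow follows the settings on this page: LDAP URL
(+ optional base DN), Search Base, Search Filter with {0}, Manager DN bind,
Search Sub Tree, then a bind as the user that was found.
"""
from __future__ import annotations
import re
from urllib.parse import unquote, urlsplit

# RFC 4515 (successor of RFC 2254) escaping for values substituted into a filter.
# Without it a username such as "*" or "x)(objectClass=*" rewrites the filter
# instead of being matched literally (LDAP filter injection).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_filter(template: str, username: str) -> str:
    """Substitute the escaped username for {0}; accept 'attr={0}' or '(attr={0})'."""
    f = template.replace("{0}", escape_filter_value(username))
    return f if f.startswith("(") else f"({f})"

def parse_ldap_url(url: str) -> tuple[str, int, str]:
    """Split ldap(s)://host:port/base-dn into (host, port, base_dn); base may be ''."""
    p = urlsplit(url)
    if p.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {p.scheme}")
    return p.hostname, p.port or (636 if p.scheme == "ldaps" else 389), unquote(p.path.lstrip("/"))

def _rdns(dn: str) -> list[str]:
    # Good enough for the example; a real DN parser must also handle escaped commas.
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]

def in_scope(dn: str, base_dn: str, sub_tree: bool) -> bool:
    """True if dn lies under base_dn; with Search Sub Tree off only direct children count."""
    parts, base = _rdns(dn), _rdns(base_dn)
    if len(parts) <= len(base) or parts[-len(base):] != base:
        return False
    return sub_tree or len(parts) == len(base) + 1

def matches_filter(filter_expr: str, attrs: dict) -> bool:
    """Evaluate one equality assertion such as (sAMAccountName=alice). A bare '*' is a
    presence test, which is exactly what an unescaped '*' username would turn into."""
    m = re.fullmatch(r"\(?([A-Za-z][\w-]*)=([^()]*)\)?", filter_expr)
    if not m:
        raise ValueError(f"unsupported or malformed filter: {filter_expr}")
    attr, raw = m.group(1), m.group(2)
    if raw == "*":
        return attr in attrs
    return attrs.get(attr, "").lower() == unescape_filter_value(raw).lower()  # AD matches case-insensitively

# Constructed sample directory (hypothetical entries, not from the page).
DIRECTORY = {
    "cn=svc-artifactory,ou=service,dc=sampledomain,dc=com": {
        "sAMAccountName": "svc-artifactory", "userPassword": "manager-secret"},
    "cn=Alice Frog,ou=il,ou=frogs,dc=sampledomain,dc=com": {
        "sAMAccountName": "alice", "mail": "alice@sampledomain.com", "userPassword": "alice-pw"},
    "cn=Bob Frog,ou=us,ou=frogs,dc=sampledomain,dc=com": {
        "sAMAccountName": "bob", "mail": "bob@sampledomain.com", "userPassword": "bob-pw"},
    "cn=Carol Ext,ou=contractors,dc=sampledomain,dc=com": {
        "sAMAccountName": "carol", "mail": "carol@example.net", "userPassword": "carol-pw"},
}

def bind(dn: str, password: str) -> bool:
    """Simple bind. An empty password must fail here: on a real server it is an
    unauthenticated bind, which succeeds without proving anything (RFC 4513)."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password != "" and entry["userPassword"] == password

def search_user(username: str, base_dn: str, sub_tree: bool = True,
                search_filter: str = "sAMAccountName={0}") -> str | None:
    """Manager-side search: the single matching DN, or None on zero or ambiguous hits."""
    filt = build_filter(search_filter, username)
    hits = [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn, base_dn, sub_tree) and matches_filter(filt, attrs)]
    return hits[0] if len(hits) == 1 else None

def authenticate(username: str, password: str, settings: dict) -> str | None:
    """Return the user's DN on success, None on failure (the JPD then falls back
    to its internal database, as described above)."""
    _host, _port, url_base = parse_ldap_url(settings["ldap_url"])
    base_dn = ",".join(p for p in (settings.get("search_base", ""), url_base) if p)
    if not base_dn:
        raise ValueError("LDAP URL carries no base DN, so Search Base is required")
    if not bind(settings["manager_dn"], settings["manager_password"]):
        raise PermissionError("Manager DN bind failed; check Manager DN / Manager Password")
    user_dn = search_user(username, base_dn, settings.get("search_sub_tree", True),
                          settings.get("search_filter", "sAMAccountName={0}"))
    return user_dn if user_dn and bind(user_dn, password) else None

# Settings as they would be entered on the Authentication Providers | LDAP page.
SETTINGS = {
    "ldap_url": "ldap://ad.sampledomain.com:389/dc=sampledomain,dc=com",
    "search_base": "ou=frogs",
    "search_filter": "sAMAccountName={0}",
    "search_sub_tree": True,
    "manager_dn": "cn=svc-artifactory,ou=service,dc=sampledomain,dc=com",
    "manager_password": "manager-secret",
}
```

With these settings authenticate("alice", "alice-pw", SETTINGS) returns Alice's DN, while carol (outside ou=frogs), a wrong or empty password, Search Sub Tree switched off (Alice sits one level below ou=frogs) and the injection strings all yield None. The same matches_filter shows why the escaping matters: the unescaped filter (sAMAccountName=*) is satisfied by every entry in the directory.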

Importing Active Directory Groups

Active Directory groups can be imported using either a Static mapping strategy or a Dynamic one (Active Directory works with both).

The only difference is in the attribute defined on the corresponding Active Directory entry:

  • The Static mapping strategy defines a "member" multi-value attribute on the group entry containing user DNs of the group members.
  • The "Dynamic" configuration defines a "memberOf" multi-value attribute on the user entry containing group DNs of the groups the user is a member of.

Active Directory supports both configurations, so you can choose the one which fits your organization's structure.

Support for Nested Groups

The JFrog Platform supports synchronization with Active Directory "Nested Groups".

From Artifactory 7.3, an improved Active Directory "Nested Groups" search is supported, providing performance improvements when working with LDAP.

Prerequisite

This feature requires that Active Directory run on Windows Server 2012 R2 version or later. There are no additional requirements for the Active Directory Windows Server side.

To enable the feature:

  • Set the Dynamic Strategy with a group setting definition.
  • Set the msds-memberOfTransitive value for the membership attribute.

Mapping Strategy: Dynamic
Group Membership Attribute:msds-memberOfTransitive
Group Name Attribute:cn
Filter: (objectClass=group)

Microsoft provides a unique OID for rule chain matching as part of the search filter syntax (1.2.840.113556.1.4.1941, LDAP_MATCHING_RULE_IN_CHAIN). An LDAP query to Active Directory that uses this OID in the membership attribute returns every group the user belongs to, including those reached only through nested membership, in a single search.

Mapping Strategy:Static
Group Membership Attribute:member:1.2.840.113556.1.4.1941:
Group Name Attribute:cn
Filter:(objectClass=group)
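A worked resolution of the three membership views the settings above select, as an added example that is not JFrog's code. The group tree is constructed (hypothetical groups il-devs, devs and release-managers under ou=groups,dc=sampledomain,dc=com, and users alice and bob); only the attribute names and the matching-rule OID come from the page. It shows that reading member (Static) or memberOf (Dynamic) yields direct membership only, that msds-memberOfTransitive or the member:1.2.840.113556.1.4.1941: assertion yields the full nested closure, and what the Static-strategy filter sent to Active Directory looks like.

```python
"""Nested-group membership as the Static, Dynamic and transitive settings see it.

Added example (not JFrog code). GROUPS is a constructed stand-in for the group
entries of an AD domain; the attribute names and the matching-rule OID are AD's.
"""
from __future__ import annotations
from collections import deque

OU = "ou=groups,dc=sampledomain,dc=com"
ALICE = "cn=alice,ou=il,ou=frogs,dc=sampledomain,dc=com"
BOB = "cn=bob,ou=us,ou=frogs,dc=sampledomain,dc=com"
IL_DEVS, DEVS, RELEASE = f"cn=il-devs,{OU}", f"cn=devs,{OU}", f"cn=release-managers,{OU}"

# Constructed nesting: release-managers > devs > il-devs > alice; bob sits directly in devs.
# "member" is the forward link the Static strategy reads.
GROUPS = {
    IL_DEVS: {"objectClass": ["top", "group"], "cn": "il-devs", "member": [ALICE]},
    DEVS: {"objectClass": ["top", "group"], "cn": "devs", "member": [IL_DEVS, BOB]},
    RELEASE: {"objectClass": ["top", "group"], "cn": "release-managers", "member": [DEVS]},
}

def member_of(dn: str) -> set[str]:
    """AD's memberOf back-link, which the Dynamic strategy reads: direct groups only."""
    return {g for g, attrs in GROUPS.items() if dn in attrs["member"]}

def member_of_transitive(dn: str) -> set[str]:
    """What msds-memberOfTransitive (or member:1.2.840.113556.1.4.1941:) resolves to:
    every group reachable through nesting. `seen` also stops on circular nesting."""
    seen, queue = set(), deque([dn])
    while queue:
        for g in member_of(queue.popleft()):
            if g not in seen:
                seen.add(g)
                queue.append(g)
    return seen

def transitive_members(group_dn: str) -> set[str]:
    """The group-side view of the same OID: every DN reachable through member links."""
    seen, queue = set(), deque([group_dn])
    while queue:
        for m in GROUPS.get(queue.popleft(), {}).get("member", []):
            if m not in seen:
                seen.add(m)
                queue.append(m)
    return seen

def group_names(dns, name_attr: str = "cn") -> set[str]:
    """Apply the Group Name Attribute setting to a set of group DNs."""
    return {GROUPS[g][name_attr] for g in dns}

def _escape(value: str) -> str:
    # RFC 4515 escaping for a DN placed inside a filter value.
    return "".join({"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29"}.get(c, c) for c in value)

def static_group_query(user_dn: str, membership_attr: str = "member:1.2.840.113556.1.4.1941:",
                       group_filter: str = "(objectClass=group)") -> str:
    """The search filter the Static settings above produce: the group Filter ANDed
    with a matching-rule-in-chain assertion on the user's DN."""
    return f"(&{group_filter}({membership_attr}={_escape(user_dn)}))"

def groups_matching(user_dn: str) -> set[str]:
    """Evaluate that query locally: groups whose transitive membership holds the user."""
    return {g for g, a in GROUPS.items() if "group" in a["objectClass"] and user_dn in transitive_members(g)}
```

Synchronising with plain member or memberOf gives alice only il-devs; with the transitive attribute or the OID she also receives devs and release-managers. If Artifactory permissions are granted to those parent groups, the difference decides whether she gets them at all, so the choice between the two settings is an authorization decision, not a performance one.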

The following displays the settings.


Using Secure Active Directory

To use Secure Active Directory with a valid certificate from a CA trusted by Java (present in the JVM truststore that Artifactory runs with), all you need to do is use a secure Active Directory URL in your settings, e.g. ldaps://secure_ldap_host:636/dc=sampledomain,dc=com.

If you want to use Secure Active Directory with a non-trusted (self-signed) certificate, follow the steps described in Managing TLS Certificates. Do not work around a failing certificate check by falling back to plain ldap://: a simple bind over ldap:// sends the Manager Password and every user's password in clear text.

Manager DN

To construct the Manager DN string according to your Active Directory server, navigate to the user that will act as the bind account (the screenshot uses Administrator, marked (1)), and then construct the Manager DN in reverse order (2, 3) from the user up the folder hierarchy.

For example, in this simple configuration, the Manager DN here should be
cn=Administrator,cn=Users,dc=alljfrog,dc=org

Notice that the domain (3) is split in reverse order to
dc=alljfrog,dc=org

Copyright © 2022 JFrog Ltd.