LDAP Security (Enterprise)
For the purpose of supporting LDAP authentication and (optional) authorization, we have built an auth module that is packaged with Memgraph Enterprise. For more information about auth modules see the reference guide.
The module supports two operation modes:
- authentication only (LDAP bind request)
- authentication and authorization (LDAP bind and search requests)
Authentication​
When using LDAP authentication the module builds the DN used for authentication using the user specified username and the following formula:
DN = prefix + username + suffix
In most common situations the prefix
will be cn=
and the suffix
will be
,dc=example,dc=com
. With an example username alice
that would yield a DN
equal to cn=alice,dc=example,dc=com
which will then be used for the LDAP bind
operation with the user specified password.
Authorization​
Authentication is performed in the same way as above. After the user is
authenticated, the module searches through the role mapping root DN object that
contains role mappings. A role mapping object that has the current bound user
as its member
attribute is used as the user's role. The role that is mapped
to the user is the CN
attribute of the role mapping object. The attribute
that contains the user DN in the mapping object, as well as the attribute that
contains the role name, can be changed in the module configuration file to
accommodate your LDAP schema.
Note: When searching for a role in directories that have thousands of roles, the search process could take a long time. That could cause long login times.
Module requirements​
The module is written in Python 3 and it must be installed on the server for
you to be able to use it. The Python version should be at least 3.5
. Also,
you must have the following Python 3 libraries installed:
ldap3
- used to communicate with the LDAP serverPyYAML
- used to parse the configuration file
Module configuration​
The module configuration file is /etc/memgraph/auth_module/ldap.yaml
. An
initial example configuration file that has all settings documented and
explained is /etc/memgraph/auth_module/ldap.example.yaml
. You can copy the
example configuration file into the module configuration file to get you up and
running quickly.
Database configuration​
In order to enable use of the LDAP authentication and authorization module you
have to specify to Memgraph to use it. You should specify the flag
--auth-module-executable /usr/lib/memgraph/auth_module/ldap.py
.
Other flags that change the behavior of the database to module integration can be specified according to your needs.