Support Active Directory of TLS/SSL #601

Closed
brymon68 opened this issue Apr 4, 2020 · 4 comments
Labels: feature (use for describing a new feature to develop), solved (use to identify issue that has been solved; must be linked to the solving PR)
Milestone: Release 3.3.0
Comments

@brymon68

brymon68 commented Apr 4, 2020

Problem to Solve

passport-ldapauth allows for ldap access over TLS:
https://www.npmjs.com/package/passport-ldapauth#active-directory-over-ssl-example

Our ldap provider uses TLS. Our OpenCTI instance is configured to connect to our LDAP but seems to hang when clicking on 'Sign In' on the login page. Without proper debugging, I am taking a huge guess that this is due to the fact that we are not providing our cert.

Current Workaround

No workaround other than using local auth.

Proposed Solution

Support a method to pass via environment variable (Docker) for a path to the cert and then mount the cert via data volume.

Additional Information

We are using OpenCTI's docker installation.
Here is an example of a similar docker-compose.yml with environment variables we are using:

- PROVIDERS__LDAP_STRATEGY=LdapStrategy
- PROVIDERS__LDAP_CONFIG_URL=ldap://sec-ldap.mycompany.com
- PROVIDERS__LDAP_BIND_CREDENTIALS=password
- PROVIDERS__LDAP_SEARCH_BASE=ou=co,dc=company,dc=com,dc=com
- PROVIDERS__LDAP_SEARCH_FILTER=(uid={{username}})
- PROVIDERS__LDAP_EMAIL_ATTRIBUTE=uid
- PROVIDERS__LDAP_ACCOUNT_ATTRIBUTE=uid


@richard-julien richard-julien added the feature use for describing a new feature to develop label Apr 6, 2020
@richard-julien (Member)

Hi @brymon68, can you provide a test environment for that? Let's continue the discussion on Slack. Thanks.

@SamuelHassine (Member)

Hi @brymon68, LDAPS is now fully operational on OpenCTI; you can connect to your LDAP/AD over TLS.

@SamuelHassine SamuelHassine added this to the Release 3.3.0 milestone May 26, 2020
@SamuelHassine SamuelHassine added the solved use to identify issue that has been solved (must be linked to the solving PR) label May 26, 2020
@CRAI-Ruzila

@SamuelHassine Where is the documentation to implement LDAP/AD in OpenCTI? I can't find anything. I'm assuming just add the following based on what I've been able to find.

  • PROVIDERS__LDAP__STRATEGY=LdapStrategy
  • PROVIDERS__LDAP__CONFIG__URL=ldap://dc01:389
  • PROVIDERS__LDAP__CONFIG__BIND_DN=CN=Opencti,OU=Administration,DC=abc,DC=com
  • PROVIDERS__LDAP__CONFIG__BIND_CREDENTIALS=XXXXX
  • PROVIDERS__LDAP__CONFIG__SEARCH_BASE=OU=User Account,DC=abc,DC=com
  • PROVIDERS__LDAP__CONFIG__SEARCH_FILTER=(SAMAccountName={{username}})
  • PROVIDERS__LDAP__CONFIG__MAIL_ATTRIBUTE=mail
  • PROVIDERS__LDAP__CONFIG__ALLOW_SELF_SIGNED=true
  • PROVIDERS__LOCAL__STRATEGY=LocalStrategy
