For the purpose of supporting LDAP authentication and (optional) authorization, we have built an auth module that is packaged with Memgraph Enterprise. For more information about auth modules see the reference guide.
The module supports two operation modes:
authentication only (LDAP bind request)
authentication and authorization (LDAP bind and search requests)
When using LDAP authentication the module builds the DN used for authentication using the user specified username and the following formula:
DN = prefix + username + suffix
In most common situations the
prefix will be
cn= and the
suffix will be
,dc=example,dc=com. With an example username
alice that would yield a DN equal to
cn=alice,dc=example,dc=com which will then be used for the LDAP bind operation with the user specified password.
Authentication is performed in the same way as above. After the user is authenticated, the module searches through the role mapping root DN object that contains role mappings. A role mapping object that has the current bound user as its
member attribute is used as the user's role. The role that is mapped to the user is the
CN attribute of the role mapping object. The attribute that contains the user DN in the mapping object, as well as the attribute that contains the role name, can be changed in the module configuration file to accommodate your LDAP schema.
Note: When searching for a role in directories that have thousands of roles, the search process could take a long time. That could cause long login times.
The module is written in Python 3 and it must be installed on the server for you to be able to use it. The Python version should be at least
3.5. Also, you must have the following Python 3 libraries installed:
ldap3 - used to communicate with the LDAP server
PyYAML - used to parse the configuration file
The module configuration file is
/etc/memgraph/auth_module/ldap.yaml. An initial example configuration file that has all settings documented and explained is
/etc/memgraph/auth_module/ldap.example.yaml. You can copy the example configuration file into the module configuration file to get you up and running quickly.
In order to enable use of the LDAP authentication and authorization module you have to specify to Memgraph to use it. You should specify the flag
Other flags that change the behavior of the database to module integration can be specified according to your needs.