In Unomaly 3.3, the entire authentication flow has been revamped. If you are using the built-in user system, everything will be migrated and you shouldn't notice anything. If you are using LDAP though, you will need to migrate the configuration manually. This is a guide to help you in that process.
First, look at the old configuration, which is located in /DATA/unomaly_ldap.php on the instance. It can look something like this:
```php
'@example.com' => array(
    'servers' => 'dc1.example.com',
    'server_port' => '',
    'server_security' => 'tls',
    'server_version' => 3,
    'server_referrals' => 0,
    'username_mask' => '<USERNAME>@example.com',
    'user_email' => 'mail',
    'user_upn_attr' => 'userPrincipalName',
    'require_group' => true,
    'default_group' => 2,
    'bind_mode' => 'auth',
    'search_base' => 'cn=users,dc=example,dc=com',
    'search_filter' => '(&(objectclass=user)(objectcategory=user)(userPrincipalName=<USERNAME>*))',
    'search_user_dn' => '[email protected]',
    'search_user_pwd' => '---',
    'group_admin_dn' => 'cn=Unomaly Admins,cn=Users,dc=example,dc=com',
    'group_user_dn' => 'cn=Unomaly Users,cn=users,dc=example,dc=com',
    'group_limited_dn' => 'cn=Unomaly Limited Users,cn=users,dc=example,dc=com',
    'group_member_attr' => 'memberOf',
    'group_member_type' => 'dn'
),
```
To set up the new LDAP authentication, go to Settings --> Authentication in Unomaly, create a new LDAP configuration, and then press Edit to modify the settings.
If your configuration matches the one above, fill out the form like this:
| Field | Value |
| --- | --- |
| Realm | example.com |
| URL | ldap://dc1.example.com:389 |
| bindDN | |
| bindCredentials | --- |
| bindProperty | dn |
| searchBase | cn=users,dc=example,dc=com |
| searchFilter | (&(objectclass=user)(objectcategory=user)(userPrincipalName={{USERNAME}})) |
| searchScope | sub |
| Username property | |
| User email property | |
| groupSearchBase | cn=users,dc=example,dc=com |
| groupSearchFilter | (memberOf={{dn}}) |
| groupDnProperty | dn |
| groupSearchScope | sub |
| Default role | Limited |
| Attribute that maps to role | memberOf |
| Group DN for admin role | cn=Unomaly Admins,cn=Users,dc=example,dc=com |
| Group DN for standard role | cn=Unomaly Users,cn=users,dc=example,dc=com |
| Group DN for limited role | cn=Unomaly Limited Users,cn=users,dc=example,dc=com |
| TLS CA certificate | |
| TLS validate server identity | Check if you are using valid server certificates |
| TLS validate certificate | Check if you are using valid server certificates |
| TLS minimum protocol version | try with TLSv1.2 |
| TLS maximum protocol version | TLSv1.2 |
| Enable trace | false |
| Enable configuration | Enable |
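The field mapping above, carried out as an added Python example (not part of this guide or of Unomaly's own tooling): it takes the old PHP values re-typed as a dictionary and produces the values to type into the new form, rewriting the `<USERNAME>*` placeholder to `{{USERNAME}}`. Two assumptions not stated in the guide: `server_security` of `ssl` is treated as `ldaps://` on port 636, and `bindDN`/`bindCredentials` are taken from `search_user_dn`/`search_user_pwd`.

```python
import re

# Values from the old /DATA/unomaly_ldap.php shown above, re-typed as a dict (constructed input).
OLD_CONFIG = {
    "@example.com": {
        "servers": "dc1.example.com",
        "server_port": "",
        "server_security": "tls",
        "search_base": "cn=users,dc=example,dc=com",
        "search_filter": "(&(objectclass=user)(objectcategory=user)(userPrincipalName=<USERNAME>*))",
        "search_user_dn": "[email protected]",
        "search_user_pwd": "---",
        "default_group": 2,
        "group_admin_dn": "cn=Unomaly Admins,cn=Users,dc=example,dc=com",
        "group_user_dn": "cn=Unomaly Users,cn=users,dc=example,dc=com",
        "group_limited_dn": "cn=Unomaly Limited Users,cn=users,dc=example,dc=com",
        "group_member_attr": "memberOf",
    }
}

# The guide shows default_group 2 becoming the Limited role; any other value needs manual review.
DEFAULT_GROUP_TO_ROLE = {2: "Limited"}

def migrate_realm(realm_key, old):
    """Translate one old realm entry into the field values of the new Authentication form."""
    # The guide maps the old 'tls' (StartTLS) setting with no port to ldap://host:389.
    # Treating 'ssl' as ldaps:// on 636 is an assumption of this script, not something the guide states.
    scheme = "ldaps" if old.get("server_security") == "ssl" else "ldap"
    port = old.get("server_port") or ("636" if scheme == "ldaps" else "389")
    # Old filters used <USERNAME>, often with a trailing wildcard; the new form expects {{USERNAME}}.
    new_filter = re.sub(r"<USERNAME>\*?", "{{USERNAME}}", old["search_filter"])
    return {
        "Realm": realm_key.lstrip("@"),
        "URL": f"{scheme}://{old['servers']}:{port}",
        "bindDN": old.get("search_user_dn", ""),  # assumption: old search user becomes the bind user
        "bindCredentials": old.get("search_user_pwd", ""),
        "bindProperty": "dn",
        "searchBase": old["search_base"],
        "searchFilter": new_filter,
        "searchScope": "sub",
        "groupSearchBase": old["search_base"],  # the guide reuses the user search base for groups
        "groupSearchFilter": "(memberOf={{dn}})",
        "groupDnProperty": "dn",
        "groupSearchScope": "sub",
        "Default role": DEFAULT_GROUP_TO_ROLE.get(old.get("default_group"), "REVIEW MANUALLY"),
        "Attribute that maps to role": old.get("group_member_attr", "memberOf"),
        "Group DN for admin role": old["group_admin_dn"],
        "Group DN for standard role": old["group_user_dn"],
        "Group DN for limited role": old["group_limited_dn"],
    }
```

Call `migrate_realm(key, entry)` for each realm key in the old array and compare the result against the form before enabling the configuration.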
To investigate any issues with the LDAP configuration, review the API log. This log contains the authentication procedure as well as a request log. It can be followed using this command:
```
unomaly logs api -f
```
Some of the more common error messages are:

| Error | Meaning |
| --- | --- |
| INVALID_DN_SYNTAX | Indicates that the syntax of the DN is incorrect. (If the DN syntax is correct, but the LDAP server's structure rules do not permit the operation, the server returns code 53: LDAP_UNWILLING_TO_PERFORM.) |
| INVALID_CREDENTIALS | Indicates that during a bind operation one of the following occurred: the client passed either an incorrect DN or password, or the password is incorrect because it has expired, intruder detection has locked the account, or another similar reason. See the data code for more information. |
| NO_SUCH_ATTRIBUTE | Indicates that the attribute specified in the modify or compare operation does not exist in the entry. |
| UNDEFINED_TYPE | Indicates that the attribute specified in the modify or add operation does not exist in the LDAP server's schema. |