Soffid LDAP

Introduction to Soffid LDAP

What is Soffid LDAP?

Soffid LDAP is a complete LDAP server based on OpenLDAP. It is distributed only as a Docker container. The proposed system architecture is as follows:

[Image: proposed Soffid LDAP system architecture]

Soffid LDAP does not use the Soffid database directly. Instead, it has its own database, which can contain a subset or a superset of the information stored in the Soffid database.

The integrations work as follows:

How to install Soffid LDAP?

Installation

Prerequisites

To install Soffid LDAP you need Docker. Docker Desktop can be used for testing, but the Docker container runtime (Docker Engine) is recommended for real deployments.

Installation

To start Soffid LDAP, execute:

docker volume create ldapconf
docker volume create ldapdata
docker run --name soffidldap -p 1389:389 \
  -v ldapconf:/etc/ldap/slapd.d -v ldapdata:/var/lib/ldap -d \
  -e SOFFID_SERVER=https://<SYNCSERVERNAME>:760 -e SOFFID_AGENT=<SOFFID_AGENT> \
  -e USER=<ADMIN_USERNAME> -e PASSWORD=<ADMIN_PASSWORD> -e DN=<YOUR_BASE_DN> \
  soffidldap:latest

Now you can connect to the LDAP server on port 1389 with the administrator user name and password given to the container (USER and PASSWORD). Note that these values are stored in the container's environment and are visible to anyone who can run docker inspect on the host.

Docker commands

Stop the service
docker stop soffidldap
Start the service
docker start soffidldap
Remove the service
docker rm soffidldap

Docker Volumes

How to debug Soffid LDAP?

Steps to debug

1.- First of all, add the DEBUG environment variable to your container. Docker cannot add a variable to an existing container, so stop and remove it, then run the same docker run command again with this extra option (the ldapconf and ldapdata volumes are not removed with the container, so configuration and data are kept):

-e DEBUG=65535

2.- Make sure the Soffid LDAP container is running. An existing container is restarted with:

sudo docker restart <YOUR_CONTAINER>

3.- At this point, reproduce the problem against your LDAP server (for example with ldapsearch or with the application that fails)

4.- Retrieve the log with docker logs <YOUR_CONTAINER>. With the packet levels enabled (2 and 16) the log contains the content of LDAP operations, including simple-bind passwords in clear text, so treat it as a secret and delete it once the analysis is done

5.- Delete the DEBUG environment variable, again by recreating the container without it

6.- Restart the Soffid LDAP container

Log level

Multiple log levels may be combined, and the levels are additive. The table below shows which number corresponds to which kind of debugging. The possible values for the DEBUG integer are:

Level Description
-1 enable all debugging
0 no debugging
1 trace function calls
2 debug packet handling
4 heavy trace debugging
8 connection management
16 print out packets sent and received
32 search filter processing
64 configuration processing
128 access control list processing
256 stats log connections/operations/results
512 stats log entries sent
1024 print communication with shell backends
2048 print entry parsing debugging
16384 syncrepl consumer processing
32768 only messages that get logged whatever log level is set

The desired log level can be input as a single integer that combines the (ORed) desired levels.
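As an added example (not code from Soffid LDAP or OpenLDAP), the following Python composes a DEBUG value from the bits in the table, splits a value back into the bits it enables, and flags the packet-dump levels, which put the content of LDAP operations, including simple-bind passwords, into the log. The LEVELS table in the code is a copy of the one above; bits 4096 and 8192 are not described on this page, so a value such as 65535 is reported as containing two unlisted bits.

```python
"""Compose and decode the DEBUG value used by Soffid LDAP (slapd log levels).

Added example; not code from Soffid LDAP or OpenLDAP. LEVELS copies the table
on this page; bits absent from it (4096, 8192) are reported as "unlisted".
"""

LEVELS = {
    1: "trace function calls",
    2: "debug packet handling",
    4: "heavy trace debugging",
    8: "connection management",
    16: "print out packets sent and received",
    32: "search filter processing",
    64: "configuration processing",
    128: "access control list processing",
    256: "stats log connections/operations/results",
    512: "stats log entries sent",
    1024: "print communication with shell backends",
    2048: "print entry parsing debugging",
    16384: "syncrepl consumer processing",
    32768: "only messages that get logged whatever log level is set",
}

# Levels that dump raw LDAP PDUs: a simple bind carries its password in clear,
# so a log produced with these bits set must be handled as a secret.
PACKET_LEVELS = {2, 16}


def compose(*bits):
    """OR the given level bits into the single integer DEBUG expects."""
    value = 0
    for bit in bits:
        if bit not in LEVELS:
            raise ValueError(f"{bit} is not a level in the table")
        value |= bit
    return value


def decode(value):
    """Split a DEBUG value into the bits it enables.

    Returns {"listed": [...], "unlisted": [...]} where "unlisted" holds set
    bits that the table above does not describe. -1 means every level.
    """
    if value == -1:
        return {"listed": sorted(LEVELS), "unlisted": []}
    if value < 0:
        raise ValueError("only -1 is a valid negative level")
    listed, unlisted = [], []
    bit = 1
    while bit <= value:
        if value & bit:
            (listed if bit in LEVELS else unlisted).append(bit)
        bit <<= 1
    return {"listed": listed, "unlisted": unlisted}


def logs_credentials(value):
    """True when the value turns on packet dumps (or everything)."""
    if value == -1:
        return True
    return any(value & bit for bit in PACKET_LEVELS)


def describe(value):
    """Human-readable breakdown, one line per enabled bit."""
    parts = decode(value)
    lines = [f"{bit:>6}  {LEVELS[bit]}" for bit in parts["listed"]]
    lines += [f"{bit:>6}  (not described in the table)" for bit in parts["unlisted"]]
    if logs_credentials(value):
        lines.append("  note: packet dumps enabled; bind passwords will appear in the log")
    return "\n".join(lines)


if __name__ == "__main__":
    # The value used in the debugging steps above, and a narrower one.
    print("DEBUG=65535")
    print(describe(65535))
    print()
    narrow = compose(8, 128, 256)   # connections, ACLs, stats -> 392
    print(f"DEBUG={narrow}")
    print(describe(narrow))
```

For routine troubleshooting of bind failures, a narrow value such as 392 (connections, ACLs and stats) is usually enough and keeps passwords out of the log; reserve 65535 for cases where the packet contents themselves are needed.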

Connecting to the LDAP using user short names

Connecting to the LDAP

Soffid LDAP accepts the usual way of connecting to an LDAP service: binding with the user's distinguished name and password.

Additionally, the uid attribute can be used to log in. So for the user:

dn: cn=user,ou=test,dc=soffid,dc=com
cn: user
givenName: John
sn: Snow
uid: jsnow
userPassword: secret

the user can log in to the LDAP server in either of these two ways:

  1. USER: cn=user,ou=test,dc=soffid,dc=com   PASSWORD: secret
  2. USER: uid=jsnow,dc=soffid,dc=com   PASSWORD: secret

Note that the second form does not contain ou=test: the uid is resolved under the base DN, so the entry's full DN does not need to be known.

Seamless authentication

The password authentication process has been redesigned to allow users to connect to Soffid LDAP using either the password stored locally in the directory or a password trusted by Soffid.

  1. First, the password is checked against the local userPassword attribute. If that fails, Soffid LDAP connects to one of the configured sync servers and lets the sync server validate the password.
  2. The sync server checks the password against Soffid's internal tables.
  3. If the password is not accepted according to Soffid's internal tables, the authentication request is forwarded to any trusted target systems. The trusted flag is enabled or disabled per agent, on the agents configuration page.
  4. If everything fails, the login is rejected.


In any case, whenever Soffid detects a password change, the userPassword attribute can be updated. This is done by the LDAP connector.

Password changes also work the other way round. Whenever the user's userPassword attribute is updated, Soffid LDAP:

  1. Generates a secure hash using SSHA-256 and replaces the supplied value with that hash
  2. Notifies the Soffid sync server that the password has changed
  3. Adds an additional value, {SOFFID}, to the userPassword attribute. The attribute now has two values: the SSHA-256 hash and the Soffid marker
  4. The Soffid sync server, in turn, validates the received password and stores it in the Soffid database and in the other target systems. This happens only if the trusted flag is enabled for the Soffid LDAP agent
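As an added example (not Soffid LDAP code), the following Python models the two behaviours described in this section and the previous one: resolving a uid=...,<base DN> bind name to the entry's real DN, trying the local userPassword hash before handing the password to the sync server, and rewriting userPassword on a change so that only the SSHA-256 hash and the {SOFFID} marker are stored. It assumes that "SSHA-256" is the {SSHA256} scheme (base64 of sha256(password + salt) followed by the salt, as slapd's pw-sha2 module produces) and stands the sync server in with a callback; the directory content is constructed from the entry shown above.

```python
"""Model of the bind and password-change behaviour described above.

Added example; not Soffid LDAP code. It assumes:
  - "SSHA-256" is the {SSHA256} scheme: base64(sha256(password + salt) + salt),
    as produced by slapd's pw-sha2 module;
  - the sync server is represented by a callback (dn, password) -> bool so the
    chain (local hash, then sync server, then reject) runs offline.
The directory content is constructed from the entry shown on this page.
"""
import base64
import hashlib
import hmac
import os

BASE_DN = "dc=soffid,dc=com"
SCHEME = "{SSHA256}"
SOFFID_MARKER = "{SOFFID}"


def ssha256(password, salt=b""):
    """Salted SHA-256 in the RFC 2307 userPassword style."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha256(password.encode() + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode()


def check_ssha256(password, stored):
    """Verify a password against one userPassword value; non-hash values never match."""
    if not stored.startswith(SCHEME):
        return False
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:32], raw[32:]
    candidate = hashlib.sha256(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


# Constructed directory: the user from the page, with a fixed salt for repeatability.
DIRECTORY = {
    "cn=user,ou=test,dc=soffid,dc=com": {
        "cn": ["user"],
        "givenName": ["John"],
        "sn": ["Snow"],
        "uid": ["jsnow"],
        "userPassword": [ssha256("secret", b"fixedsalt")],
    },
}


def resolve_bind_dn(directory, name):
    """A full DN is used as-is; uid=<uid>,<base DN> is resolved by searching the uid."""
    if name in directory:
        return name
    rdn, _, suffix = name.partition(",")
    if suffix.lower() == BASE_DN and rdn.lower().startswith("uid="):
        uid = rdn[len("uid="):]
        matches = [dn for dn, entry in directory.items() if uid in entry.get("uid", [])]
        if len(matches) == 1:          # an ambiguous uid must not log anyone in
            return matches[0]
    return None


def bind(directory, name, password, sync_server):
    """Seamless authentication: local userPassword first, then the sync server."""
    dn = resolve_bind_dn(directory, name)
    if dn is None:
        return (False, "no such user")
    for value in directory[dn].get("userPassword", []):
        if check_ssha256(password, value):
            return (True, "local userPassword")
    # The sync server checks Soffid's tables and, failing that, trusted agents.
    if sync_server(dn, password):
        return (True, "sync server")
    return (False, "rejected")


def change_password(directory, dn, new_password, notify_sync_server):
    """Write path: hash, notify, add the {SOFFID} marker; the clear text never lands in the entry."""
    hashed = ssha256(new_password)
    directory[dn]["userPassword"] = [hashed]
    notify_sync_server(dn, new_password)   # the sync server stores it only if the agent is trusted
    directory[dn]["userPassword"].append(SOFFID_MARKER)
    return directory[dn]["userPassword"]


if __name__ == "__main__":
    never = lambda dn, pw: False
    print(bind(DIRECTORY, "cn=user,ou=test,dc=soffid,dc=com", "secret", never))
    print(bind(DIRECTORY, "uid=jsnow,dc=soffid,dc=com", "secret", never))
    # Password unknown locally but accepted by the sync server (trusted target).
    print(bind(DIRECTORY, "uid=jsnow,dc=soffid,dc=com", "pw-from-AD",
               lambda dn, pw: pw == "pw-from-AD"))
    print(change_password(DIRECTORY, "cn=user,ou=test,dc=soffid,dc=com", "n3wPass",
                          lambda dn, pw: None))
```

Two details matter for security: the uid lookup refuses to bind when more than one entry carries the same uid, and the {SOFFID} marker is an ordinary attribute value that the hash check simply ignores, so a stray or forged marker never grants access on its own.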

Soffid overlay configuration

The communication channel from Soffid LDAP to the Soffid sync server is configured through the Soffid overlay. The overlay configuration object looks like this:

#
# Soffid overlay
dn: olcOverlay=soffid,olcDatabase={1}mdb,cn=config
olcOverlay: soffid
objectClass: olcOverlayConfig
objectClass: olcSoffidConfig
olcDomain: soffidldap
olcSoffidServer: https://soffid.bubu.lab:760

The two configuration parameters are olcDomain and olcSoffidServer.

olcSoffidServer is a multivalued attribute holding the list of Soffid sync servers that receive password change notifications. The same servers are used for authentication. Use https URLs only: both the passwords being validated and the new passwords being propagated travel over this channel.

olcDomain is the agent name used in the Soffid console to manage this Soffid LDAP database.
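As an added example (not Soffid code), the following Python builds the overlay object above from the two parameters, produces the modify LDIF that appends a second sync server to the multivalued olcSoffidServer attribute, and reads the configured servers back out of LDIF (such as an ldapsearch dump of cn=config) to flag any that are not https. It assumes the overlay is attached to olcDatabase={1}mdb as shown above; the requirement of an explicit port is this example's own check, based on the page's sync server listening on 760 rather than a default https port.

```python
"""Build and inspect the Soffid overlay configuration.

Added example; not Soffid code. It assumes the overlay sits under
olcDatabase={1}mdb as in the page, and enforces https with an explicit port
for olcSoffidServer (this example's own check: the page's sync server runs on
port 760, and bind passwords and password-change notifications cross this link).
"""
from urllib.parse import urlsplit

OVERLAY_DN = "olcOverlay=soffid,olcDatabase={1}mdb,cn=config"


def validate_server(url):
    """Accept only https://host:port, where the port is given explicitly."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"{url}: sync server URL must use https")
    if not parts.hostname or parts.port is None:
        raise ValueError(f"{url}: expected https://host:port")
    return url


def overlay_ldif(domain, servers):
    """LDIF for the overlay object: one olcSoffidServer line per sync server."""
    lines = [
        f"dn: {OVERLAY_DN}",
        "olcOverlay: soffid",
        "objectClass: olcOverlayConfig",
        "objectClass: olcSoffidConfig",
        f"olcDomain: {domain}",
    ]
    lines += [f"olcSoffidServer: {validate_server(s)}" for s in servers]
    return "\n".join(lines) + "\n"


def add_server_ldif(server):
    """Modify LDIF that appends one more sync server to the multivalued attribute."""
    return (
        f"dn: {OVERLAY_DN}\n"
        "changetype: modify\n"
        "add: olcSoffidServer\n"
        f"olcSoffidServer: {validate_server(server)}\n"
    )


def servers_from_ldif(text):
    """Read olcSoffidServer values back from LDIF (e.g. ldapsearch output of cn=config)."""
    servers = []
    for line in text.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip() == "olcSoffidServer":
            servers.append(value.strip())
    return servers


def audit(text):
    """Return the configured servers that fail the https/port check."""
    bad = []
    for server in servers_from_ldif(text):
        try:
            validate_server(server)
        except ValueError:
            bad.append(server)
    return bad


if __name__ == "__main__":
    print(overlay_ldif("soffidldap", ["https://soffid.bubu.lab:760"]))
    print(add_server_ldif("https://soffid2.bubu.lab:760"))
    # Constructed ldapsearch output with one weak entry.
    sample = (
        f"dn: {OVERLAY_DN}\nolcDomain: soffidldap\n"
        "olcSoffidServer: https://soffid.bubu.lab:760\n"
        "olcSoffidServer: http://soffid2.bubu.lab:760\n"
    )
    print("weak:", audit(sample))
```

The generated LDIF is applied to the running configuration with ldapmodify against cn=config (for example with -Y EXTERNAL over the ldapi socket, assuming the container exposes it), and the audit can be run over the output of an ldapsearch of the same entry after any change to the sync server list.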