HOWTO: Integrate Inedo Products with LDAP/AD
  • 11 Jul 2022


How to Configure Active Directory Domain Integration in an Inedo Product

Inedo products come with their own built-in user module, but they also allow integration with a third-party LDAP directory or Active Directory domain forest. Integrating Active Directory allows users from that directory to sign in and perform the tasks they are permitted to do.

This article walks through how to configure an Inedo product to reference Active Directory, add users, and customize user permissions.

Advanced Active Directory Domain Integration

This tutorial is for a single domain, and your server should be joined to that domain. If you are using more than one domain or your server is not joined to the domain, you should read our docs on advanced Active Directory configuration instead.

Step 1: Plan out Groups and Permissions

Integrating Active Directory will pull users and groups directly from it. Those users and groups will then need to be set up with the relevant permissions. We recommend planning out which groups you would like to add, along with their permissions and restrictions, before configuring Active Directory domain integration.

Permission Best Practices

While individual users can be added, we strongly recommend setting up groups in your Active Directory instead. This allows for much easier scalability and management of permissions.

Available Permissions & Restrictions

When adding groups from your Active Directory, they can be set up to be allowed or restricted from the following tasks:

| Product | Tasks |
|---|---|
| ProGet | Administer, Manage Feed, Promote Packages, Publish Packages, View & Download Packages |
| BuildMaster | Administer, Coordinate Releases, Deploy to Environment, Manage Application, View Application |
| Otter | Administer, Create and Schedule Jobs, Manage Servers & Configuration, Remediate Configuration Drift, Run Jobs Using Templates |

Administrators not only have no restrictions, but are also able to add new users and groups from the Active Directory as well as permissions.

Example Scenario

To illustrate how groups and permissions can be used, let's consider the following scenario: a company called Kramerica wishes to integrate their Active Directory with ProGet. Kramerica wants to add the following groups and permissions from their Active Directory:

  • RetPS-JavaTeam (maven feed): View & Download Packages
  • RetPS-NodeTeam (nodejs feed): View & Download Packages
  • WHSE-Developers (nuget feed): Promote Packages
  • WHSE-DevLeads (nuget feed): Manage Feed
  • DevOps-Admins (all feeds): Administer

Active Directory Example Groups

ProGet was used as an example, but adding groups and permissions from an Active Directory can be done just as easily in any Inedo product.
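
Before granting the planned tasks, it is worth confirming that each planned group resolves in the directory and seeing how many accounts each grant would actually reach once nested groups are expanded. The following PowerShell is an added example, not part of the original article or of any Inedo product; it uses the group names from the Kramerica scenario, and the `$maxAdmins` review threshold is an assumption made for illustration.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) on a domain-joined machine.
Import-Module ActiveDirectory

# Planned grants, copied from the Kramerica scenario above.
$plan = @(
    [pscustomobject]@{ Group = 'RetPS-JavaTeam';  Scope = 'maven feed';  Task = 'View & Download Packages' }
    [pscustomobject]@{ Group = 'RetPS-NodeTeam';  Scope = 'nodejs feed'; Task = 'View & Download Packages' }
    [pscustomobject]@{ Group = 'WHSE-Developers'; Scope = 'nuget feed';  Task = 'Promote Packages' }
    [pscustomobject]@{ Group = 'WHSE-DevLeads';   Scope = 'nuget feed';  Task = 'Manage Feed' }
    [pscustomobject]@{ Group = 'DevOps-Admins';   Scope = 'all feeds';   Task = 'Administer' }
)

# Assumption: a review threshold chosen for this example, not an Inedo setting.
$maxAdmins = 5

$report = foreach ($entry in $plan) {
    $users   = @()
    $finding = 'OK'
    try {
        $group = Get-ADGroup -Identity $entry.Group -ErrorAction Stop
        # -Recursive expands nested groups, so this is everyone who would receive the task.
        $users = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
                   Where-Object { $_.objectClass -eq 'user' })
        if ($users.Count -eq 0) {
            $finding = 'No user members: the grant would apply to nobody'
        }
        elseif ($entry.Task -eq 'Administer' -and $users.Count -gt $maxAdmins) {
            $finding = "Administer would reach $($users.Count) users: review membership"
        }
    }
    catch {
        # Covers a missing group as well as directory lookup errors.
        $finding = "Lookup failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Group   = $entry.Group
        Scope   = $entry.Scope
        Task    = $entry.Task
        Users   = $users.Count
        Finding = $finding
        Members = ($users.SamAccountName | Sort-Object) -join ', '
    }
}

$report | Format-Table Group, Scope, Task, Users, Finding -AutoSize

# Administer also allows adding users, groups and permissions, so list those accounts by name.
$report | Where-Object Task -eq 'Administer' | Format-List Group, Members
```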

Users & Groups Customization When Using Active Directory

After switching to an external directory, you won't be able to edit users and groups inside your Inedo product. While you can customize permissions and restrictions for users and groups you import from your Active Directory, you will need to make changes in your Active Directory if you wish to edit the users and groups themselves.

Step 2: Enable Active Directory Integration

Outdated Steps / Screenshots

This tutorial is for ProGet 6.0, BuildMaster 7.0, and Otter 3.0 and earlier. In v2022, the steps have been greatly simplified, and you can enable/disable and test directories without having to switch to them.

Now that you have planned your users, groups, and permissions, you need to Change User Directory. To do this, navigate to the settings page in your Inedo product and locate Change User Directory (LDAP).

Change User Directory

Step 3: Sign into your Active Directory

To enable Active Directory integration, you will need to sign in with a username from your Active Directory. Ideally you should sign in for the first time with the user that you want to be an administrator (see step 1).

Sign in to Active Directory in ProGet

Step 4: Sign in with your Active Directory login

After completing the last step, you will be logged out of your Inedo product, and you will need to log in with the username and password you used in step 3. From now on you can only log in using the username and password you set up in step 3 or as another user in your Active Directory that you will set up in step 5.

Active Directory Login

Step 5: Add Groups & Privileges

To add groups and privileges from your Active Directory, navigate to Administration Overview > Security & Authentication > Users & Tasks.

User & Tasks Settings

Next, navigate to the Tasks tab and click on Add Permission. Depending on the product you're using, the following boxes will need to be filled out:

| Field | Notes |
|---|---|
| Principals | The users and groups to grant the task to |
| Tasks | The task the principals will be granted |
| Feed or group (P) | The feed or feed group the permission will be scoped to |
| Environment (B, O) | The environment the permission will be scoped to |
| Application or group (B) | The application or application group the permission will be scoped to |

P = ProGet, B = BuildMaster, O = Otter.

In the Principals box, search for the group in your Active Directory you wish to add. Since your Active Directory is now connected, it should pop up automatically. Next, fill in the relevant information for your Inedo product. Finally, add the appropriate tasks for the group.

If you have completed step 1, then simply add the relevant groups from your Active Directory and the tasks you planned for them.

Using our example scenario from step 1 in ProGet:

Add Permission Active Directory

Active Directory Example Groups

Troubleshooting

If you run into any of the following errors, check out our troubleshooting documentation.

  • Locked out: Resetting the built-in user directory and Admin account
  • The Active Directory (New) user directory is not found/not selectable
  • Privileges assigned to the Domain Users group not working
  • Integrated Authentication Not Working
  • Behind The Scenes: Integrated Windows Authentication
