HOWTO: Integrate Inedo Products with LDAP/AD
- 11 Jul 2022
- 4 Minutes to read
-
Print
-
DarkLight
-
PDF
HOWTO: Integrate Inedo Products with LDAP/AD
- Updated on 11 Jul 2022
- 4 Minutes to read
-
Print
-
DarkLight
-
PDF
How to Configure Active Directory Domain Integration in an Inedo Product
Inedo products come with their own built-in user module, but they also allow integration with a third-party LDAP directory or Active Directory domain forest. Integrating active directory allows users from that directory to sign in and perform the tasks they are permitted to do.
This article will walk through how to configure an Inedo product to reference active directory, add users, and customize user permissions.
Advanced Active Directory Domain Integration
This tutorial is for a single domain and your server should be joined to that domain. If you are using more than one domain or your domain is not joined to your server, you should read our docs on advanced active directory configuration instead.
Step 1: Plan out Groups and Permissions
Integrating Active Directory will pull users and groups directly from it. Those users and groups will then need to be setup with the relevant permissions. We recommend planning out what groups you would like to add along with their permissions and restrictions before configuring Active Directory domain integration
Permission Best Practices
While individual users can be added, we strongly recommend setting up groups in your active directory instead. This allows for much easier scalability and management of permissions.
Available Permissions & Restrictions
When adding groups from your Active Directory they can be setup to be allowed or restricted from the following tasks:
| Product | Tasks |
|---|---|
| ProGet | Administer, Manage Feed, Promote Packages, Publish Packages, View & Download Packages |
| BuildMaster | Administer, Coordinate Releases, Deploy to Environment, Manage Application, View Application |
| Otter | Administer, Create and Schedule Jobs, Manage Servers & Configuration, Remediate Configuration Drift, Run Jobs Using Templates |
Administers not only have no restrictions, but are also able to add new users and groups from the active directory as well as permissions.
Example Scenario
To illustrate how groups and permissions can be utilized let’s consider the following scenario: A company called Kramerica wishes to integrate their active directory with ProGet. Kramerica wants to add the following groups and permissions from their active directory:
- RetPS-JavaTeam (maven feed): View & Download Packages
- RetPS-NodeTeam (nodejs feed): View & Download Packages
- WHSE-Developers (nuget feed): Promote Packages
- WHSE-DevLeads (nuget feed): Manage Feed
- DevOps-Admins (all feeds): Administer
ProGet was used as an example, but adding groups and permissions from an Active Directory can be done just as easily in any Inedo product.
Users & Groups Customization When Using Active Directory
After switching to an external directory, you won't be able to edit users and groups inside your Inedo product. While you can customize permissions and restrictions for users and groups you import from your active directory, you will need to make changes in your Active Directory if you wish to edit the users and groups themselves.
Step 2: Enable Active Directory Integration
Outdated Steps / Screenshots
This tutorial is for ProGet 6.0, BuildMaster 7.0, and Otter 3.0 and earlier. In v2022, the steps have been greatly simplified, and you can enable/disable and test directories without having to switch to them.
Now that you have planned your users, groups, and permissions you need to Change User Directory. To do this navigate to the settings page in your Inedo product and locate Change User Directory (LDAP).
Step 3: Sign into your Active Directory
To enable Active Directory integration, you will need to sign in with a username from your Active Directory. Ideally you should sign in for the first time with the user that you want to be an administrator (see step 1).
Step 4: Sign in with your Active Directory login
After completing the last step, you will be logged out of your Inedo product, and you will need to login with the username and password you used in step 3. From now on you can only login using the username and password you setup in step 3 or as another user in your active directory that you will setup in step 5.
Step 5: Add Groups & Privileges
To add groups and privileges from your Active Directory navigate to Administration Over> Security & Authenticiation> Users & Tasks.
Next navigate to the Tasks tab and click on Add Permission. Depending on the product you’re using the following boxes will need to be filled out:
| Field | Notes |
|---|---|
| Principals | The users and groups to grant the task to |
| Tasks | The task the principals will be granted |
| Feed or groupP | The feed or feed group the permission will be scoped to |
| Environment B,O | The environment the permission will be scoped to |
| Application or group B | The application or applciation group the permission will be scoped to |
In the Principals box search for the group in your Active Directory you wish to add. Since your active directory is now connected, it should pop up automatically. Next, fill in the relevant information for your Inedo product. Finally, add the appropriate tasks for the group.
If you have completed step 1 then simply add the relevant groups from your Active Directory and the tasks you planned for them.
Using our example scenario from step 1 in ProGet:
Troubleshooting
If you run into any of the following errors, check out our troubleshooting documentation.
- Locked out: Resetting the built-in user directory and Admin account
- The Active Directory (New) user directory is not found/not selectable
- Privileges assigned to the Domain Users group not working
- Integrated Authentication Not Working
- Behind The Scenes: Integrated Windows Authentication
Was this article helpful?
