FossID Documentation

LDAP configuration

Overview

You can connect FossID Workbench to a Directory Services server via LDAP to simplify user administration. With the LDAP integration enabled, users can log in with their domain credentials, and FossID Workbench accounts are created for them automatically at their first login.

Note that FossID Workbench uses LDAP for authentication only. Permissions and roles are managed inside the Workbench. The default role assigned to each newly created user is the Licensing Officer role.

Configuring FossID

Things to know before turning the integration on

FossID Workbench users are matched with LDAP users by their username. Prior to making the changes below, make sure that at least one admin user in FossID Workbench also exists on the Directory Services server.

; When a user is added via LDAP/OAuth login and these conditions are fulfilled:
; - it has the username specified in webapp_default_admin_username
; - the total number of users in the webapp is less than three
; grant them admin role as part of user creation
;webapp_default_admin_username='admin'

Users created before setting up the LDAP integration will not be able to log in.

Additionally, it is highly recommended that FossID Workbench is accessed via HTTPS only, as the login credentials are otherwise sent to the web server unencrypted.

For users created from LDAP users, you will need to set their surnames and email addresses manually.

Note:

The Workbench can be configured to allow local login as a fallback when LDAP authentication is not possible by setting this parameter:

webapp_fallback_local_login=1

Basic Connection Settings

LDAP integration can be configured using the following configuration options in the fossid.conf file:

Enable LDAP authentication:

webapp_use_ldap_auth=1

Set the LDAP server address:

webapp_ldap_connection="ldap.example.com"

If needed, configure a different port for the LDAP server. The default is 389:

webapp_ldap_port=389

Optionally, set the key for the user identifier and a string for the base DN:

webapp_ldap_dn_ukey=uid
webapp_ldap_dn=

Example #1:

With the options below, [ukey] in the DN template is replaced by the webapp_ldap_dn_ukey value and [uvalue] by the username when a user logs into FossID Workbench.

webapp_ldap_dn_ukey=uid
webapp_ldap_dn=[ukey]=[uvalue],cn=read-only-admin,dc=example,dc=com

Example #2:

The following example is for Domain\sAMAccountName authentication.

webapp_ldap_dn_ukey=none
webapp_ldap_dn=SomeDomain\[uvalue]

If you need to use multiple values of webapp_ldap_dn, separate the webapp_ldap_dn_ukey values with a comma (,) and the webapp_ldap_dn values with ###.

Make sure the values are listed in the same order and that both options contain the same number of values; otherwise authentication will not work!

Example #3 - Combine the previous two examples in one configuration:

webapp_ldap_dn_ukey=uid,none
webapp_ldap_dn=[ukey]=[uvalue],cn=read-only-admin,dc=example,dc=com###SomeDomain\[uvalue]
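The substitution rules from the three examples above, as an added Python example (this is not FossID's own code): it splits the two options exactly as the page describes, pairs the values by position, rejects a count mismatch up front instead of letting authentication fail later, and expands the templates for one login name. The check that a username contains no DN-special characters is an added conservative assumption, not something the page specifies.

```python
"""Expand webapp_ldap_dn templates into candidate bind DNs.

Added example, not FossID code. It models the substitution the page describes:
webapp_ldap_dn entries are separated by "###", webapp_ldap_dn_ukey entries by
",", entries are paired by position, [ukey] is replaced with the paired key and
[uvalue] with the login username. A key of "none" means the template has no
[ukey] placeholder (Domain\\user style).
"""
from __future__ import annotations

# Assumption (not from the page): characters a login name is not allowed to
# contain before it is spliced into a DN, so the template cannot be reshaped.
_FORBIDDEN_IN_USERNAME = set(',+"\\<>;=[]#')


class LdapDnConfigError(ValueError):
    """The two options do not line up; the page says auth will not work then."""


def parse_dn_templates(dn_ukey_setting: str, dn_setting: str) -> list[tuple[str, str]]:
    """Split and pair the two settings; raise on any mismatch."""
    keys = [k.strip() for k in dn_ukey_setting.split(",")]
    templates = [t.strip() for t in dn_setting.split("###")]
    if len(keys) != len(templates):
        raise LdapDnConfigError(
            f"{len(keys)} webapp_ldap_dn_ukey value(s) but "
            f"{len(templates)} webapp_ldap_dn template(s)"
        )
    for key, tmpl in zip(keys, templates):
        if "[uvalue]" not in tmpl:
            raise LdapDnConfigError(f"template {tmpl!r} has no [uvalue] placeholder")
        if key == "none" and "[ukey]" in tmpl:
            raise LdapDnConfigError(f"template {tmpl!r} uses [ukey] but its key is 'none'")
    return list(zip(keys, templates))


def expand_bind_dns(dn_ukey_setting: str, dn_setting: str, username: str) -> list[str]:
    """Return the bind DN candidates, in configured order, for one login."""
    if not username or any(ch in _FORBIDDEN_IN_USERNAME for ch in username):
        raise ValueError("username is empty or contains DN-special characters")
    candidates = []
    for key, tmpl in parse_dn_templates(dn_ukey_setting, dn_setting):
        # Replace [ukey] first: the key comes from config, the username from the user.
        dn = tmpl.replace("[ukey]", key) if key != "none" else tmpl
        candidates.append(dn.replace("[uvalue]", username))
    return candidates


if __name__ == "__main__":
    # Example #3 from the page: two keys, two templates, constructed login "jdoe".
    for dn in expand_bind_dns(
        "uid,none",
        "[ukey]=[uvalue],cn=read-only-admin,dc=example,dc=com###SomeDomain\\[uvalue]",
        "jdoe",
    ):
        print(dn)
```

Running the module prints the two bind DNs the Workbench would try in order for Example #3. Swapping the two keys, or dropping one of them, raises LdapDnConfigError at parse time, which is the misconfiguration the page warns about.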

Setup without a Distinguished Name

If for any reason a DN cannot be provided, an alternative setup can be used:

Use one account (the LDAP manager) that queries the LDAP server for the user trying to log in. After the user's DN has been obtained from the LDAP response, the user is authenticated with that DN and their password. The configuration option webapp_ldap_manager_dn needs to be set together with webapp_ldap_manager_password, webapp_ldap_search_base and webapp_ldap_search_field_from_result.

Note: When this option is used, the webapp_ldap_dn_ukey and webapp_ldap_dn parameters are ignored.

Example:

; LDAP manager DN
webapp_ldap_manager_dn="uid=manager,DC=users,DC=com"

; LDAP manager password
webapp_ldap_manager_password=

; LDAP search base. When querying for users in LDAP specify a search base
; This parameter is used together with webapp_ldap_manager_dn, webapp_ldap_manager_password and
; webapp_ldap_search_field_from_result
;
webapp_ldap_search_base="dc=example,dc=com"

; Name of the field from the LDAP search result which represents the DN of the user
; This parameter is used together with webapp_ldap_manager_dn, webapp_ldap_manager_password and
; webapp_ldap_search_base
;
webapp_ldap_search_field_from_result="dn"

Limiting the access to FossID Workbench based on a Directory Services group

With the settings above and webapp_ldap_search_base set, access to FossID Workbench can be limited based on group membership using the webapp_ldap_search_filter option. Use ##username## as a placeholder for the user account name:

webapp_ldap_search_filter="(&(objectClass=user)(sAMAccountName=##username##)(|(memberOf=cn=LdapAccess,ou=FossidUsers,dc=example,dc=com)))"
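Rendering that filter for one login, as an added Python example (not FossID's code) that covers the search step of the manager-bind setup above as well as the group restriction: the ##username## placeholder is replaced with the account name, and because the name comes from the login form, the value is escaped per RFC 4515 before it is spliced in. The page does not say whether the Workbench escapes internally, so the escaping here is the example's own; the parenthesis check is likewise an added sanity check for the filter string in fossid.conf.

```python
"""Render a webapp_ldap_search_filter template for one login attempt.

Added example, not FossID code. ##username## is the placeholder the page
documents; the escaping follows RFC 4515 section 3 and is applied to the
user-supplied value only, never to the operator's configured template.
"""

# Characters RFC 4515 requires to be escaped inside a filter assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# The filter from the page's example (the only value taken from the page).
PAGE_FILTER = (
    "(&(objectClass=user)(sAMAccountName=##username##)"
    "(|(memberOf=cn=LdapAccess,ou=FossidUsers,dc=example,dc=com)))"
)


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it cannot alter the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def _balanced_parens(text: str) -> bool:
    depth = 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def render_search_filter(template: str, username: str,
                         placeholder: str = "##username##") -> str:
    """Substitute the escaped account name and validate the result."""
    if placeholder not in template:
        raise ValueError(f"filter template does not contain {placeholder}")
    rendered = template.replace(placeholder, escape_filter_value(username))
    # A misconfigured template (unbalanced parentheses) is caught before the
    # search is ever sent to the directory.
    if not _balanced_parens(rendered):
        raise ValueError("rendered filter has unbalanced parentheses")
    return rendered


if __name__ == "__main__":
    # Constructed login names: a plain one and one with a wildcard character.
    print(render_search_filter(PAGE_FILTER, "jdoe"))
    print(render_search_filter(PAGE_FILTER, "j*doe"))
```

The manager account would run this rendered filter under webapp_ldap_search_base, read the attribute named by webapp_ldap_search_field_from_result from the matching entry, and the Workbench would then bind with that DN and the user's password. A name containing "*" is searched for literally rather than as a wildcard, which is the behaviour you want for an access-control filter.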