---
myst:
html_meta:
"description lang=en": "Active Directory / OpenLDAP setup guide for Workspaces authentication."
"keywords": "Kasm, Active Directory, AD, LDAP, Open LDAP"
"property=og:locale": "en_US"
---
```{title} Active Directory / OpenLDAP
```
## Active Directory / OpenLDAP
The following section gives an example of a typical LDAP configuration of users and groups using Active Directory.
Consider the domain “kasm.core” with the following structure:
```{image} /images/ldap/fake_ldap_domain.jpg
:scale: 70%
```
- MyOrg
: Top level OU in the kasm.core domain
- all_kasm_app_users
: Security Group under the MyOrg OU that houses all users and groups that should be allowed access to the Kasm App. If a user is not a member of this group they should not be allowed to log into the app.
- kasm_group_1
: A Security Group that is a member of the all_kasm_app_users group. Members of this group should automatically be mapped to a group in Kasm named LDAP Group 1.
- Test_user_1
: A user that is a member of kasm_group_1
- Test_user_2
: A user that is a direct member of all_kasm_app_users. This user should be allowed to access the Kasm app but is not automatically placed into any additional groups.
- test_user_3
: This user is not a member of the all_kasm_app_users group and is therefore not allowed to log in to the Kasm application.
- ldap_service_account
: This user is used as a service or ‘bot’ account to perform LDAP queries.
```{image} /images/ldap/ldap_domain.png
:scale: 70%
```
### Configure the LDAP Configuration (Active Directory)
* Log into the Kasm Web UI as an administrator
* Click Authentication -> LDAP
* Click Create New Configuration
* The settings for Microsoft Active Directory are as follows:
```{eval-rst}
+---------------------------+----------------------------------------------------------------------------------------------------------------------------+
| **Property** | **Value** |
+---------------------------+----------------------------------------------------------------------------------------------------------------------------+
| Name | Kasm Test LDAP Settings |
+---------------------------+----------------------------------------------------------------------------------------------------------------------------+
| URL | ldaps://ldap.kasm.core:636 |
+---------------------------+----------------------------------------------------------------------------------------------------------------------------+
| Search Base | OU=MyOrg,DC=kasm,DC=core |
+---------------------------+----------------------------------------------------------------------------------------------------------------------------+
| Search Filter | (&(objectClass=user)(sAMAccountName={0})(memberof:1.2.840.113556.1.4.1941:=CN=all_kasm_app_users,OU=MyOrg,DC=kasm,DC=core)) |
+---------------------------+----------------------------------------------------------------------------------------------------------------------------+
| Group Membership Filter | (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={0})) |
+---------------------------+----------------------------------------------------------------------------------------------------------------------------+
| Email Attribute | mail |
+---------------------------+----------------------------------------------------------------------------------------------------------------------------+
| Service Account DN | CN=ldap_service_account,OU=MyOrg,DC=kasm,DC=core |
+---------------------------+----------------------------------------------------------------------------------------------------------------------------+
| Service Account Password | password |
+---------------------------+----------------------------------------------------------------------------------------------------------------------------+
| Search Subtree | Checked |
+---------------------------+----------------------------------------------------------------------------------------------------------------------------+
| Auto Create App User | Checked |
+---------------------------+----------------------------------------------------------------------------------------------------------------------------+
| Enabled | Checked |
+---------------------------+----------------------------------------------------------------------------------------------------------------------------+
```
```{note}
1.2.840.113556.1.4.1941 is a special OID (the LDAP_MATCHING_RULE_IN_CHAIN matching rule) that makes the match follow nested
group membership. Effectively this lets a user match when they are a member of a group that is itself a member of the
specified group (members of members). Without it the user would need to be a direct member of the specified group.
See [Microsoft Docs](https://docs.microsoft.com/en-us/windows/desktop/adsi/search-filter-syntax) for details.
```
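The following is an added example, not part of the Kasm documentation and not Kasm's own code. It models, offline and in plain Python, what the Active Directory Search Filter and Group Membership Filter above do: the value substituted for `{0}` is escaped per RFC 4515 so a login name cannot alter the filter's structure, the rendered filter is checked for balanced parentheses, and nested group membership is resolved the way the 1.2.840.113556.1.4.1941 matching rule does, over a constructed in-memory copy of the kasm.core structure. It assumes (the page does not say) that the part of `user@kasm.core` before the `@` is what Kasm substitutes for `{0}`; the mapping of `CN=kasm_group_1,...` to "LDAP Group 1" and the default "All Users" group follow the later sections of this page. No LDAP parsing or network access is involved; the filter semantics are applied directly.

```python
"""Offline model of the Active Directory filters in the configuration table.

Added example, not Kasm's own code.  It escapes the value substituted for {0}
per RFC 4515, checks the rendered filter is balanced, and evaluates the nested
membership matching rule (OID 1.2.840.113556.1.4.1941) over a constructed
in-memory copy of the kasm.core structure.  Filter semantics are applied
directly in Python; nothing here parses LDAP or talks to a server.
"""
from __future__ import annotations

# Filter templates exactly as in the configuration table.
SEARCH_FILTER = (
    "(&(objectClass=user)(sAMAccountName={0})(memberof:1.2.840.113556.1.4.1941:="
    "CN=all_kasm_app_users,OU=MyOrg,DC=kasm,DC=core))"
)
GROUP_FILTER = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={0}))"
REQUIRED_GROUP = "CN=all_kasm_app_users,OU=MyOrg,DC=kasm,DC=core"
# "Group Attributes" value from the SSO Group Mapping screen -> Kasm group name.
KASM_GROUP_MAPPINGS = {"CN=kasm_group_1,OU=MyOrg,DC=kasm,DC=core": "LDAP Group 1"}

# Constructed directory (DN -> attributes).  'member' holds DNs, as in AD.
ORG = "OU=MyOrg,DC=kasm,DC=core"
DIRECTORY = {
    f"CN=all_kasm_app_users,{ORG}": {
        "objectClass": "group",
        "member": [f"CN=kasm_group_1,{ORG}", f"CN=test_user_2,{ORG}"],
    },
    f"CN=kasm_group_1,{ORG}": {"objectClass": "group", "member": [f"CN=test_user_1,{ORG}"]},
    f"CN=test_user_1,{ORG}": {"objectClass": "user", "sAMAccountName": "test_user_1"},
    f"CN=test_user_2,{ORG}": {"objectClass": "user", "sAMAccountName": "test_user_2"},
    f"CN=test_user_3,{ORG}": {"objectClass": "user", "sAMAccountName": "test_user_3"},
}

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for anything substituted into {0}.  Without it a login
    name such as 'x)(objectClass=*' would rewrite the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def balanced(filt: str) -> bool:
    """True when every '(' has a matching ')'; catches a template missing a ')'."""
    depth = 0
    for ch in filt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def render(template: str, value: str) -> str:
    """Substitute {0} safely and refuse a template that is not well-formed."""
    filt = template.replace("{0}", escape_filter_value(value))
    if not balanced(filt):
        raise ValueError(f"unbalanced filter: {filt}")
    return filt


def norm_dn(dn: str) -> str:
    """DNs are case-insensitive and tolerate spaces after commas; compare normalised."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def transitive_groups(dn: str) -> set[str]:
    """All groups whose 'member' chain reaches dn: what the 1941 OID matches,
    where a plain (memberof=...) test would see direct membership only."""
    seen: set[str] = set()
    todo = [norm_dn(dn)]
    while todo:
        current = todo.pop()
        for group_dn, attrs in DIRECTORY.items():
            if attrs.get("objectClass") != "group":
                continue
            if current in {norm_dn(m) for m in attrs.get("member", [])}:
                group = norm_dn(group_dn)
                if group not in seen:
                    seen.add(group)
                    todo.append(group)
    return seen


def find_user(login: str) -> str | None:
    """Apply the Search Filter: objectClass=user, sAMAccountName={0}, and nested
    membership of all_kasm_app_users.  Assumption (not stated on the page): the
    part of 'user@kasm.core' before '@' is what is substituted for {0}."""
    account = login.split("@", 1)[0]
    render(SEARCH_FILTER, account)  # would be sent to the server; here only validated
    for dn, attrs in DIRECTORY.items():
        if attrs.get("objectClass") != "user":
            continue
        if attrs.get("sAMAccountName", "").lower() != account.lower():
            continue
        if norm_dn(REQUIRED_GROUP) in transitive_groups(dn):
            return dn
    return None


def kasm_groups(login: str) -> list[str] | None:
    """Kasm groups the user lands in after login, or None when access is denied."""
    dn = find_user(login)
    if dn is None:
        return None
    render(GROUP_FILTER, dn)  # the Group Membership Filter, with the user DN as {0}
    groups = ["All Users"]  # assigned to every user by default
    member_of = transitive_groups(dn)
    for ldap_dn, kasm_name in KASM_GROUP_MAPPINGS.items():
        if norm_dn(ldap_dn) in member_of:
            groups.append(kasm_name)
    return groups


if __name__ == "__main__":
    for user in ("test_user_1@kasm.core", "test_user_2@kasm.core", "test_user_3@kasm.core"):
        print(user, "->", kasm_groups(user))
```

Running the block reproduces the outcomes described under Verifying Configurations: test_user_1 lands in All Users and LDAP Group 1 through kasm_group_1, test_user_2 lands in All Users only, and test_user_3 is not found by the Search Filter at all, which is why Kasm denies the login rather than failing on the password. The `balanced` check is worth keeping in any tooling that copies these filters around, since a dropped parenthesis in the template is an easy mistake and produces a query the server rejects.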
### Configure the LDAP Configuration (OpenLDAP / IDM)
- Log into the Kasm Web UI as an administrator
- Click Authentication -> LDAP
- Click Create New Configuration
- The settings for OpenLDAP or IDM are as follows:
```{eval-rst}
+---------------------------+----------------------------------------------------------------------------------------------------------------------------+
| **Property** | **Value** |
+---------------------------+----------------------------------------------------------------------------------------------------------------------------+
| Name | Kasm Test LDAP Settings |
+---------------------------+----------------------------------------------------------------------------------------------------------------------------+
| URL | ldaps://ldap.kasm.core:636 |
+---------------------------+----------------------------------------------------------------------------------------------------------------------------+
| Search Base | OU=MyOrg,DC=kasm,DC=core |
+---------------------------+----------------------------------------------------------------------------------------------------------------------------+
| Search Filter | (&(objectClass=posixAccount)(uid={0})) |
+---------------------------+----------------------------------------------------------------------------------------------------------------------------+
| Group Membership Filter | (&(objectClass=groupOfNames)(member={0})) |
+---------------------------+----------------------------------------------------------------------------------------------------------------------------+
| Email Attribute | mail |
+---------------------------+----------------------------------------------------------------------------------------------------------------------------+
| Service Account DN | CN=ldap_service_account,OU=MyOrg,DC=kasm,DC=core |
+---------------------------+----------------------------------------------------------------------------------------------------------------------------+
| Service Account Password | password |
+---------------------------+----------------------------------------------------------------------------------------------------------------------------+
| Search Subtree | Checked |
+---------------------------+----------------------------------------------------------------------------------------------------------------------------+
| Auto Create App User | Checked |
+---------------------------+----------------------------------------------------------------------------------------------------------------------------+
| Enabled | Checked |
+---------------------------+----------------------------------------------------------------------------------------------------------------------------+
```
```{note}
Kasm only supports the "groupOfNames" and "groupOfUniqueNames" objectClasses for group lookups in OpenLDAP/IDM. Linking to a
"posixGroup" objectClass is not currently supported.
```
### Configure an LDAP Enabled Group
The following settings can be used to create a group in Kasm named **“LDAP Group 1”**. It will be mapped to LDAP group
**kasm_group_1**. When LDAP users that are members of **kasm_group_1** sign in they will automatically be put in the
**LDAP Group 1** Kasm group.
Settings for the group creation screen:
```{eval-rst}
+----------------+---------------------------------------------------+
| **Property** | **Value** |
+----------------+---------------------------------------------------+
| Name | LDAP Group 1 |
+----------------+---------------------------------------------------+
| Description | Group mapped to kasm_group_1 in Active Directory |
+----------------+---------------------------------------------------+
| Priority | 100 |
+----------------+---------------------------------------------------+
```
Settings for the **SSO Group Mapping** screen:
```{eval-rst}
+------------------+---------------------------------------------------+
| **Property** | **Value** |
+------------------+---------------------------------------------------+
| SSO Provider | LDAP - Kasm Test LDAP Settings |
+------------------+---------------------------------------------------+
| Assign All Users | Unchecked |
+------------------+---------------------------------------------------+
| Group Attributes | CN=kasm_group_1,OU=MyOrg,DC=kasm,DC=core |
+------------------+---------------------------------------------------+
```
### Verifying Configurations
**Discovering and Authenticating Users**
- Log into the Kasm Web UI as an administrator
- Click Authentication -> LDAP
- Click the Test LDAP Connection icon for Kasm Test LDAP Settings
- Enter test_user_1@kasm.core and the correct password
- The test should succeed. test_user_1 is a member of kasm_group_1, which is a member of all_kasm_app_users.
- Enter test_user_2@kasm.core and the correct password
- The test should succeed. test_user_2 is a direct member of all_kasm_app_users.
- Enter test_user_3@kasm.core and the correct password
- The test should fail. test_user_3 is NOT a member of the all_kasm_app_users group or of any group that is a member of that group.
### Group Assignment
- Log out of the Kasm Application and Log in as test_user_1@kasm.core
- Click Profile. Notice the user is a member of All Users (set by default) and LDAP Group 1.
- Log out of the Kasm Application and Log in as test_user_2@kasm.core
- Login will succeed.
- Click Profile. Notice the user is only a member of the All Users group (set by default) and is not a member of any additional groups.
- Log out of the Kasm Application. Attempt to log in as test_user_3@kasm.core
- Access is denied. test_user_3 is not a member of the required all_kasm_app_users group, so the LDAP query cannot find the user and access is denied.