LDAP Authentication

Create an LDAP Configuration

The first step in configuring Kasm to use LDAP for authentication is to set up an LDAP configuration.

  • Log into the Kasm Web UI as an administrator

  • Click Authentication -> LDAP

  • Click Create New Configuration

[Screenshot: ../_images/ldap_config.JPG]

Property | Description
Name | A name given to the configuration
URL | The LDAP connection URL to the LDAP server
Search Base | The base OU used when searching for objects. Kasm uses the DC components of the search base to match users to the applicable LDAP configuration, e.g. DC=kasm,DC=core maps to <user>@kasm.core
Search Filter | The search filter used to identify user account names
Group Membership Filter | The query used to determine whether the user is a member of a particular group; used for mapping Kasm groups to LDAP groups
Email Attribute | The user attribute that holds the user's email address
Service Account DN | The service or ‘bot’ account used to issue queries to the LDAP server
Service Account Password | The password of the service or ‘bot’ account
Search Subtree | If enabled, objects beneath the Search Base are also discovered
Auto Create App User | If enabled, Kasm creates an associated user account inside the application when the user first logs in
Enabled | Enable or disable this configuration

Note

In order for password resets to work with LDAP accounts, the service account must be provided the authority to reset user passwords in Active Directory.
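The following is an added example (not Kasm's own code) that models, offline, how the configuration fields above are applied when a user logs in: the DC components of the Search Base select the configuration for a login domain, the login name is substituted into the Search Filter, and Search Subtree controls which entries beneath the base can be found. It assumes a "{0}" placeholder in the Search Filter and models Search Subtree as the LDAP subtree versus one-level scope; hostnames and entries are constructed samples.

```python
"""Offline model of how the LDAP Configuration fields are applied at login.

Added example, not Kasm's own code. Assumptions: the login name is substituted
into the Search Filter at a "{0}" placeholder (assumed placeholder), and Search
Subtree is modelled as the LDAP 'subtree' versus 'one level' search scope.
DN parsing is simplified and does not handle escaped commas inside values.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class LdapConfig:
    name: str
    url: str
    search_base: str
    search_filter: str
    email_attribute: str = "mail"
    search_subtree: bool = True
    enabled: bool = True


def normalize_dn(dn: str) -> str:
    """Lower-case a DN and strip whitespace around its comma-separated RDNs."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def domain_from_search_base(search_base: str) -> str:
    """'OU=Staff,DC=kasm,DC=core' -> 'kasm.core': only the DC components count."""
    dcs = []
    for rdn in normalize_dn(search_base).split(","):
        attr, _, value = rdn.partition("=")
        if attr == "dc":
            dcs.append(value)
    return ".".join(dcs)


def select_config(login: str, configs: List[LdapConfig]) -> Optional[LdapConfig]:
    """Pick the enabled configuration whose search-base DCs match the login domain."""
    if "@" not in login:
        return None
    domain = login.rsplit("@", 1)[1].lower()
    for cfg in configs:
        if cfg.enabled and domain_from_search_base(cfg.search_base) == domain:
            return cfg
    return None


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the login name must not be able to change the filter's
    structure, so '*)(uid=*' stays a literal string rather than a new clause."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def build_search_filter(cfg: LdapConfig, login: str) -> str:
    """Substitute the escaped user part of the login into the filter template."""
    user = login.rsplit("@", 1)[0]
    return cfg.search_filter.replace("{0}", escape_filter_value(user))


def in_scope(entry_dn: str, cfg: LdapConfig) -> bool:
    """Search Subtree on: any entry under the base matches. Off: only direct
    children of the base match, so users in nested OUs are not discovered."""
    base = normalize_dn(cfg.search_base)
    dn = normalize_dn(entry_dn)
    if not dn.endswith("," + base):
        return False
    if cfg.search_subtree:
        return True
    # Without subtree search an intermediate RDN (another comma) means too deep.
    return "," not in dn[: -len(base) - 1]


# Constructed sample configurations and directory entries (not real hosts).
CONFIGS = [
    LdapConfig("Corp AD", "ldaps://ad.kasm.core:636", "DC=kasm,DC=core",
               "(&(objectClass=user)(sAMAccountName={0}))"),
    LdapConfig("Lab", "ldap://lab.example.test:389", "OU=Lab,DC=example,DC=test",
               "(uid={0})", search_subtree=False),
]
SAMPLE_ENTRIES = [
    "CN=jsmith,OU=Staff,DC=kasm,DC=core",
    "CN=svc-kasm,DC=kasm,DC=core",
    "uid=lab1,OU=Lab,DC=example,DC=test",
    "uid=lab2,OU=Nested,OU=Lab,DC=example,DC=test",
]


def discoverable_entries(cfg: LdapConfig) -> List[str]:
    """Entries a search with this configuration's base and scope could return."""
    return [dn for dn in SAMPLE_ENTRIES if in_scope(dn, cfg)]


if __name__ == "__main__":
    cfg = select_config("jsmith@kasm.core", CONFIGS)
    print(cfg.name, build_search_filter(cfg, "jsmith@kasm.core"))
    print(build_search_filter(cfg, "*)(sAMAccountName=*@kasm.core"))
    print(discoverable_entries(CONFIGS[1]))
```

The Lab configuration shows why a user in a nested OU is reported as "Unable to locate user" when Search Subtree is off, and the escaping step is the check to keep in mind when a filter template interpolates a user-supplied name.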

Test Authentication

After creating an LDAP configuration, you can test the settings by clicking the Test LDAP Connection icon on the LDAP Configurations Page.

[Screenshot: ../_images/test_ldap.jpg]

Enter known valid user credentials

Common Errors

Error | Notes
Authentication Error : socket connection error while opening: timed out | The Kasm API server cannot connect to the specified LDAP URL. Verify that the URL is correct and that there is network connectivity between the two endpoints.
Authentication Error : automatic bind not successful - invalid Credentials | The password for the LDAP service account is invalid. Verify that the password is correct and that the account is not locked out. Verify that the Service Account DN is correct.
Authentication Error : socket ssl wrapping error : [Errno 104] Connection reset by peer | LDAPS was specified in the LDAP URL but the LDAP server is not communicating over SSL.
Authentication Error : error recieving data : [Errno 104] Connection reset by peer | The LDAP server rejected the connection. Verify that the port specified in the URL is correct and that the protocol in the URL (LDAP or LDAPS) is correct.
Unable to locate user (test@kasm.local) | The user could not be located. Verify that the Search Base and Search Filter parameters are correct.
LDAP Login failed for user (test@kam.local) : ({‘message’:’80090308: LdapErr:DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839x00’,’saslCreds’: None, ‘result’:49,’dn’:”, ‘description’: ‘InvalidCredentials’,’type’: ‘bindResponse’,’refferals’:None}) | The provided credentials are invalid or the account is locked out.
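As an added example (not Kasm's own code), the helpers below turn the error strings in the table into a triage result and run over a few constructed Kasm-style log lines: the AD "data 52e" sub-code in the last error is extracted and decoded, connection-level errors are mapped to the first thing to verify, and repeated failures are counted per user so a lockout (sub-code 775) stands out. The log line layout is constructed to match the table; the sub-code table is the standard set Active Directory returns in that diagnostic.

```python
"""Triage helpers for the LDAP errors Kasm reports, run over sample log lines.

Added example, not Kasm's own code. The log line format is constructed to
match the error strings in the table above; the Active Directory 'data'
sub-codes are the standard ones AD returns in the AcceptSecurityContext
diagnostic.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Standard AD bind-failure sub-codes (hex, as they appear after "data ").
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Connection-level errors from the table above, with the check to run first.
# Order matters: the ssl wrapping error also ends in "Connection reset by peer".
CONNECTION_ERRORS = [
    ("socket connection error while opening: timed out",
     "no route to the LDAP URL: check the URL and the network path"),
    ("automatic bind not successful - invalid Credentials",
     "service account DN or password is wrong, or the account is locked"),
    ("socket ssl wrapping error",
     "ldaps:// was used but the server is not speaking TLS on that port"),
    ("Connection reset by peer",
     "server rejected the connection: check the port and ldap/ldaps scheme"),
]

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")
_USER_RE = re.compile(r"LDAP Login failed for user \(([^)]+)\)")


def explain_ad_bind_error(message: str) -> Optional[Tuple[str, str]]:
    """Return (sub-code, meaning) for an AD bind diagnostic, or None."""
    m = _DATA_RE.search(message)
    if not m:
        return None
    code = m.group(1).lower()
    return code, AD_BIND_DATA_CODES.get(code, "unrecognised sub-code")


def classify_connection_error(message: str) -> Optional[str]:
    """Map a connection-level error to the first thing to verify."""
    for needle, advice in CONNECTION_ERRORS:
        if needle.lower() in message.lower():
            return advice
    return None


def summarize_login_failures(log_lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Count bind failures per user and sub-code. A run of 52e followed by a
    775 for one account is what repeated wrong-password attempts leave behind."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        user = _USER_RE.search(line)
        detail = explain_ad_bind_error(line)
        if user and detail:
            counts[user.group(1)][detail[0]] += 1
    return {u: dict(c) for u, c in counts.items()}


def locked_out_users(summary: Dict[str, Dict[str, int]]) -> List[str]:
    """Accounts whose failures include the AD lockout sub-code."""
    return sorted(u for u, codes in summary.items() if "775" in codes)


def _failure(user: str, code: str) -> str:
    """Constructed log line shaped like the last error in the table."""
    return (f"LDAP Login failed for user ({user}) : ({{'message': '80090308: "
            f"LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, "
            f"data {code}, v3839', 'result': 49, 'description': "
            f"'invalidCredentials', 'type': 'bindResponse'}})")


# Constructed sample log (not captured from a real deployment).
SAMPLE_LOG = [
    _failure("alice@kasm.local", "52e"),
    _failure("alice@kasm.local", "52e"),
    _failure("alice@kasm.local", "775"),
    _failure("bob@kasm.local", "533"),
    "Authentication Error : socket ssl wrapping error : [Errno 104] Connection reset by peer",
]

if __name__ == "__main__":
    summary = summarize_login_failures(SAMPLE_LOG)
    print(summary, locked_out_users(summary))
    print(classify_connection_error(SAMPLE_LOG[4]))
```

Decoding the sub-code separates "invalid credentials" from "account locked out", "password expired" and "account disabled", which the Kasm message alone reports under one generic failure.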

Create LDAP linked Group

Kasm Workspaces can be configured to automatically map LDAP users to specific Kasm application groups based on their LDAP group membership. The mapping is updated for each user every time the user logs into the Kasm Web Application. To configure a mapping, open the three-dot menu for the group you want to map and select View, then scroll to the SSO Group Mappings section at the bottom of the screen and click Add SSO Mapping. The Add SSO Mapping screen presents the following fields:

[Screenshots: ../_images/view_group.png, ../_images/sso_group_mappings.png, ../_images/add_sso_group_mapping_config.png]

Property | Description
SSO Provider | A dropdown of the available SSO identity providers (LDAP, SAML, OpenID) configured in the system
Assign All Users | A checkbox indicating that any user who authenticates with the selected SSO provider will be added to the Kasm group
Group Attributes | The LDAP DN of the desired group

LDAP Attribute Mapping

Additional LDAP user attributes are returned by the authentication request to the LDAP server. These LDAP user attributes can be mapped to Kasm User fields. Every time the user logs in, the Kasm user fields will be updated with the values returned by the LDAP server. See the documentation for your LDAP provider for a listing of user attributes.

These mappings are configured by editing an existing LDAP authentication configuration; when creating a new configuration, submit it first and then edit it to add the mappings.

The following Kasm User fields can be populated with values from LDAP user attributes.

  • First Name

  • Last Name

  • Phone

  • Organization

  • Notes

  • City

  • State

  • Country

  • Email

  • Custom Attribute 1

  • Custom Attribute 2

  • Custom Attribute 3

[Screenshot: ../_images/ldap_attribute_mapping.png]

Note

Kasm can log all LDAP user attributes present in the login event, which is helpful for determining the attribute names. Add an LDAP Attribute Mapping with an attribute name of ‘debug’ targeting any user field. The next time a user logs in, Kasm logs all LDAP user attributes and their values.
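The following added example (not Kasm's own code) models, offline, the two per-login updates described in the SSO Group Mappings and LDAP Attribute Mapping sections: the user's group DNs are compared against each mapping (Assign All Users or a group DN) to produce the Kasm groups, and LDAP attributes are copied into Kasm user fields, with a ‘debug’ mapping logging every attribute instead. It assumes the group DNs come from the user entry's memberOf attribute, that the debug mapping writes nothing to its target field, that the first value of a multi-valued attribute is used, and names the Kasm fields by the labels in the list above; the user entry is a constructed sample.

```python
"""Offline model of the per-login updates: LDAP group DNs to Kasm groups
(SSO Group Mappings) and LDAP attributes to Kasm user fields.

Added example, not Kasm's own code. Assumptions: the user's group DNs are read
from the memberOf attribute; the 'debug' mapping logs every attribute and
writes nothing to its target field; the first value of a multi-valued
attribute is used; Kasm user fields are named by the labels listed above.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

KASM_USER_FIELDS = {
    "First Name", "Last Name", "Phone", "Organization", "Notes", "City",
    "State", "Country", "Email", "Custom Attribute 1", "Custom Attribute 2",
    "Custom Attribute 3",
}


@dataclass
class SsoGroupMapping:
    kasm_group: str
    assign_all_users: bool = False
    group_dn: Optional[str] = None


def normalize_dn(dn: str) -> str:
    """DN comparison is case-insensitive and ignores whitespace around RDNs."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def resolve_kasm_groups(member_of: List[str],
                        mappings: List[SsoGroupMapping]) -> List[str]:
    """Kasm groups the user holds after this login; recomputed on every login,
    so a user removed from an LDAP group loses the Kasm group next time."""
    memberships = {normalize_dn(dn) for dn in member_of}
    groups = set()
    for m in mappings:
        if m.assign_all_users:
            groups.add(m.kasm_group)
        elif m.group_dn and normalize_dn(m.group_dn) in memberships:
            groups.add(m.kasm_group)
    return sorted(groups)


def apply_attribute_mappings(ldap_attrs: Dict[str, List[str]],
                             mappings: Dict[str, str],
                             log: List[str]) -> Dict[str, str]:
    """mappings: LDAP attribute name -> Kasm user field. Returns the field
    updates; an attribute absent from the entry leaves its field untouched."""
    lowered = {name.lower(): values for name, values in ldap_attrs.items()}
    updates: Dict[str, str] = {}
    for ldap_attr, kasm_field in mappings.items():
        if kasm_field not in KASM_USER_FIELDS:
            raise ValueError(f"unknown Kasm user field: {kasm_field}")
        if ldap_attr.lower() == "debug":
            # Debug mapping: log every attribute so the real names can be read.
            for name, values in sorted(ldap_attrs.items()):
                log.append(f"ldap attribute {name} = {values}")
            continue
        values = lowered.get(ldap_attr.lower())
        if values:
            updates[kasm_field] = values[0]
    return updates


# Constructed sample entry in the multi-valued form an LDAP server returns.
SAMPLE_USER = {
    "sAMAccountName": ["jsmith"],
    "givenName": ["Jane"],
    "sn": ["Smith"],
    "mail": ["jsmith@kasm.core"],
    "telephoneNumber": ["+1 555 0100"],
    "memberOf": ["CN=Kasm Users,OU=Groups,DC=kasm,DC=core",
                 "CN=Developers,OU=Groups,DC=kasm,DC=core"],
}
SAMPLE_MAPPINGS = [
    SsoGroupMapping("All LDAP Users", assign_all_users=True),
    SsoGroupMapping("Developers", group_dn="cn=developers, ou=groups, dc=kasm, dc=core"),
    SsoGroupMapping("Admins", group_dn="CN=Kasm Admins,OU=Groups,DC=kasm,DC=core"),
]
SAMPLE_ATTRIBUTE_MAP = {"givenName": "First Name", "sn": "Last Name",
                        "mail": "Email", "telephoneNumber": "Phone",
                        "l": "City"}


def simulate_login(entry=SAMPLE_USER, group_mappings=SAMPLE_MAPPINGS,
                   attribute_map=SAMPLE_ATTRIBUTE_MAP):
    """Return (kasm_groups, field_updates, log) for one login of the entry."""
    log: List[str] = []
    groups = resolve_kasm_groups(entry.get("memberOf", []), group_mappings)
    fields = apply_attribute_mappings(entry, attribute_map, log)
    return groups, fields, log


if __name__ == "__main__":
    print(simulate_login())
    debug_log: List[str] = []
    apply_attribute_mappings(SAMPLE_USER, {"debug": "Notes"}, debug_log)
    print("\n".join(debug_log))
```

The sample shows the Admins mapping not applying because the DN is not in memberOf, the Developers mapping matching despite different case and spacing, and the "l" attribute leaving City untouched because the entry does not carry it.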

Configuration Examples