LDAP Authentication

Kasm Workspaces can be configured to use your organizations existing LDAP services for centralized authentication and authorization.

Create an LDAP Configuration

The first step in configuring Kasm to use LDAP for authentication is to set up an LDAP configuration.

  • Log into the Kasm Web UI as an administrator

  • Click Authentication -> LDAP

  • Click Create New Configuration

../_images/ldap_config.JPG

Property

Description

Name

A name given to the configuration

URL

The LDAP connection URL to the LDAP server

Search Base

The Base OU used for searching for objects. Kasm will use the search base DCs to identify users to the applicable LDAP Configuration. i.e DC=kasm,DC=core will map to <user>@kasm.core

Search Filter

The search filter used to identify user account names

Group Membership Filter

This query is used to identify if the user is a member of a particular group. Used for Kasm group to LDAP group mapping

Email Attribute

The user attribute used to denote the users email address

Service Account DN

The service or ‘bot’ account used to issue queries to the LDAP server

Service Account Password

The service or ‘bot’ account password

Search Subtree

If enabled, objects beneath the Search Base will be discovered

Auto Create App User

If enabled, Kasm will create an associated user account inside the application when the user first logs in.

Enabled

Enable or disable this configuration

Test Authentication

After creating an LDAP configuration, you can test the settings by clicking the Test LDAP Connection icon on the LDAP Configurations Page.

../_images/test_ldap.jpg

Enter known valid user credentials

Common Errors

Error

Notes

Authentication Error : socket connection error while opening: timed out

The Kasm API server cannot make a connection to the specified LDAP URL. Verify the URL is correct, and network connectivity between the two end points.

Authentication Error : automatic bind not successful - invalid Credentials

The password for the LDAP service account is invalid. Verify the password is correct and that the account is not locked out. Verify the Service Account DN is correct

Authentication Error : socket ssl wrapping error : [Errno 104] Connection reset by peer

LDAPS was specified in the LDAP URL but the LDAP server is not communicating over SSL

Authentication Error : error recieving data : [Errno 104] Connection reset by peer

The LDAP server rejected the connection. Verify that the port specified in the URL is correct. Verify that protocol LDAP or LDAPS is correct in the URL

Unable to locate user (test@kasm.local)

The user could not be located. Verify the Search Base and Search Filter parameters are correct

LDAP Login failed for user (test@kam.local) : ({‘message’:’80090308: LdapErr:DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839x00’,’saslCreds’: None, ‘result’:49,’dn’:”, ‘description’: ‘InvalidCredentials’,’type’: ‘bindResponse’,’refferals’:None})

The provided credentials are invalid or the account is locked out.

Create LDAP linked Group

Kasm Workspaces can be configured to automatically map LDAP users to specific Kasm application groups via their LDAP group membership. The mapping is updated for each user when the user logs into the Kasm Web Application. The mapping functionality can be accessed by using the three dot menu and selecting view for the group you want to add a the mapping. Then scroll to the bottom of the screen where the SSO Group Mappings section is and click Add SSO Mapping. The Add SSO Mapping Screen is presented the following fields are available to be filled in:

../_images/view_group.png ../_images/sso_group_mappings.png ../_images/add_sso_group_mapping_config.png

Property

Description

SSO Provider

A dropdown of the available SSO identity providers (LDAP, SAML, OpenID) configured in the system.

Assign All Users

A checkbox that indicates any user that authenticates with the defined SSO provider will be added to the Kasm group

Group Attributes

The LDAP DN to the desired group

Example LDAP Configuration

The following section gives an example of a typical LDAP configuration of users and groups using Active Directory.

Consider the following domain “kasm.core” with the following structure

../_images/fake_ldap_domain.jpg
  • MyOrg

    Top level OU in the kasm.core domain

  • all_kasm_app_users

    Security Group under the MyOrg OU that houses all users and groups that should be allowed access to the Kasm App. If a user is not a member of this group they should not be allowed to log into the app.

  • kasm_group_1

    A Security group that is a member of the all_kasm_app_users Group. Members of this group should automatically be mapped to a group in Kasm named Ldap Group 1

  • Test_user_1

    A user that is a member of kasm_group_1

  • Test_user_2

    A user that is a member of all_kasm_app_users. This user should be allowed to access the Kasm app but is not automatically placed in to special groups

  • test_user_3

    This user is not a member of the all_kasm_app_users group and therefore not be allowed to log in to the Kasm application

  • ldap_service_account

    This user will be used as a service or ‘bot’ account do to LDAP queries

../_images/ldap_domain.png

Configure the LDAP Configuration (Active Directory)

  • Log into the Kasm Web UI as an administrator

  • Click Authentication -> LDAP

  • Click Create New Configuration

  • The configurations for Microsoft Active Directory are as follows

Property

Value

Name

Kasm Test LDAP Settings

URL

ldaps://ldap.kasm.core:636

Search Base

OU=MyOrg,DC=kasm,DC=core

Search Filter

&(objectClass=user)(sAMAccountName={0})(memberof:1.2.840.113556.1.4.1941:=CN=all_kasm_app_users,OU=MyOrg,DC=kasm,DC=core)

Group Membership Filter

&(objectClass=group)(member:1.2.840.113556.1.4.1941:={0})

Email Attribute

mail

Service Account DN

CN=ldap_service_account,OU=MyOrg,DC=kasm,DC=core

Service Account Password

password

Search Subtree

Checked

Auto Create App User

Checked

Enabled

Checked

Note

1.2.840.113556.1.4.1941 is a special OID allowing for recursive enumeration of objects. Effectively this allows users to be determined to members of members. Otherwise the user would need to be a direct member of the specified group. See Microsoft Docs for details

Configure the LDAP Configuration (OpenLDAP / IDM)

  • Log into the Kasm Web UI as an administrator

  • Click Authentication -> LDAP

  • Click Create New Configuration

  • The configurations for OpenLDAP or IDM are as follows

Property

Value

Name

Kasm Test LDAP Settings

URL

ldaps://ldap.kasm.core:636

Search Base

OU=MyOrg,DC=kasm,DC=core

Search Filter

(&(objectClass=posixAccount)(uid={0})

Group Membership Filter

(&(objectClass=groupOfNames)(member={0}))

Email Attribute

mail

Service Account DN

CN=ldap_service_account,OU=MyOrg,DC=kasm,DC=core

Service Account Password

password

Search Subtree

Checked

Auto Create App User

Checked

Enabled

Checked

Note

Kasm only supports the “groupOfNames” or “groupOfUniqueNames” objectClasses in OpenLDAP/IDM, linking to a “posixGroup” objectClass is not currently supported.

Configure an LDAP Enabled Group

The following settings can be used to create a group in Kasm named “LDAP Group 1”. It will be mapped to LDAP group kasm_group_1. When LDAP users that are members of kasm_group_1 sign in they will automatically be put in the LDAP Group 1 Kasm group.

Settings for the group creation screen:

Property

Description

Name

LDAP Group 1

Description

Group mapped to kasm_group_1 in Active Directory

Priority

100

Settings for the SSO Group Mapping screen

Property

Description

SSO Provider

LDAP - Kasm Test LDAP Settings

Assign All Users

Unchecked

Group Attributes

CN=kasm_group_1,OU=MyOrg,DC=kasm,DC=core

Verifying Configurations

Discovering and Authenticating Users

  • Log into the Kasm Web UI as an administrator

  • Click Authentication -> LDAP

  • Click the Test LDAP Connection icon for Kasm Test LDAP Settings

  • Enter test_user_1@kasm.core and the correct password

  • The test should succeed. test_user_1 is a member of kasm_group_1 which is a member of all_kasm_app_users

  • Enter test_user_2@kasm.core and the correct password

  • The test should succeed. test_user_2 is a member of all_kasm_app_users

  • Enter test_user_3@kasm.core and the correct password

  • The test should fail. test_user_3 is NOT a member of all_kasm_app_users group or any group that is a member of that group

Group Assignment

  • Log out of the Kasm Application and Log in as test_user_1@kasm.core

  • Click Profile. Notice the user is a member of All Users ( set by default) and LDAP Group 1

  • Log out of the Kasm Application and Log in as test_user_2@kasm.core

  • Login will succeed.

  • Click Profile. Notice the user is only a member of the All Users Group (Set by default) but is not a member of any additional groups

  • Log out of the Kasm Application. Attempt to log in as test_user_3@kasm.core

  • Access is denied. test_user_3 is not a member of the required all_kasm_app_user group so is denied access because the LDAP query cant find the user.