• Integrations

LDAP Authentication

What Are Some Advantages to LDAP Integration?

LDAP integration leverages your existing user management infrastructure, eliminating the need to set up and maintain a separate user store for Kindling. Once integrated, Kindling is even in tune with your organization’s group assignments, so permissions can be inherited directly from LDAP profiles.

LDAP integration also lowers the barrier of entry for Kindling participants, who can log into without having to keep track of yet another Username and password.

How Do I Set Up LDAP integration?

There are three steps to getting LDAP authentication running:

  1. Configure your company's firewall

    If your LDAP server is configured to restrict access by IP, you‘ll need to open a hole in your firewall to allow our system to access it. Kindling‘s application servers are currently located at this IP range:

    23.21.224.0/28

    Opening up this range will allow Kindling to authenticate against your LDAP server. The port number that will need access depends on the LDAP Security type you choose (see Item 3).

  2. Make sure your LDAP server is accessible by SSL

    AD needs to be able to connect securely, which means it needs a certificate set up for it. Whether you get your certificate signed by a certificate authority, use an internally signed CA, or a self-signed certificate, Kindling will be able to make a secure connection. If you have not yet set up a certificate, this article may be helpful: http://support.microsoft.com/kb/321051

  3. Configure Kindling to use LDAP authentication

    The Kindling support team will set up your LDAP/AD connection. The following information is required:

    • LDAP Security Type

      • The type of security to use. Kindling supports establishing a TLS or LDAPS (encrypted SSL) connection for LDAP. TLS links are negotiated over port 389, while LDAPS uses port 636.
    • LDAP Server

      • The address of your LDAP server. Enter the value without a protocol. For example: ldap.yourcompany.org.

        SaaS customers using a VPN: You must use our VPN bouncer host as your LDAP Server. Kindling will provide that information during the setup process.

    • Bind DN

      • The User credentials to authenticate to your LDAP server. Typically something like: cn=administrator,cn=Users,dc=domain,dc=com.
    • Bind Password

      • The password the admin uses to authenticate to your LDAP server.
    • Base DN

      • The subsection under which your Users are stored. Typically something like: cn=Users,dc=domain,dc=com. (Advanced Note: If you have multiple base DNs to search within, you can split them via a pipe ('|') character.)
    • Search Filter

      • How to find your Users by their ID. %s below represents the name of your unique user ID field. This is typically something like: (samAccountName=%s) for Active Directory, or (uid=%s) for OpenLDAP, but it can be any arbitrary field, based on how your users are organized. This is also what is used by your Users to log into Kindling.

Once Kindling has entered your settings, you will be asked to verify your Authentication Settings by logging into the system with a valid User from your LDAP/AD directory. This will ensure that the settings you entered are allowing a valid User to authenticate against your server.

Once validated, all your LDAP Users can begin to login.

How Do LDAP Users Log In to Kindling?

LDAP Users log into Kindling via the native login screen but using their LDAP credentials.

ldap login plain

Kindling Administrators can customize the login screen to indicate to Users that they should enter their LDAP Username and password. New LDAP users are made known to Kindling upon successful authentication against the LDAP server.

What Information Does Kindling Retrieve from LDAP?

Kindling stores the Username, email, first name, and last name fields from LDAP, as well as any Group affiliations.

How Does Kindling Handle LDAP Groups?

One powerful advantage of integrating your LDAP service with Kindling is that you can leverage your existing LDAP Groups. Once Kindling is made aware of an LDAP Group, you have the option of creating an equivalent Smart Group in Kindling.

Kindling imports LDAP groups by retrieving them when a member of the Group logs in for the first time. In other words, to make Kindling aware of an LDAP Group, a member of that Group must log into Kindling. When you roll Kindling out to your organization, have one or more Users who are members of the Groups you‘d like to use log into the system, so that Kindling is made aware of the Groups and you can assign Category access to them.

To create a Kindling “Smart Group” from a LDAP Group, select “Manage” (gear icon in the top menu) -> “Groups”. Then click the “Create” button.

Manage Groups

Create Groups

Enter a unique Group name; it cannot be the same as any other Group in your organization’s Kindling. A description is optional but strongly recommended. (Neither the title nor the description will be displayed to the members of the Group). Then select “I want to add people by criterion” beneath the description box.

smartgroups creation

Move to “step 2: Select Members” and select the Group of Users “All Users associated with an external Group (AD, SAML)”. Then, a new selection box will appear and will contain all LDAP Groups that Kindling is aware of.

smartgroups select users

Alternatively, you can use pattern matching against the LDAP Group names to identify members of a Group. To do this, select the criterion “All Users associated with an external Group (AD, SAML) that matches:”. A textbox will appear, allowing you to enter a regular expression that you‘d like to use for matching.

LDAP groups with pattern matching

Follow the steps enumerated to complete the Group setup. Once the Smart Group is created, all Users who log in with the corresponding LDAP Group will automatically be a part of this new Smart Group.

How Do I Modify My LDAP Setup?

To modify your LDAP setup, have an administrator of your Kindling contact Kindling Support.

Do I Need to Take Any Action When I Add a New User to My LDAP System?

As long as the new User is within the same DN as the current settings account for, no action is needed to allow them to log into Kindling. If the new User is part of a different DN, please contact the Kindling Support team to add the additional DN to your LDAP setup.

Do I Need to Notify Kindling If There Are Changes to an LDAP User Profile (E.G. New Email Address)?

Kindling will automatically discover changes to an LDAP profile as long as the Username (as defined by the Search Filter given at setup) does not change. If your team is expecting to change the Username of an LDAP user, or have a User move across Base DNs, please let Kindling Support know.