Introduction
This plugin is used together with the storage technology plugins that are connected to LDAP: it provisions the groups that represent DSAs and manages the group memberships that represent users' acceptance of those DSAs.
Services available in the plugin
- Create groups: creates groups and adds their initial users.
- Assign/unassign users: adds users to, or removes users from, groups created by the plugin.
- Delete groups: deletes groups previously created by the plugin.
Integration Model
Active governance of access permissions
In general terms, the DSAs (Data Sharing Agreements) of Anjana Data Platform are represented in AD/LDAP as groups, and the users who sign each agreement are managed as members of those groups. Membership in the group is therefore what materializes effective access to the data governed by the DSA.
Anjana Data Platform creates, updates and deletes these groups automatically, including or excluding users based on the adherence and de-adherence processes defined in the platform.
The groups created by Anjana Data Platform follow this naming convention:
<configurable prefix>_<DSA logical name>_v<DSA version number>
Where:
- <configurable prefix>: prefix defined by the organization to identify the groups managed by Anjana Data Platform. Configurable in the plugin's YAML.
- <DSA logical name>: functional name of the agreement as it appears in Anjana.
- v<DSA version number>: version number of the DSA, which distinguishes the active version from historical ones.
Anjana Data Platform interacts with the corporate identity manager through the LDAP protocol, through which it executes the operations described for group provisioning and member management.
Required Credentials
The plugin requires a credential with the following permissions:
- Creation, modification and deletion of groups (groupOfNames or group objects) within the selected OU
- Modification of group members
If this plugin is used as a complementary instance alongside an instance of a different plugin, bear in mind that each technology is different, so the configuration of each instance may vary.
Limitations
- The DSA name used to build the group name must not exceed 60 characters; check the limits of the particular AD/LDAP implementation in use, since they may differ.
- Within the branch formed by the base configuration + baseUser, no two users may share the same username value, even if they sit in different sub-branches, because the user lookup is by username and would otherwise be ambiguous.
- Groups are created with the groupOfNames object class by default. In the standard LDAP schema (RFC 4519) groupOfNames requires at least one member attribute, so if the DSA configuration assigns no owners, and therefore no initial members, the group creation in LDAP fails with an object class violation; for the same reason, a de-adherence that would remove the last member of such a group is also rejected by the server. Other object classes, such as Active Directory's group class, allow creating the group without members.
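The following Python is an added worked example, not code from the plugin or from Anjana Data Platform. It builds the group name from the naming convention above, validates the 60-character limit, escapes the CN for use in a DN (RFC 4514), and assembles the attributes of the LDAP ADD for either a groupOfNames group or an Active Directory group object, refusing the two operations the groupOfNames schema rejects: creating the group with no members and removing its last member. The prefix, the OU, the user DNs and the groupType value for AD (global security group) are assumptions of the example and are not taken from the page.

```python
"""Building the LDAP entry for a DSA group (added example, not the plugin's code)."""

MAX_DSA_NAME_LEN = 60  # limit stated in the Limitations section
# Characters that RFC 4514 section 2.4 requires escaping inside an RDN value.
DN_SPECIAL = set(',+";<>\\')


def escape_rdn_value(value: str) -> str:
    """Escape a CN value so it can be embedded in a DN without changing its structure."""
    out = []
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, len(value) - 1)
        out.append("\\" + ch if ch in DN_SPECIAL or leading_hash or edge_space else ch)
    return "".join(out)


def group_cn(prefix: str, dsa_logical_name: str, dsa_version: int) -> str:
    """Return <prefix>_<DSA logical name>_v<version>, validating the page's limits."""
    if not 1 <= len(dsa_logical_name) <= MAX_DSA_NAME_LEN:
        raise ValueError(f"DSA logical name must be 1..{MAX_DSA_NAME_LEN} characters")
    if dsa_version < 1:
        raise ValueError("DSA version must be a positive integer")
    return f"{prefix}_{dsa_logical_name}_v{dsa_version}"


def group_dn(cn: str, groups_ou: str) -> str:
    """DN of the group under the OU the plugin credential is allowed to manage."""
    return f"cn={escape_rdn_value(cn)},{groups_ou}"


def group_entry(cn: str, member_dns, object_class: str = "groupOfNames",
                windows_ad: bool = False) -> dict:
    """Attributes for the LDAP ADD that creates the group.

    RFC 4519 declares 'member' a MUST attribute of groupOfNames, so the server
    rejects an add without members (objectClassViolation). AD's 'group' class
    has no such requirement, so an empty group is accepted there.
    """
    if object_class == "groupOfNames" and not member_dns:
        raise ValueError("groupOfNames needs at least one member: assign a DSA owner "
                         "or create the group with the 'group' object class")
    attrs = {"objectClass": ["top", object_class], "cn": [cn]}
    if member_dns:
        attrs["member"] = list(member_dns)
    if windows_ad:
        # sAMAccountName is what consumers such as SQL Server resolve (Windows AD note).
        # groupType -2147483646 (global security group) is an assumption of this example.
        attrs["sAMAccountName"] = [cn]
        attrs["groupType"] = ["-2147483646"]
    return attrs


def remove_member(attrs: dict, member_dn: str) -> dict:
    """Apply a de-adherence. Refuses to empty a groupOfNames: that MODIFY would fail
    with the same objectClassViolation, so the group has to be deleted instead."""
    remaining = [m for m in attrs.get("member", []) if m.lower() != member_dn.lower()]
    if not remaining and "groupOfNames" in attrs["objectClass"]:
        raise ValueError("cannot remove the last member of a groupOfNames; delete the group")
    updated = {k: list(v) for k, v in attrs.items()}
    if remaining:
        updated["member"] = remaining
    else:
        updated.pop("member", None)
    return updated


def to_ldif(dn: str, attrs: dict) -> str:
    """Render the entry as LDIF for ldapadd (values assumed printable; no base64 handling)."""
    lines = [f"dn: {dn}"]
    for attr, values in attrs.items():
        lines.extend(f"{attr}: {v}" for v in values)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample input: prefix ANJ, one adhered user, groups OU (assumptions).
    cn = group_cn("ANJ", "sales_data", 1)
    dn = group_dn(cn, "ou=dsa-groups,dc=example,dc=com")
    print(to_ldif(dn, group_entry(cn, ["uid=alice,ou=people,dc=example,dc=com"])))
```

The DN comparison in remove_member is a case-insensitive string match, which is a simplification of LDAP DN matching; a real client should normalize DNs or compare against what the server returns. The LDIF output can be fed to ldapadd to reproduce the plugin's create operation by hand when debugging a failed provisioning.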
TLS
The connection can be configured over ldaps:// (LDAP over TLS) if required. Note that a simple bind over plain ldap:// sends the plugin credential's password in cleartext, so ldaps:// is the appropriate choice whenever the directory supports it.
Windows AD
When working with Windows AD, the sAMAccountName and groupParam.instanceType properties must be set (see the example configuration) so that consumers such as SQL Server can resolve the AD group names.
Ranger Plugin
When the Tot LDAP plugin is used together with Ranger and Active Directory, a mechanism is needed to synchronize the changes made to the Active Directory groups with the groups seen by HDFS, for example SSSD.
If the group identifier (the common name) has to be present in more than one attribute, for example also in sAMAccountName because the AD-to-HDFS synchronization mechanism reads that attribute, the extraGroupCn option can be used as detailed in the configuration example above.
That is, if user X adheres to DSA D, Active Directory will show a group for D with a single member, X.
Likewise, Ranger will have a policy created for that group, and on HDFS running, for example, "hdfs groups X" should list the group for D.