# Comet SSO LDAP integration
This document outlines the configuration settings for integrating an application with LDAP as a Single Sign-On (SSO) solution. The configuration can be applied to both single server/VM and Kubernetes deployments.
The following sections provide configuration examples for LDAP, organized by deployment type.
In the final section, you will find a comprehensive list of LDAP variables, with descriptions of their functions.
## Linux Server Deployment / All In One example

Run `cometctl aio update-config` and add the following values:
```yaml
environment_token: "onprem-ldap"
ldap_enabled: "True"
ldap_domain: "ldap.jumpcloud.com"
ldap_or_ldaps: "ldaps"
ldap_ports: 636
ldap_format: "uid=%s,ou=Users,o=2141242,dc=jumpcloud,dc=com"
ldap_dcstr: "ou=Users,o=2141242,dc=jumpcloud,dc=com"
ldap_search_filter: "cn=%s"
ldap_allowed_groups: "['cn=mygroup,ou=Users,o=2141242,dc=jumpcloud,dc=com']"
ldap_group_object_class: "inetOrgPerson"
# Optional bind user config
ldap_bind_dn: "uid=ldapadmin,ou=Users,o=5b1804cb68264f1c4d6b3193,dc=jumpcloud,dc=com"
ldap_bind_password: "password"
```
Once you have finished, save your file.

If you are using an older version of the installer, you can instead add the following variables directly to the `/etc/default/comet-ml` file. If you edit this file, run `cometctl aio restart-services` afterward to apply your changes.
```bash
ENVIRONMENT_TOKEN="onprem-ldap"
LDAP_ENABLED="True"
LDAP_DOMAIN="ldap.jumpcloud.com"
LDAP_OR_LDAPS="ldaps"
LDAP_PORT=636
LDAP_FORMAT="uid=%s,ou=Users,o=2141242,dc=jumpcloud,dc=com"
LDAP_DCSTR="ou=Users,o=2141242,dc=jumpcloud,dc=com"
LDAP_SEARCH_FILTER="cn=%s"
LDAP_ALLOWED_GROUPS="['cn=mygroup,ou=Users,o=2141242,dc=jumpcloud,dc=com']"
LDAP_GROUP_OBJECT_CLASS="inetOrgPerson"
# Optional bind user config:
LDAP_BIND_DN="uid=ldapadmin,ou=Users,o=5b1804cb68264f1c4d6b3193,dc=jumpcloud,dc=com"
LDAP_BIND_PASSWORD="password"
```
**Note:** If you encounter any issues with the LDAP configuration, check `/opt/comet-ml/logs/server-react.log` for troubleshooting.
## Kubernetes Manifest Files example (backend-configmap.yaml)

When working directly with Kubernetes manifest files, the following variables need to be set in `backend-configmap.yaml`:

```yaml
LDAP_ENABLED: "True"
LDAP_DOMAIN: "ldap.jumpcloud.com"
LDAP_OR_LDAPS: "ldaps"
LDAP_PORT: "636"   # ConfigMap data values must be strings, so the port is quoted here
LDAP_FORMAT: "uid=%s,ou=Users,o=2141242,dc=jumpcloud,dc=com"
LDAP_DCSTR: "ou=Users,o=2141242,dc=jumpcloud,dc=com"
LDAP_SEARCH_FILTER: "cn=%s"
LDAP_ALLOWED_GROUPS: "['cn=mygroup,ou=Users,o=2141242,dc=jumpcloud,dc=com']"
LDAP_GROUP_OBJECT_CLASS: "inetOrgPerson"
# Optional bind user config
LDAP_BIND_DN: "uid=ldapadmin,ou=Users,o=5b1804cb68264f1c4d6b3193,dc=jumpcloud,dc=com"
LDAP_BIND_PASSWORD: "password"
```
Then edit `frontend-nginx/frontend-nginx-configmap.yaml` and set `ENVIRONMENT_TOKEN: onprem-ldap`:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: frontend-nginx-configmap
data:
  ENVIRONMENT_TOKEN: onprem-ldap
```
## Kubernetes - Helm Charts

If using Helm charts, the following configurations need to be set in the `values.yaml` file.

```yaml
frontend:
  environmentToken: "onprem-ldap"
comet:
  login:
    ldap:
      enabled: true
      domain: ""
      orLDAPS: "ldaps"
      port: 636
      format: ""
      dcstr: ""
      searchFilter: ""
      allowedGroups: ""
      groupObjectClass: "inetOrgPerson"
      bindDN: ""
      bindPassword: ""
```
## Synchronization of Directory Groups and Comet Workspaces
Comet allows the synchronization of LDAP/AD groups with Comet workspaces. When enabled, every time a user logs in, Comet will scan all of the user's permitted Directory groups and automatically assign the user to the corresponding workspaces.
Our synchronization of workspaces is supported through the following methods:
- Whitelisting specific group names
- Identifying groups by prefix
- Identifying groups by suffix
## Enabling synchronization

```bash
LDAP_GROUP_WORKSPACE_SYNC="true"
LDAP_GROUP_PREFIX="comet1"   # optional
LDAP_GROUP_SUFFIX="et1"      # optional
LDAP_ALLOWED_GROUPS="['cn=testgroup1,ou=Users,o=5b1804cb68264f1c4d6b3193,dc=jumpcloud,dc=com']"   # optional
```

- `LDAP_GROUP_WORKSPACE_SYNC`: Set to "true" to enable the synchronization feature.
- `LDAP_GROUP_PREFIX`: Optional. Specifies a prefix for identifying groups to be synchronized.
- `LDAP_GROUP_SUFFIX`: Optional. Specifies a suffix for identifying groups to be synchronized.
- `LDAP_ALLOWED_GROUPS`: Optional. A list of specific groups that are allowed to be synchronized.
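To see what the three matching methods grant in practice, here is an added example (not Comet's own code) that reconstructs the group-to-workspace mapping from the variables above. It assumes the methods are combined with OR, that the workspace takes the group's `cn`, and it uses the page's sample values; the `secret1` group is constructed to show how a short suffix such as `et1` can match more groups than intended.

```python
import ast
import re

# Constructed sample values taken from the "Enabling synchronization" block.
SYNC_CONFIG = {
    "LDAP_GROUP_WORKSPACE_SYNC": "true",
    "LDAP_GROUP_PREFIX": "comet1",
    "LDAP_GROUP_SUFFIX": "et1",
    "LDAP_ALLOWED_GROUPS": "['cn=testgroup1,ou=Users,o=5b1804cb68264f1c4d6b3193,dc=jumpcloud,dc=com']",
}

def group_name(group_dn: str) -> str:
    """Return the cn value of a group DN, or '' if the DN does not start with cn=."""
    m = re.match(r"\s*cn=([^,]+)", group_dn, re.IGNORECASE)
    return m.group(1).strip() if m else ""

def normalize_dn(dn: str) -> str:
    """DNs compare case-insensitively; strip whitespace around RDN separators."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def synced_workspaces(user_group_dns, cfg=SYNC_CONFIG) -> list:
    """Assumed semantics: a group is synced when it is allow-listed, OR its cn
    starts with LDAP_GROUP_PREFIX, OR its cn ends with LDAP_GROUP_SUFFIX."""
    if cfg.get("LDAP_GROUP_WORKSPACE_SYNC", "").lower() != "true":
        return []
    prefix = cfg.get("LDAP_GROUP_PREFIX", "")
    suffix = cfg.get("LDAP_GROUP_SUFFIX", "")
    raw = cfg.get("LDAP_ALLOWED_GROUPS", "")
    allowed = {normalize_dn(g) for g in ast.literal_eval(raw)} if raw else set()
    matched = []
    for dn in user_group_dns:
        name = group_name(dn)
        if (normalize_dn(dn) in allowed
                or (prefix and name.startswith(prefix))
                or (suffix and name.endswith(suffix))):
            matched.append(name)   # workspace name assumed to equal the group cn
    return matched

# Constructed directory groups for one user; 'secret1' matches only via the suffix.
SAMPLE_GROUPS = [
    "cn=comet1-research,ou=Users,o=5b1804cb68264f1c4d6b3193,dc=jumpcloud,dc=com",
    "cn=secret1,ou=Users,o=5b1804cb68264f1c4d6b3193,dc=jumpcloud,dc=com",
    "CN=testgroup1,OU=Users,o=5b1804cb68264f1c4d6b3193,dc=jumpcloud,dc=com",
    "cn=finance,ou=Users,o=5b1804cb68264f1c4d6b3193,dc=jumpcloud,dc=com",
]
```

Run `synced_workspaces(SAMPLE_GROUPS)` and compare it with the same call after removing `LDAP_GROUP_SUFFIX` to see which grants come only from the suffix rule.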
## Disabling Collaboration
Comet Enterprise provides the option to disable collaboration features. If disabled, the following functionality will be inaccessible:
- Inviting members to a workspace
- Removing members from a workspace
- Public projects
- Shareable links
By default, collaboration is enabled. To disable it, please set the following:
```bash
FEATURES_COLLABORATION_DISABLED="true"
```

In the configuration file `config.js`, set:

```bash
DISABLE_CREATE_WORKSPACE="True"
```

Please note that disabling collaboration will affect all users and workspaces within the organization.
## Overview of Configurable Variables
LDAP_ENABLED: This setting controls whether LDAP authentication is enabled for the application. If set to "True", users will be able to log in with their LDAP credentials. If set to "False", the application will not attempt to authenticate users with LDAP.

LDAP_DOMAIN: This setting specifies the domain name of the LDAP server. For example, the domain can be "ldap.jumpcloud.com".

LDAP_OR_LDAPS: This setting specifies whether to use the LDAP or LDAPS protocol to connect to the server. LDAPS is LDAP over TLS.

LDAP_PORT: This setting specifies the port number to use when connecting to the LDAP server. In this example, the port number is 636, which is the standard port for LDAPS.

LDAP_FORMAT: This setting specifies the format of the Distinguished Name (DN) for the user. The %s placeholder indicates where the username is inserted. In this example, the format is "uid=%s,ou=Users,o=2141242,dc=jumpcloud,dc=com".

LDAP_DCSTR: This setting specifies the Distinguished Name (DN) of the search base for the LDAP directory. In this example, the search base is "ou=Users,o=2141242,dc=jumpcloud,dc=com".

LDAP_SEARCH_FILTER: This setting specifies the search filter to use when looking up a user in the LDAP directory. The %s placeholder indicates where the username is inserted. In this example, the filter is "cn=%s".

LDAP_ALLOWED_GROUPS: This setting specifies the DNs of the groups whose members are allowed to log in to the application. It can be a list of DNs of the allowed groups. In these examples, the allowed groups are "cn=mygroup,ou=Users,o=2141242,dc=jumpcloud,dc=com" and "cn=testgroup1,ou=Users,o=5b1804cb68264f1c4d6b3193,dc=jumpcloud,dc=com".

LDAP_GROUP_OBJECT_CLASS: This setting specifies the object class of the group in the LDAP directory. In this example, the object class is "inetOrgPerson". This class is used when searching for groups in the directory.

LDAP_BIND_DN: This environment variable specifies the Distinguished Name (DN) used for binding to the LDAP server for authentication. The DN uniquely identifies an entry (in this case, a user) in the LDAP directory. The DN is generally of the form `uid=<username>,ou=<organizational_unit>,o=<organization>,dc=<domain_component>,dc=<domain_component>`. Ensure that the user represented by LDAP_BIND_DN has sufficient permissions to perform the required LDAP operations, such as search, read, or write.

LDAP_BIND_PASSWORD: This environment variable holds the password corresponding to the user specified in LDAP_BIND_DN. This password is used to authenticate the bind operation with the LDAP server.
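The `%s` placeholders in LDAP_FORMAT and LDAP_SEARCH_FILTER are where a user-supplied login name enters a DN and a filter, so the value has to be escaped for each syntax before substitution. The following added example (not Comet's code) shows that escaping, using RFC 4514 rules for the DN and RFC 4515 rules for the filter, plus a normalised check of the user's groups against LDAP_ALLOWED_GROUPS; the configuration values are the page's, the usernames are constructed.

```python
import ast

# Constructed sample values mirroring the page's example configuration.
CONFIG = {
    "LDAP_FORMAT": "uid=%s,ou=Users,o=2141242,dc=jumpcloud,dc=com",
    "LDAP_SEARCH_FILTER": "cn=%s",
    "LDAP_ALLOWED_GROUPS": "['cn=mygroup,ou=Users,o=2141242,dc=jumpcloud,dc=com']",
}
# RFC 4514: characters that must be backslash-escaped inside a DN attribute value.
_DN_SPECIAL = ',+"\\<>;'
# RFC 4515: characters that must be hex-escaped inside a search filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_dn_value(value: str) -> str:
    """Escape a username before it replaces %s in LDAP_FORMAT."""
    out = "".join(r"\00" if c == "\x00" else ("\\" + c if c in _DN_SPECIAL else c)
                  for c in value)
    if out[:1] in (" ", "#"):     # a leading space or '#' must be escaped
        out = "\\" + out
    if out.endswith(" "):         # and so must a trailing space
        out = out[:-1] + "\\ "
    return out

def escape_filter_value(value: str) -> str:
    """Escape a username before it replaces %s in LDAP_SEARCH_FILTER."""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)

def bind_dn(username: str, fmt: str = CONFIG["LDAP_FORMAT"]) -> str:
    """Render the user's DN from LDAP_FORMAT with the username escaped."""
    return fmt % escape_dn_value(username)

def search_filter(username: str, flt: str = CONFIG["LDAP_SEARCH_FILTER"]) -> str:
    """Render LDAP_SEARCH_FILTER as a complete, parenthesised filter."""
    return "(" + flt % escape_filter_value(username) + ")"

def normalize_dn(dn: str) -> str:
    """DNs compare case-insensitively; strip whitespace around separators.
    (Escaped commas inside values are not handled in this example.)"""
    return ",".join(part.strip().lower() for part in dn.split(","))

def allowed_groups(raw: str = CONFIG["LDAP_ALLOWED_GROUPS"]) -> set:
    """Parse the quoted-list form of LDAP_ALLOWED_GROUPS into normalised DNs."""
    return {normalize_dn(g) for g in ast.literal_eval(raw)}

def is_allowed(user_group_dns, raw: str = CONFIG["LDAP_ALLOWED_GROUPS"]) -> bool:
    """True when the user belongs to at least one allowed group."""
    wanted = allowed_groups(raw)
    return any(normalize_dn(g) in wanted for g in user_group_dns)
```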