Active Directory Authentication
The ad-auth plugin integrates DRP with an external Microsoft Active Directory (AD) service for
Single Sign-On (SSO). Once installed and configured, DRP will authenticate users against AD using
LDAP BIND, optionally restricting access based on group membership and mapping AD groups to DRP
roles. Internally defined DRP users can coexist with AD-backed users.
For the full developer-oriented reference on all parameters and the complete architecture, see the Active Directory SSO content pack documentation.
Installation
Install the ad-auth plugin provider from the catalog, then create a plugin instance to configure
it:

```shell
# Install the plugin provider
drpcli catalog item install ad-auth
# Create a plugin instance from a YAML configuration file
drpcli plugins create /path/to/ad-auth-config.yaml
```
Through the portal, navigate to Catalog, search for ad-auth (select the Enterprise category),
install the plugin provider, then create a new Plugin of type ad-auth.
Required Parameters
Set the following parameters on the ad-auth plugin object:

| Parameter | Description |
|---|---|
| ad-auth/ad-url | LDAP URL for the AD server (e.g., ldaps://ldap.company.internal:3269) |
| ad-auth/base-dn | Base domain name to query (e.g., DC=department,DC=company,DC=com) |
| ad-auth/ad-tls | TLS mode: NONE, TLS, or STARTTLS. Default is NONE. |
| ad-auth/default-role | DRP role assigned when no group mapping matches. Defaults to superuser. |
Group-Based Access Control
To restrict access to members of specific AD groups and map groups to DRP roles, configure these additional parameters on the plugin:

| Parameter | Description |
|---|---|
| ad-auth/groups | List of AD group names to query for membership |
| ad-auth/group-roles-map | Map of AD group names to lists of DRP role names |
| ad-auth/deny-if-no-groups | If true, deny login when the user is not in any configured group |
When ad-auth/group-roles-map is set, matched groups cumulatively grant their associated DRP roles.
This overrides ad-auth/default-role.
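The role-resolution rules above, modelled in Python as an added example (this is not the plugin's own code): only groups listed in ad-auth/groups are consulted, matched groups grant their mapped roles cumulatively, and an unmatched user is either denied or given ad-auth/default-role. The parameter values are constructed, and config_warnings is an added review check for the two permissive defaults (ad-tls NONE, default-role superuser without deny-if-no-groups).

```python
# Constructed ad-auth parameter set; semantics follow the parameter tables on this page.
AD_AUTH_PARAMS = {
    "ad-auth/ad-tls": "TLS",
    "ad-auth/default-role": "superuser",  # documented default
    "ad-auth/deny-if-no-groups": True,
    "ad-auth/groups": ["DRP_Admins", "DRP_Operators"],
    "ad-auth/group-roles-map": {
        "DRP_Admins": ["superuser"],
        "DRP_Operators": ["operator", "readonly"],
    },
}


def resolve_roles(params, user_groups):
    """Return (allowed, roles) for a user whose AD groups are user_groups."""
    watched = set(params.get("ad-auth/groups", []))
    role_map = params.get("ad-auth/group-roles-map") or {}
    default_role = params.get("ad-auth/default-role", "superuser")
    matched = [g for g in user_groups if g in watched]
    if not matched:
        if params.get("ad-auth/deny-if-no-groups", False):
            return False, []                # not in any configured group
        return True, [default_role]         # fall back to default-role
    if not role_map:
        return True, [default_role]         # groups only restrict, no mapping
    roles = []                              # cumulative, order preserved, no duplicates
    for g in matched:
        for r in role_map.get(g, []):
            if r not in roles:
                roles.append(r)
    return True, roles


def config_warnings(params):
    """Flag settings a reviewer would question before enabling AD SSO."""
    warnings = []
    if params.get("ad-auth/ad-tls", "NONE") == "NONE":
        warnings.append("ad-tls is NONE: BIND credentials are sent in clear text")
    if (not params.get("ad-auth/deny-if-no-groups", False)
            and params.get("ad-auth/default-role", "superuser") == "superuser"):
        warnings.append("any AD account that can BIND becomes superuser")
    return warnings
```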
Cache and Session Parameters
DRP caches AD user information to reduce load on the AD server. Tune these parameters to match your organization's security requirements:

| Parameter | Description |
|---|---|
| ad-auth/user-activity-check | How often (seconds) to expire cached users. Default: 86400 (1 day) |
| ad-auth/user-activity-window | How long (seconds) a user remains cached without re-authenticating. Default: 2592000 (30 days) |
| ad-auth/additional-dns | Additional domain names to query beyond ad-auth/base-dn |
Example Configuration

```yaml
Name: corp-ad-sso
Provider: ad-auth
Params:
  ad-auth/ad-tls: TLS
  ad-auth/ad-url: ldaps://ldap.company.internal:3269
  ad-auth/base-dn: DC=department,DC=company,DC=com
  ad-auth/deny-if-no-groups: true
  ad-auth/group-roles-map:
    DRP_Admins:
      - superuser
  ad-auth/groups:
    - DRP_Admins
  ad-auth/user-activity-check: 86400
  ad-auth/user-activity-window: 259200
```

Save this as a YAML file and apply it with drpcli plugins create, as shown in the Installation section.

The ad-auth/additional-dns parameter can add secondary domains. All configured domains are
searched in order; the first successful BIND result wins.