The Authorization Configuration is used to configure a connection to an LDAP/AD server. The plugin later uses this configuration to authorize a user or to search for users in the LDAP/AD server. You can also configure multiple LDAP/AD servers by creating multiple authorization configurations.

- Log in to the GoCD server as an administrator and navigate to **Admin > Security > Authorization Configuration**.
- Click on **Add** to create a new authorization configuration.
- Provide a unique identifier for this authorization configuration and select `LDAP Authorization Plugin for GoCD` as the **Plugin**.
- **URI (Mandatory):** Specify your LDAP server URL.

  ```xml
  <property>
    <key>Url</key>
    <value>ldap://ldap-server-url:10389</value>
  </property>
  ```

- **StartTLS (Optional):** StartTLS is a mechanism for avoiding the need to listen on a separate port for SSL connections. Enabling StartTLS requires the root certificate of the CA that issued your LDAP/AD server certificate to be configured (see the `Certificate` property below).

  ```xml
  <property>
    <key>StartTLS</key>
    <value>false</value>
  </property>
  ```

- **ManagerDN (Optional):** The LDAP/AD manager user's DN, used to connect to the LDAP/AD server.

  ```xml
  <property>
    <key>ManagerDN</key>
    <value>uid=admin,ou=system,dc=example,dc=com</value>
  </property>
  ```

- **Password (Mandatory if `ManagerDN` is provided):** The LDAP/AD manager password, used to connect to the LDAP/AD server. Required only if a `ManagerDN` is specified.

- **Certificate (Optional):** Provide the root X.509 certificate, in PEM format, of the CA that issued your LDAP/AD server certificate if you are using `ldaps` or `StartTLS` is enabled. You can use `keytool` or `openssl` to produce the X.509 certificate in PEM format. If a certificate is not configured, the plugin looks for the certificate in the following order:
  - the truststore defined using the Java system property `javax.net.ssl.trustStore`;
  - if that is not defined, `${JAVA_HOME}/lib/security/jssecacerts` or `${JAVA_HOME}/lib/security/cacerts`.

  *LDAP/AD X.509 Certificate in PEM format*

  ```xml
  <property>
    <key>Certificate</key>
    <value>
      -----BEGIN CERTIFICATE-----
      MIIDBzCCAe+...1E2mRQFQHn64AhA=
      -----END CERTIFICATE-----
    </value>
  </property>
  ```
- **SearchBases (Mandatory):** This field defines the location in the directory from which the LDAP search begins. You can provide multiple search bases, each separated by a newline. If multiple search bases are configured, the plugin looks for the user in each search base sequentially until the user is found.

  Single search base:

  ```xml
  <property>
    <key>SearchBases</key>
    <value>ou=users,ou=system</value>
  </property>
  ```

  Multiple search bases:

  ```xml
  <property>
    <key>SearchBases</key>
    <value>
      ou=users,ou=system
      ou=employee,ou=system
    </value>
  </property>
  ```

- **UserLoginFilter (Mandatory):** An LDAP search filter used during authentication to look up the user entry matching the given expression. The `{0}` in the filter is replaced with the username provided by the user at the login screen. In the following example the filter searches for an entry whose `sAMAccountName` attribute matches the username; for a user with username `bford`, the filter resolves to `(sAMAccountName=bford)`.

  ```xml
  <property>
    <key>UserLoginFilter</key>
    <value>(sAMAccountName={0})</value>
  </property>
  ```

- **UserNameAttribute (Mandatory):** The value of this attribute is used by GoCD as the `username` of the logged-in user. GoCD uses the `username` to decide role-based permissions for a logged-in user. In the following example the `UserLoginFilter` uses an OR filter, so the user can log in using any of `sAMAccountName`, `mail` or `uid`. On successful authentication the plugin returns a User object to GoCD with the `username` derived from the `UserNameAttribute`, which is `sAMAccountName` in this example.

  ```xml
  <property>
    <key>UserLoginFilter</key>
    <value>(|(sAMAccountName={0})(mail={0})(uid={0}))</value>
  </property>
  <property>
    <key>UserNameAttribute</key>
    <value>sAMAccountName</value>
  </property>
  ```

- **UserSearchFilter (Optional):** An LDAP search filter used to look up users matching a given search term. This allows GoCD administrators to search for LDAP/AD users from the User Summary page in GoCD. The default filter is `(|(sAMAccountName=*{0}*)(uid=*{0}*)(cn=*{0}*)(mail=*{0}*)(otherMailbox=*{0}*))`.

  ```xml
  <property>
    <key>UserSearchFilter</key>
    <value>(|(sAMAccountName=*{0}*)(uid=*{0}*))</value>
  </property>
  ```

- **DisplayNameAttribute (Optional):** The value of this attribute in the logged-in user's record in the LDAP server is used as the display name. The default attribute is `cn`.

  ```xml
  <property>
    <key>DisplayNameAttribute</key>
    <value>displayName</value>
  </property>
  ```

  *Display name is shown in the top right corner after logging in*

- **EmailAttribute (Optional):** The value of this attribute is mapped to the GoCD user's `mail` field. The default value is `mail`. Once the attribute is mapped, users can create custom email notifications as described here.

  ```xml
  <property>
    <key>EmailAttribute</key>
    <value>mail</value>
  </property>
  ```

- **SearchTimeout (Optional):** Timeout in seconds for search operations; the default value is 5 seconds.

  ```xml
  <property>
    <key>SearchTimeout</key>
    <value>10</value>
  </property>
  ```
- Click on **Check connection** to verify your configuration. The plugin will establish a connection with the LDAP/AD server using the configuration and report the verification status.
- Once the connection check succeeds, click on **Save** to save the authorization configuration.
Alternatively, the configuration can be added directly to the GoCD config XML using the `<authConfig>` tag. It should be added under the `<security/>` tag as shown in the following example:

```xml
<security>
  <authConfigs>
    <authConfig id="my-ldap" pluginId="com.thoughtworks.gocd.authorization.ldap">
      <property>
        <key>Url</key>
        <value>ldap://ldap-server-url:10389</value>
      </property>
      <property>
        <key>StartTLS</key>
        <value>false</value>
      </property>
      <property>
        <key>ManagerDN</key>
        <value>uid=admin,ou=system,dc=example,dc=com</value>
      </property>
      <property>
        <key>Password</key>
        <value>secret</value>
      </property>
      <property>
        <key>Certificate</key>
        <value>
          -----BEGIN CERTIFICATE-----
          MIIDBzCCAe+...1E2mRQFQHn64AhA=
          -----END CERTIFICATE-----
        </value>
      </property>
      <property>
        <key>SearchBases</key>
        <value>
          ou=Teams,dc=corporate,dc=example,dc=com
          ou=users,ou=system
        </value>
      </property>
      <property>
        <key>UserLoginFilter</key>
        <value>(sAMAccountName={0})</value>
      </property>
      <property>
        <key>UserNameAttribute</key>
        <value>sAMAccountName</value>
      </property>
      <property>
        <key>UserSearchFilter</key>
        <value>(|(sAMAccountName=*{0}*)(uid=*{0}*))</value>
      </property>
      <property>
        <key>DisplayNameAttribute</key>
        <value>displayName</value>
      </property>
      <property>
        <key>EmailAttribute</key>
        <value>mail</value>
      </property>
      <property>
        <key>SearchTimeout</key>
        <value>10</value>
      </property>
    </authConfig>
  </authConfigs>
</security>
```
Note: You can also configure multiple LDAP/AD servers, or multiple LDAP configurations within one server, by adding multiple `<authConfig/>` elements:

```xml
<authConfigs>
  <authConfig id="first_ldap_server" pluginId="com.thoughtworks.gocd.authorization.ldap">
    ...
  </authConfig>
  <authConfig id="second-ldap_server" pluginId="com.thoughtworks.gocd.authorization.ldap">
    ...
  </authConfig>
</authConfigs>
```
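To make the lookup semantics of `SearchBases`, `UserLoginFilter`, `UserNameAttribute` and `UserSearchFilter` concrete, here is an added Python simulation (not the plugin's code) that resolves the `{0}` placeholder and walks the search bases in order against a small constructed in-memory directory. It assumes RFC 4515 escaping of the value substituted for `{0}`, which the page does not describe, and supports only the filter shapes shown above.

```python
import re

# Constructed in-memory directory standing in for the LDAP/AD server
# (sample data for this example, not taken from the plugin or its docs).
DIRECTORY = {
    "uid=bford,ou=users,ou=system": {"sAMAccountName": "bford", "cn": "Bob Ford", "mail": "bford@example.com"},
    "uid=asmith,ou=employee,ou=system": {"sAMAccountName": "asmith", "cn": "Ann Smith", "mail": "asmith@example.com", "uid": "asmith"},
}

def escape_filter_value(value):
    """RFC 4515 escaping of the value substituted for {0} (assumed; the page does not say how the plugin escapes)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)

def resolve_filter(template, value):
    """Replace {0} in a UserLoginFilter / UserSearchFilter template with the escaped user-supplied value."""
    return template.replace("{0}", escape_filter_value(value))

def _unescape(text):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)

def _matches(flt, attrs):
    """Evaluate the filter shapes used in the docs: (attr=value), (attr=*value*) and (|(...)(...))."""
    if flt.startswith("(|"):
        return any(_matches(sub, attrs) for sub in re.findall(r"\([^()]*\)", flt[2:-1]))
    attr, _, pattern = flt[1:-1].partition("=")
    value = attrs.get(attr)
    if value is None:
        return False
    wildcard = len(pattern) > 1 and pattern[0] == "*" and pattern[-1] == "*"  # raw '*' only; escaped '\2a' stays literal
    literal = _unescape(pattern.strip("*") if wildcard else pattern)
    return literal in value if wildcard else value == literal

def _entries_under(base):
    return [attrs for dn, attrs in DIRECTORY.items() if dn.endswith("," + base)]

def find_user(search_bases, login_filter, username_attribute, username):
    """Authentication lookup: walk SearchBases in order; return the UserNameAttribute value of the first match."""
    flt = resolve_filter(login_filter, username)
    for base in search_bases:
        for attrs in _entries_under(base):
            if _matches(flt, attrs):
                return attrs.get(username_attribute)
    return None

def search_users(search_bases, search_filter, username_attribute, term):
    """User Summary page lookup: every entry under any base matching UserSearchFilter, as GoCD usernames."""
    flt = resolve_filter(search_filter, term)
    found = {attrs[username_attribute] for base in search_bases
             for attrs in _entries_under(base) if _matches(flt, attrs)}
    return sorted(found)
```

Whatever performs the substitution must escape `*`, `(`, `)` and `\` in the user-supplied value so a login name is only ever compared literally and cannot alter the filter's structure.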