-->
I am not able to get the configuration right. I am locked out of my account and can’t login with either my WordPress credentials or LDAP credentials. What should I do? For support or troubleshooting help
Applies to: Machine Learning Server, Microsoft R Server 9.x
Machine Learning Server's offers seamless integration with authentication solutions when configured to operationalize analytics.
LDAP Authentication Primer. This document provides background on what LDAP authentication is, what specific LDAP authentication methods and mechanisms Active Directory and more specifically the NETID domain supports, and finally gives some guidance on which method and mechanism you should use. LDAP Authentication. Active Directory / LDAP - Troubleshooting Authentication Integration Installation errors on customized corporate builds of CentOS or RHEL Nagios Log Server - Administration Page Fails To Display.
To secure connections and communications, you have several options:
Authentication Method | When to Use |
---|---|
Local 'admin' account | For one-box configurations |
Active Directory / LDAP | For enterprise on-premises configurations |
Active Directory / LDAP-S | For enterprise on-premises configurations with SSL/TLS enabled |
Azure Active Directory | For enterprise cloud configurations |
Local Administrator Account Authentication
During configuration, a default administrator account, 'admin', is created to manage the web and compute nodes for In Machine Learning Server (and R Server). This account allows you to use the CLI or administration utility to configure this feature, edit ports, restart nodes, and so on.
This account might be sufficient when trying to operationalize with a one-box configuration since everything is running within the trust boundary. However, it is insufficient for enterprise configurations.
To set or change the password for the local administrator account after the configuration script has been run, follow these steps.
To log in to Machine Learning Server with this user for remote execution or web service functionalities, use remoteLogin() as described in the article 'Connecting to Machine Learning Server with mrsdeploy.'
Warning
If you enable Azure Active Directory or Active Directory/LDAP authentication, this 'admin' account can no longer be used to authenticate with Machine Learning Server.
Active Directory and LDAP/LDAP-S
Active Directory (AD) and LDAP are a great authentication option for on-premises configurations to ensure that domain users have access to the APIs.
LDAP is the standard protocol for reading data from and writing data to Active Directory (AD) domain controllers. AD LDAP traffic is unsecured by default, which makes it possible to use network-monitoring software to view the LDAP traffic between clients and domain controllers.
By default, the LDAP security provider is not configured. To enable LDAP authentication support, update the relevant properties in your configuration file. The values you assign to these properties must match the configuration of your LDAP Directory Information Tree (DIT).
You can make LDAP traffic confidential and secure using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology. This combination is referred to as LDAP over SSL (or LDAP-S). To ensure that no one else can read the traffic, SSL/TLS establishes an encrypted tunnel between an LDAP client and a domain controller. Learn more about enabling SSL/TLS. Reasons for enabling LDAP-S include:
- Organizational security policies typically require that all client/server communication is encrypted.
- Applications use simple BIND to transport credentials and authenticate against a Domain Controller. As simple BIND exposes the users’ credentials in clear text, using SSL/TLS to encrypt the authentication session is recommended.
- Use of proxy binding or password change over LDAP, which requires LDAP-S. Bind to an AD LDS instance Through a Proxy Object
- Applications that integrate with LDAP servers (such as Active Directory or Active Directory Domain Controllers) might require encrypted LDAP communications.
Warning
You cannot have both Azure Active Directory and Active Directory/LDAP enabled at the same time. If one is set to
'Enabled': true
, then the other must be set to 'Enabled': false
.On each web node:
- Enable LDAP/LDAP-S in the external JSON configuration file, appsettings.json:
- Open the configuration file, <web-node-install-path>/appsettings.json.
- Search for the section starting with
'LDAP': {
- Enable this section and update the properties so that they match the values in your Active Directory Service Interfaces Editor.For better security, we recommend you encrypt the password before adding the information to appsettings.json.
LDAP Properties Definition Host Address of the Active Directory server Port (version 9.1+) Used to override the default LDAP port. By default, the LDAP port is 389 and the LDAP-S port is 636. UseLDAPS Set 'true' for LDAP-S or 'false' for LDAP
Note: If LDAP-S is configured, an installed LDAP service certificate is assumed so that the tokens produced by Active Directory/LDAP can be signed and accepted by Machine Learning Server.BindFilter (version 9.0.1 only) The template used to do the Bind operation. For example, 'CN={0},CN=DeployR,DC=TEST,DC=COM'. {0} is the user's DN. QueryUserDn Distinguished name of user with read-only query capabilities with which to authenticate QueryUserPassword Password for that user with which to authenticate (value must be encrypted). We highly recommend that you encrypt LDAP login credentials before adding the information to this file. QueryUserPasswordEncrypted True/False. If 'True', it means the value of QueryUserPassword is an encrypted string. SearchBase Context name to search in, relative to the base of the configured ContextSource, for example, 'ou=users,dc=example,dc=com'. SearchFilter The pattern to be used for the user search. 'SearchFilter': 'cn={0}' is for each user's DN. In legacy systems, some use 'SearchFilter': 'sAMAccountName={0}' UniqueUserIdentifierAttributeName (Version 9.1) The attribute name that stores the unique user ID for each user. If you are configuring roles, you must ensure that the username returned for this value matches the username returned by SearchFilter. For example, if 'SearchFilter': 'cn={0}' and 'UniqueUserIdentifierAttributeName': 'userPrincipalName', then the values for cn and userPrincipalName must match. DisplayNameAttributeName (Version 9.1) The attribute name that stores the display name for each user. EmailAttributeName (Version 9.1) The attribute name that stores the email address for each user. ImportantThe entities created by the users, specifically web services and session snapshots, are tied to their usernames. For this reason, you must be careful to prevent changes to the user identifier over time. Otherwise, pre-existing web services and snapshots cannot be mapped to the users who created them.For this reason, we strongly recommend that you DO NOT change the unique LDAP identifier in appsettings.json once users start publishing service or creating snapshots.Similarly, if your organization changes its usernames, those users can no longer access the web services and snapshots they created unless they are assigned to theOwner
role.WarningFor 9.0.1 Users! The unique identifier is always set to theuserPrincipalName
in version 9.0.1. Therefore, make sure that a value is defined for theuserPrincipalName
in the Active Directory Service Interfaces Editor or the authentication may fail. In the Explorer, connect to the domain controller, find the user to authorize, and then make sure that the value for the UserPrincipalName (UPN) property is not null.For example, with R Server 9.1:NoteNeed help figuring out your Active Directory/LDAP settings? Check out your LDAP settings using theldp.exe
tool and compare them to what you’ve declared in appsettings.json. You can also consult with any Active Directory experts in your organization to identify the correct parameters. - To set different levels of permissions for users interacting with web services, assign them roles.
- If using a certificate for access token signing, you must:ImportantYou must use a certificate for access token signing whenever you have multiple web nodes so the tokens are signed consistently by every web node in your configuration.In production environments, we recommend that you use a certificate with a private key to sign the user access tokens between the web node and the LDAP server.Tokens are useful to the application developers who use them to identify and authenticate users who are sending API calls within their application. Learn more...Every web node must have the same values.
- On each machine hosting the Web node, install the trusted, signed access token signing certificate with a private key in the certificate store. Take note of the
Subject
name of the certificate as you need this information later. Read this blog post to learn how to use a self-signed certificate in Linux for access token signing. Self-signed certificates are NOT recommended for production usage. - In the appsettings.json file, search for the section starting with
'JWTSigningCertificate': {
- Enable this section and update the properties so that they match the values for your token signing certificate:NoteUse
'Thumbprint'
to ensure that the correct certificate is loaded if there are multiple certificates on the same system with same name used for different purposes such as IPsec, TLS Web Server Authentication, Client Authentication, Server Authentication, and so on. If you do not have multiple certificates with same name, you can leave the Thumbprint field empty.
- Save changes to appsettings.json.
- Restart the web node using the administration utility so that the changes can take effect.
- Run the diagnostic tests to ensure all tests are passing in the configuration.ImportantIf you run into connection issues when configuring for Active Directory/LDAP, try the ldp.exe tool to search the LDAP settings and compare them to what you declared in appsettings.json. To identify the correct parameters, consult with any Active Directory experts in your organization.
- Repeat these steps on each machine hosting the web node.
- Share the connection details with any users who authenticate with Machine Learning Server either to make API calls directly or indirectly in R using remoteLogin() function in the mrsdeploy package.
Azure Active Directory
Azure Active Directory (AAD) can be used to securely authenticate in the cloud when the client application and Web node have access to the internet.
Step 1: Log in to the Azure portal
- Sign in to the Azure portal.
- Select the upper-right hand corner and select the Active Directory account from the list. If the Azure Active Directory has not been set up yet, contact your system administrator. In our example, that directory is
MyMLServer
. - Select Azure Active Directory from the left-hand side.
- Select App registrations tab at the top.The application list appears. You may not have any applications yet.
Step 2: Create a web application
Now, create a web app that is tied to the Azure Active Directory as follows:
- Select New application registration at the top.
- Enter a Name for your application, such as
Machine Learning Server Web app
. - For the Application type, select the Web app / API.
- In the Sign-on URL box, enter http://localhost:12800. This is the port that R Client and R Server listen on.
- Select Create to create the new web application.The application is created and its details appear onscreen.
- Copy the Application ID for the web application. You use this later when you configure your Native application and Machine Learning Server using this ID.
- Select Settings . The Settings pane appears on the right.
- Select Keys from the Settings pane. The Keys pane appears.
- In the Password area, add a client key. Provide a description of your choosing and select a key duration.
- Select Save to save the key.
- Be sure to copy the key.ImportantTake note of this key as it is needed to configure roles to give web services permissions to certain users.
- Also, take note of the application's tenant ID. The tenant ID is the domain of the Azure Active Directory account, for example,
myMLServer.contoso.com
.
Step 3: Create a native application
Now, let's create a native application. This application links the web application to the Machine Learning Server web node.
- In the Azure portal, select Azure Active Directory from the left-hand side.
- Select App registrations.
- Select New application registration at the top.
- Enter a Name for your application, such as
Machine Learning Server native app
. - For the Application type, select the Native.
- In the Redirect URI field, enter:
- Select Create to create the new native application.The application is created and its details appear onscreen.
- Copy the Application ID for the web application. You use this ID later to enable AAD in Machine Learning Server.
- Select Settings . The Settings pane appears on the right.
- Select Required permissions.
- Select Add at the top.
- Select Select an API.
- In the search field at the top, type the name of the web application you created. In our example, we use the name
Machine Learning Server Web app
. - Select the web application name.
- Select the Select button. The Select permissions > Enable Access fields appear.
- Select the checkmark next to the name of the web application.
- Select the Select button. The pane closes.
- Select Done at the bottom to finish adding the permissions.
Step 4: Enable Azure AD on each web node
- Open the configuration file, <web-node-install-path>/appsettings.json.
- Search for the section starting with:WarningYou cannot have both Azure Active Directory and Active Directory/LDAP enabled at the same time. If one is set to
'Enabled': true
, then the other must be set to'Enabled': false
. - Enable Azure Active Directory as the authentication method:
'Enabled': true,
- Update the other properties in that section so that they match the values in the Azure portal. Properties include:
Azure AD Properties Definition Enabled To use AAD for authentication, set to 'true'. Else, set to 'false'. Authority Use 'https://login.windows.net/<URL to AAD login>' where <URL to AAD login> is the URL to the AAD login. For example, if the AAD account domain is myMLServer.contoso.com, then the Authority would be 'https://login.windows.net/myMLServer.contoso.com' Audience Use the Application ID value for the WEB app you created in the Azure portal. ClientId Use the Application ID value for the NATIVE app you created in the Azure portal. Key This is the key for the WEB application you took note of before. KeyEncrypted We highly recommend that you encrypt login credentials before adding the information to this file. Set KeyEncrypted to 'true' if using encrypted information. For plain text, set to 'false'. For example: - To set different levels of permissions for users interacting with web services, assign them roles.
- Restart the web node for the changes to take effect.
- Authorize this machine for Azure Active Directory Test by running a diagnostic test of the configuration.ImportantYou must run the diagnostic tests once on each web node to authorize this device for Azure Active Directory. You will not be able to log in using AAD until this has been done.
- Repeat these steps on each machine hosting a web node.
Step 5: Share the required AAD connection details with your users
Share the connection details, such as the Authority and Audience, with any users who need to authenticate with Machine Learning Server to make API calls directly or indirectly in R using remoteLoginAAD() function in the mrsdeploy package.
If you do not specify a username and password as arguments to the login call or R functions, you are prompted for your AAD username (@) and password.
Important
Learn how to authenticate with AAD using the remoteLoginAAD() function in the mrsdeploy R package as described in this article: 'Connecting to Machine Learning Server with mrsdeploy.'
See also
Description
Active Directory Integration / LDAP Integration for Intranet sites plugin provides login to WordPress using credentials stored in your LDAP Server. It allows users to authenticate against various LDAP implementations like Microsoft Active Directory, OpenLDAP and other directory systems. We support user management features such as creating users not present in WordPress from LDAP Server, adding users, editing users and so on through additional add-ons. User information is in sync with the information in LDAP. This plugin is free to use under the GNU/GPLv2 license. If you wish to use enhanced features, then there is a provision to upgrade as well. There is also a provision to use our services to deploy and configure this plugin.
Free Version Features :-
- Login to WordPress using your LDAP credentials ( Additionally login with WordPress credentials supported if enabled )
- Automatic user registration after login if the user is not already registered with your site.
- Keep user profile information in sync with LDAP upon authentication.
- Uses LDAP or LDAPS for secure connection to your LDAP Server.
- Test connection to your LDAP server.
- Test authentication using credentials stored in your LDAP server.
- Ability to test against demo LDAP server and demo credentials.
Premium Version Features (Check out the Licensing tab to know more):-
- Multiple Search Containers: Authenticate users against multiple search bases.
- Role Mapping: Mapping of LDAP groups to WordPress Roles upon authentication.
- Multiple Username Attributes: Authenticate users against multiple user attributes like uid, cn, mail, sAMAccountName.
- Fallback Login: Fallback to local password in case LDAP is unreacheable.
- Multisite support: Available as a separate plugin
- Add-ons: Add-ons for Integrations with plugins like Buddypress, WP User Manager Gravity Forms etc available. Contact Us if you need such integrations.
- Profile Sync: Sync LDAP Profile with WordPress. (Available as an add-on)
- Outbound LDAP Password Sync: Available as an add-on
- Brute Force Protection: Available as an add-on
- Failed Logon Notifications: User/Admin email notification on failed logon attempt. Contact us in case you require this functionality. Available as an add-on
- Profile Photos Sync: Sync Profile Photos with WordPress. Available as an add-on
- Single Sign-On: If you are looking for Single-Sign-On in addition to authentication with AD/LDAP and do not have any Identity Provider Yet. You can try out miniOrange On-Premise IdP.
Add-ons List :-
- Buddypress Extended Profiles integration add-on: Sync BuddyPress Extended Profiles with information from LDAP.
- Directory Sync add-on: Sync users and user information from LDAP.
- Kerberos/NTLM SSO add-on: Allow auto-login into website from a system joined to Active Directory domain.
- BuddyPress Groups add-on: Assign BuddyPress groups to users based on LDAP group membership.
- LDAP Search Widget add-on: Search interface to display user information from LDAP.
- Gravity Forms add-on: Populate Gravity Forms with information from LDAP.
- eMember add-on: Login to eMember profiles with LDAP Credentials.
Why the free plugins are not sufficient? :-
- With authentication being one of the essential functions of the day, a fast and priority support (provided in paid versions) ensure that any issues you face on a live production site can be resolved in a timely manner.
- Regular updates to the premium plugin compatible with the latest WordPress version. The updates include security and bug fixes. These updates ensure that you are updated with the latest security fixes.
- Ensure timely update for new WordPress/PHP releases with our premium plugins and compatibility updates to make sure you have adequate support for smooth transitions to new versions for WordPress and PHP.
- Reasonably priced with various plans tailored to suit your needs.
- Easy to setup with lots of support and documentation to assist with the setup.
- High level of customization and add-ons to support specific requirements.
Need support?
Please email us at [email protected] or Contact us
Installation
From your WordPress dashboard
- Visit
Plugins > Add New
- Search for
Active Directory Integration for Intranet sites
. Find and InstallActive Directory Integration for Intranet sites
- Activate the plugin from your Plugins page
From WordPress.org
- Download Active Directory Integration for Intranet sites.
- Unzip and upload the
ldap-login-for-intranet-sites
directory to your/wp-content/plugins/
directory. - Activate Active Directory Integration for Intranet sites from your Plugins page.
Once Activated
- Go to
Settings-> LDAP Login Config
, and follow the instructions. - Click on
Save
Make sure that if there is a firewall, you
OPEN THE FIREWALL
to allow incoming requests to your LDAP from your WordPress Server IP and open port 389(636 for SSL or ldaps).FAQ
Make sure that if there is a firewall, you
OPEN THE FIREWALL
to allow incoming requests to your LDAP from your WordPress Server IP and open port 389(636 for SSL or ldaps). For further help please click on the Troubleshooting tab where you can find detailed description for each configuration. If that does not help, please check the format of example settings beside each text box.Firstly, please check if the
user you are trying to login with
exists in your WordPress. To unlock yourself, rename ldap-login-for-intranet-sites plugin name. You will be able to login with your WordPress credentials. After logging in, rename the plugin back to ldap-login-for-intranet-sites. If the problem persists, activate, deactivate and again activate
the plugin.Please email us at [email protected] or Contact us.
Reviews
Using this as the validation for my intranet. Setup is minimal and well-documented. Works reliably. Support is prompt and accurate.