LDAP Authentication Example

This section describes how to enable Lightweight Directory Access Protocol (LDAP) authentication in Driverless AI. The available parameters can be specified as environment variables when starting the Driverless AI Docker image, or they can be set via the config.toml file for native installs. Upon completion, all the users in the configured LDAP should be able to log in to Driverless AI and run experiments, visualize datasets, interpret models, etc.

Note: Driverless AI does not support LDAP client auth. If you have LDAP client auth enabled, then the Driverless AI LDAP connector will not work.

Description of Configuration Attributes

The following options can be specified when enabling LDAP authentication.

  • ldap_server: The LDAP server domain or IP

  • ldap_port: The LDAP server port

  • ldap_bind_dn: The complete DN of the LDAP bind user

  • ldap_bind_password: The password for the LDAP bind

  • ldap_tls_file: The Transport Layer Security (TLS) certificate file location

  • ldap_use_ssl: Whether to enable (TRUE) or disable (FALSE) SSL

  • ldap_search_base: The location in the Directory Information Tree (DIT) where the search will start

  • ldap_search_filter: A string that describes what you are searching for. You can use Python substitution to have this constructed dynamically. Only {{DAI_USERNAME}} is supported. For example: "(&(objectClass=person)(cn:dn:={{DAI_USERNAME}}))"

  • ldap_search_attributes: LDAP attributes to return from search

  • ldap_user_name_attribute: The key used to find the user name
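
The ldap_search_filter template above, expanded for a login name, as an added example that is not Driverless AI code: it shows why the value substituted for {{DAI_USERNAME}} has to be escaped per RFC 4515 so that it cannot add filter syntax. The helper names and the sample login names are assumptions; this page does not state how Driverless AI performs the substitution.

```python
# Added example, not Driverless AI code. Helper names are hypothetical.
PLACEHOLDER = "{{DAI_USERNAME}}"

# RFC 4515: these characters must appear as a backslash plus two hex digits
# when they occur inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a string so the server treats it as a literal value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template, username):
    """Expand the template for one login name, escaping the name first."""
    if PLACEHOLDER not in template:
        raise ValueError("filter template has no {{DAI_USERNAME}} placeholder")
    if not username:
        raise ValueError("empty user name")
    return template.replace(PLACEHOLDER, escape_filter_value(username))


def same_structure(template, rendered):
    """True if substitution added no filter syntax: (, ) and * counts match."""
    return all(rendered.count(c) == template.count(c) for c in "()*")


if __name__ == "__main__":
    template = "(&(objectClass=person)(cn:dn:={{DAI_USERNAME}}))"
    for name in ("jdoe", "j*doe (admin)"):  # constructed login names
        rendered = build_search_filter(template, name)
        print(rendered, same_structure(template, rendered))
```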

LDAP without SSL

The following examples describe how to enable LDAP without SSL when running Driverless AI in the Docker image or through native installs.

Setting Environment Variables in Docker Images

The following example shows how to configure LDAP without SSL when starting the Driverless AI Docker image. Replace TAG below with the image tag.

nvidia-docker run \
  --pid=host \
  --init \
  --rm \
  --shm-size=256m \
  -p 12345:12345 \
  -u `id -u`:`id -g` \
  -e DRIVERLESS_AI_ENABLED_FILE_SYSTEMS="file,s3,hdfs" \
  -e DRIVERLESS_AI_AUTHENTICATION_METHOD="ldap" \
  -e DRIVERLESS_AI_LDAP_USE_SSL="false" \
  -e DRIVERLESS_AI_LDAP_SERVER="ldap.forumsys.com" \
  -e DRIVERLESS_AI_LDAP_PORT="389" \
  -e DRIVERLESS_AI_LDAP_SEARCH_BASE="dc=example,dc=com" \
  -e DRIVERLESS_AI_LDAP_BIND_DN="cn=read-only-admin,dc=example,dc=com" \
  -e DRIVERLESS_AI_LDAP_BIND_PASSWORD=password \
  -e DRIVERLESS_AI_LDAP_SEARCH_FILTER="(&(objectClass=person)(cn:dn:={{DAI_USERNAME}}))" \
  -e DRIVERLESS_AI_LDAP_USER_NAME_ATTRIBUTE="uid" \
  -v `pwd`/data:/data \
  -v `pwd`/log:/log \
  -v `pwd`/license:/license \
  -v `pwd`/tmp:/tmp \
  h2oai/dai-centos7-x86_64:TAG

Using the config.toml file with Native Installs

The following example shows how to configure LDAP without SSL when starting Driverless AI from a native install. Native installs include DEBs, RPMs, and TAR SH installs.

  1. Export the Driverless AI config.toml file or add it to ~/.bashrc. For example:

# DEB and RPM
export DRIVERLESS_AI_CONFIG_FILE="/etc/dai/config.toml"

# TAR SH
export DRIVERLESS_AI_CONFIG_FILE="/path/to/your/unpacked/dai/directory/config.toml"

  2. Enable LDAP authentication without SSL.

# Enable LDAP authentication
authentication_method = "ldap"

# Specify the LDAP server domain or IP to connect to
ldap_server = "ldap.forumsys.com"

# Specify the LDAP port to connect to
ldap_port = "389"

# Disable SSL
ldap_use_ssl = "false"

# Specify the location in the DIT where the search will start
ldap_search_base = "dc=example,dc=com"

# Specify the LDAP search filter
# This is a string that describes what you are searching for. You
# can use Python substitution to have this constructed dynamically.
# (Only {{DAI_USERNAME}} is supported. For example, "(&(objectClass=person)(cn:dn:={{DAI_USERNAME}}))".)
ldap_search_filter = "(&(objectClass=person)(cn:dn:={{DAI_USERNAME}}))"

# Specify the complete DN of the LDAP bind user
ldap_bind_dn = "cn=read-only-admin,dc=example,dc=com"

# Specify the LDAP password for the above user
ldap_bind_password = "password"

# Specify a key to find the user name
ldap_user_name_attribute = "uid"

  3. Start (or restart) Driverless AI.

Users can now launch Driverless AI using their LDAP credentials. If authentication is successful, the user can access Driverless AI and run experiments, visualize datasets, interpret models, etc.

LDAP with SSL

These examples show how to enable LDAP authentication with SSL. The additional parameters can be specified as environment variables when starting the Driverless AI Docker image, or they can be set via the config.toml file for native installs. Upon completion, all the users in the configured LDAP should be able to log in to Driverless AI and run experiments, visualize datasets, interpret models, etc.

Setting Environment Variables in Docker Images

Specify the following LDAP environment variables when starting the Driverless AI Docker image. This example enables LDAP authentication and shows how to specify additional options that are used when recipe=1. Replace TAG below with the image tag.

nvidia-docker run \
 --pid=host \
 --init \
 --rm \
 --shm-size=256m \
 -p 12345:12345 \
 -u `id -u`:`id -g` \
 -e DRIVERLESS_AI_ENABLED_FILE_SYSTEMS="file,s3,hdfs" \
 -e DRIVERLESS_AI_AUTHENTICATION_METHOD="ldap" \
 -e DRIVERLESS_AI_LDAP_SERVER="ldap.forumsys.com" \
 -e DRIVERLESS_AI_LDAP_PORT="389" \
 -e DRIVERLESS_AI_LDAP_SEARCH_BASE="dc=example,dc=com" \
 -e DRIVERLESS_AI_LDAP_SEARCH_FILTER="(&(objectClass=person)(cn:dn:={{DAI_USERNAME}}))" \
 -e DRIVERLESS_AI_LDAP_USE_SSL="true" \
 -e DRIVERLESS_AI_LDAP_TLS_FILE="/tmp/abc-def-root.cer" \
 -e DRIVERLESS_AI_LDAP_BIND_DN="cn=read-only-admin,dc=example,dc=com" \
 -e DRIVERLESS_AI_LDAP_BIND_PASSWORD="password" \
 -e DRIVERLESS_AI_LDAP_USER_NAME_ATTRIBUTE="uid" \
 -v `pwd`/data:/data \
 -v `pwd`/log:/log \
 -v `pwd`/license:/license \
 -v `pwd`/tmp:/tmp \
 h2oai/dai-centos7-x86_64:TAG

Upon successful completion, all the users in the configured LDAP should be able to log in to Driverless AI and run experiments, visualize datasets, interpret models, etc.

Using the config.toml file with Native Installs

Native installs include DEBs, RPMs, and TAR SH installs.

  1. Export the Driverless AI config.toml file or add it to ~/.bashrc. For example:

# DEB and RPM
export DRIVERLESS_AI_CONFIG_FILE="/etc/dai/config.toml"

# TAR SH
export DRIVERLESS_AI_CONFIG_FILE="/path/to/your/unpacked/dai/directory/config.toml"

  2. Enable LDAP authentication with SSL.

# Enable LDAP authentication
authentication_method = "ldap"

# Specify the LDAP server domain or IP to connect to
ldap_server = "ldap.forumsys.com"

# Specify the LDAP port to connect to
ldap_port = "389"

# Specify the location in the DIT where the search will start
ldap_search_base = "dc=example,dc=com"

# Specify the LDAP search filter
# This is a string that describes what you are searching for. You
# can use Python substitution to have this constructed dynamically.
# (Only {{DAI_USERNAME}} is supported.)
ldap_search_filter = "(&(objectClass=person)(cn:dn:={{DAI_USERNAME}}))"

# If the LDAP connection to the LDAP server needs an SSL certificate,
# then this needs to be specified
ldap_use_ssl = "True"

# Specify the LDAP TLS file location if SSL is set to True
ldap_tls_file = "/tmp/abc-def-root.cer"

# Complete DN of the LDAP bind user
ldap_bind_dn = "cn=read-only-admin,dc=example,dc=com"

# Specify the LDAP password for the above user
ldap_bind_password = "password"

# Specify a key to find the user name
ldap_user_name_attribute = "uid"

  3. Start (or restart) Driverless AI. Users can now launch Driverless AI using their LDAP credentials. If authentication is successful, the user can access Driverless AI and run experiments, visualize datasets, interpret models, etc.
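
A pre-flight review of the LDAP settings from the procedures above, as an added example that is not Driverless AI code: it reads flat key = "value" lines from a config.toml and reports a disabled ldap_use_ssl, a missing ldap_tls_file, a filter without {{DAI_USERNAME}}, and a sample bind password left in place. The function names, the list of sample passwords, and treating an unset ldap_use_ssl as off are assumptions.

```python
import re

# Constructed input: the "LDAP with SSL" config.toml values shown on this page.
SAMPLE = '''
authentication_method = "ldap"
ldap_server = "ldap.forumsys.com"
ldap_port = "389"
ldap_search_filter = "(&(objectClass=person)(cn:dn:={{DAI_USERNAME}}))"
ldap_use_ssl = "True"
ldap_tls_file = "/tmp/abc-def-root.cer"
ldap_bind_dn = "cn=read-only-admin,dc=example,dc=com"
ldap_bind_password = "password"
'''

# Comment lines start with "#" and therefore never match this pattern.
_SETTING = re.compile(r'^\s*(\w+)\s*=\s*"(.*)"\s*$')


def parse_flat(text):
    """Read key = "value" lines; comments and blank lines are skipped."""
    settings = {}
    for line in text.splitlines():
        match = _SETTING.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def review_ldap_settings(settings):
    """Return (key, finding) pairs for settings worth fixing before go-live."""
    findings = []
    # Assumption: an unset ldap_use_ssl is treated the same as "false".
    use_ssl = settings.get("ldap_use_ssl", "").lower() == "true"
    if not use_ssl:
        findings.append(("ldap_use_ssl", "off: passwords reach the LDAP server unencrypted"))
    elif not settings.get("ldap_tls_file"):
        findings.append(("ldap_tls_file", "SSL is on but no certificate file is set"))
    if "{{DAI_USERNAME}}" not in settings.get("ldap_search_filter", ""):
        findings.append(("ldap_search_filter", "no {{DAI_USERNAME}} placeholder"))
    if settings.get("ldap_bind_password", "") in ("", "password", "changeme"):
        findings.append(("ldap_bind_password", "empty or sample value"))
    return findings


if __name__ == "__main__":
    for key, finding in review_ldap_settings(parse_flat(SAMPLE)):
        print(f"{key}: {finding}")
```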