LDAP Authentication Example
This section describes how to enable Lightweight Directory Access Protocol in Driverless AI. The available parameters can be specified as environment variables when starting the Driverless AI Docker image, or they can be set via the config.toml file for native installs. Upon completion, all the users in the configured LDAP should be able to log in to Driverless AI and run experiments, visualize datasets, interpret models, etc.
Note: Driverless AI does not support LDAP client auth. If you have LDAP client auth enabled, then the Driverless AI LDAP connector will not work.
Description of Configuration Attributes
The following options can be specified when enabling LDAP authentication.
ldap_server
: The LDAP server domain or IP
ldap_port
: The LDAP server port
ldap_bind_dn
: The complete DN of the LDAP bind user
ldap_bind_password
: The password for the LDAP bind
ldap_tls_file
: The Transport Layer Security (TLS) certificate file location
ldap_use_ssl
: Whether to enable (TRUE) or disable (FALSE) SSL
ldap_search_base
: The location in the Directory Information Tree (DIT) where the search will start
ldap_search_filter
: A string that describes what you are searching for. You can use Python substitution to have this constructed dynamically. (Only {{DAI_USERNAME}} is supported. For example, "(&(objectClass=person)(cn:dn:={{DAI_USERNAME}}))".)
ldap_search_attributes
: LDAP attributes to return from search
ldap_user_name_attribute
: Specify the key to find user name
LDAP without SSL
The following examples describe how to enable LDAP without SSL when running Driverless AI in the Docker image or through native installs.
Setting Environment Variables in Docker Images
The following example shows how to configure LDAP without SSL when starting the Driverless AI Docker image. Replace TAG below with the image tag.
nvidia-docker run \
--pid=host \
--init \
--rm \
--shm-size=256m \
-p 12345:12345 \
-u `id -u`:`id -g` \
-e DRIVERLESS_AI_ENABLED_FILE_SYSTEMS="file,s3,hdfs" \
-e DRIVERLESS_AI_AUTHENTICATION_METHOD="ldap" \
-e DRIVERLESS_AI_LDAP_USE_SSL="false" \
-e DRIVERLESS_AI_LDAP_SERVER="ldap.forumsys.com" \
-e DRIVERLESS_AI_LDAP_PORT="389" \
-e DRIVERLESS_AI_LDAP_SEARCH_BASE="dc=example,dc=com" \
-e DRIVERLESS_AI_LDAP_BIND_DN="cn=read-only-admin,dc=example,dc=com" \
-e DRIVERLESS_AI_LDAP_BIND_PASSWORD=password \
-e DRIVERLESS_AI_LDAP_SEARCH_FILTER="(&(objectClass=person)(cn:dn:={{DAI_USERNAME}}))" \
-e DRIVERLESS_AI_LDAP_USER_NAME_ATTRIBUTE="uid" \
-v `pwd`/data:/data \
-v `pwd`/log:/log \
-v `pwd`/license:/license \
-v `pwd`/tmp:/tmp \
h2oai/dai-centos7-x86_64:TAG
Using the config.toml file with Native Installs
The following example shows how to configure LDAP without SSL when starting Driverless AI from a native install. Native installs include DEBs, RPMs, and TAR SH installs.
Export the Driverless AI config.toml file or add it to ~/.bashrc. For example:
# DEB and RPM
export DRIVERLESS_AI_CONFIG_FILE="/etc/dai/config.toml"
# TAR SH
export DRIVERLESS_AI_CONFIG_FILE="/path/to/your/unpacked/dai/directory/config.toml"
Enable LDAP authentication without SSL.
# Enable LDAP authentication
authentication_method = "ldap"
# Specify the LDAP server domain or IP to connect to
ldap_server = "ldap.forumsys.com"
# Specify the LDAP port to connect to
ldap_port = "389"
# Disable SSL
ldap_use_ssl = "false"
# Specify the location in the DIT where the search will start
ldap_search_base = "dc=example,dc=com"
# Specify the LDAP search filter
# This is a string that describes what you are searching for. You
# can use Python substitution to have this constructed dynamically.
# (Only {{DAI_USERNAME}} is supported. For example, "(&(objectClass=person)(cn:dn:={{DAI_USERNAME}}))".)
ldap_search_filter = "(&(objectClass=person)(cn:dn:={{DAI_USERNAME}}))"
# Specify the complete DN of the LDAP bind user
ldap_bind_dn = "cn=read-only-admin,dc=example,dc=com"
# Specify the LDAP password for the above user
ldap_bind_password = "password"
# Specify a key to find the user name
ldap_user_name_attribute = "uid"
Start (or restart) Driverless AI.
Users can now launch Driverless AI using their LDAP credentials. If authentication is successful, the user can access Driverless AI and run experiments, visualize datasets, interpret models, etc.
LDAP with SSL
These examples show how to enable LDAP authentication with SSL. The parameters can be specified as environment variables when starting the Driverless AI Docker image, or they can be set via the config.toml file for native installs. Upon completion, all the users in the configured LDAP should be able to log in to Driverless AI and run experiments, visualize datasets, interpret models, etc.
Setting Environment Variables in Docker Images
Specify the following LDAP environment variables when starting the Driverless AI Docker image. This example enables LDAP authentication and shows how to specify additional options that are used when recipe=1. Replace TAG below with the image tag.
nvidia-docker run \
--pid=host \
--init \
--rm \
--shm-size=256m \
-p 12345:12345 \
-u `id -u`:`id -g` \
-e DRIVERLESS_AI_ENABLED_FILE_SYSTEMS="file,s3,hdfs" \
-e DRIVERLESS_AI_AUTHENTICATION_METHOD="ldap" \
-e DRIVERLESS_AI_LDAP_SERVER="ldap.forumsys.com" \
-e DRIVERLESS_AI_LDAP_PORT="389" \
-e DRIVERLESS_AI_LDAP_SEARCH_BASE="dc=example,dc=com" \
-e DRIVERLESS_AI_LDAP_SEARCH_FILTER="(&(objectClass=person)(cn:dn:={{DAI_USERNAME}}))" \
-e DRIVERLESS_AI_LDAP_USE_SSL="true" \
-e DRIVERLESS_AI_LDAP_TLS_FILE="/tmp/abc-def-root.cer" \
-e DRIVERLESS_AI_LDAP_BIND_DN="cn=read-only-admin,dc=example,dc=com" \
-e DRIVERLESS_AI_LDAP_BIND_PASSWORD="password" \
-e DRIVERLESS_AI_LDAP_USER_NAME_ATTRIBUTE="uid" \
-v `pwd`/data:/data \
-v `pwd`/log:/log \
-v `pwd`/license:/license \
-v `pwd`/tmp:/tmp \
h2oai/dai-centos7-x86_64:TAG
Upon successful completion, all the users in the configured LDAP should be able to log in to Driverless AI and run experiments, visualize datasets, interpret models, etc.
Using the config.toml file with Native Installs
Native installs include DEBs, RPMs, and TAR SH installs.
Export the Driverless AI config.toml file or add it to ~/.bashrc. For example:
# DEB and RPM
export DRIVERLESS_AI_CONFIG_FILE="/etc/dai/config.toml"
# TAR SH
export DRIVERLESS_AI_CONFIG_FILE="/path/to/your/unpacked/dai/directory/config.toml"
Enable LDAP authentication with SSL.
# Enable LDAP authentication
authentication_method = "ldap"
# Specify the LDAP server domain or IP to connect to
ldap_server = "ldap.forumsys.com"
# Specify the LDAP port to connect to
ldap_port = "389"
# Specify the location in the DIT where the search will start
ldap_search_base = "dc=example,dc=com"
# Specify the LDAP search filter
# This is a string that describes what you are searching for. You
# can use Python substitution to have this constructed dynamically.
# (Only {{DAI_USERNAME}} is supported.)
ldap_search_filter = "(&(objectClass=person)(cn:dn:={{DAI_USERNAME}}))"
# If the LDAP connection to the LDAP server needs an SSL certificate,
# then this needs to be specified
ldap_use_ssl = "True"
# Specify the LDAP TLS file location if SSL is set to True
ldap_tls_file = "/tmp/abc-def-root.cer"
# Complete DN of the LDAP bind user
ldap_bind_dn = "cn=read-only-admin,dc=example,dc=com"
# Specify the LDAP password for the above user
ldap_bind_password = "password"
# Specify a key to find the user name
ldap_user_name_attribute = "uid"
Start (or restart) Driverless AI. Users can now launch Driverless AI using their LDAP credentials. If authentication is successful, the user can access Driverless AI and run experiments, visualize datasets, interpret models, etc.
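A pre-flight check for the DRIVERLESS_AI_LDAP_* variables passed to the Docker image, as an added example that is not part of Driverless AI or its documentation. The function name audit_ldap_env, the finding texts and the sample environment are hypothetical. It assumes that each variable maps to the lowercase option name after the DRIVERLESS_AI_ prefix, as the examples on this page suggest, and that the connector authenticates with a simple bind.

```python
import re

PREFIX = "DRIVERLESS_AI_"
# Option names from the attribute list on this page; the product may accept others.
KNOWN = {
    "ldap_server", "ldap_port", "ldap_bind_dn", "ldap_bind_password",
    "ldap_tls_file", "ldap_use_ssl", "ldap_search_base", "ldap_search_filter",
    "ldap_search_attributes", "ldap_user_name_attribute",
}


def audit_ldap_env(env):
    """Return findings for the DRIVERLESS_AI_LDAP_* variables in env (a dict)."""
    findings, cfg = [], {}
    for name, value in env.items():
        if not name.startswith(PREFIX + "LDAP_"):
            continue
        key = name[len(PREFIX):].lower()  # DRIVERLESS_AI_LDAP_PORT -> ldap_port
        if key in KNOWN:
            cfg[key] = value
        else:
            findings.append(f"{name} is not an option listed on this page")
    use_ssl = cfg.get("ldap_use_ssl", "").lower()
    if use_ssl == "false":
        # A simple bind over plain LDAP carries the password unencrypted.
        findings.append("ldap_use_ssl is false: passwords cross the network in cleartext")
    if use_ssl == "true" and not cfg.get("ldap_tls_file"):
        findings.append("ldap_use_ssl is true but ldap_tls_file is not set")
    flt = cfg.get("ldap_search_filter", "")
    if flt and set(re.findall(r"\{\{(\w+)\}\}", flt)) != {"DAI_USERNAME"}:
        findings.append("ldap_search_filter must use {{DAI_USERNAME}} and no other placeholder")
    if flt.count("(") != flt.count(")"):
        findings.append("ldap_search_filter has unbalanced parentheses")
    return findings


# Constructed sample: a mistyped variable name, SSL off, and a filter missing ")".
SAMPLE_ENV = {
    "DRIVERLESS_AI_AUTHENTICATION_METHOD": "ldap",
    "DRIVERLESS_AI_LDAP_SERVER": "ldap.example.com",
    "DRIVERLESS_AI_LDAP_USE_SSL": "false",
    "DRIVERLESS_AI_LDAP_LDAP_BIND_DN": "cn=read-only-admin,dc=example,dc=com",
    "DRIVERLESS_AI_LDAP_SEARCH_FILTER": "(&(objectClass=person)(cn:dn:={{DAI_USERNAME}})",
}

if __name__ == "__main__":
    for finding in audit_ldap_env(SAMPLE_ENV):
        print("WARN:", finding)
```

Passing dict(os.environ) instead of SAMPLE_ENV audits the environment the container would actually be started with.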