LDAP Authentication Example
This section describes how to enable Lightweight Directory Access Protocol in Driverless AI. The available parameters can be specified as environment variables when starting the Driverless AI Docker image, or they can be set via the config.toml file for native installs. Upon completion, all the users in the configured LDAP should be able to log in to Driverless AI and run experiments, visualize datasets, interpret models, etc.
Note: Driverless AI does not support LDAP client auth. If you have LDAP client auth enabled, then the Driverless AI LDAP connector will not work.
Description of Configuration Attributes
The following options can be specified when enabling LDAP authentication.
ldap_server
: The LDAP server domain or IP.

ldap_port
: The LDAP server port.

ldap_bind_dn
: The complete distinguished name (DN) of the LDAP bind user.

ldap_bind_password
: The password for the LDAP bind.

ldap_tls_file
: The Transport Layer Security (TLS) certificate file location.

ldap_use_ssl
: Whether to enable (TRUE) or disable (FALSE) SSL.

ldap_search_base
: The location in the Directory Information Tree (DIT) where the search will start.

ldap_search_filter
: A string that describes what you are searching for. You can use Python substitution to have this constructed dynamically. (Only {{DAI_USERNAME}} is supported. For example, "(&(objectClass=person)(cn:dn:={{DAI_USERNAME}}))".)

ldap_user_name_attribute="uid"
: Specify the LDAP attribute that should be used as the user identifier or username when authenticating users against an LDAP server.

ldap_search_attributes (Required)
: Specify the LDAP attributes to use when searching for user accounts within the LDAP directory. Note that for the LDAP search to be successful, the attributes specified in ldap_search_attributes must include the attribute specified in ldap_user_name_attribute. This is because the LDAP server needs to search for a match in the attribute designated as the username identifier. If the attribute set by ldap_user_name_attribute is not included in ldap_search_attributes, the LDAP server may not be able to find the user's account, leading to authentication failures. The following is an example of how to correctly use this configuration parameter:

ldap_user_name_attribute:"uid"
ldap_search_attributes:"uid, cn, mail"
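The two requirements described above (the {{DAI_USERNAME}} placeholder in ldap_search_filter, and ldap_user_name_attribute being listed in ldap_search_attributes) are easy to get wrong and only surface as a login failure at runtime. The following is an added example, not part of the Driverless AI product or documentation, of a small pre-flight check that runs over the same config.toml keys before the service is started. It also checks the ldap_use_ssl / ldap_tls_file pairing used in the SSL section below. The RFC 4515 escaping applied to the username when the filter is rendered is this example's own choice; the page only says that {{DAI_USERNAME}} is substituted, and how Driverless AI itself escapes the value is not documented here. The sample configuration is constructed from the values shown on this page.

```python
"""Pre-flight checks for a Driverless AI LDAP configuration (added example).

Operates on a flat dict of the config.toml keys described above; it never
connects to an LDAP server, so it can run anywhere.
"""
import os

# Characters RFC 4515 requires to be escaped inside a filter assertion value.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot alter the filter structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_search_filter(template: str, username: str) -> str:
    """Substitute {{DAI_USERNAME}} in an ldap_search_filter template.

    Only {{DAI_USERNAME}} is supported by the product; the escaping step is an
    assumption of this example, not documented Driverless AI behaviour.
    """
    if "{{DAI_USERNAME}}" not in template:
        raise ValueError("ldap_search_filter must contain {{DAI_USERNAME}}")
    return template.replace("{{DAI_USERNAME}}", escape_filter_value(username))


def _as_bool(value) -> bool:
    """Accept the string forms used in config.toml ("true", "True", "false")."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("true", "1", "yes")


def check_ldap_config(cfg: dict) -> list:
    """Return a list of problems found in the LDAP keys of a config dict."""
    problems = []
    if cfg.get("authentication_method") != "ldap":
        problems.append("authentication_method is not 'ldap'")
    for key in ("ldap_server", "ldap_bind_dn", "ldap_bind_password",
                "ldap_search_base", "ldap_search_filter"):
        if not cfg.get(key):
            problems.append(f"{key} is missing or empty")
    port = str(cfg.get("ldap_port", ""))
    if not port.isdigit() or not 0 < int(port) < 65536:
        problems.append(f"ldap_port {port!r} is not a valid TCP port")
    if "{{DAI_USERNAME}}" not in str(cfg.get("ldap_search_filter", "")):
        problems.append("ldap_search_filter does not contain {{DAI_USERNAME}}")
    # The username attribute must be among the searched attributes, otherwise
    # the directory cannot match the account and the login fails.
    name_attr = cfg.get("ldap_user_name_attribute", "uid")
    search_attrs = [a.strip() for a in str(cfg.get("ldap_search_attributes", "")).split(",") if a.strip()]
    if name_attr not in search_attrs:
        problems.append(f"ldap_user_name_attribute {name_attr!r} is not listed in "
                        f"ldap_search_attributes {search_attrs}")
    # With SSL enabled a trust anchor must be configured and present on disk.
    if _as_bool(cfg.get("ldap_use_ssl", False)):
        tls_file = cfg.get("ldap_tls_file")
        if not tls_file:
            problems.append("ldap_use_ssl is true but ldap_tls_file is not set")
        elif not os.path.isfile(tls_file):
            problems.append(f"ldap_tls_file {tls_file!r} does not exist")
    else:
        problems.append("ldap_use_ssl is false: bind password and user credentials travel in cleartext")
    return problems


# Constructed sample mirroring the non-SSL config.toml values on this page.
SAMPLE_CONFIG = {
    "authentication_method": "ldap",
    "ldap_server": "ldap.forumsys.com",
    "ldap_port": "389",
    "ldap_use_ssl": "false",
    "ldap_search_base": "dc=example,dc=com",
    "ldap_search_filter": "(&(objectClass=person)(cn:dn:={{DAI_USERNAME}}))",
    "ldap_bind_dn": "cn=read-only-admin,dc=example,dc=com",
    "ldap_bind_password": "password",
    "ldap_user_name_attribute": "uid",
    "ldap_search_attributes": "uid, cn, mail",
}

if __name__ == "__main__":
    for problem in check_ldap_config(SAMPLE_CONFIG):
        print("WARN:", problem)
    print(render_search_filter(SAMPLE_CONFIG["ldap_search_filter"], "alice"))
    # A wildcard or parenthesis in the login name is escaped rather than
    # becoming part of the filter syntax.
    print(render_search_filter(SAMPLE_CONFIG["ldap_search_filter"], "*"))
```

Run it against the values you intend to put in config.toml (or the DRIVERLESS_AI_LDAP_* environment variables, after stripping the prefix and lowercasing) and fix every reported problem before restarting the service; the only warning the page's non-SSL sample produces is the cleartext one.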
LDAP without SSL
The following examples describe how to enable LDAP without SSL when running Driverless AI in the Docker image or through native installs. If the configuration and authentication are successful, the user can access Driverless AI and run experiments, visualize datasets, interpret models, etc.
The following example shows how to configure LDAP without SSL when starting the Driverless AI Docker image.
nvidia-docker run \
--pid=host \
--init \
--rm \
--shm-size=2g --cap-add=SYS_NICE --ulimit nofile=131071:131071 --ulimit nproc=16384:16384 \
-p 12345:12345 \
-u `id -u`:`id -g` \
-e DRIVERLESS_AI_ENABLED_FILE_SYSTEMS="file,s3,hdfs" \
-e DRIVERLESS_AI_AUTHENTICATION_METHOD="ldap" \
-e DRIVERLESS_AI_LDAP_USE_SSL="false" \
-e DRIVERLESS_AI_LDAP_SERVER="ldap.forumsys.com" \
-e DRIVERLESS_AI_LDAP_PORT="389" \
-e DRIVERLESS_AI_LDAP_SEARCH_BASE="dc=example,dc=com" \
-e DRIVERLESS_AI_LDAP_BIND_DN="cn=read-only-admin,dc=example,dc=com" \
-e DRIVERLESS_AI_LDAP_BIND_PASSWORD=password \
-e DRIVERLESS_AI_LDAP_SEARCH_FILTER="(&(objectClass=person)(cn:dn:={{DAI_USERNAME}}))" \
-e DRIVERLESS_AI_LDAP_USER_NAME_ATTRIBUTE="uid" \
-v `pwd`/data:/data \
-v `pwd`/log:/log \
-v `pwd`/license:/license \
-v `pwd`/tmp:/tmp \
h2oai/dai-ubi8-x86_64:1.11.1.1-cuda11.8.0.xx
The following example shows how to configure LDAP without SSL when starting Driverless AI from a native install. Native installs include DEBs, RPMs, and TAR SH installs.
Export the Driverless AI config.toml file or add it to ~/.bashrc. For example:
# DEB and RPM
export DRIVERLESS_AI_CONFIG_FILE="/etc/dai/config.toml"

# TAR SH
export DRIVERLESS_AI_CONFIG_FILE="/path/to/your/unpacked/dai/directory/config.toml"
Enable LDAP authentication without SSL.
# Enable LDAP authentication
authentication_method = "ldap"

# Specify the LDAP server domain or IP to connect to
ldap_server = "ldap.forumsys.com"

# Specify the LDAP port to connect to
ldap_port = "389"

# Disable SSL
ldap_use_ssl = "false"

# Specify the location in the DIT where the search will start
ldap_search_base = "dc=example,dc=com"

# Specify the LDAP search filter
# This is a string that describes what you are searching for. You
# can use Python substitution to have this constructed dynamically.
# (Only {{DAI_USERNAME}} is supported. For example, "(&(objectClass=person)(cn:dn:={{DAI_USERNAME}}))".)
ldap_search_filter = "(&(objectClass=person)(cn:dn:={{DAI_USERNAME}}))"

# Specify the complete DN of the LDAP bind user
ldap_bind_dn = "cn=read-only-admin,dc=example,dc=com"

# Specify the LDAP password for the above user
ldap_bind_password = "password"

# Specify a key to find the user name
ldap_user_name_attribute = "uid"
Start (or restart) Driverless AI. Note that the command used to start Driverless AI varies depending on your install type.
# Linux RPM or DEB with systemd
sudo systemctl start dai

# Linux RPM or DEB without systemd
sudo -H -u dai /opt/h2oai/dai/run-dai.sh

# Linux TAR SH
./run-dai.sh
If authentication is successful, the user can access Driverless AI and run experiments, visualize datasets, interpret models, etc.
LDAP with SSL
These examples show how to enable LDAP authentication with SSL and additional parameters that can be specified as environment variables when starting the Driverless AI Docker image, or they can be set via the config.toml file for native installs. Upon completion, all the users in the configured LDAP should be able to log in to Driverless AI and run experiments, visualize datasets, interpret models, etc.
Specify the following LDAP environment variables when starting the Driverless AI Docker image. This example enables LDAP authentication and shows how to specify additional options enabling SSL.
nvidia-docker run \
--pid=host \
--init \
--rm \
--shm-size=2g --cap-add=SYS_NICE --ulimit nofile=131071:131071 --ulimit nproc=16384:16384 \
-p 12345:12345 \
-u `id -u`:`id -g` \
-e DRIVERLESS_AI_ENABLED_FILE_SYSTEMS="file,s3,hdfs" \
-e DRIVERLESS_AI_AUTHENTICATION_METHOD="ldap" \
-e DRIVERLESS_AI_LDAP_SERVER="ldap.forumsys.com" \
-e DRIVERLESS_AI_LDAP_PORT="389" \
-e DRIVERLESS_AI_LDAP_SEARCH_BASE="dc=example,dc=com" \
-e DRIVERLESS_AI_LDAP_SEARCH_FILTER="(&(objectClass=person)(cn:dn:={{DAI_USERNAME}}))" \
-e DRIVERLESS_AI_LDAP_USE_SSL="true" \
-e DRIVERLESS_AI_LDAP_TLS_FILE="/tmp/abc-def-root.cer" \
-e DRIVERLESS_AI_LDAP_BIND_DN="cn=read-only-admin,dc=example,dc=com" \
-e DRIVERLESS_AI_LDAP_BIND_PASSWORD="password" \
-e DRIVERLESS_AI_LDAP_USER_NAME_ATTRIBUTE="uid" \
-v `pwd`/data:/data \
-v `pwd`/log:/log \
-v `pwd`/license:/license \
-v `pwd`/tmp:/tmp \
h2oai/dai-ubi8-x86_64:1.11.1.1-cuda11.8.0.xx
The following example shows how to configure LDAP with SSL when starting Driverless AI from a native install. Native installs include DEBs, RPMs, and TAR SH installs.
Export the Driverless AI config.toml file or add it to ~/.bashrc. For example:
# DEB and RPM
export DRIVERLESS_AI_CONFIG_FILE="/etc/dai/config.toml"

# TAR SH
export DRIVERLESS_AI_CONFIG_FILE="/path/to/your/unpacked/dai/directory/config.toml"
Enable LDAP authentication with SSL.
# Enable LDAP authentication
authentication_method = "ldap"

# Specify the LDAP server domain or IP to connect to
ldap_server = "ldap.forumsys.com"

# Specify the LDAP port to connect to
ldap_port = "389"

# Specify the location in the DIT where the search will start
ldap_search_base = "dc=example,dc=com"

# Specify the LDAP search filter
# This is a string that describes what you are searching for. You
# can use Python substitution to have this constructed dynamically.
# (Only {{DAI_USERNAME}} is supported.)
ldap_search_filter = "(&(objectClass=person)(cn:dn:={{DAI_USERNAME}}))"

# If the LDAP connection to the LDAP server needs an SSL certificate,
# then this needs to be specified
ldap_use_ssl = "True"

# Specify the LDAP TLS file location if SSL is set to True
ldap_tls_file = "/tmp/abc-def-root.cer"

# Complete DN of the LDAP bind user
ldap_bind_dn = "cn=read-only-admin,dc=example,dc=com"

# Specify the LDAP password for the above user
ldap_bind_password = "password"

# Specify a key to find the user name
ldap_user_name_attribute = "uid"
Start (or restart) Driverless AI. Users can now launch Driverless AI using their LDAP credentials. Note that the command used to start Driverless AI varies depending on your install type.
# Linux RPM or DEB with systemd
sudo systemctl start dai

# Linux RPM or DEB without systemd
sudo -H -u dai /opt/h2oai/dai/run-dai.sh

# Linux TAR SH
./run-dai.sh
If authentication is successful, the user can access Driverless AI and run experiments, visualize datasets, interpret models, etc.