LDAP Authentication Example

This section describes how to enable Lightweight Directory Access Protocol in Driverless AI. The available parameters can be specified as environment variables when starting the Driverless AI Docker image, or they can be set via the config.toml file for native installs. Upon completion, all the users in the configured LDAP should be able to log in to Driverless AI and run experiments, visualize datasets, interpret models, etc.

Note: Driverless AI does not support LDAP client auth. If you have LDAP client auth enabled, then the Driverless AI LDAP connector will not work.

Description of Configuration Attributes

The following options can be specified when enabling LDAP authentication.

  • ldap_server: The LDAP server domain or IP.

  • ldap_port: The LDAP server port.

  • ldap_bind_dn: The complete distinguished name (DN) of the LDAP bind user.

  • ldap_bind_password: The password for the LDAP bind.

  • ldap_tls_file: The Transport Layer Security (TLS) certificate file location.

  • ldap_use_ssl: Whether to enable (TRUE) or disable (FALSE) SSL.

  • ldap_search_base: The location in the Directory Information Tree (DIT) where the search will start.

  • ldap_search_filter: A string that describes what you are searching for. You can use Python substitution to have this constructed dynamically. (Only {{DAI_USERNAME}} is supported. For example, “(&(objectClass=person)(cn:dn:={{DAI_USERNAME}}))”.)

  • ldap_user_name_attribute="uid": Specify the LDAP attribute that should be used as the user identifier or username when authenticating users against an LDAP server.

  • ldap_search_attributes (Required): Specify the LDAP attributes to use when searching for user accounts within the LDAP directory. Note that for the LDAP search to be successful, the attributes specified in ldap_search_attributes must include the attribute specified in ldap_user_name_attribute. This is because the LDAP server needs to search for a match in the attribute designated as the username identifier. If the attribute set by ldap_user_name_attribute is not included in ldap_search_attributes, the LDAP server may not be able to find the user’s account, leading to authentication failures. The following is an example of how to correctly use this configuration parameter:

ldap_user_name_attribute:"uid"
ldap_search_attributes:"uid, cn, mail"

LDAP without SSL

The following examples describe how to enable LDAP without SSL when running Driverless AI in the Docker image or through native installs. If the configuration and authentication authentication are successful, the user can access Driverless AI and run experiments, visualize datasets, interpret models, etc.

The following example shows how to configure LDAP without SSL when starting the Driverless AI Docker image.

  nvidia-docker run \
    --pid=host \
    --init \
    --rm \
    --shm-size=2g --cap-add=SYS_NICE --ulimit nofile=131071:131071 --ulimit nproc=16384:16384 \
    -p 12345:12345 \
    -u `id -u`:`id -g` \
    -e DRIVERLESS_AI_ENABLED_FILE_SYSTEMS="file,s3,hdfs" \
    -e DRIVERLESS_AI_AUTHENTICATION_METHOD="ldap" \
    -e DRIVERLESS_AI_LDAP_USE_SSL="false" \
    -e DRIVERLESS_AI_LDAP_SERVER="ldap.forumsys.com" \
    -e DRIVERLESS_AI_LDAP_PORT="389" \
    -e DRIVERLESS_AI_LDAP_SEARCH_BASE="dc=example,dc=com" \
    -e DRIVERLESS_AI_LDAP_BIND_DN="cn=read-only-admin,dc=example,dc=com" \
    -e DRIVERLESS_AI_LDAP_BIND_PASSWORD=password \
    -e DRIVERLESS_AI_LDAP_SEARCH_FILTER="(&(objectClass=person)(cn:dn:={{DAI_USERNAME}}))" \
    -e DRIVERLESS_AI_LDAP_USER_NAME_ATTRIBUTE="uid" \
    -v `pwd`/data:/data \
    -v `pwd`/log:/log \
    -v `pwd`/license:/license \
    -v `pwd`/tmp:/tmp \
    h2oai/dai-ubi8-x86_64:1.11.1.1-cuda11.8.0.xx

LDAP with SSL

These examples show how to enable LDAP authentication with SSL and additional parameters that can be specified as environment variables when starting the Driverless AI Docker image, or they can be set via the config.toml file for native installs. Upon completion, all the users in the configured LDAP should be able to log in to Driverless AI and run experiments, visualize datasets, interpret models, etc.

Specify the following LDAP environment variables when starting the Driverless AI Docker image. This example enables LDAP authentication and shows how to specify additional options enabling SSL.

   nvidia-docker run \
    --pid=host \
    --init \
    --rm \
    --shm-size=2g --cap-add=SYS_NICE --ulimit nofile=131071:131071 --ulimit nproc=16384:16384 \
    -p 12345:12345 \
    -u `id -u`:`id -g` \
    -e DRIVERLESS_AI_ENABLED_FILE_SYSTEMS="file,s3,hdfs" \
    -e DRIVERLESS_AI_AUTHENTICATION_METHOD="ldap" \
    -e DRIVERLESS_AI_LDAP_SERVER="ldap.forumsys.com" \
    -e DRIVERLESS_AI_LDAP_PORT="389" \
    -e DRIVERLESS_AI_LDAP_SEARCH_BASE="dc=example,dc=com" \
    -e DRIVERLESS_AI_LDAP_SEARCH_FILTER="(&(objectClass=person)(cn:dn:={{DAI_USERNAME}}))" \
    -e DRIVERLESS_AI_LDAP_USE_SSL="true" \
    -e DRIVERLESS_AI_LDAP_TLS_FILE="/tmp/abc-def-root.cer" \
    -e DRIVERLESS_AI_LDAP_LDAP_BIND_DN="cn=read-only-admin,dc=example,dc=com" \
    -e DRIVERLESS_AI_LDAP_LDAP_BIND_PASSWORD="password" \
    -e DRIVERLESS_AI_LDAP_USER_NAME_ATTRIBUTE="uid" \
    -v `pwd`/data:/data \
    -v `pwd`/log:/log \
    -v `pwd`/license:/license \
    -v `pwd`/tmp:/tmp \
    h2oai/dai-ubi8-x86_64:1.11.1.1-cuda11.8.0.xx