LDAP Authentication Example¶

This section describes how to enable Lightweight Directory Access Protocol in Driverless AI. The available parameters can be specified as environment variables when starting the Driverless AI Docker image, or they can be set via the config.toml file for native installs. Upon completion, all the users in the configured LDAP should be able to log in to Driverless AI and run experiments, visualize datasets, interpret models, etc.

Note: Driverless AI does not support LDAP client auth. If you have LDAP client auth enabled, then the Driverless AI LDAP connector will not work.

Description of Configuration Attributes¶

The following options can be specified when enabling LDAP authentication.

ldap_server: The LDAP server domain or IP.
ldap_port: The LDAP server port.
ldap_bind_dn: The complete distinguished name (DN) of the LDAP bind user.
ldap_bind_password: The password for the LDAP bind.
ldap_tls_file: The Transport Layer Security (TLS) certificate file location.
ldap_use_ssl: Whether to enable (TRUE) or disable (FALSE) SSL.
ldap_search_base: The location in the Directory Information Tree (DIT) where the search will start.
ldap_search_filter: A string that describes what you are searching for. You can use Python substitution to have this constructed dynamically. (Only {{DAI_USERNAME}} is supported. For example, “(&(objectClass=person)(cn:dn:={{DAI_USERNAME}}))”.)
ldap_search_attributes: LDAP attributes to return from search.
ldap_user_name_attribute="uid": Specify the key to find user name.

LDAP without SSL¶

The following examples describe how to enable LDAP without SSL when running Driverless AI in the Docker image or through native installs. If the configuration and authentication authentication are successful, the user can access Driverless AI and run experiments, visualize datasets, interpret models, etc.

The following example shows how to configure LDAP without SSL when starting the Driverless AI Docker image.

  nvidia-docker run \
    --pid=host \
    --init \
    --rm \
    --shm-size=256m \
    -p 12345:12345 \
    -u `id -u`:`id -g` \
    -e DRIVERLESS_AI_ENABLED_FILE_SYSTEMS="file,s3,hdfs" \
    -e DRIVERLESS_AI_AUTHENTICATION_METHOD="ldap" \
    -e DRIVERLESS_AI_LDAP_USE_SSL="false" \
    -e DRIVERLESS_AI_LDAP_SERVER="ldap.forumsys.com" \
    -e DRIVERLESS_AI_LDAP_PORT="389" \
    -e DRIVERLESS_AI_LDAP_SEARCH_BASE="dc=example,dc=com" \
    -e DRIVERLESS_AI_LDAP_BIND_DN="cn=read-only-admin,dc=example,dc=com" \
    -e DRIVERLESS_AI_LDAP_BIND_PASSWORD=password \
    -e DRIVERLESS_AI_LDAP_SEARCH_FILTER="(&(objectClass=person)(cn:dn:={{DAI_USERNAME}}))" \
    -e DRIVERLESS_AI_LDAP_USER_NAME_ATTRIBUTE="uid" \
    -v `pwd`/data:/data \
    -v `pwd`/log:/log \
    -v `pwd`/license:/license \
    -v `pwd`/tmp:/tmp \
    h2oai/dai-ubi8-x86_64:1.10.3.1-cuda11.2.2.xx

The following example shows how to configure LDAP without SSL when starting Driverless AI from a native install. Native installs include DEBs, RPMs, and TAR SH installs.

Export the Driverless AI config.toml file or add it to ~/.bashrc. For example:

# DEB and RPM
export DRIVERLESS_AI_CONFIG_FILE="/etc/dai/config.toml"

# TAR SH
export DRIVERLESS_AI_CONFIG_FILE="/path/to/your/unpacked/dai/directory/config.toml"

Enable LDAP authentication without SSL.

# Enable LDAP authentication
authentication_method = "ldap"

# Specify the LDAP server domain or IP to connect to
ldap_server = "ldap.forumsys.com"

# Specify the LDAP port to connect to
ldap_port = "389"

# Disable SSL
ldap_use_ssl="false"

# Specify the location in the DIT where the search will start
ldap_search_base = "dc=example,dc=com"

# Specify the LDAP search filter
# This is A string that describes what you are searching for. You
# can use Python substitution to have this constructed dynamically.
# (Only {{DAI_USERNAME}} is supported. For example, "(&(objectClass=person)(cn:dn:={{DAI_USERNAME}}))".)
ldap_search_filter = "(&(objectClass=person)(cn:dn:={{DAI_USERNAME}}))"

# Specify the complete DN of the LDAP bind user
ldap_bind_dn = "cn=read-only-admin,dc=example,dc=com"

# Specify the LDAP password for the above user
ldap_bind_password = "password"

# Specify a key to find the user name
ldap_user_name_attribute = "uid"

Start (or restart) Driverless AI. Note that the command used to start Driverless AI varies depending on your install type.

# Linux RPM or DEB with systemd
sudo systemctl start dai

# Linux RPM or DEB without systemd
sudo -H -u dai /opt/h2oai/dai/run-dai.sh

# Linux TAR SH
./run-dai.sh

If authentication is successful, the user can access Driverless AI and run experiments, visualize datasets, interpret models, etc.

LDAP with SSL¶

These examples show how to enable LDAP authentication with SSL and additional parameters that can be specified as environment variables when starting the Driverless AI Docker image, or they can be set via the config.toml file for native installs. Upon completion, all the users in the configured LDAP should be able to log in to Driverless AI and run experiments, visualize datasets, interpret models, etc.

Specify the following LDAP environment variables when starting the Driverless AI Docker image. This example enables LDAP authentication and shows how to specify additional options enabling SSL.

   nvidia-docker run \
    --pid=host \
    --init \
    --rm \
    --shm-size=256m \
    -p 12345:12345 \
    -u `id -u`:`id -g` \
    -e DRIVERLESS_AI_ENABLED_FILE_SYSTEMS="file,s3,hdfs" \
    -e DRIVERLESS_AI_AUTHENTICATION_METHOD="ldap" \
    -e DRIVERLESS_AI_LDAP_SERVER="ldap.forumsys.com" \
    -e DRIVERLESS_AI_LDAP_PORT="389" \
    -e DRIVERLESS_AI_LDAP_SEARCH_BASE="dc=example,dc=com" \
    -e DRIVERLESS_AI_LDAP_SEARCH_FILTER="(&(objectClass=person)(cn:dn:={{DAI_USERNAME}}))" \
    -e DRIVERLESS_AI_LDAP_USE_SSL="true" \
    -e DRIVERLESS_AI_LDAP_TLS_FILE="/tmp/abc-def-root.cer" \
    -e DRIVERLESS_AI_LDAP_LDAP_BIND_DN="cn=read-only-admin,dc=example,dc=com" \
    -e DRIVERLESS_AI_LDAP_LDAP_BIND_PASSWORD="password" \
    -e DRIVERLESS_AI_LDAP_USER_NAME_ATTRIBUTE="uid" \
    -v `pwd`/data:/data \
    -v `pwd`/log:/log \
    -v `pwd`/license:/license \
    -v `pwd`/tmp:/tmp \
    h2oai/dai-ubi8-x86_64:1.10.3.1-cuda11.2.2.xx

Native installs include DEBs, RPMs, and TAR SH installs.

Export the Driverless AI config.toml file or add it to ~/.bashrc. For example:

# DEB and RPM
export DRIVERLESS_AI_CONFIG_FILE="/etc/dai/config.toml"

# TAR SH
export DRIVERLESS_AI_CONFIG_FILE="/path/to/your/unpacked/dai/directory/config.toml"

Enable LDAP authentication with SSL.

# Enable LDAP authentication
authentication_method = "ldap"

# Specify the LDAP server domain or IP to connect to
ldap_server = "ldap.forumsys.com"

# Specify the LDAP port to connect to
ldap_port = "389"

# Specify the location in the DIT where the search will start
ldap_search_base = "dc=example,dc=com"

# Specify the LDAP search filter
# This is a string that describes what you are searching for. You
# can use Python substitution to have this constructed dynamically.
# (Only {{DAI_USERNAME}} is supported.)
ldap_search_filter = "(&(objectClass=person)(cn:dn:={{DAI_USERNAME}}))"

# If the LDAP connection to the LDAP server needs an SSL certificate,
# then this needs to be specified
ldap_use_ssl = "True"

# Specify the LDAP TLS file location if SSL is set to True
ldap_tls_file = "/tmp/abc-def-root.cer"

# Complete DN of the LDAP bind user
ldap_bind_dn = "cn=read-only-admin,dc=example,dc=com"

# Specify the LDAP password for the above user
ldap_bind_password = "password"

# Specify a key to find the user name
ldap_user_name_attribute = "uid"

Start (or restart) Driverless AI. Users can now launch Driverless AI using their LDAP credentials. Note that the command used to start Driverless AI varies depending on your install type.

# Linux RPM or DEB with systemd
sudo systemctl start dai

# Linux RPM or DEB without systemd
sudo -H -u dai /opt/h2oai/dai/run-dai.sh

# Linux TAR SH
./run-dai.sh

If authentication is successful, the user can access Driverless AI and run experiments, visualize datasets, interpret models, etc.