LDAP Authentication Example

Driverless AI provides two recipes for enabling LDAP authentication.

LDAP without SSL (Recipe 0)

The examples below show how to enable LDAP in Driverless AI and reference an open LDAP server. These parameters can be specified as environment variables when starting the Driverless AI Docker image, or they can be set via the config.toml file for native installs. Upon completion, all the users in the configured LDAP should be able to log in to Driverless AI and run experiments, visualize datasets, interpret models, etc.

Setting Environment Variables in Docker Images

Specify the following LDAP environment variables when starting the Driverless AI Docker image. With recipe=0, these are the only parameters that you will need to set. Replace TAG below with the image tag.

nvidia-docker run \
  --pid=host \
  --init \
  --rm \
  --shm-size=256m \
  -p 12345:12345 \
  -u `id -u`:`id -g` \
  -e DRIVERLESS_AI_ENABLED_FILE_SYSTEMS="file,s3,hdfs" \
  -e DRIVERLESS_AI_AUTHENTICATION_METHOD="ldap" \
  -e DRIVERLESS_AI_LDAP_RECIPE="0" \
  -e DRIVERLESS_AI_LDAP_SERVER="ldap.forumsys.com" \
  -e DRIVERLESS_AI_LDAP_PORT="389" \
  -e DRIVERLESS_AI_LDAP_DC="dc=example,dc=com" \
  -v `pwd`/data:/data \
  -v `pwd`/log:/log \
  -v `pwd`/license:/license \
  -v `pwd`/tmp:/tmp \
  h2oai/dai-centos7-x86_64:TAG

Using the config.toml file with Native Installs

Native installs include DEBs, RPMs, and TAR SH installs.

  1. Export the Driverless AI config.toml file or add it to ~/.bashrc. For example:
export DRIVERLESS_AI_CONFIG_FILE="/config/config.toml"
  2. Enable LDAP authentication.
# Enable LDAP authentication
authentication_method = "ldap"

# Specify recipe 0. This value is used internally by Driverless AI.
ldap_recipe = "0"

# Specify the LDAP server to connect to
ldap_server = "ldap.forumsys.com"

# Specify the LDAP port to connect to
ldap_port = "389"

# Specify the LDAP DC
ldap_dc = "dc=example,dc=com"
  3. Start (or restart) Driverless AI.

Users can now launch Driverless AI using their LDAP credentials. If authentication is successful, the user can access Driverless AI and run experiments, visualize datasets, interpret models, etc.

LDAP with SSL (Recipe 1)

This example shows how to enable LDAP authentication with additional parameters for Recipe 1. These parameters can be specified as environment variables when starting the Driverless AI Docker image, or they can be set via the config.toml file for native installs. For native installs, this method of LDAP authentication is a three-step process. Upon completion, all the users in the configured LDAP should be able to log in to Driverless AI and run experiments, visualize datasets, interpret models, etc.

Setting Environment Variables in Docker Images

Specify the following LDAP environment variables when starting the Driverless AI Docker image. This example enables LDAP authentication and shows how to specify additional options that are used when recipe=1. Replace TAG below with the image tag.

nvidia-docker run \
 --pid=host \
 --init \
 --rm \
 --shm-size=256m \
 -p 12345:12345 \
 -u `id -u`:`id -g` \
 -e DRIVERLESS_AI_ENABLED_FILE_SYSTEMS="file,s3,hdfs" \
 -e DRIVERLESS_AI_AUTHENTICATION_METHOD="ldap" \
 -e DRIVERLESS_AI_LDAP_RECIPE="1" \
 -e DRIVERLESS_AI_LDAP_SERVER="ldap.forumsys.com" \
 -e DRIVERLESS_AI_LDAP_PORT="389" \
 -e DRIVERLESS_AI_LDAP_DC="dc=example,dc=com" \
 -e DRIVERLESS_AI_LDAP_USE_SSL="1" \
 -e DRIVERLESS_AI_LDAP_TLS_FILE="/tmp/abc-def-root.cer" \
 -e DRIVERLESS_AI_LDAP_SEARCH_USER_ID="gauss" \
 -e DRIVERLESS_AI_LDAP_SEARCH_PASSWORD="password" \
 -e DRIVERLESS_AI_LDAP_USER_PREFIX="uid=" \
 -e DRIVERLESS_AI_LDAP_OU_DN="dc=example,dc=com" \
 -e DRIVERLESS_AI_LDAP_BASE_DN="dc=example,dc=com" \
 -e DRIVERLESS_AI_LDAP_SEARCH_BASE="dc=example,dc=com" \
 -e DRIVERLESS_AI_LDAP_SEARCH_FILTER="(objectclass=person)" \
 -v `pwd`/data:/data \
 -v `pwd`/log:/log \
 -v `pwd`/license:/license \
 -v `pwd`/tmp:/tmp \
 h2oai/dai-centos7-x86_64:TAG

Upon successful completion, all the users in the configured LDAP should be able to log in to Driverless AI and run experiments, visualize datasets, interpret models, etc.

Using the config.toml file with Native Installs

Native installs include DEBs, RPMs, and TAR SH installs. For native installs, this method of LDAP authentication is a four-step process.

  1. Export the Driverless AI config.toml file or add it to ~/.bashrc. For example:
export DRIVERLESS_AI_CONFIG_FILE="/config/config.toml"
  2. Enable LDAP authentication.
# Enable LDAP authentication
authentication_method = "ldap"

# Specify recipe=1. This value is used internally by Driverless AI.
ldap_recipe = "1"

# Specify the LDAP server to connect to
ldap_server = "ldap.forumsys.com"

# Specify the LDAP port to connect to
ldap_port = "389"

# Specify the LDAP DC
ldap_dc = "dc=example,dc=com"

Specify additional options that are used when recipe=1. The variables listed below are specific to this method of LDAP authentication.

# If the LDAP connection to the LDAP server needs an SSL certificate,
# then this needs to be specified
ldap_use_ssl = "True"

# Specify the LDAP TLS file location if SSL is set to True above
ldap_tls_file = "/tmp/abc-def-root.cer"

# Specify the LDAP user to be searched for
ldap_search_user_id = "gauss"

# Specify the LDAP password for the above user
ldap_search_password = "password"

# Specify the LDAP prefix to be used for step 1 of the LDAP authentication.
# The first step connects to the LDAP server as the user formed by the
# concatenated string ldap_user_prefix + ldap_search_user_id + ',' + ldap_ou_dn
ldap_user_prefix = "uid="

# Specify the LDAP OU along with the base DN
ldap_ou_dn = "dc=example,dc=com"
  3. Using the above variables, an attempt to connect to the LDAP server is made. If the connection is successful, the values below will be used. In this case, the user is being searched for in ldap_base_dn in accordance with the search filter.
# Specify the LDAP base DN
ldap_base_dn = "dc=example,dc=com"

# Specify the LDAP search filter
ldap_search_filter = "(objectclass=person)"

# Specify LDAP search base, the location in the DIT where the search will start
ldap_search_base = "dc=example,dc=com"
  4. Start (or restart) Driverless AI. Users can now launch Driverless AI using their LDAP credentials. If authentication is successful, the user can access Driverless AI and run experiments, visualize datasets, interpret models, etc.
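A preflight check for the recipe-1 settings above, added here as an example and not part of Driverless AI or its documentation: it builds the step-1 bind DN from the documented concatenation and reports settings that weaken the connection. The function names, the findings, and the simple `key = "value"` parser are assumptions made for illustration.

```python
import os
import re
import stat

# Constructed sample: the recipe-1 values from this page in config.toml form.
SAMPLE = '''
ldap_recipe = "1"
ldap_use_ssl = "True"
ldap_tls_file = "/tmp/abc-def-root.cer"
ldap_search_user_id = "gauss"
ldap_search_password = "password"
ldap_user_prefix = "uid="
ldap_ou_dn = "dc=example,dc=com"
'''

DN_SPECIALS = set(',+"\\<>;')  # characters RFC 4514 requires escaping in a DN value

def parse_settings(text):
    """Read flat key = "value" lines, the only TOML form used on this page."""
    return dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', text, re.M))

def bind_dn(cfg):
    """Step-1 bind DN as documented: prefix + search user id + ',' + OU DN."""
    return cfg["ldap_user_prefix"] + cfg["ldap_search_user_id"] + "," + cfg["ldap_ou_dn"]

def audit(cfg):
    """Return findings (hypothetical checks, not performed by Driverless AI)."""
    findings = []
    if cfg.get("ldap_use_ssl", "").lower() not in ("true", "1"):
        findings.append("ldap_use_ssl is off: the bind password is sent unencrypted")
    if DN_SPECIALS & set(cfg.get("ldap_search_user_id", "")):
        findings.append("ldap_search_user_id has DN metacharacters: bind DN is altered")
    ca = cfg.get("ldap_tls_file", "")
    if not os.path.isfile(ca):
        findings.append("ldap_tls_file is missing: %s" % ca)
    elif os.stat(ca).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("ldap_tls_file is group/world-writable: trust anchor can be replaced")
    if cfg.get("ldap_search_password", "") in ("", "password"):
        findings.append("ldap_search_password is empty or a placeholder")
    return findings

if __name__ == "__main__":
    cfg = parse_settings(SAMPLE)
    print("bind DN:", bind_dn(cfg))
    for finding in audit(cfg):
        print("finding:", finding)
```

Run it against the real config.toml before restarting Driverless AI; an empty findings list means none of these four conditions applies, not that the LDAP server itself is correctly configured.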