Overview
You can set up a connection to an LDAP server so that your users can log in to Knowi with their LDAP credentials. Please contact us to enable this feature. The LDAP server is used read-only: Knowi authenticates the login and reads information about the logged-in user's object, which is mapped directly to the Knowi fields in their user account.
LDAP configuration
Knowi can connect over LDAP in the clear or LDAP over TLS. LDAP over TLS is strongly recommended. The LDAP tab can be found within User settings.
It is possible to create multiple LDAP configurations. Click "Add" to add a new configuration. To work with an existing configuration, select it from the drop-down list. You can then view or edit it, or delete it by pressing the "Delete" button.
LDAP Configuration details
Connection
Enter a configuration name (any name will do) and your LDAP server host and port, and select the TLS checkbox if your LDAP server supports TLS encryption.
Lookup Authorization
This section is used to enter a "master" LDAP account, which must have access to read information about the LDAP user objects that you or your users want to log in with. After entering the credentials, you can click the "Test" button to check that the credentials and connection details are valid. This connects to the LDAP server, binds with the entered master DN, then unbinds and disconnects from the server.
User mappings
Fill in the fields used to search for the user in LDAP:
Base search DN: the root path from which the user search starts.
Login attributes: comma-separated list of user object attribute names that can be used as the login field when logging in to Knowi. E.g. this could be "uid", "cn", etc. The system will choose the first match on any of the provided attributes (an OR filter is used to search for users with these attributes).
Email attribute: read from the user object and assigned to the email field of the Knowi user.
User Name Attributes: list of attributes used to set the Knowi User Name; commonly this is First Name and User Name.
ID attribute: should uniquely identify your user in the LDAP server.
Filter (optional): used to filter the search through user objects for login. E.g. you can filter by groups, organizations, etc. Please refer to your LDAP server documentation for the filter syntax.
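The user search described by the fields above can be sketched as follows. This is an added example, not Knowi's code: it builds the OR filter from the login attributes and escapes the typed login value per RFC 4515 so it cannot change the filter structure. The function names, the sample values, and the choice to AND the optional filter with the login clause are assumptions.

```python
import re

# RFC 4515 section 3: these characters must be written as \XX inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Short-name attribute descriptor (RFC 4512): a letter, then letters/digits/hyphens.
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot change the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def parse_login_attributes(csv: str) -> list:
    """Split the comma-separated 'Login attributes' field and validate each name."""
    attrs = [a.strip() for a in csv.split(",") if a.strip()]
    if not attrs:
        raise ValueError("at least one login attribute is required")
    for attr in attrs:
        if not _ATTR_RE.match(attr):
            raise ValueError(f"invalid attribute name: {attr!r}")
    return attrs


def build_user_filter(login_attrs_csv: str, login_value: str, extra_filter: str = "") -> str:
    """Return (|(attr1=v)(attr2=v)...), combined with the optional admin filter."""
    if not login_value:
        raise ValueError("empty login value")
    value = escape_filter_value(login_value)
    clauses = "".join(f"({a}={value})" for a in parse_login_attributes(login_attrs_csv))
    user_clause = f"(|{clauses})"
    extra = extra_filter.strip()
    if not extra:
        return user_clause
    if not (extra.startswith("(") and extra.endswith(")")):
        extra = f"({extra})"
    # Assumption: the optional filter is ANDed with the login clause; the page
    # does not say how the two are combined.
    return f"(&{user_clause}{extra})"


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    group = "(memberOf=cn=analysts,ou=groups,dc=example,dc=com)"
    print(build_user_filter("uid, cn", "jdoe", group))
    print(build_user_filter("uid, cn", "*)(uid=*"))  # metacharacters stay literal
```

The second call shows a login value containing filter metacharacters being matched as a literal string instead of widening the search.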
Roles and Groups management
Please choose which Knowi role will be mapped to the LDAP user when logging in to Knowi. Optionally, you may select Default Groups, which will then be assigned to the user. If you change any of these settings, the changes will be applied to LDAP users upon their next login to Knowi.
After saving the newly created LDAP configuration, you will get an LDAP login URL. This is the URL that your LDAP users should then use to log in to Knowi.
LDAP login test
At the bottom of the LDAP configuration, you will find a "Test login" button. Selecting this will present a login dialog box. Enter the login attribute value of an LDAP account and press Test. This mimics the full login sequence by searching for the user via the configured attributes and binding as that user if possible. If the password is not entered (it is optional), the user will only be looked up using the master LDAP account and not bound with a password.
This section is useful if you wish to test whether all LDAP configuration fields are valid. After pressing the Test button you will see log output showing the exact steps taken by the system to connect to LDAP.
Login with LDAP
First, you will need to provide the LDAP login link to your users. This is the link obtained above; it is associated with your customer account and your exact LDAP configuration. When users open this link, they will be presented with a special login window. In the "ID" field, the user should enter a login attribute value (corresponding to a login attribute in your LDAP server). In the password field, the user should type their LDAP password. After login, the user will be granted access to Knowi.
If this is the first login for a user with this ID (the ID attribute is set on the LDAP configuration page), the user will be automatically created as a new user in Knowi. If this is an existing user, they will be directed to their Knowi user account. In this case, all changed fields, roles, and groups will be updated from the LDAP server into the Knowi user account. E.g. if the user name was changed in the LDAP server, it will be updated in Knowi upon login.