Steampunk Spotter

Steampunk Spotter's LDAP integration

March 22, 2024 - Words by The Spotter Team - 6 min read


Spotter has a new enterprise integration: LDAP, including custom mapping out-of-the-box!

Users of our on-premises installation are now able to sign in with their organization’s LDAP provider, massively simplifying user and permission management. In contrast to most integrations, Spotter’s LDAP integration offers no tiered limitations to functionality: if you have Spotter on-prem, you get user, group and permission mapping without having to account for an additional tier of service or support.

Spotter’s LDAP mappings are very configurable, and admins with familiarity with LDAP or those who have configured a similar integration before will feel right at home. For those who are not familiar with LDAP, our documentation explains the necessary concepts to allow anyone to be able to configure the integration. We strive for an intuitive interface that is both simple and powerful, but rather lean towards the latter to allow for maximum usability.

Let’s see how this looks.

How Spotter’s LDAP integration works

Everything is configured at runtime. That means that you first install Spotter and then use the local instance admin account for configuration.

Conceptually, Spotter’s LDAP integration is asynchronous in two ways. First, all users are created automatically; no login is required. Second, synchronization not only happens on-demand, but it can also be configured to run periodically with a user-defined interval. This means that you do not need to worry about maintaining the mapping - Spotter does it for you!

All changes in LDAP are applied to Spotter as soon as the synchronization runs. Whether a user is deleted, moved between groups, or has their attributes changed, everything is synchronized by Spotter on the next run.

Whenever you configure mappings between LDAP users or groups and Spotter entities, you can use as many separate configurations as you’d like. This way, Spotter can adapt to your organization’s “very specific” (putting it mildly) LDAP schemata and does not require you to change your tree.

Configuring Spotter’s LDAP integration begins by specifying the connection. You need to specify the host, port, encryption settings and credentials to connect to the LDAP server. Once that is done, you’re ready to start mapping!

Mapping users

Users are mapped directly from LDAP users. Or, alternatively, any other object you specify. Using inetOrgPerson as the object type for humans? No problem! Maybe you’d rather consider your users the computer type? Also no problem!

With Spotter, you specify your LDAP search query and filters and let Spotter do the mapping for you. Each user gets a username and email as identifiers (but the email is optional), and they can log in with either of them. Additionally, you can map basic attributes such as their name directly from LDAP, which comes in handy in the enterprise reporting functionality, where you can see scan summaries broken down by user.

If you somehow have many subtrees with completely different layouts and schemata in LDAP, you can configure more than one mapping, which then gets merged together to find users.

An important point to note is that, regardless of other configuration (described in subsequent sections), only users that are present in the user mapping are eligible to become Spotter users. If groups have members that are not recognized as an eligible user, those users will not be created! This is very useful, for example, to globally exclude inactive users from the mapping. You do this by including isActive (or your particular marker for active users) in the search filter.

Test and test again!

You may have noticed in the image above, and in the image that shows connection settings, that there is a “test” button shown at the bottom. That’s right, every piece of configuration has a testing mode that shows you what effect your changes have on the configuration. Verifying connectivity is one thing - you need to be sure whether Spotter can access and successfully authenticate against your LDAP server. You also get descriptive errors if anything goes wrong. No need for magic incantations to get access to the server logs to see what the issue is!

However, what’s more useful are the testing buttons for user, organization and permission mappings. Since LDAP is quite a complex beast (it doesn’t really live up to the L in LDAP), filters can get unwieldy, and not everyone has an LDAP browser handy or wants to copy-paste configuration between the browser and another tool. Instead, when you click the test button, Spotter directly shows you what your LDAP mapping queries return, along with any errors and warnings there are or that could pose problems for synchronization. You get sortable tables for users and groups, where you can directly see the effect of your mappings. Verify whether the usernames and emails look correct, discover conceptual incompatibilities between Spotter and your LDAP schema and see how much actually gets mapped, all without performing a single destructive operation!

It’s always a good idea to test things out thoroughly. This testing mode is a feature we, as Spotter developers, always wished we had in other tools, and we finally got a chance to implement it ourselves! Hooray!

Automatically creating Spotter organizations

What good are users without being corralled into safe and comfortable pens where they can enjoy their Spottering without worrying about their living space? That’s right, Spotter can automatically create organizations for your users by looking at LDAP!

Whether you want to have a company-wide group, one for each department, or even one for each user, Spotter has you covered.

Every LDAP mapping can create groups, and a name is determined via a regular expression. This is a very flexible way of mapping group names - you’re not limited to what your LDAP objects are called, but can modify the names however you wish so it “looks better” within Spotter.

Permission mapping

Spotter organizations currently have two membership levels: a regular member and an organization admin. With each LDAP-group-to-Spotter-organization mapping, you also choose the permission level for the users that will have access, meaning you can have quite a flexible configuration and privilege separation directly mapped from LDAP.

What’s more, even instance administrators of an on-prem deployment of Spotter can be directly configured through LDAP. This way, you don’t have to remember that pesky local account that was created during installation; but local accounts, of course, still work.

Test, test, test, and sync!

Recall that we wrote about every configuration item having its dedicated, and verbose, testing function? The same goes for synchronization!

When first configuring SSO for any application, it’s often hard to see what effect your complete configuration has on the overall picture. Spotter’s LDAP integration has something even better than testing buttons for every mapping configuration setting - a testing button for the complete synchronization process!

When you click the button, you can see the full effect of synchronization as it would happen if it were run at that moment. You get a list of created, updated, modified and deleted users, organizations, permissions and so on, complete with a list of synchronization warnings and errors. This helps you refine your configuration if you notice something went wrong.
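As an added illustration (not Spotter's own code or configuration format), the following Python sketch models the rules described above for user mapping, organization naming, permission levels and the dry-run preview: only entries passing the user filter are eligible, group members outside that set are dropped with a warning, the organization name is derived from the group DN with a regular expression, the permission level is chosen per mapping, and the result is diffed against the current state without writing anything. The directory entries, the isActive attribute and the regex are constructed for the example.

```python
import re

LDAP_USERS = [  # constructed entries; isActive stands in for your active-user marker
    {"uid": "alice", "mail": "alice@example.com", "cn": "Alice Ng", "isActive": "TRUE"},
    {"uid": "bob", "mail": "bob@example.com", "cn": "Bob Lee", "isActive": "FALSE"},
    {"uid": "carol", "mail": None, "cn": "Carol Diaz", "isActive": "TRUE"},
]
LDAP_GROUPS = [  # constructed group entries with member DNs
    {"dn": "cn=dept-security,ou=groups,dc=example,dc=com",
     "member": ["uid=alice,ou=people,dc=example,dc=com", "uid=bob,ou=people,dc=example,dc=com"]},
    {"dn": "cn=dept-platform,ou=groups,dc=example,dc=com",  # dave has no user entry at all
     "member": ["uid=carol,ou=people,dc=example,dc=com", "uid=dave,ou=people,dc=example,dc=com"]},
]

def eligible_users(entries, active_attr="isActive"):
    """User mapping: only entries passing the search filter become users.
    The username is required; the email is optional and may be missing."""
    return {e["uid"]: {"email": e["mail"], "name": e["cn"]}
            for e in entries if e.get(active_attr) == "TRUE"}

def map_organizations(groups, users, name_regex, level="member"):
    """Group mapping: derive the org name from the group DN via a regex, assign the
    chosen permission level (member or admin) and keep only eligible users."""
    orgs, warnings = {}, []
    for g in groups:
        m = re.match(name_regex, g["dn"])
        if not m:
            warnings.append(f"{g['dn']}: name regex did not match, group skipped")
            continue
        members = {}
        for dn in g["member"]:
            uid = dn.split(",")[0].split("=", 1)[1]  # RDN value, e.g. uid=alice -> alice
            if uid in users:
                members[uid] = level
            else:
                warnings.append(f"{g['dn']}: member {uid} is not an eligible user, dropped")
        orgs[m.group(1)] = members
    return orgs, warnings

def dry_run(current_users, mapped_users):
    """Synchronization preview: what would be created, updated and deleted."""
    created = sorted(set(mapped_users) - set(current_users))
    deleted = sorted(set(current_users) - set(mapped_users))
    updated = sorted(u for u in set(current_users) & set(mapped_users)
                     if current_users[u] != mapped_users[u])
    return {"created": created, "updated": updated, "deleted": deleted}

if __name__ == "__main__":
    users = eligible_users(LDAP_USERS)
    orgs, warnings = map_organizations(LDAP_GROUPS, users, r"cn=dept-(\w+),", level="admin")
    print(users, orgs, warnings, dry_run({"bob": {"email": "bob@example.com", "name": "Bob Lee"}}, users))
```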

After you’re satisfied with how a dry-run of LDAP synchronization would go, you can either enable the periodic synchronization in the settings, or synchronize manually. Depending on your particular enterprise requirements, one, or even both, may be necessary, and they are not mutually exclusive.

Start using LDAP with Spotter today!

We hope you see how flexible we’ve tried to make Spotter’s LDAP integration, and the care we took to enable you to safely configure it to your exact tastes - without fear of misconfiguration.

You’re very welcome to try Spotter on-prem and see if the claims we’ve made here hold true, or if we’ve made a huge mistake somewhere and don’t realize it yet. In any case, contact us to try it out, and give us your thoughts!

Ready to give Spotter on-prem a spin? Let’s chat.