Backend / Administrative Area LDAP integration

Submitted by -

It would be really great if the UniFi backend portal could be integrated with an LDAP (or Active Directory) infrastructure.  Being able to assign sites and privileges based on LDAP/AD username or group membership would be amazing.

Almost every other software package we use has this ability, and it has greatly reduced the burden of securing everything (remembering to go through every package we use and deactivate accounts when someone leaves), and it means the end user only needs to remember one username/password combination.  Adding/removing a user from a system is done in a centralized place.

 

Duplicates:
http://community.ubnt.com/t5/UniFi-Feature-Requests/Active-Directory-LDAP-admin-authentication-on-unifi-server/idi-p/619103
http://community.ubnt.com/t5/UniFi-Feature-Requests/Controller-login-control-based-on-LDAP-RADIUS/idi-p/776658

Comments
by
on ‎01-14-2014 12:31 AM

I couldn't agree more.

by
on ‎01-14-2014 03:19 PM
Active directory integration is a must for enterprise environments
by
on ‎01-18-2014 07:04 PM

Same here.

by
‎01-25-2014 07:36 AM - edited ‎01-25-2014 07:38 AM

I would also love it if this was built in.  You can get mostly the same behavior though by editing login.jsp on your server (in /usr/lib/unifi/webapps/ROOT) and adding LDAP authentication.  Add some import statements at the top:

<%@ page import="java.util.Hashtable" %>
<%@ page import="javax.naming.Context" %>
<%@ page import="javax.naming.directory.InitialDirContext" %>
<%@ page import="javax.naming.ldap.Rdn" %>

Then if request.getParameter("login") != null, do this first:

String username = request.getParameter("username");
String password = request.getParameter("password");
// An empty password turns a simple bind into an anonymous bind, which many
// directories (Active Directory included) accept; treat it as a failed login
// before ever contacting LDAP.
if (username == null || password == null || password.isEmpty()) {
  username = "invalid";
  password = "invalid";
} else {
  Hashtable<String, String> env = new Hashtable<String, String>();
  env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
  env.put(Context.PROVIDER_URL, "ldap://ldapserver.example.com:389/dc=example,dc=com");
  env.put(Context.SECURITY_AUTHENTICATION, "simple");
  // Escape the username as an RDN value (RFC 4514) so input such as
  // "bob,ou=admins" cannot rewrite the DN we bind with.
  env.put(Context.SECURITY_PRINCIPAL, "uid=" + Rdn.escapeValue(username) + ",ou=users,dc=example,dc=com");
  env.put(Context.SECURITY_CREDENTIALS, password);
  try {
    // The constructor performs the bind and throws if the server rejects it.
    InitialDirContext ctx = new InitialDirContext(env);
    ctx.close();
    // LDAP AUTH PASSED
    username = "regular_admin_user";
    password = "regular_admin_password";
  } catch (Exception e) {
    // LDAP AUTH FAILED (bad password, unknown user, or server unreachable)
    username = "invalid";
    password = "invalid";
  }
}

Everyone gets logged in as one user (in this case "regular_admin_user"), and you do have that user's password in clear text on your server (make sure you have proper permissions on login.jsp), but you pass through to LDAP to do authentication first, so you don't have to manage users in two places.  Now when this happens to authenticate the user normally:

Admin admin = AuthFilter.authenticate(username, password);

It will either use the credentials that we know work if LDAP authentication passed, or credentials that we know do not if it failed.
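
The login.jsp hack above maps every directory user onto one local admin and builds the bind DN from the submitted username. The following is an added example, not code from this thread or from Ubiquiti, of the search-then-bind pattern that the original request asks for: a read-only service account looks the user up, the user's real DN is bound with the submitted password, and the user's group memberships decide which controller role they get. The LDAP URL, base DN, service account, the UNIFI_LDAP_BIND_PW environment variable, the group DNs, the Active Directory sAMAccountName attribute, and the LdapAdminAuth class and Role enum are all assumptions for illustration; it needs a reachable directory to run.

```java
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Set;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Search-then-bind LDAP authentication with group-to-role mapping (assumed names throughout). */
public class LdapAdminAuth {

    // Assumed directory layout; adjust to your environment.
    static final String LDAP_URL       = "ldaps://ldapserver.example.com:636";  // TLS, not plain 389
    static final String BASE_DN        = "dc=example,dc=com";
    static final String SERVICE_DN     = "cn=unifi-bind,ou=service,dc=example,dc=com";
    static final String SERVICE_PW     = System.getenv("UNIFI_LDAP_BIND_PW");  // keep it out of the JSP
    static final String ADMIN_GROUP    = "cn=unifi-admins,ou=groups,dc=example,dc=com";
    static final String READONLY_GROUP = "cn=unifi-readonly,ou=groups,dc=example,dc=com";

    public enum Role { NONE, READONLY, ADMIN }

    private static Hashtable<String, String> env(String principal, String credentials) {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        return env;
    }

    /** Returns the role the directory grants this login, or NONE when authentication fails. */
    public static Role authenticate(String username, String password) throws NamingException {
        // An empty password makes a simple bind anonymous, which many directories accept:
        // reject it here instead of letting the bind "succeed".
        if (username == null || password == null || password.isEmpty()) {
            return Role.NONE;
        }
        // The search filter below is parameterised ({0}) so JNDI escapes the value,
        // but unexpected login names are still refused early.
        if (!username.matches("[A-Za-z0-9._-]{1,64}")) {
            return Role.NONE;
        }

        // Step 1: bind as the service account and look the user up, rather than
        // assembling the user's DN by string concatenation.
        String userDn = null;
        Set<String> groups = new HashSet<String>();
        DirContext svc = new InitialDirContext(env(SERVICE_DN, SERVICE_PW));
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] { "memberOf" });
            NamingEnumeration<SearchResult> results = svc.search(
                    BASE_DN, "(&(objectClass=user)(sAMAccountName={0}))",
                    new Object[] { username }, sc);
            if (results.hasMore()) {
                SearchResult r = results.next();
                userDn = r.getNameInNamespace();
                Attribute memberOf = r.getAttributes().get("memberOf");
                if (memberOf != null) {
                    NamingEnumeration<?> values = memberOf.getAll();
                    while (values.hasMore()) {
                        groups.add(values.next().toString().toLowerCase());
                    }
                }
                if (results.hasMore()) {
                    return Role.NONE;   // ambiguous match: refuse rather than guess
                }
            }
        } finally {
            svc.close();
        }
        if (userDn == null) {
            return Role.NONE;           // unknown user, same outcome as a bad password
        }

        // Step 2: prove the password by binding as the user's real DN.
        try {
            new InitialDirContext(env(userDn, password)).close();
        } catch (AuthenticationException e) {
            return Role.NONE;
        }

        // Step 3: group membership decides the controller role.
        if (groups.contains(ADMIN_GROUP.toLowerCase()))    return Role.ADMIN;
        if (groups.contains(READONLY_GROUP.toLowerCase())) return Role.READONLY;
        return Role.NONE;               // authenticated, but not authorised for this controller
    }
}
```

In the login.jsp approach described in this comment, the returned Role would select which local controller account (and stored password) is handed to AuthFilter.authenticate, so an admin-group member and a read-only-group member land on different local accounts instead of everyone sharing one. Unknown users, wrong passwords and users outside both groups all produce NONE, so the caller cannot distinguish them and neither can an attacker probing the login form.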

by
on ‎02-12-2014 08:26 AM

For reference, this was also asked here:

http://community.ubnt.com/t5/UniFi-Feature-Requests/Active-Directory-LDAP-admin-authentication-on-un...

I hope they integrate it at some point, but for now I wouldn't expect it anywhere near a v3.1+ release. For larger situations it's mostly a must, I agree.

by Ubiquiti Employee
on ‎06-23-2015 04:58 PM
Status changed to: Under Consideration
 
by
on ‎07-21-2015 03:17 AM
It's very nice to see this enterprise feature under consideration. It would be great not to have to create administrator accounts but to use an LDAP/AD environment to manage them, in addition to the default admin account.
by
on ‎02-18-2016 02:32 PM

I too would like to see LDAP/AD as an option to allow login to the Web UI for the Unifi Wireless and Unifi Video Consoles. It would be nice if you could add an LDAP group that has access to the system and then everyone in that group would gain access. This would help simplify creation of multiple user accounts and prevent me from giving out the admin password.

by
on ‎04-03-2016 10:02 PM

LDAP/AD integration would also help reduce the risk of shared account usage. It would greatly improve the security of the management interface.

by
on ‎08-19-2016 02:29 AM

+1 to this, it would be very good if it was supported.