Configure Neo4j to authenticate users from different OUs using the Active Directory attribute samAccountName
Beginning with Neo4j version 3.2.2, it is possible to authenticate using the Active Directory attribute samAccountName as opposed to the LDAP Display Name attribute. This is described in detail in the following KB article: How do I allow for authentication using Active Directory attribute samAccountName
However, when you need to authenticate and authorize users who are defined under different OUs, and cannot define a System Account in the Neo4j configuration file, a slightly different configuration is needed. This is specific to Active Directory, and requires logging in with the samAccountName attribute (which we have found to be the common case).
The following conf/neo4j.conf parameters must be set to use samAccountName and support authenticating users from multiple OUs:
dbms.security.auth_enabled=true
dbms.security.auth_provider=ldap
dbms.security.ldap.host=<the LDAP hostname>
dbms.security.ldap.authentication.user_dn_template={0}@example.com
dbms.security.ldap.authorization.user_search_base=dc=example,dc=com
dbms.security.ldap.authorization.user_search_filter=(&(objectClass=user)(sAMAccountName={0}))
dbms.security.ldap.authorization.group_membership_attributes=memberOf
dbms.security.ldap.authorization.group_to_role_mapping=\
"cn=Neo4j Read Only,cn=Users,dc=example,dc=com" = reader ;\
"cn=Neo4j Read-Write,cn=Users,dc=example,dc=com" = publisher ;\
"cn=Neo4j Schema Manager,cn=Users,dc=example,dc=com" = architect ;\
"cn=Neo4j Administrator,cn=Users,dc=example,dc=com" = admin ;\
"cn=Neo4j Procedures,cn=Users,dc=example,dc=com" = allowed_role
Key points:
- The main difference that allows this to work is specifying the {0}@example.com pattern in the user_dn_template. This allows the authentication to start at the root Domain, and check the whole tree, regardless of where the User is located within it.
- Notice you should NOT set dbms.security.ldap.authentication.use_samaccountname. It will not work properly.
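As an added illustration (not Neo4j's own code), the following Python models what the settings above do: the {0} substitution into user_dn_template and user_search_filter, the parsing of group_to_role_mapping, and the memberOf-to-role lookup for two constructed users placed in different OUs. The directory contents, the OU names, the case-insensitive DN comparison and the RFC 4515 escaping of the filter value are assumptions of the example, not behaviour documented in this article.

```python
import re

# Constructed values mirroring the neo4j.conf settings above (not Neo4j's own code).
USER_DN_TEMPLATE = "{0}@example.com"
USER_SEARCH_FILTER = "(&(objectClass=user)(sAMAccountName={0}))"
GROUP_TO_ROLE_MAPPING = (
    '"cn=Neo4j Read Only,cn=Users,dc=example,dc=com" = reader ;'
    '"cn=Neo4j Read-Write,cn=Users,dc=example,dc=com" = publisher ;'
    '"cn=Neo4j Schema Manager,cn=Users,dc=example,dc=com" = architect ;'
    '"cn=Neo4j Administrator,cn=Users,dc=example,dc=com" = admin ;'
    '"cn=Neo4j Procedures,cn=Users,dc=example,dc=com" = allowed_role'
)
# Constructed stand-in for AD: the two users sit in different OUs but both bind by UPN.
DIRECTORY = {
    "adminuser": {"dn": "CN=Admin User,OU=Infrastructure,DC=example,DC=com",
                  "memberOf": ["CN=Neo4j Administrator,CN=Users,DC=example,DC=com"]},
    "supportuser1": {"dn": "CN=Support User,OU=Support,DC=example,DC=com",
                     "memberOf": ["CN=Neo4j Read Only,CN=Users,DC=example,DC=com",
                                  "CN=Domain Users,CN=Users,DC=example,DC=com"]},
}
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside an LDAP filter value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def bind_principal(username: str) -> str:
    """The UPN the user binds with: {0} in user_dn_template is the typed login name."""
    return USER_DN_TEMPLATE.replace("{0}", username)

def search_filter(username: str) -> str:
    """Filter used to locate the entry under user_search_base, with {0} escaped."""
    return USER_SEARCH_FILTER.replace("{0}", escape_filter_value(username))

def parse_group_to_role_mapping(mapping: str) -> dict[str, set[str]]:
    """Parse '"<group dn>" = role[, role] ; ...' into {lower-cased group dn: roles}."""
    result: dict[str, set[str]] = {}
    for entry in filter(None, (e.strip() for e in mapping.split(";"))):
        m = re.fullmatch(r'"([^"]+)"\s*=\s*(.+)', entry)
        if not m:
            raise ValueError(f"bad group_to_role_mapping entry: {entry!r}")
        result[m.group(1).lower()] = {r.strip() for r in m.group(2).split(",")}
    return result

def roles_for(username: str) -> set[str]:
    """Roles from memberOf (DNs compared case-insensitively); unmapped groups grant none."""
    mapping = parse_group_to_role_mapping(GROUP_TO_ROLE_MAPPING)
    member_of = DIRECTORY.get(username, {}).get("memberOf", [])
    return set().union(*(mapping.get(g.lower(), set()) for g in member_of))
```

Note that the user's OU never enters the bind principal, which is exactly why users from any OU can authenticate with this template; only group membership decides the Neo4j roles.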
With the following AD setup we successfully authenticate both users Admin User and Support User. They would log in with adminuser and supportuser1 respectively: