
Connect the C3 Agentic AI Platform to an LDAP Server

Administrators often integrate their applications with the Lightweight Directory Access Protocol (LDAP) to streamline the user login process and to automate administrative tasks such as creating users and assigning them roles. LDAP integration allows the C3 Agentic AI Platform to use an existing LDAP server as the primary source of user data. Typically, LDAP integration is also part of a single sign-on implementation.

The integration first binds to the directory with the LDAP service account credentials and searches for the distinguished name (DN) of the user who is logging in. Given that DN, the integration rebinds to the LDAP server with the user's DN and the password the user entered, so the directory itself verifies the password. The password travels from the browser to the platform only inside an HTTPS session, and is then forwarded to the LDAP server in the bind request, which is why the connection to the LDAP server should also be encrypted (see Secure communication configuration). The integration never stores LDAP passwords in the C3 Agentic AI Platform.

User authentication

Michelle is a Risk Analyst at Bank Corp. Bank Corp uses Active Directory (AD) for user authentication and group membership. Bank Corp has standardized on LDAP-based authentication for internal application users. When Michelle logs into the C3 AI Anti-Money Laundering application, the C3 Agentic AI Platform proxies the authentication request to the authentication provider (in this case AD). If the user is found and the specified password is valid, the authentication provider returns user attributes and membership details to the C3 Agentic AI Platform to be used for application authorization.

Group membership

Continuing the example above: after Active Directory validates Michelle's password, it returns her group memberships together with her user attributes. Upon receiving the membership details, application code assigns the user to the corresponding groups for authorization.

Parameters

Use the following sections to configure your LDAP parameters.

Configuration requirements

To establish a secure connection between the C3 Agentic AI Platform and the LDAP server, the LDAP configuration must be explicitly defined using the LdapIdp.Config Type. The configuration includes crucial fields that ensure the connection is secure, reliable, and aligns with the administrative credentials and network settings of the LDAP server.

Key configuration fields

  • hostName: Specifies the host name of the LDAP server.
  • port: Indicates the port on which the LDAP server listens (e.g., 389 for plain LDAP or STARTTLS, 636 for LDAPS).
  • timeout: Defines the maximum time in milliseconds the server waits for a connection to be established before timing out.
  • username: The distinguished name of the service account used by the C3 Agentic AI Platform to connect to the directory server. This is treated as a sensitive field.
  • password: The corresponding password for the service account, also treated as sensitive.
  • queryParams: Specifies additional parameters required to query the LDAP server effectively.

Secure communication configuration

To enable TLS and secure the connection to the LDAP server, populate the tlsCert field. It specifies the TLS certificate material used to secure communications: the trust store it references is what the client uses to verify the LDAP server's certificate, so the service account and user credentials sent in the bind are not disclosed to an impostor, and data transmitted between the C3 Agentic AI Platform and the LDAP server is encrypted against eavesdropping and tampering.

  • tlsCert: A TlsCertificate object that contains the necessary certificates to establish a secure TLS connection. The fields trustStorePath and trustStorePassword within tlsCert are required to configure this securely.

Incorporating the tlsCert in your LDAP configuration is essential for complying with security best practices when handling sensitive user data and authentication credentials.

Examples of the username value (the bind identity of the service account):

  • cn=administrator,cn=users,dc=ad,dc=example,dc=com
  • cn=user,dc=domain,dc=name
  • user@domain.name

When querying an LDAP directory, you can set additional parameters to refine the search. Below are the fields on the LdapIdp.QueryParams Type. (The configuration example later on this page writes the DN fields as baseDn, userDn and groupDn and additionally sets userPrefix and groupPrefix.)

Field               Description
baseDN              Root location (search base) of the LDAP server. Example: dc=example,dc=com
userDN              Location of users in the LDAP server. Example: ou=people,dc=example,dc=com
groupDN             Location of groups in the LDAP server. Example: ou=groups,dc=example,dc=com
groupObjectClass    The object class of group entries on the LDAP server. Example: groupOfUniqueNames, groupOfNames
peopleObjectClass   The attribute on a group entry that lists its members (the examples given are membership attributes, not object classes). Example: uniqueMember, member
passwordKey         The password attribute name in the LDAP server. Example: password, userPassword, passcode
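The two directory lookups described above (service-account search for the user's DN, then a search of the group container for entries naming that DN) are shown below as an added example. This is not C3 platform code: it builds the search filters from the page's query-parameter values with RFC 4515 escaping of user-controlled input and runs them against a small constructed in-memory directory. It assumes uid as the login attribute, groupOfUniqueNames/uniqueMember as the group class and membership attribute (the page's groupObjectClass and peopleObjectClass examples), and the field name memberAttribute is the example's own.

```javascript
// Added example, not C3 platform code. Builds the user-lookup and group-lookup
// filters from the page's query parameters and shows why the login name must be
// escaped (RFC 4515) before it is placed in a filter. The directory is a
// constructed stand-in; the matcher supports only the filter shapes built here.

// Constructed directory in the layout the page's example uses.
const DIRECTORY = [
  { dn: "uid=michelle,ou=people,dc=example,dc=com", attrs: { uid: ["michelle"] } },
  { dn: "uid=svc-c3,ou=people,dc=example,dc=com",   attrs: { uid: ["svc-c3"] } },
  { dn: "cn=risk-analysts,ou=groups,dc=example,dc=com",
    attrs: { objectClass: ["groupOfUniqueNames"],
             uniqueMember: ["uid=michelle,ou=people,dc=example,dc=com"] } },
  { dn: "cn=admins,ou=groups,dc=example,dc=com",
    attrs: { objectClass: ["groupOfUniqueNames"],
             uniqueMember: ["uid=svc-c3,ou=people,dc=example,dc=com"] } },
];

// Assumed mapping onto the page's query parameters. memberAttribute stands in
// for the page's peopleObjectClass (whose examples are membership attributes).
const QUERY_PARAMS = {
  userDn: "ou=people,dc=example,dc=com",
  groupDn: "ou=groups,dc=example,dc=com",
  groupObjectClass: "groupOfUniqueNames",
  memberAttribute: "uniqueMember",
};

// RFC 4515 section 3: backslash, asterisk, parentheses and NUL inside a
// filter value must be written as \XX.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g,
    (c) => "\\" + c.charCodeAt(0).toString(16).padStart(2, "0"));
}

// Step 1: the filter the service account uses to resolve a login name to a DN.
function userSearchFilter(username) {
  return `(uid=${escapeFilterValue(username)})`;
}

// Step 3: the filter that lists groups whose member attribute names the DN.
function groupSearchFilter(params, userDn) {
  return `(&(objectClass=${params.groupObjectClass})` +
         `(${params.memberAttribute}=${escapeFilterValue(userDn)}))`;
}

// Minimal matcher for (attr=value) and (&(...)(...)). An unescaped '*' is a
// substring wildcard as in real LDAP; an escaped \2a is a literal asterisk.
const escapeRegex = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

function valueToRegex(raw) {
  let re = "^";
  for (let i = 0; i < raw.length; i++) {
    const c = raw[i];
    if (c === "\\") {                       // \XX: one literal byte
      re += escapeRegex(String.fromCharCode(parseInt(raw.substr(i + 1, 2), 16)));
      i += 2;
    } else if (c === "*") re += ".*";      // unescaped wildcard
    else re += escapeRegex(c);
  }
  return new RegExp(re + "$");
}

function splitTopLevel(s) {                 // "(a=b)(c=d)" -> ["(a=b)", "(c=d)"]
  const parts = []; let depth = 0, start = 0;
  for (let i = 0; i < s.length; i++) {
    if (s[i] === "(") depth++;
    if (s[i] === ")" && --depth === 0) { parts.push(s.slice(start, i + 1)); start = i + 1; }
  }
  return parts;
}

function matchesFilter(entry, filter) {
  if (filter.startsWith("(&")) {
    return splitTopLevel(filter.slice(2, -1)).every((f) => matchesFilter(entry, f));
  }
  const m = /^\(([^=()]+)=(.*)\)$/.exec(filter);
  if (!m) throw new Error("unsupported filter: " + filter);
  const re = valueToRegex(m[2]);
  return (entry.attrs[m[1]] || []).some((v) => re.test(v));
}

// Subtree search: DNs at or below `base` whose entry matches `filter`.
function search(base, filter) {
  return DIRECTORY
    .filter((e) => (e.dn === base || e.dn.endsWith("," + base)) && matchesFilter(e, filter))
    .map((e) => e.dn);
}

// Resolve a login name to exactly one DN, the precondition for the rebind.
// Zero or several hits return null: never "take the first" result.
function resolveUserDn(params, username) {
  const hits = search(params.userDn, userSearchFilter(username));
  return hits.length === 1 ? hits[0] : null;
}

function groupsFor(params, userDn) {
  return search(params.groupDn, groupSearchFilter(params, userDn));
}

// For contrast: how many users an UNescaped login name would match.
function unescapedMatchCount(username) {
  return search(QUERY_PARAMS.userDn, `(uid=${username})`).length;
}
```

With the login name `*`, unescapedMatchCount returns 2 (every user), while the escaped filter `(uid=\2a)` matches nobody and resolveUserDn returns null; the same escaping is applied to the DN when it is placed in the group filter.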

Just-In-Time authentication and user provisioning

After an LDAP integration is configured, the C3 Agentic AI Platform allows users to log in to the application even if they do not yet have a user record. When a user attempts to log in, the C3 Agentic AI Platform authenticates against the LDAP server using the credentials provided by the user. If a matching LDAP account is found and the password is valid, the C3 Agentic AI Platform creates or updates the user record, assigns the user to the default group (if configured) or to the group membership provided by the LDAP server, and completes the authentication flow.

The groups provided by the LDAP server must already be registered with the C3 AI application for the membership to be applied.

LDAP attribute mapping

When integrating with an LDAP server, a minimum set of user information is stored in the C3 AI database:

  • uid – the unique identifier of the user
  • cn – first name
  • sn – last name
  • mail – the user's email address
  • group member – the groups the user is a member of

Prerequisites

LDAP integration requires:

  • An LDAP v3 compliant directory server
  • The external IP address or fully qualified domain name of the LDAP server
  • A read-only LDAP account
  • Certificates, if secure LDAP is used to communicate with the LDAP server. Register the server's certificate chain (or the CA that issued it) as a TlsCertificate; the LDAP client uses that TlsCertificate to verify the server when it initiates the TLS connection.

Note: The configuration settings for the LDAP integration reference this TlsCertificate through the tlsCert field.

Configuration example (non-Secure)

Use the following steps to configure the integration with an LDAP server. The example is labelled non-secure because it does not populate tlsCert and connects to the default ApacheDS plain-LDAP port (10389); for an encrypted connection, also configure tlsCert as described under Secure communication configuration and use the port on which the server offers TLS.

  1. Create an application URL configured for LDAP, keeping a reference to it for the configuration step.
JavaScript
// upsert() persists the AppUrl; its id keys the LdapIdp.Config below.
var appUrl = AppUrl.make("lightbulb.acme.org").withEnv("team").withApp("c3").upsert();
  2. Define the query parameters used to look up user and group information on the LDAP server.

Example:

JavaScript
var queryParams = LdapIdp.QueryParams.make({
    baseDn: 'dc=example,dc=com',                      // search base of the directory
    userDn: 'ou=people,dc=example,dc=com',            // container holding user entries
    groupDn: 'ou=groups,dc=example,dc=com',           // container holding group entries
    userPrefix: LdapQueryKind.UID,                    // attribute that names a user (uid=...)
    groupPrefix: LdapQueryKind.UID,
    groupObjectClass: LdapQueryKind.GROUP_U_NAMES,    // groups are groupOfUniqueNames
    peopleObjectClass: LdapQueryKind.UNIQUE_MEMBER,   // membership attribute on a group
    passwordKey: 'userPassword'
});
  3. Set the LdapIdp.Config configuration to enable connectivity to the LDAP server.

Example:

JavaScript
var ldapIdpConfig = LdapIdp.Config.make(appUrl.id).config();
ldapIdpConfig.setConfigValue('hostName', 'apacheds', ConfigOverride.APP);
ldapIdpConfig.setConfigValue('port', 10389, ConfigOverride.APP);
// timeout is in milliseconds; 999999 (about 16.7 minutes) is a development
// value, and a production deployment should use a few seconds at most.
ldapIdpConfig.setConfigValue('timeout', 999999, ConfigOverride.APP);
ldapIdpConfig.setConfigValue('queryParams', queryParams, ConfigOverride.APP);
ldapIdpConfig.setConfigValue('secureMode', true, ConfigOverride.APP);
  4. Set your LDAP secrets. The service account username and password are sensitive fields, so set them with setSecretValue rather than setConfigValue.

Example:

JavaScript
ldapIdpConfig.setSecretValue('username', '<username>');
ldapIdpConfig.setSecretValue('password', '<secret value>');
