Knowledge Base

Configure Neo4j to authenticate users from different OUs using the Active Directory attribute samAccountName

Beginning with Neo4j version 3.2.2, it is possible to authenticate using the Active Directory attribute samAccountName as opposed to the LDAP Display Name attribute. This is described in detail in the following KB article: How do I allow for authentication using Active Directory attribute samAccountName

However, when you need to authenticate and authorize users who are defined under different OUs, and cannot define a System Account in the Neo4j configuration file, a slightly different configuration is needed. This is specific to Active Directory, and requires logging in with the samAccountName attribute (which we have found to be the common case).

The following conf/neo4j.conf parameters must be set to use samAccountName and support authenticating users from multiple OUs:

dbms.security.auth_enabled=true
dbms.security.auth_provider=ldap
dbms.security.ldap.host=<the LDAP hostname>

dbms.security.ldap.authentication.user_dn_template={0}@example.com
dbms.security.ldap.authorization.user_search_base=dc=example,dc=com
dbms.security.ldap.authorization.user_search_filter=(&(objectClass=user)(sAMAccountName={0}))

dbms.security.ldap.authorization.group_membership_attributes=memberOf
dbms.security.ldap.authorization.group_to_role_mapping=\
"cn=Neo4j Read Only,cn=Users,dc=example,dc=com" = reader ;\
"cn=Neo4j Read-Write,cn=Users,dc=example,dc=com" = publisher ;\
"cn=Neo4j Schema Manager,cn=Users,dc=example,dc=com" = architect ;\
"cn=Neo4j Administrator,cn=Users,dc=example,dc=com" = admin ;\
"cn=Neo4j Procedures,cn=Users,dc=example,dc=com" = allowed_role

Key points:

  1. The main difference that allows this to work is specifying the {0}@example.com pattern in the user_dn_template. This allows the authentication to start at the root Domain, and check the whole tree, regardless of where the User is located within it.

  2. Notice you should NOT set dbms.security.ldap.authentication.use_samaccountname. It will not work properly.

With the following AD setup we successfully authenicate both users Admin User and Support User. They would login with adminuser and supportuser1 respectively:

image

image