Integration with LDAP¶
DataRobot can optionally be integrated with an external LDAP server.
The following LDAP servers are supported:
To configure these options, refer to the Tuning DataRobot Environment Variables section of this guide.
LDAP authentication types¶
DataRobot supports two authentication types: ldap and ldapsearch.
Authentication Type ldap¶
To use ldap, all DataRobot users must belong to one level of an LDAP node. This is less flexible than ldapsearch, but there is no need to store LDAP credentials in the configuration.
The authentication flow is as follows:
- User enters a username in the UI.
ldapbackend interpolates dist name template (replaces$usernamewith an actual username) and gets DN (distinguished name) of the user.ldapbackend tries to bind to LDAP server using the DN above and the password entered by the user.- If DataRobot fails to bind, it assumes the username or password is incorrect.
- If the bind process was successful, DataRobot optionally retrieves LDAP attrs (using the bound LDAP session) for impersonation.
Limitations:
- Limited by dist name template and can't authenticate users from different organization units.
- Attribute that's not a part of DN can't be used as a DataRobot username (e.g., if corporate DN is
uid=john.smith,cn=users,cn=accounts,dc=datarobot,dc=com, DataRobot can only usejohn.smithas a username).
Authentication Type ldapsearch¶
Backend ldapsearch does not make any assumptions on LDAP structure and is more flexible than ldap authentication type, but requires more configuration options to be set. This requires LDAP credentials to be stored in the configuration.
The authentication flow is as follows:
- User enters a username in the UI.
ldapsearchbackend performs an LDAP query using a predefined query pattern (e.g.(uid=$username),(sAMAccount=$username),(email=$username)or((cn=$username)|(foo=bar)))- DataRobot takesBIND_DN/BIND_PASSWORDfrom the configuration for making this query.- If exactly one user is found,
ldapsearchtakes the appropriate DN from the search results and tries to bind using the password entered by the user to check if the password is correct. - If
USER_AUTH_LDAP_ORGANIZATION_NAME_ACCOUNT_ATTRIBUTEis configured, the backend tries to find an organization the user belongs to using the config value as an attribute name. If the attribute is set in the LDAP user profile, the user is mapped to the organization on the DataRobot side. - If the
USER_AUTH_LDAP_GROUP_SEARCH_BASE_DNconfig value is specified, the backend tries to map the user group on AD with a DataRobot group by making another request. The query for the group search looks like(&(objectClass=groupOfNames)( | (member=cn={username},{base_dn})(member=uid={username},{base_dn}))).
備考
This query is applied on top of the value set in USER_AUTH_LDAP_GROUP_SEARCH_BASE_DN.
If the backend found a group with the same name as a group in the DR database, the logged-in user is automatically assigned to this group. Also, it's important to mention when the user is part of an organization, this is also considered during group mapping, i.e., the group on the DR side must also be within the organization.
LDAP configuration options¶
Common options¶
USER_AUTH_TYPE-ldaporldapsearchUSER_AUTH_LDAP_URI- protocol, host, and port, e.g.,ldap://1.2.3.4:389(protocol can beldap,ldapsorldapi)USER_AUTH_LDAP_REQUIRED_GROUP(optional) - users outside of this group won't have access to DataRobot, e.g.,CN=datarobot-group,OU=Groups,DC=example,DC=orgUSER_AUTH_LDAP_MAPPING(optional) - account attribute mapping rules for LDAP integration.USER_AUTH_LDAP_MAPPING={"<DR_USER_PROFILE_ATTRIBUTE>": "<LDAP_USER_PROFILE_ATTRIBUTE>"}USER_AUTH_LDAP_GLOBAL_OPTIONS(optional) - JSON-encoded dict (usually used for advanced TLS configuration)USER_AUTH_LDAP_CONNECTION_OPTIONS(optional) - JSON-encoded dict (usually used for advanced TLS configuration)
Options for ldap authentication type¶
USER_AUTH_LDAP_DIST_NAME_TEMPLATE- template for converting DataRobot usernames into LDAP DN, e.g.,CN=$username,OU=Users,DC=example,DC=org
Options for ldapsearch authentication type¶
USER_AUTH_LDAP_BIND_DN- DN of the service LDAP accountUSER_AUTH_LDAP_BIND_PASSWORD- password for the service LDAP accountUSER_AUTH_LDAP_SEARCH_BASE_DN- LDAP node that contains all the DR users, (e.g.,OU=Users,DC=example,DC=org)USER_AUTH_LDAP_SEARCH_SCOPE- LDAP search scope (ONELEVEL or SUBTREE, default is SUBTREE)USER_AUTH_LDAP_SEARCH_FILTER- LDAP search query (default:(cn=$username), LDAP = (&(objectClass=user)(uid=$username)), AD = (&(objectClass=user)(sAMAccountName=$username)))USER_AUTH_LDAP_ORGANIZATION_NAME_ACCOUNT_ATTRIBUTE- the organization name attribute in the LDAP user profile. If not configured, user organization mapping isn't performed.
Options for S3 impersonation¶
See User-Specific IAM Role Usage for more details on S3 Impersonation
ENABLE_S3_ROLE_ASSUMPTION- Bool value to enable S3 role assumption (default: False)USER_AUTH_LDAP_ATTR["s3_role_arns"]- The name of the LDAP attribute containing zero or more Amazon Resource Name(s) (ARN) that should be utilized when ingesting data for the DataRobot user. When multiple ARNs are specified for a user, they're tried iteratively until DataRobot locates one with access to the object.S3_ROLE_ASSUMPTION_DEFAULT- An optional ARN to add to the user-specific list of ARNs supplied via ldapS3_ROLE_ASSUMPTION_SESSION_PREFIX- String prefix to add to AWS session names when assuming roles for ingest; see Assumed Session Names for more details (default: DataRobot-APP)
Email notifications for LDAP users¶
Use the USER_AUTH_LDAP_MAPPING["email_address"] configuration option to configure DataRobot to send email notifications to users with LDAP accounts.
DataRobot uses this mapping to find the email address of the user in the corresponding LDAP record.
For example, users in the FreeIPA directory have a mail attribute, so in order to configure DataRobot to use that, configure the app in the following way:
# helm chart values snippet
core:
config_env_vars:
USER_AUTH_LDAP_MAPPING: '{"email_address":"mail"}'
With this configuration, DataRobot reads the email address found in the mail attribute in the directory and uses it for sending notifications, such as the email about autopilot completion.
Note: Emails in DataRobot with LDAP authentication are read-only, meaning users aren't able to edit their email address from the DataRobot Application. Email is synchronized with the directory each time the user signs into the application and the only way to change a user's email address is to change it in the LDAP directory and re-log in.
Initial users for LDAP deployments¶
DataRobot Helm charts automatically create an initial user (admin@datarobot.com) when installing the chart.
When the Generative AI service is enabled, additional service users are created.
For LDAP integration, it may be necessary to define a list of users to allow the setup to proceed.
This can be done by setting the following variable:
USER_AUTH_SERVICE_USERNAMES: localadmin@datarobot.com,admin@datarobot.com,genai@datarobot.com,genai-admin@datarobot.com
Helm chart values example¶
To enable DataRobot LDAP integration, one needs to:
- Update
core.config_env_vars:
# helm chart values snippet
core:
config_env_vars:
USER_AUTH_TYPE: ldapsearch
USER_AUTH_LDAP_URI: ldap://1.2.3.4:389
USER_AUTH_LDAP_BIND_DN: CN=datarobot-bot,OU=Users,DC=example,DC=org
USER_AUTH_LDAP_BIND_PASSWORD: **********
USER_AUTH_LDAP_SEARCH_BASE_DN: OU=Users,DC=example,DC=org
Nested group membership¶
By default, when USER_AUTH_LDAP_REQUIRED_GROUP is set, only direct membership in that group is checked. You can enable nested group evaluation so that users who belong to child groups (subgroups) of the required group can authenticate as well.
This is useful when LDAP groups are organized hierarchically—for example, a top-level DR_Access_Allowed group contains department-level subgroups and users are assigned to those subgroups rather than to the top-level group directly.
Nested group evaluation is used only to verify whether a user can access DataRobot through USER_AUTH_LDAP_REQUIRED_GROUP. It does not create DataRobot groups, sync LDAP group membership into DataRobot, or assign users to DataRobot Application groups. DataRobot group mapping is handled separately by USER_AUTH_LDAP_GROUP_SEARCH_BASE_DN.
Prerequisites for nested groups¶
- DataRobot is configured to use
ldapsearchauthentication type (USER_AUTH_TYPE=ldapsearch). - A required group is configured via
USER_AUTH_LDAP_REQUIRED_GROUP. - The LDAP Nested Groups feature flag is enabled for your deployment. The
USER_AUTH_LDAP_REQUIRED_GROUP_NESTING_MODEsetting only appears in the System Configuration UI when the feature flag is active.
Nesting mode setting¶
| 設定 | 値 | デフォルト | 説明 |
|---|---|---|---|
USER_AUTH_LDAP_REQUIRED_GROUP_NESTING_MODE |
NONE, TWO_NESTED_LEVELS, FULL_RECURSIVE |
NONE |
Strategy used to evaluate required-group membership when USER_AUTH_LDAP_REQUIRED_GROUP is set. |
Nesting mode: NONE (default)¶
Only direct membership in the required group is checked. The system verifies that the user's DN (or the configured account attribute) is listed in the group's member (or configured member attribute) list. This is the legacy behavior.
Use when: Users are added directly to the required group.
Nesting mode: TWO_NESTED_LEVELS¶
Checks whether the user belongs to one of the direct child groups of the required group:
- The system reads the required group's member list from LDAP.
- It reads the user's
memberOfattribute from LDAP. - If any of the required group's members overlap with the user's
memberOfmemberships (case-insensitive comparison), access is granted. - If no nested match is found, the system falls back to the standard direct membership check.
Use when: Your group hierarchy has at most two levels (a parent group containing child groups, and users are members of those child groups). This mode does not require Active Directory and works with any LDAP server that populates the memberOf attribute.
Example structure:
DR_Access_Allowed (required group)
├── DataScientists (child group) ← user "alice" is a member
├── Engineers (child group) ← user "bob" is a member
└── user "charlie" (direct member)
In this setup, alice, bob, and charlie would all pass the group membership check.
Nesting mode: FULL_RECURSIVE¶
Evaluates transitive (recursive) group membership using the LDAP matching rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN). The system issues a search on the user's own entry with a filter like:
(memberOf:1.2.840.113556.1.4.1941:=<required_group_dn>)
This delegates the entire recursive traversal to the LDAP server.
Use when: Your group hierarchy has more than two levels, or you want the LDAP server to handle full recursive resolution. This mode is designed for Active Directory environments that support the LDAP_MATCHING_RULE_IN_CHAIN OID. Some other directory servers (e.g., 389 Directory Server) also support this OID via inChainMatch.
注意
If your LDAP server does not support the 1.2.840.113556.1.4.1941 matching rule, authentication will fail for all users when this mode is active.
Related settings for nested groups¶
The USER_AUTH_LDAP_REQUIRED_GROUP_NESTING_MODE setting interacts with several other LDAP settings. The table below summarizes how each setting is used per nesting mode.
| 設定 | NONE |
TWO_NESTED_LEVELS |
FULL_RECURSIVE |
|---|---|---|---|
REQUIRED_GROUP |
必須 | 必須 | 必須 |
REQUIRED_GROUP_MEMBER_ATTR |
Used for direct check | Used to read child groups + fallback | Fallback only |
REQUIRED_GROUP_ACCOUNT_ATTR |
Used for direct check | Used in fallback only | Fallback only |
GROUP_OBJECT_CLASS |
Separate DataRobot group mapping only | Separate DataRobot group mapping only | Separate DataRobot group mapping only |
GROUP_SEARCH_BASE_DN |
Separate DataRobot group mapping only | Separate DataRobot group mapping only | Separate DataRobot group mapping only |
BIND_DN / BIND_PASSWORD |
Read group members | Read group members + user memberOf |
Read user memberOf |
User's memberOf attribute |
Not required | Required on user entries | Required on user entries |
USER_AUTH_LDAP_REQUIRED_GROUP_MEMBER_ATTR¶
Defaults to member. Used to check whether the user's DN (or account attribute) is listed in the group's member list. In TWO_NESTED_LEVELS mode, this attribute is also used to read the list of child groups from the required group record—if this attribute name is wrong, the system cannot discover child groups and nested membership will always fail.
Change this if your directory uses a different attribute for group membership (e.g., uniqueMember for groupOfUniqueNames object classes). For Active Directory with group object class, the default member is correct.
USER_AUTH_LDAP_REQUIRED_GROUP_ACCOUNT_ATTR¶
Defaults to empty (the user's full DN is used). When set, the system compares the value of this user attribute against the group's member list instead of comparing the user's DN. This affects the direct membership check used by NONE mode and as a fallback in TWO_NESTED_LEVELS. It does not affect the FULL_RECURSIVE matching rule check.
In most Active Directory deployments, leave this empty.
USER_AUTH_LDAP_GROUP_OBJECT_CLASS¶
Defaults to groupOfNames. Defines the object class used for LDAP group searches. For Active Directory, set this to group. For OpenLDAP or 389 DS, use groupOfNames or groupOfUniqueNames depending on your schema.
Service account permissions¶
The service account (USER_AUTH_LDAP_BIND_DN / USER_AUTH_LDAP_BIND_PASSWORD) must have read access to:
- The required group's
memberattribute (needed forTWO_NESTED_LEVELSto discover child groups). - User entries'
memberOfattribute (needed for bothTWO_NESTED_LEVELSandFULL_RECURSIVE).
If the service account lacks read permissions on these attributes, nested group checks will silently return empty results and users will be denied access. Verify permissions with an ldapsearch using the service account credentials.
Nested groups example configuration¶
Below is an example of a working configuration for an Active Directory environment with nested groups:
| 設定 | 値 |
|---|---|
USER_AUTH_LDAP_BIND_DN |
ldap-svc@dr.lab |
USER_AUTH_LDAP_BIND_PASSWORD |
(service account password) |
USER_AUTH_LDAP_REQUIRED_GROUP |
CN=DR_Access_Allowed,OU=DataRobot,DC=dr,DC=lab |
USER_AUTH_LDAP_SEARCH_BASE_DN |
OU=DataRobot,DC=dr,DC=lab |
USER_AUTH_LDAP_URI |
ldap://xx.xxx.xxx.xxx:xxxxx |
USER_AUTH_LDAP_REQUIRED_GROUP_NESTING_MODE |
FULL_RECURSIVE |
All other LDAP settings use their default values:
| 設定 | Default Value |
|---|---|
USER_AUTH_LDAP_REQUIRED_GROUP_MEMBER_ATTR |
member |
USER_AUTH_LDAP_REQUIRED_GROUP_ACCOUNT_ATTR |
(empty — uses account DN) |
USER_AUTH_LDAP_SEARCH_SCOPE |
SUBTREE |
USER_AUTH_LDAP_SEARCH_FILTER |
(cn=$username) |