4. Authentication

Users are authenticated, and recieve roles depending on the authentication backend. Users are administered locally in an application specific table that can be managed using Invoke.


Two backends can be configured; local or ad. Each is explored below.

Two factor authentication can be enabled on top of the normal authentication backend. Currently only duo is supported and explored below.

4.1. First factor authentication backends

4.1.1. Local authentication

Local authentication makes Query Builder authenticate users against a table of locally configured users.

Users can be added and removed using Invoke. Note that a user role needs to be granted on a user for him to be able to access and edit a configured project.

4.1.2. AD authentication

Users logging into Query Builder can be authenticated and to some extent be authorised using an Active Directory. Prerequisites here a provisioned Project that contains an authgroup that matches one of the group memberships for the AD user. The user need not be further provisioned in the Query Builder.


An url of the form ‘ldap://ad:389’ that describes the location of the Active Directory. Note that in the query active directory mannerisms are used, so a normal ldap will not suffice.


AD administrator account. This account is used to retrieve user information after login, when the user password is no longer in context and available.


AD administrator password.


A base DN of the form ‘dc=mgrid,dc=net’ that is used as the root for all queries.


A user domain that is added to all user names when they authenticate without a backslash or at sign in the username. Typical example MGRID\

4.2. Second factor authentication backends

4.2.1. DUO

Users authenticating into Query Builder can be asked for a second authentication factor via DUO. They will then be contacted via mobile app or sms to provide further proof of identity.


Boolean; set to True to enable, False to disable.


One of the keys needed to interact with the DUO servers.


One of the keys needed to interact with the DUO servers.


Hostname of the DUO server to interact with, e.g. api-ffffffff.duosecurity.com.

4.3. Session management


Sets the lifetime of the session cookie that is set for authenticated users in seconds. Defaults to 4 hours.