Configuring LDAP authentication for an Analyzer or a Collector
When you configure authentication between your LDAP server and the Real User Analyzer and Real User Collector components, users are authenticated by the LDAP server and they acquire user roles established by the Administrator.
- If you enable automatic account creation, the Analyzer and Collector components create accounts for users the first time they log on. If you do not change the default user role, users log on with Observer permission.
- If you do not enable automatic account creation, you must manually create the user accounts in the Analyzer and Collector.
To configure LDAP authentication for the Analyzer and Collector, complete the following procedures on each component:
- To enable authentication and authorization for an Analyzer or a Collector
- To configure LDAP authentication for an Analyzer or Collector
To enable authentication and authorization for an Analyzer or a Collector
To perform this procedure, you must have Security-level access.
- Open the Administration > Security settings > Account policies page.
- In the Device access section, click Enable for LDAP authentication and authorization.
- On the Action menu for LDAP authentication and authorization, click Edit.
The Edit Automatic account creation policy pop-up appears.
- Ensure that the Automatically create Real User Analyzer accounts for authenticated and authorized LDAP users box is selected.
If you do not select this box, Analyzer and Collector accounts are not created automatically for your LDAP users, and you must create the user accounts in the Analyzer and Collector manually.
To configure LDAP authentication for an Analyzer or Collector
To perform this procedure, you must have Administrator-level access, or higher.
On the Administration page, select General Settings > Accounts and LDAP management, and select the LDAP settings view.
- In the Directory Server section, select Edit from the Action menu, and add information specific to your LDAP server:
- In the Host box, enter the host name or IP address of the server where the LDAP directory resides (for example, 192.168.1.1, 2001:500:100:1222:250:56ff:fe8f:5b1f, or ldap.example.com).
- In the Port box, enter the TCP port of the host server (indicated in the Host box). The standard port for LDAP is port 389 for non-SSL connections and 636 for SSL connections.
- From the Authentication list, select the authentication for the system to use, Simple (username & password) or Anonymous.
- If you selected simple authentication, complete the following steps; otherwise, skip to step 3:
- In the Search username (bind DN) box, enter the name of the user account permitted to search the LDAP directory within the defined search base. Use the DN format, for example cn=Administrator,cn=Users,dc=domain,dc=com.
- In the Password box, enter the password for the account on the directory server that corresponds to the user account in the Search username (bind DN) box.
- In the Connection security level list, select the type of communication, Non-Secure or LDAPS (Secure LDAP, also known as LDAP over SSL).
- (Optional) If you selected LDAPS in the Connection security level list, select Allow SSL connection to LDAP server using self-signed certificate unless your organization requires an X.509 certificate (also known as an SSL certificate) purchased from a commercial Certificate Authority (CA).
- In the Connection timeout box, specify the length of time that the system waits before it declares an error on the connection.
- (Optional) Click Test Server.
A message indicates whether the connection succeeded or, if it failed, reports the errors.
In the User lookup for authentication section, add information to enable the Analyzer to look up users that are registered on the LDAP server:
- In the Base DN box, enter the base distinguished name (DN) to indicate where you want to begin the search in the LDAP directory. An LDAP directory is arranged in tree fashion, with a root and branches off this root. The base DN indicates at which node to start the search.
- In the Filter box, enter the query string that will return the records that you want to see.
- In the Filter Scope list, select how far below the base DN the search extends:
- Base searches only the entry at the base DN, resulting in only that entry being returned (if it also meets the search filter criteria).
- One Level searches all entries that are one level under the base DN (excluding the base DN).
- Subtree searches all entries at all levels under and including the specified base DN.
- In the Username attribute box, enter the single LDAP user attribute that the system uses for the lookup, for example cn. It can be any attribute configured on the LDAP server.
- In the Member Attribute box, enter the name of the member attribute that contains the list of users in the group.
- (Optional) Click Test lookup.
If the server and lookup are configured correctly, a list of LDAP users appears in a new window.
- Click Save.
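The Filter Scope options, the Username attribute and the Member Attribute described above can be rehearsed on a small constructed directory before the real values are entered in the UI. The following Python is an added example and is not part of the product or its documentation: the directory contents, DNs, group name and attribute values are all constructed, DNs are assumed to contain no escaped commas, and the filter parser covers only the (attr=value), &, |, ! subset of LDAP filter syntax. It shows which entries Base, One Level and Subtree return from the same base DN, and why the username attribute must be unique.

```python
"""Added example (not the product's code): in-memory model of the User lookup
fields (base DN, filter, scope, username attribute, member attribute)."""
import re

# Constructed sample directory (DN -> attributes); every value is illustrative.
DIRECTORY = {
    "dc=example,dc=com": {"objectClass": ["domain"]},
    "ou=People,dc=example,dc=com": {"objectClass": ["organizationalUnit"], "ou": ["People"]},
    "cn=alice,ou=People,dc=example,dc=com": {"objectClass": ["person"], "cn": ["alice"]},
    "ou=Contractors,ou=People,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    "cn=bob,ou=Contractors,ou=People,dc=example,dc=com": {"objectClass": ["person"], "cn": ["bob"]},
    "ou=Groups,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    "cn=analyzer-admins,ou=Groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["analyzer-admins"],
        "member": ["cn=alice,ou=People,dc=example,dc=com"]},
}


def dn_rdns(dn):
    """Split a DN into normalised RDNs, most specific first (no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]


def get_values(attrs, name):
    """Attribute names are case-insensitive in LDAP; look them up that way."""
    for key, values in attrs.items():
        if key.lower() == name.lower():
            return values
    return []


def parse_filter(text):
    """Parse (attr=value), (&...), (|...) or (!...) into a nested tuple."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("filter must be enclosed in parentheses")
    body = text[1:-1]
    if body and body[0] in "&|!":
        children, depth, start = [], 0, None
        for i, ch in enumerate(body[1:], 1):
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    children.append(parse_filter(body[start:i + 1]))
        if depth != 0 or not children:
            raise ValueError("malformed compound filter: " + text)
        return (body[0], children)
    attr, sep, value = body.partition("=")
    if not sep or not attr:
        raise ValueError("malformed filter item: " + text)
    return ("=", attr.strip(), value.strip())


def value_matches(value, pattern):
    """LDAP-style wildcard match: '*' matches any run of characters."""
    regex = ".*".join(re.escape(p) for p in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def matches(node, attrs):
    op = node[0]
    if op == "&":
        return all(matches(c, attrs) for c in node[1])
    if op == "|":
        return any(matches(c, attrs) for c in node[1])
    if op == "!":
        return not matches(node[1][0], attrs)
    _, attr, pattern = node
    return any(value_matches(v, pattern) for v in get_values(attrs, attr))


def search(base_dn, filter_str, scope, directory=DIRECTORY):
    """Return DNs at or below base_dn that satisfy the filter within the scope."""
    if scope not in ("base", "one", "sub"):
        raise ValueError("scope must be base, one or sub")
    node, base = parse_filter(filter_str), dn_rdns(base_dn)
    hits = []
    for dn, attrs in directory.items():
        rdns = dn_rdns(dn)
        if len(rdns) < len(base) or rdns[len(rdns) - len(base):] != base:
            continue                        # not at or below the base DN
        depth = len(rdns) - len(base)       # 0 = the base entry itself
        if (scope == "base" and depth != 0) or (scope == "one" and depth != 1):
            continue
        if matches(node, attrs):
            hits.append(dn)
    return sorted(hits)


def lookup_user(base_dn, filter_str, scope, username_attr, login_name, directory=DIRECTORY):
    """Find the single entry whose username attribute equals the login name.
    None: the user is outside the configured base/scope/filter.
    LookupError: the chosen username attribute is not unique."""
    found = [dn for dn in search(base_dn, filter_str, scope, directory)
             if any(v.lower() == login_name.lower()
                    for v in get_values(directory[dn], username_attr))]
    if len(found) > 1:
        raise LookupError("username attribute is ambiguous for " + login_name)
    return found[0] if found else None


def is_member(group_dn, user_dn, member_attr, directory=DIRECTORY):
    """Check group membership through the configured member attribute."""
    members = get_values(directory[group_dn], member_attr)
    return any(dn_rdns(m) == dn_rdns(user_dn) for m in members)


if __name__ == "__main__":
    base = "ou=People,dc=example,dc=com"
    for scope in ("base", "one", "sub"):
        print(scope, search(base, "(objectClass=*)", scope))
    print(lookup_user(base, "(objectClass=person)", "one", "cn", "bob"))  # None
```

With the base DN set to ou=People, the Base scope returns only that organizational unit, One Level returns alice and the Contractors unit but not bob, and Subtree reaches bob as well; a user in a nested unit therefore fails lookup until the scope is widened or the base DN moved. The DN comparison in is_member normalises case and spacing, which is what makes a member value written by one tool match the DN returned by another.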
Where to go from here
Select one of the following options:
- To create LDAP users on the Analyzer or Collector, see Adding an LDAP-managed account on an Analyzer or a Collector (Use LDAP for Authentication only).
- To enable user authorization from the LDAP server, proceed to Configuring LDAP group lookup for an Analyzer or a Collector (Use LDAP for authentication and authorization).