Configuring LDAP authentication


Users can be authenticated against an external LDAP directory service such as Active Directory.

Note

Internal authentication settings under Configuration > Authentication Configuration are not applicable after LDAP authentication is configured.

Before you begin

Before you begin the integration with Active Directory, make sure that the following requirements are met:

  • The Manager must be installed on the node. 
  • Each LDAP account that will log on to BDA must also have a corresponding account in the Manager, with one exception: the sysadmin account, which can be bound to a single Active Directory user account. That user assumes all sysadmin privileges. Additional accounts can be set up after authentication is switched to LDAP by using that sysadmin account.
    • To create an LDAP user in BMC Database Automation (BDA):
      1. Log on to the BDA Manager server.
      2. Run the following command:

        /app/clarity/manager_scripts/bin/adduser.pl --ldap <ldap_username> <ldap_user_firstname> <ldap_user_lastname>
  • (Required for Red Hat Enterprise Linux (RHEL) 7) Configure the optional repository by running the following command in order to download the mod_ldap package:
    subscription-manager repos --enable rhel-7-server-optional-rpms
  • (Required only for RHEL 6 and RHEL 7) Install the mod_ldap module by running the following command: yum install mod_ldap -y
  • Confirm that the Manager can reach the LDAP port for the mode you will use:
    • Non-SSL mode (port 389):
      openssl s_client -connect <LDAPserverName>:389 -state -nbio 2>&1
      Port 389 is plaintext, so the TLS handshake in this check fails; a CONNECTED line followed by a handshake error still confirms that the port is reachable. (Newer OpenSSL releases also accept -starttls ldap here.)
    • SSL mode (port 636):
      openssl s_client -connect <LDAPserverName>:636 -state -nbio 2>&1
      Add -CAfile <pathOfCertificate> with the CA file you will later reference from LDAPTrustedGlobalCert to confirm that the certificate the server presents chains to that CA (look for "Verify return code: 0 (ok)").

To integrate Active Directory by using RHEL 5, 6, and 7

Note

Beginning with BDA version 8.7, there is no longer Manager support for servers running RHEL 4.

  1. Confirm that the /etc/httpd/conf/httpd.conf file includes the following lines:
    LoadModule ldap_module modules/mod_ldap.so
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
  2. Open the /etc/httpd/conf.d/gridapp.conf file and add the following lines as global configuration entries (outside of the <VirtualHost></VirtualHost> section). (These entries are not applicable to Apache version 2.4.)
    LDAPSharedCacheSize 200000
    LDAPCacheEntries 1024
    LDAPCacheTTL 600
    LDAPOpCacheEntries 1024
    LDAPOpCacheTTL 600
    The following lines are required only when LDAP over SSL is to be implemented:
    For Apache versions earlier than 2.2:
    LDAPTrustedCA /etc/ssl/certs/certnew.cer
    LDAPTrustedCAType BASE64_FILE
    For Apache versions 2.2 or later:
    LDAPTrustedGlobalCert CA_BASE64 pathOfCertificate

    LDAPTrustedCA points to the file on the Manager node that holds the certificate of the trusted Certificate Authority, and LDAPTrustedCAType gives the format of that file (BASE64_FILE for a PEM-encoded *.cer). On Apache 2.2 and later, LDAPTrustedGlobalCert CA_BASE64 <pathOfCertificate> carries both pieces of information in one directive. This is the CA against which mod_ldap verifies the directory server's certificate when the ldaps:// URL is used.
  3. Within the VirtualHost in the /etc/httpd/conf.d/gridapp.conf file, configure the URL for LDAP authentication and the ldap-status handler.
    The following example specifies ldap-status.

    Note

    In the example, any AuthLDAPURL that fits your directory can be used, unless you are configuring a secure connection to LDAP/AD using SSL (Secure LDAP). In that case, the URL must start with ldaps:// (port 636). With a plain ldap:// URL, the bind credentials and every user password checked against the directory cross the network in cleartext.

    The AuthLDAPURL, AuthLDAPBindDN and AuthLDAPBindPassword values must be correct for your LDAP server. For security purposes, create a dedicated domain user account for the AuthLDAPBind directives. This account needs no special privileges; it can be an ordinary domain user that is not a member of any built-in group. Because AuthLDAPBindPassword is stored in cleartext, restrict gridapp.conf so that only root can read it.

    The placeholder values in the example (server.domain.com, DC=domain,DC=com, binduser@domain.com, password, and the AuthName string) must be replaced with values specific to your environment before this configuration is activated.

    If SSL is enabled on BDA Manager, add the following lines under VirtualHost *:443. If SSL is not enabled, add the lines under VirtualHost _default_:80; note that AuthType Basic then sends each user's password to the Manager in a trivially decodable encoding on every request, so enable SSL on the Manager before switching to LDAP authentication wherever possible.

    (AuthzLDAPAuthoritative Off is not applicable to Apache version 2.4; omit that line there.)

    <Location /ldap-status>
    SetHandler ldap-status
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative Off
    AuthLDAPURL ldap://server.domain.com/DC=domain,DC=com?sAMAccountName?sub?(objectClass=user)
    AuthLDAPBindDN binduser@domain.com
    AuthLDAPBindPassword password
    AuthType Basic
    AuthName "Domain.com Active Directory"
    Require valid-user
    </Location>

  4. Configure the BDA Apache module for external authentication by setting the following directives inside the VirtualHost block (but not inside any Location blocks):
    # This is the only directive that needs to be changed if you wish to
    # switch back to local authentication.
    GridAppExternalAuthEnabled <on|off>
    # This must match the path chosen for the Location block; in this case:
    GridAppExternalAuthUri /ldap-status
    # Optional. If set, logins as <ldap-user> are treated as sysadmin in Clarity.
    # If not configured, you need a 'sysadmin' user in the Active Directory.
    GridAppSysadminAlias <ldap-user>
  5. Reload the httpd service, and then test authentication from the Manager by using an account that exists in both the LDAP directory as well as the Manager.
  6. Depending on the mode you are using, use one of the following commands to confirm that LDAP is configured properly. If the command finds one or more entries, each entry is written to standard output in LDAP Data Interchange Format (LDIF).
    • For non-SSL mode, run the following command:
      ldapsearch -x -H ldap://<LDAPserverName> -b dc=<example>,dc=<com> -D "cn=<Smith>" -w <SmithPassword> "(&(objectClass=organizationalPerson)(isMemberOf=<cn=users,dc=groups,dc=domain,dc=com>))" uid
    • For SSL mode, run the following command:
      ldapsearch -x -H ldaps://<LDAPserverName> -b dc=<example>,dc=<com> -D "cn=<Smith>" -w <SmithPassword> "(&(objectClass=organizationalPerson)(isMemberOf=<cn=users,dc=groups,dc=domain,dc=com>))" uid
      In the commands, replace the variables enclosed in < > with actual values. Prefer -W (prompt for the password) over -w <SmithPassword>, which leaves the password in the shell history and visible in the process list. Against Active Directory, bind with the dedicated account's UPN (for example -D binduser@domain.com), filter on memberOf rather than isMemberOf, and request sAMAccountName rather than uid, so that the search exercises the same attribute named in AuthLDAPURL.

To grant Active Directory authorization to specific users in a group

Mapping Active Directory groups to BDA groups is not supported. However, you can configure BDA to limit access to the members of a specific directory group.

Note

Active Directory is used only for authentication, meaning that it controls who can log on to the BDA GUI. It differs from capabilities, which are granted to users by configuring specific security groups in BDA.

To allow only members of a given group to log on to BDA, add the following lines to the <Location> section of the /etc/httpd/conf.d/gridapp.conf configuration file, and remove the existing Require valid-user line. Apache grants access when any one Require line in a context is satisfied (on 2.4 this is the implicit RequireAny), so leaving Require valid-user in place lets every directory user in regardless of group membership.

AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
Require ldap-group cn=bmccompany,ou=Group,dc=domain,dc=com

Example
(AuthzLDAPAuthoritative Off is not applicable to Apache version 2.4; omit that line there.)

<Location /ldap-status>
SetHandler ldap-status
AuthBasicProvider ldap
AuthzLDAPAuthoritative Off
AuthLDAPURL ldap://server.domain.com/DC=domain,DC=com?sAMAccountName?sub?(objectClass=user)
AuthLDAPBindDN binduser@domain.com
AuthLDAPBindPassword password
AuthType Basic
AuthName "Domain.com Active Directory"
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
Require ldap-group cn=bmccompany,ou=Group,dc=domain,dc=com
</Location>

Require valid-user from the earlier example is intentionally absent here: with it present, any authenticated directory user would satisfy the Location regardless of group membership.

Note

The AuthLDAPGroupAttributeIsDN setting depends on how the directory stores group membership. Active Directory groups hold their members as full DNs in the group's member attribute, so against AD use AuthLDAPGroupAttribute member with AuthLDAPGroupAttributeIsDN on; the memberUid / off pairing shown above matches POSIX-style groups whose members are stored as bare user names. For more information, see the mod_authnz_ldap section of the Apache HTTP Server Version 2.2 documentation.
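The following shell script is added here as an example; it is not BDA tooling and does not appear on the original page. It checks a gridapp.conf for the four conditions discussed in the procedure and in the group section above: an AuthLDAPURL that is not ldaps://, a Require valid-user line left beside Require ldap-group, a GridAppExternalAuthUri that names no <Location> block, and a file holding AuthLDAPBindPassword that other users can read. The two configuration files it writes are constructed from the page's example; the hardened one assumes an Active Directory group, whose members are stored as full DNs in the member attribute, so it uses AuthLDAPGroupAttribute member with AuthLDAPGroupAttributeIsDN on. The function names and messages are the example's own.

```shell
#!/bin/sh
# Added example, not BDA tooling: lint the LDAP <Location> block of a
# gridapp.conf for the weaknesses discussed on this page. Function names
# and the two sample configs below are this example's own constructions.

# 0 when AuthLDAPURL uses ldaps://; 1 when the bind and user passwords
# would cross the network in cleartext.
ldap_url_is_tls() {
  grep -Eiq '^[[:space:]]*AuthLDAPURL[[:space:]]+"?ldaps://' "$1"
}

# Apache grants access when any Require line in a context is satisfied
# (the implicit RequireAny of 2.4), so "Require valid-user" next to
# "Require ldap-group" admits every directory user. 0 when that bypass
# is present.
group_require_is_bypassed() {
  grep -Eiq '^[[:space:]]*Require[[:space:]]+valid-user' "$1" &&
    grep -Eiq '^[[:space:]]*Require[[:space:]]+ldap-group' "$1"
}

# 0 when GridAppExternalAuthUri names a <Location> that exists in the file.
auth_uri_has_location() {
  uri=$(sed -n 's/^[[:space:]]*GridAppExternalAuthUri[[:space:]]*//p' "$1" | head -n 1)
  [ -n "$uri" ] && grep -Eq "^[[:space:]]*<Location[[:space:]]+$uri[[:space:]]*>" "$1"
}

# AuthLDAPBindPassword is stored in cleartext, so the file must not be
# readable by "other". 0 when the other permission bits are all clear.
bind_password_not_world_readable() {
  [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# Report each finding on stderr and print the number of findings on stdout.
lint_gridapp_conf() {
  f=$1
  n=0
  ldap_url_is_tls "$f" ||
    { echo "$f: AuthLDAPURL is not ldaps://, credentials cross the network in cleartext" >&2; n=$((n + 1)); }
  if group_require_is_bypassed "$f"; then
    echo "$f: Require valid-user beside Require ldap-group makes the group restriction ineffective" >&2
    n=$((n + 1))
  fi
  auth_uri_has_location "$f" ||
    { echo "$f: GridAppExternalAuthUri does not name a <Location> block in this file" >&2; n=$((n + 1)); }
  bind_password_not_world_readable "$f" ||
    { echo "$f: file is readable by other users and holds AuthLDAPBindPassword" >&2; n=$((n + 1)); }
  echo "$n"
}

# Constructed "before": the page's example with ldap://, both Require
# lines, a mismatched GridAppExternalAuthUri and world-readable permissions.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
<VirtualHost _default_:80>
<Location /ldap-status>
SetHandler ldap-status
AuthBasicProvider ldap
AuthLDAPURL ldap://server.domain.com/DC=domain,DC=com?sAMAccountName?sub?(objectClass=user)
AuthLDAPBindDN binduser@domain.com
AuthLDAPBindPassword password
AuthType Basic
AuthName "Domain.com Active Directory"
Require valid-user
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN on
Require ldap-group CN=bmccompany,OU=Group,DC=domain,DC=com
</Location>
GridAppExternalAuthEnabled on
GridAppExternalAuthUri /ldap-auth
</VirtualHost>
EOF
chmod 644 "$WEAK_CONF"

# Constructed "after": ldaps://, a single group Require, a matching URI,
# and a file that only its owner can read.
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
<VirtualHost *:443>
<Location /ldap-status>
SetHandler ldap-status
AuthBasicProvider ldap
AuthLDAPURL ldaps://server.domain.com/DC=domain,DC=com?sAMAccountName?sub?(objectClass=user)
AuthLDAPBindDN binduser@domain.com
AuthLDAPBindPassword password
AuthType Basic
AuthName "Domain.com Active Directory"
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN on
Require ldap-group CN=bmccompany,OU=Group,DC=domain,DC=com
</Location>
GridAppExternalAuthEnabled on
GridAppExternalAuthUri /ldap-status
</VirtualHost>
EOF
chmod 600 "$HARDENED_CONF"

lint_gridapp_conf "$WEAK_CONF"       # reports four findings, prints 4
lint_gridapp_conf "$HARDENED_CONF"   # prints 0
```

Run it on the Manager as sh against the real /etc/httpd/conf.d/gridapp.conf by calling lint_gridapp_conf with that path; a non-zero count means at least one of the conditions above needs attention before LDAP authentication is switched on. The permission check looks only at the "other" bits because httpd reads its configuration as root at startup, so a root-only file is sufficient.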

If the following error message appears on Apache version 2.4, comment out the Listen 443 line in gridapp.conf. On RHEL 7 the mod_ssl configuration (ssl.conf) already listens on port 443, and a second Listen for the same port fails with this error.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
