Unsupported content

This version of the documentation is no longer supported. However, the documentation is available for your convenience. You will not be able to leave comments.

LDAP authentication

This topic provides an overview of the tasks that you must perform to set up LDAP authentication.

The BMC Server Automation Authentication Server can authenticate users defined in an LDAP registry by validating users against LDAP servers.

Note

If you are configuring LDAP authentication for users in BMC Decision Support for Server Automation for the first time, you must create domain users (user@domainName) in BMC Server Automation and run ETL with the rbac.properties file. If you do not create domain users in BMC Server Automation, you cannot log on to BMC Decision Support for Server Automation by using LDAP authentication.

When you log on and provide an LDAP distinguished name and password, the Authentication Service uses that information to bind to an external LDAP server. Binding means the Authentication Service connects to an LDAP server and authenticates you. If the binding is successful, the Authentication Service issues session credentials with a distinguished name.

LDAP configuration tasks

The following procedure is a master procedure. Each of the steps in this procedure references a subsection that describes another procedure. See Configuring LDAP authentication for a step-by-step procedure describing how to set up LDAP authentication.

  1. Provision the Authentication Server with trusted certificates for all LDAP servers. For more information, see Certificate trust store.
  2. Specify the LDAP servers, including any servers used for high availability purposes. For more information, see High availability configurations.
  3. Define a distinguished name template. For more information, see Distinguished names.
    You can also define a distinguished name template when logging on to the client for BMC Decision Support for Server Automation. This template can be used in conjunction with the distinguished name template of the Authentication Server, or each template can be used individually.

    When you define a distinguished name template using the logon window for the BMC Decision Support for Server Automation client, that template remains in effect until you define a new distinguished name template using the logon window of the client.

  4. Configure the Authentication Server to refresh session credentials.

High availability configurations

When the Authentication Service needs to authenticate users by connecting to an LDAP server, you might want to provide a list of LDAP servers that it can potentially contact. Listing multiple servers ensures high availability and failover capability. When a list of multiple LDAP servers is available, the Authentication Service connects to the first functional LDAP server in the list.

Certificate trust store

The Authentication Service uses the Transport Layer Security (TLS) protocol to encrypt its connection to the LDAP server.

The Authentication Service sends the user credentials to the LDAP server only if it can validate the LDAP server certificate. LDAP servers are authenticated via X.509 certificates that LDAP servers provide during the TLS handshake. When configuring LDAP, you must identify a file that contains trusted X.509 certificates. This file is the trust store. When provisioning X.509 certificates for the trust store of Authentication Server, you can use one of the following approaches:

  • Install certificates for all LDAP servers. You must repeat this procedure each time an LDAP server certificate is updated.
  • Install the certificate of the trusted Certificate Authority (CA) that issued certificates to the LDAP servers. Because all certificates issued by that CA are trusted, all current and future LDAP server certificates are automatically trusted. If the common names (CN) in the issued certificates are set to the fully qualified domain names of the directory servers, ensure that IsHostValidationEnabled is also set to True so that the presented certificate is checked against the host name being contacted.

To add X.509 certificates to the trust store of Authentication Server, use the blcred utility. For more information, see the blcred man page.

Distinguished names

LDAP users are uniquely identified by distinguished names (DN), such as CN=admin, ou=dev, o=bladelogic. To authenticate an LDAP user, the Authentication Service requires a full DN and a corresponding password. Rather than entering a full DN, however, LDAP users only have to enter the part of a DN that is unique to their accounts. The name the LDAP user provides is transformed to a full DN by the use of a distinguished name template.

A DN template is a static string containing a {0} substring that is replaced with the name the LDAP user provides when logging on. For example, with a DN template of CN={0}, ou=dev, o=bladelogic, the LDAP user only enters a string such as "qatest3", which replaces the {0} substring. Consequently, the LDAP user DN becomes CN=qatest3, ou=dev, o=bladelogic.

DN templates can be defined in two places: the Authentication Service and the logon window for BMC Decision Support for Server Automation. These templates can be used together or by themselves.

For example,

  • The DN template provided in the logon window might be CN={0}, CN=Users, DC=sub1.
  • The Authentication Service DN template might be {0}, DC=bladelogic, DC=com.

If the LDAP user enters admin as a user name when logging on, the logon template transforms the name to CN=admin, CN=Users, DC=sub1 before sending it to the Authentication Service. Then, it is transformed into CN=admin, CN=Users, DC=sub1, DC=bladelogic, DC=com, where it is used to contact the LDAP server.
