Important

This space contains documentation for TrueSight Server Automation 8.9.03 and the later service packs for 8.9. For earlier releases, see BMC Server Automation 8.9.

Implementing LDAP authentication


The TrueSight Server Automation Authentication Service can authenticate users defined in an LDAP registry. You can configure LDAP authentication to accept not only the full distinguished LDAP user name but also a shorter, simpler alias of the user name. TrueSight Server Automation then automatically determines the corresponding full distinguished name and approves the LDAP authentication.

Note: Using Active Directory as the LDAP Server

If you are using Active Directory as the LDAP server, BMC recommends configuring and using Domain Authentication instead. For more information, see Implementing Domain Authentication.

This topic provides information about the concepts and the steps involved in setting up LDAP-based authentication.

  1. Specify the LDAP servers
  2. Provision the authentication server with trusted certificates
  3. Define the distinguished name template and enable LDAP authentication
  4. Cross-register LDAP users with the RBAC user database


The following figure illustrates the process of setting up LDAP-based authentication:



Specify the LDAP servers


Identify the LDAP server(s) you will authenticate against.  Multiple LDAP servers can be provided.

  1. The LDAP server(s) identified must support LDAPv3 over STARTTLS.  LDAPS is not supported.
  2. On the Application Server, start the Application Server Administration console (the blasadmin utility).
  3. Specify the LDAP servers by performing the following steps:
    1. Specify the URLs of all available LDAP servers:

      set Ldap LdapServerURLs <serverList>

      where <serverList> is a list of one or more URLs of the LDAP servers in the environment. Each URL contains a server name or IP address (IPv4 or IPv6) and port.  For example:

      set Ldap LdapServerURLs ldap://server1:998,ldap://server2:1021,ldap://121.121.121.121:389,ldap://[2001::1]:389
    2. If you use multiple LDAP servers, you can optionally configure how long an authentication request waits for a response before moving on to the next LDAP server in the list:

      set Ldap ConnectionTimeoutMs <#>

      where <#> is the number of milliseconds to wait. The default value is 7000 milliseconds, which should be sufficient for most environments.
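As an added check, not part of the BMC documentation or product, the following Python reads an LdapServerURLs value in the form prescribed above and rejects entries that do not fit it: a scheme other than ldap:// (LDAPS is not supported), a missing host or port, or a bracketed IPv6 literal that is not a valid address. The URLs in it are constructed; the function names and the (host, port, kind) result shape are this example's own.

```python
"""Check an LdapServerURLs value against the documented format: a comma-separated
list of ldap:// URLs, each with a host (DNS name, IPv4, or bracketed IPv6) and an
explicit port.  Added example; the URLs used below are constructed."""
import ipaddress
from urllib.parse import urlsplit


def classify_host(host: str) -> str:
    """Return 'ipv4', 'ipv6' or 'name' so the caller can see how a literal was read."""
    try:
        return f"ipv{ipaddress.ip_address(host).version}"
    except ValueError:
        return "name"


def parse_ldap_server_urls(server_list: str) -> list[tuple[str, int, str]]:
    """Return (host, port, kind) for every entry, or raise ValueError naming the
    first entry that the documented format does not allow.

    Rejected: a scheme other than ldap:// (LDAPS is not supported; STARTTLS is
    negotiated on the ldap:// port), a missing host, a missing or out-of-range
    port, and a bracketed IPv6 literal that is not a valid address.
    """
    endpoints = []
    for raw in server_list.split(","):
        url = raw.strip()
        if not url:
            raise ValueError("empty entry in LdapServerURLs")
        try:
            parts = urlsplit(url)
            host, port = parts.hostname, parts.port   # .port validates the range
        except ValueError as exc:                     # bad port or bad [IPv6] literal
            raise ValueError(f"{url}: {exc}") from None
        if parts.scheme != "ldap":
            raise ValueError(f"{url}: scheme must be ldap, got {parts.scheme!r}")
        if not host:
            raise ValueError(f"{url}: missing host")
        if port is None:
            raise ValueError(f"{url}: an explicit port is required")
        endpoints.append((host, port, classify_host(host)))
    return endpoints


if __name__ == "__main__":
    # Constructed value in the documented form; hosts and ports are not real.
    sample = ("ldap://server1:998,ldap://server2:1021,"
              "ldap://121.121.121.121:389,ldap://[2001::1]:389")
    for host, port, kind in parse_ldap_server_urls(sample):
        print(f"{kind:5} {host} {port}")
```

The bracketed IPv6 entry is the one people most often get wrong: the brackets are required so that the address colons are not read as the port separator, and the literal inside them must be a well-formed address.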

Provision the Authentication Service with trusted certificates

Communication between the Authentication Service and the LDAP server uses STARTTLS. To establish the TLS connection, the Authentication Service must be able to validate the certificate presented by each LDAP server. You can accomplish this in one of two ways:

  • Import certificates for all LDAP servers. You must repeat this procedure each time an LDAP server's certificate is updated.
  • Import the certificate chain of the trusted Certificate Authority that issued certificates to the LDAP servers.

Importing LDAP Server Certificates

  1. To import each LDAP server's certificate, use the blcred command to create the trust store file and add the server certificate as described in Obtaining a certificate used to trust the LDAP server. For example, use the following command:

    blcred -x ldapStore.pem cert -add -host <host>:<port> -protocol ldap

    Repeat this command for each LDAP server, using the same trust store file.

Importing CA chain certificates:

<steps>

Configuring the Authentication Service to use the trusted certificates

  1. To identify the trust store containing trusted certificates, use the following command:

    set Ldap TrustStore <certificateStore>

    where <certificateStore> is the local path to the trust store file.

  2. To require that the host name of each LDAP server, as configured in the LdapServerURLs setting above, matches the common name or a subject alternative name on that server's certificate, set the following setting to true. If the name does not match, the Authentication Service refuses the connection to that LDAP server.

    set Ldap IsHostValidationEnabled true

    The Application Server only reads its certificate store when it starts up. If you change the certificate trust store, ensure that you restart the Application Server.


If you are using basic LDAP authentication, perform the following steps:

Define the distinguished name template and enable LDAP authentication

LDAP users are uniquely identified by distinguished names (DN), such as CN=user1,CN=Users,DC=ad,DC=example,DC=net. To authenticate a user, the Authentication Service requires a full DN and a corresponding password. Rather than specifying a full DN, users can enter the part of a DN that is unique to their accounts. The name the user provides is transformed to a full DN with the use of a distinguished name template. A DN template is a static string containing a {0} substring, which is replaced with the name the user provides when logging in.

You can define a DN template in two places: in the Authentication Service (the blasadmin setting described below) and in an LDAP authentication profile on the client. The two templates can be used together or on their own.

Example

With a DN template of CN={0},CN=Users,DC=ad,DC=example,DC=net, the user enters only a string such as user1, which replaces the {0} substring. The user's DN therefore becomes CN=user1,CN=Users,DC=ad,DC=example,DC=net.
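The substitution described above, written out as an added Python example (not the Authentication Service's own code): the typed name replaces {0}, and it is first escaped according to RFC 4514 so that whatever the user types fills exactly one CN value rather than becoming additional DN components. The template is the page's example; the function names and the second sample name are constructed.

```python
"""Apply an LdapUserDnTemplate to the name typed at login.  Added example, not
BMC's code: the template is the page's own, the sample names are constructed,
and the typed name is escaped per RFC 4514 so it always fills exactly one
attribute value in the resulting DN."""


def escape_dn_value(value: str) -> str:
    """Escape the characters RFC 4514 reserves inside an attribute value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=':
            out.append("\\" + ch)              # special anywhere in the value
        elif ch == " " and i in (0, last):
            out.append("\\ ")                  # leading or trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")                  # leading '#'
        elif ch == "\x00":
            out.append("\\00")                 # NUL must be hex-escaped
        else:
            out.append(ch)
    return "".join(out)


def apply_dn_template(template: str, login_name: str) -> str:
    """Replace the single {0} placeholder with the escaped login name."""
    if template.count("{0}") != 1:
        raise ValueError("template must contain exactly one {0} placeholder")
    if not login_name:
        raise ValueError("login name must not be empty")
    return template.replace("{0}", escape_dn_value(login_name))


TEMPLATE = "CN={0},CN=Users,DC=ad,DC=example,DC=net"   # the page's example template

if __name__ == "__main__":
    print(apply_dn_template(TEMPLATE, "user1"))
    # Separator characters in the typed name are escaped, so the value stays one CN.
    print(apply_dn_template(TEMPLATE, "user1,CN=Admins"))
```

The escaping is what keeps the template a fixed structure: the DN components to the right of {0} are decided by the administrator, and the escaped login name can only ever be the value of the one attribute the template places it in.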

Setting up a distinguished name template and enabling LDAP authentication

  1. To define an LDAP distinguished name template, enter the following:

    set AuthServer LdapUserDnTemplate "<text> {0} <text>"

    where <text> represents the distinguished name components that surround the user-supplied name in the template. For example:

    set AuthServer LdapUserDnTemplate "CN={0},CN=Users,DC=ad,DC=example,DC=net"

    Note

    Enhanced LDAP authentication settings that define a short version of LDAP user names (see the Enhanced LDAP Authentication steps below) take precedence over an LDAP distinguished name template. Therefore, if you plan to define enhanced LDAP authentication settings, you do not need to define an LDAP distinguished name template.

  2. On the TrueSight Server Automation client:
    1. Set up a distinguished name template, if necessary. This step is not needed if the DN template is already set in blasadmin.
    2. Set up an authentication profile for LDAP authentication.
      For more information, see System capabilities related to security, Setting up an authentication profile, and Managing authorizations.
  3. Enable LDAP authentication with the following command:

    set AuthServer IsLdapAuthEnabled true

    Note

    By default, LDAP authentication is not turned on.

If you are using Enhanced LDAP Authentication, perform the following steps:

  1. If you want LDAP authentication to accept an alias version of the LDAP user name that is shorter and simpler than the full distinguished LDAP user name (so that users do not need to know their full distinguished LDAP names), enter the following settings:

    • set Ldap UseEnhancedLdapAuth true
      Enables the use of the Enhanced LDAP Authentication feature for accepting a shorter version of the LDAP user name.

    • set Ldap UserSearchBaseDn <baseDistinguishedName>
      Defines the base distinguished name to use for searching for users. For example, if the full distinguished name of the user is "uid=jdoe,ou=my_ou,dc=my_company,dc=com", then UserSearchBaseDn should be set to "dc=my_company,dc=com".

    • set Ldap UserLookupAttribute <shortNameAttribute>
      Defines the attribute of an LDAP user object whose value should match the short name given by each user at logon.  For example, if the full distinguished name of the user is "uid=jdoe,ou=my_ou,dc=my_company,dc=com", then the UserLookupAttribute can be uid.  The value of this attribute should be the same as the name for the corresponding TrueSight Server Automation user.

    • set Ldap LoginAttribute <distinguishedNameAttribute>
      Defines the attribute of an LDAP user object whose value should be the full distinguished name of the user. For example, with Sun LDAP servers, this is most likely "entryDN".

    • set Ldap defaultUser <serviceAccountUser>
      Defines the full distinguished name of a service account that has read access to the user entries stored in the LDAP directory.

    • set Ldap defaultPassword <password>
      Defines the password of the service account. This will be stored as an encoded string.

    • set Ldap UserLdapFilter <filter>
      (Optional) Defines a filter to use to optimize the query to the LDAP server when obtaining user information.  For example, using a filter of (objectClass=user) would be faster than using a filter of (objectclass=*). If no filter is set, the objectClass of the service account is used as the default filter.

  2. Restart the Application Server (see Restarting a specific Application Server).
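The lookup these settings describe, as an added Python walk-through (not BMC's code) against an in-memory stand-in for the directory: the service account binds, the directory is searched below UserSearchBaseDn for the entry whose UserLookupAttribute equals the typed short name, LoginAttribute supplies the full DN, and the user's password is checked by binding as that DN. The entries, DNs, passwords and settings are constructed. FakeDirectory compares attribute values directly instead of parsing the filter string and honours UserLdapFilter only in the (objectClass=X) form; build_search_filter shows the filter a real client would send, with the short name escaped according to RFC 4515.

```python
"""Enhanced LDAP Authentication lookup, as an added illustration: bind as the
service account, find the entry whose UserLookupAttribute equals the typed short
name under UserSearchBaseDn, read LoginAttribute for the full DN, and bind as
that DN.  All entries, DNs, passwords and settings are constructed for this
example; FakeDirectory stands in for the LDAP server."""
import re
from dataclasses import dataclass


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the typed short name is matched literally and cannot
    change the structure of the search filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


@dataclass
class LdapSettings:
    """The 'set Ldap ...' values the lookup depends on (constructed values)."""
    UserSearchBaseDn: str
    UserLookupAttribute: str
    LoginAttribute: str
    defaultUser: str
    defaultPassword: str
    UserLdapFilter: str = ""       # optional, e.g. "(objectClass=user)"


def build_search_filter(settings: LdapSettings, short_name: str) -> str:
    """The filter sent to the directory: UserLdapFilter AND-ed with an equality
    match on UserLookupAttribute."""
    match = f"({settings.UserLookupAttribute}={escape_filter_value(short_name)})"
    return f"(&{settings.UserLdapFilter}{match})" if settings.UserLdapFilter else match


class FakeDirectory:
    """In-memory stand-in: {dn: (attributes, password)}.  It compares attribute
    values directly and honours UserLdapFilter only in the (objectClass=X) form."""

    def __init__(self, entries):
        self.entries = entries

    def bind(self, dn, password):
        entry = self.entries.get(dn)
        return entry is not None and entry[1] == password

    def search(self, base_dn, attr, value, ldap_filter=""):
        m = re.fullmatch(r"\(objectClass=([^)]+)\)", ldap_filter, re.IGNORECASE)
        wanted_class = m.group(1).lower() if m else None
        hits = []
        for dn, (attrs, _pw) in self.entries.items():
            if not dn.lower().endswith(base_dn.lower()):
                continue                      # outside the search base
            classes = [c.lower() for c in attrs.get("objectClass", [])]
            if wanted_class and wanted_class not in classes:
                continue
            if attrs.get(attr) == value:
                hits.append(attrs)
        return hits


def authenticate(directory, settings, short_name, password):
    """Return (ok, reason, full_dn); each failure is distinguishable in logs."""
    if not directory.bind(settings.defaultUser, settings.defaultPassword):
        return False, "service account bind failed", None
    hits = directory.search(settings.UserSearchBaseDn, settings.UserLookupAttribute,
                            short_name, settings.UserLdapFilter)
    if len(hits) != 1:
        return False, f"expected exactly one match, found {len(hits)}", None
    full_dn = hits[0].get(settings.LoginAttribute)
    if not full_dn:
        return False, f"{settings.LoginAttribute} missing on entry", None
    if not directory.bind(full_dn, password):
        return False, "user bind failed", full_dn
    return True, "ok", full_dn


# Constructed directory: a service account and two users named jdoe, one of
# them outside the search base so that it must not be matched.
SERVICE_DN = "cn=bsa-svc,ou=services,dc=my_company,dc=com"
JDOE_DN = "uid=jdoe,ou=my_ou,dc=my_company,dc=com"
DIRECTORY = FakeDirectory({
    SERVICE_DN: ({"objectClass": ["user"], "uid": "bsa-svc", "entryDN": SERVICE_DN}, "svc-pw-constructed"),
    JDOE_DN: ({"objectClass": ["user"], "uid": "jdoe", "entryDN": JDOE_DN}, "jdoe-pw-constructed"),
    "uid=jdoe,ou=other,dc=other,dc=com": ({"objectClass": ["user"], "uid": "jdoe"}, "other-pw"),
})
SETTINGS = LdapSettings(UserSearchBaseDn="dc=my_company,dc=com", UserLookupAttribute="uid",
                        LoginAttribute="entryDN", defaultUser=SERVICE_DN,
                        defaultPassword="svc-pw-constructed", UserLdapFilter="(objectClass=user)")

if __name__ == "__main__":
    print(build_search_filter(SETTINGS, "jdoe"))
    print(authenticate(DIRECTORY, SETTINGS, "jdoe", "jdoe-pw-constructed"))
```

Refusing an ambiguous result (more than one entry carrying the same short name) matters because the short name must map to exactly one account; widening UserSearchBaseDn to a parent of several user containers is the usual way such duplicates appear, which is why the base DN should be as narrow as the user population allows.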

Create RBAC User Objects for LDAP Users

Cross-registration enables LDAP users to be authorized for RBAC roles. When cross-registering users, be sure to enter each user's full distinguished name identically in both RBAC and the LDAP registry. Use RBAC to add users to the TrueSight Server Automation database. While creating users in RBAC, ensure that you select the Allow LDAP Authentication check box. For more information about adding users to RBAC, see Creating users.
