LDAP authentication
This topic provides an overview of the tasks that you must perform to set up LDAP authentication.
The TrueSight Server Automation Authentication Server can authenticate users defined in an LDAP registry by validating users against LDAP servers. When you log in and provide an LDAP distinguished name and password, the Authentication Service uses that information to bind to an external LDAP server. Binding means the Authentication Service connects to an LDAP server and authenticates you. If the binding is successful, the Authentication Service issues session credentials with a distinguished name.
Note
If you are configuring LDAP authentication for users in TrueSight Server Automation - Data Warehouse for the first time, you must create domain users (user@domainName) in TrueSight Server Automation and run ETL with the rbac.properties file. If you do not create domain users in TrueSight Server Automation, you cannot log on to TrueSight Server Automation - Data Warehouse by using LDAP authentication.
To set up LDAP-based authentication, perform the following steps:
- Provision the Authentication Server with trusted certificates for all LDAP servers.
- Specify the LDAP servers, including any servers used for high-availability purposes.
- Define the distinguished name template and enable LDAP authentication.
- Configure the Authentication Server to refresh session credentials.
- Validate that users can log on by using LDAP.
To provision the Authentication Server with trusted certificates for all LDAP servers
The Authentication Service uses the Transport Layer Security (TLS) protocol to encrypt its connection to the LDAP server.
The Authentication Service sends the user credentials to the LDAP server only if it can validate the LDAP server certificate. LDAP servers are authenticated through X.509 certificates that LDAP servers provide during the TLS handshake. When configuring LDAP, you must identify a file that contains trusted X.509 certificates. This file is the trust store. When provisioning X.509 certificates for the trust store of Authentication Server, you can use one of the following approaches:
- Install certificates for all LDAP servers. You must repeat this procedure each time an LDAP server certificate is updated.
- Install the certificate of the trusted Certificate Authority (CA) that issued certificates to the LDAP servers. Because all CA-issued certificates are trusted, all current and future LDAP certificates are automatically trusted. If the common names (CN) specified in the issued certificates are set to the fully-qualified domain names of the directory server, ensure that
IsHostValidationEnabled
is also set toTrue
.
To add X.509 certificates to the trust store of Authentication Server, do the following:
- Log in to the server where TrueSight Server Automation - Data Warehouse is installed.
- Navigate to the <TSSA-DWInstallationDirectory>\bin (Windows) or <TSSA-DWInstallationDirectory>/br (UNIX) directory.
Either add certificates from individual LDAP servers or import a certificate from a PEM file by using the
blcred
utility. For more information about theblcred
utility, see theblcred man
page.For example, to add the certificate for an LDAP server called ldap1.mycompany.com with a port number of 389, use the following
blcred
command:blcred -x ldapTrustStore.p12 cert -add -host ldap1.mycompany.com:389 -protocol ldap
For example, to import a certificate from a PEM file, use the following
blcred
command:blcred -x ldapStore.pem cert -add -host <host>:<port> -protocol ldap
- Start the Application Server Administration console (the
blasadmin
utility) as follows.- (Windows) Navigate to the <TSSA-DWInstallationDirectory>\bin directory and enter the following command:
blasadmin
. - (UNIX) Navigate to the <TSSA-DWInstallationDirectory>/br directory and enter the following command:
blasadmin
.
- (Windows) Navigate to the <TSSA-DWInstallationDirectory>\bin directory and enter the following command:
Identify the trust store containing trusted certificates by using the following
blasadmin
command:set Ldap TrustStore <storeLocation>
where
<storeLocation>
is the local path to a trust store.Check that common name (CN) of the certificate matches the fully qualified domain name (FQDN) of the LDAP server by using the following
blasadmin
command:set Ldap IsHostValidationEnabled True
Setting this value to true causes the Authentication Server to reject X.509 certificates, if the LDAP server's fully qualified domain name (FQDN) is not contained in one of the alternative names or the common name (CN).
Note
The Authentication Server only reads its certificate store when it starts. If you change the certificate trust store, be sure to restart the Authentication Service.
To specify the LDAP servers, including any servers used for high-availability purposes
When the Authentication Service needs to authenticate users by connecting to an LDAP server, provide a list of LDAP servers that it can potentially contact. Listing multiple servers ensures high availability and failover capability. When a list of multiple LDAP servers is available, LDAP connects to the first functional LDAP server in the list.
To identify LDAP servers, including any servers used for high availability configurations, do the following:
- Start the Application Server Administration console (the
blasadmin
utility) as follows.- (Windows) Navigate to the <TSSA-DWInstallationDirectory>\bin directory and enter the following command:
blasadmin
. - (UNIX) Navigate to the <TSSA-DWInstallationDirectory>/br directory and enter the following command:
blasadmin
.
- (Windows) Navigate to the <TSSA-DWInstallationDirectory>\bin directory and enter the following command:
Specify the URLs of all available LDAP servers by using the following
blasadmin
command:set Ldap LdapServerURLs <serverList>
where
<serverList>
is a list of one or more URLs of the LDAP servers in the environment. Each URL contains a server name or IP address (IPv4 or IPv6) and port. URLs must point to LDAPv3 servers that support the StartTLS extension. Separate URLs with commas or other delimiters.
For example,set Ldap LdapServerURLs ldap://server1:998,ldap://server2:1021,ldap://121.121.121.121:389,ldap://[2001::::::1]:389
Specify the amount of time to wait for an LDAP server to respond before terminating the connection by using the following
blasadmin
command:set Ldap ConnectionTimeoutMs <#>
where
<#>
is the number of milliseconds to wait. In a high availability configuration, this time is the amount of time that the service waits for a response from one URL before trying the next URL in the list you provided.
To define the distinguished name template and enable LDAP authentication
LDAP users are uniquely identified by distinguished names (DN), such as CN=admin, ou=dev, o=bladelogic. To authenticate an LDAP user, the Authentication Service requires a full DN and a corresponding password. Rather than entering a full DN, however, LDAP users only have to enter the part of a DN that is unique to their accounts. The name the LDAP user provides is transformed to a full DN by the use of a distinguished name template.
A DN template is a static string containing a {0} substring that is replaced with the name the LDAP user provides when logging on. For example, with a DN template of CN={0}, ou=dev, o=bladelogic, the LDAP user only enters a string such as "qatest3", which replaces the {0} substring. Consequently, the LDAP user DN becomes CN=qatest3, ou=dev, o=bladelogic.
DN templates can be defined in two places: the Authentication Service and the logon window for TrueSight Server Automation - Data Warehouse. These templates can be used together or by themselves.
For example,
- The DN template provided in the logon window might be CN={0}, CN=Users, DC=sub1.
- The Authentication Service DN template might be {0}, DC=bladelogic, DC=com.
If the LDAP user enters admin as a user name when logging on, the logon template transforms the name to CN=admin, CN=Users, CN=sub1 before sending it to the Authentication Service. Then, it is transformed into CN=admin, CN=Users, DC=sub1, DC=bladelogic, DC=com, where it is used to contact the LDAP server.
You can also define a distinguished name template when logging on to the client for TrueSight Smart Reporting for Server Automation. This template can be used in conjunction with the distinguished name template of the Authentication Server, or each template can be used individually. When you define a distinguished name template using the logon window for the TrueSight Smart Reporting for Server Automation client, that template remains in effect until you define a new distinguished name template using the logon window of client.
Do the following:
Define an LDAP distinguished name template by using the following
blasadmin
command:set AuthServer LdapUserDnTemplate "<text> {0}<text>"
where <text> represents any distinguished name objects that should be included in the template.
Enable LDAP authentication by using the following
blasadmin
command:set AuthServer IsLdapAuthEnabled true
By default LDAP authentication is not turned on.Restart the Authentication Service.
Note
On UNIX, if umask is not set to
022
, the Authentication Service will not start. Run the following commands from <TSSA-DWInstallationDirectory>and start the authentication service:#chmod –R 775 br/
#umask 022
#cd br
#./blauthservice start
To configure the Authentication Server to refresh session credentials
TrueSight Smart Reporting for Server Automation relies on the ability to refresh session credentials when executing scheduled jobs. This feature allows you to run scheduled reports without requiring you to authenticate again.
When refreshing session credentials, the Authentication Service validates the user account on the directory server. The account must exist and be enabled for logging on.
User account attributes that indicate whether an account has been disabled or locked differ across directory servers. The Authentication Service relies on the user validation filters to specify how to validate account attributes. If a custom user validation filter is not defined, the Authentication Service can only verify that the user account has not been deleted.
To refresh session credentials, the Authentication Service might need to authenticate itself to the directory server. If authentication is required, you must define a default LDAP user name and password.
Do the following:
Provide a default LDAP user name and password that can be used to log on when refreshing session credentials by using the following
blasadmin
commands:set Ldap DefaultUser <name>
set Ldap DefaultPassword <password>
Restart the Authentication Service.
To validate that users can log on by using LDAP
TrueSight Server Automation - Data Warehouse uses user validation filters when refreshing LDAP session credentials. These filters help determine whether a user account is in good standing.
A user validation filter is applied to a search query of the distinguished name of a user. If an account is disabled, locked, or not authorized to log on, the query must return empty results. The filter checks schema-specific attributes for values that indicate an account is not in good standing. If a custom validation filter is not defined, the Authentication Service can only verify whether a user account still exists. The Authentication Service cannot determine, for example, whether the account has been locked. User validation filters must be properly formatted LDAP search filters. See below for descriptions of some common validation filters.
Directory servers enforce different access controls on user account attributes. A directory server might allow anonymous connections to browse user account data, but a directory server typically restricts access to attributes that indicate whether an account is disabled. To take advantage of a custom user validation filter, the Authentication Service must log on to the directory server with a privileged account. The name and password of the privileged account are defined by the LDAP DefaultUser
and LDAP DefaultPassword
settings. If you are not employing user validation filters and your directory server allows anonymous connections, you do not need to define a default LDAP user and password.
Enter the following command:
set AuthServer LDAPUserValidationFilter <filter>
<filter>
is a validation filter used to validate users for a particular LDAP schema. Depending upon the type of LDAP directory server, use the following user validation filters:Configuring LDAP with Active Directory
Configuring LDAP with Novell eDirectory
Configuring LDAP with Sun Java System Directory Server
- Restart the Authentication Service.
Comments
Log in or register to comment.