Important

This space contains documentation for TrueSight Smart Reporting for Server Automation 20.02.01. For earlier releases, see TrueSight Smart Reporting for Server Automation 19.2.

LDAP authentication

This topic provides an overview of the tasks that you must perform to set up LDAP authentication.

The TrueSight Server Automation Authentication Server can authenticate users defined in an LDAP registry by validating users against LDAP servers. When you log in and provide an LDAP distinguished name and password, the Authentication Service uses that information to bind to an external LDAP server. Binding means the Authentication Service connects to an LDAP server and authenticates you. If the binding is successful, the Authentication Service issues session credentials with a distinguished name.

Note

If you are configuring LDAP authentication for users in TrueSight Server Automation - Data Warehouse for the first time, you must create domain users (user@domainName) in TrueSight Server Automation and run ETL with the rbac.properties file. If you do not create domain users in TrueSight Server Automation, you cannot log on to TrueSight Server Automation - Data Warehouse by using LDAP authentication.

To set up LDAP-based authentication, perform the following steps:

  1. Provision the Authentication Server with trusted certificates for all LDAP servers. 
  2. Define the distinguished name template and enable LDAP authentication.

To provision the Authentication Server with trusted certificates for all LDAP servers

The Authentication Service uses the Transport Layer Security (TLS) protocol to encrypt its connection to the LDAP server.

The Authentication Service sends the user credentials to the LDAP server only if it can validate the LDAP server certificate. The LDAP server is authenticated by the X.509 certificate that it presents during the TLS handshake. When configuring LDAP, you must identify a file that contains the trusted X.509 certificates; this file is the trust store. When provisioning X.509 certificates for the trust store of the Authentication Server, you can use one of the following approaches:

  • Install the certificate of each LDAP server. You must repeat this procedure each time an LDAP server certificate is renewed or replaced.
  • Install the certificate of the trusted Certificate Authority (CA) that issued the certificates to the LDAP servers. Because every certificate issued by that CA is trusted, all current and future LDAP server certificates are trusted automatically. For the same reason, a certificate that the CA issued for some other host would also be trusted, so ensure that the common name (CN) in each issued certificate is the fully qualified domain name of the directory server and that IsHostValidationEnabled is set to true; the Authentication Service then accepts only the certificate that names the host it connected to.

To add X.509 certificates to the trust store of Authentication Server, do the following:

  1. Log in to the server where TrueSight Server Automation - Data Warehouse is installed.
  2. Navigate to the <TSSA-DWInstallationDirectory>\bin (Windows) or <TSSA-DWInstallationDirectory>/br (UNIX) directory.
  3. Use the blcred utility to add the certificate of each LDAP server to the trust store, which can be either a PKCS#12 (.p12) store or a PEM file. For more information about the blcred utility, see the blcred man page.

    For example, to add the certificate for an LDAP server called ldap1.mycompany.com with a port number of 389, use the following blcred command:

    blcred -x ldapTrustStore.p12 cert -add -host ldap1.mycompany.com:389 -protocol ldap

    To store the certificate in a PEM file instead of a PKCS#12 store, use the following blcred command:

    blcred -x ldapStore.pem cert -add -host <host>:<port> -protocol ldap

    Example:

    blcred -x certStore.pem cert -add -host test.bmc.com:389 -protocol ldap
  4. Start the blasadmin utility from the following directory:
    • (Windows) <TSSA-DWInstallationDirectory>\bin: enter the command blasadmin.
    • (UNIX) <TSSA-DWInstallationDirectory>/br: enter the command blasadmin.
  5. Identify the trust store that contains the trusted certificates by using the following blasadmin command:

    set Ldap TrustStore <storeLocation>

    where <storeLocation> is the local path to the trust store that you populated in step 3.

  6. Do one of the following. The values shown are examples; replace them with your own server names, distinguished names, and service-account password.

    • Run the following blasadmin commands when enhanced LDAP authentication is enabled:

      set AuthServer IsLdapAuthEnabled true
      set LDAP TrustStore ldapTrustStore.p12
      set LDAP LoginAttribute entryDN
      set LDAP UseEnhancedLDAPAuth true
      set LDAP UserLDAPFilter (objectclass=*)
      set LDAP UserLookupAttribute cn
      set LDAP UserSearchBaseDn ou=qa,o=bmc
    • Run the following blasadmin commands when enhanced LDAP authentication is not enabled:

      set LDAP LdapServerURLs hostname1.bmc.com, hostname2.bmc.com
      set LDAP IsHostValidationEnabled false
      set LDAP DefaultPassword password
      set LDAP DefaultUser "cn=user,ou=qa,o=bmc"
      set AuthServer LdapUserDnTemplate " "
      set AuthServer LdapUserValidationFilter "(!(nsAccountLock=true))"
      set AuthServer IsSSOCredRefreshEnabled true

    Setting IsHostValidationEnabled to false turns off the check that the host name in LdapServerURLs matches the name in the certificate presented by the LDAP server. Use that setting only while testing. In production, and in particular when you trust a CA certificate rather than the individual server certificates, set IsHostValidationEnabled to true so that a certificate issued by the same CA for a different host cannot be used to impersonate your LDAP server.

    The following table describes the command usage:

    Command: set Ldap UseEnhancedLdapAuth true
    Used to: Enable the Enhanced LDAP Authentication feature, which accepts a shorter version of an LDAP user name.

    Command: set Ldap UserSearchBaseDn <baseDistinguishedName>
    Used to: Define the base distinguished name under which users are searched. For example, if the full distinguished name of a user is "uid=jdoe,ou=my_ou,dc=my_company,dc=com", set UserSearchBaseDn to "dc=my_company,dc=com".

    Command: set Ldap UserLookupAttribute <shortNameAttribute>
    Used to: Define the attribute of an LDAP user object whose value must match the short name that each user provides at logon. For example, if the full distinguished name of the user is "uid=jdoe,ou=my_ou,dc=my_company,dc=com", the UserLookupAttribute can be uid. The value of this attribute must be the same as the name of the corresponding BMC Server Automation user.

    Command: set Ldap LoginAttribute <distinguishedNameAttribute>
    Used to: Define the attribute of an LDAP user object whose value is the full distinguished name of the user. For example, for Sun LDAP servers, the value can be "entryDN".

    Command: set Ldap defaultUser <serviceAccountUser>
    Used to: Define the full distinguished name of a service account that has read access to the user entries stored in the LDAP directory.

    Command: set Ldap defaultPassword <password>
    Used to: Define the password of the service account. The password is stored as an encoded string.

    Command: set Ldap UserLdapFilter <filter>
    Used to: (Optional) Define a filter that narrows the query sent to the LDAP server when obtaining user information. For example, (objectClass=user) or (objectclass=*). If no filter is set, the objectClass of the service account is used as the default filter.
  7. (optional) If you want LDAP authentication to accept an alias version of the LDAP user name that is shorter and simpler than the full distinguished LDAP user name (so that users do not need to know their full distinguished LDAP names), run these commands: 

    set Ldap UseEnhancedLdapAuth true 
    set Ldap UserSearchBaseDn <baseDistinguishedName>
    set Ldap UserLookupAttribute <shortNameAttribute>
    set Ldap LoginAttribute <distinguishedNameAttribute>
    set Ldap defaultUser <serviceAccountUser>
    set Ldap defaultPassword <password>
    set Ldap UserLdapFilter <filter>

    Examples:

    set Ldap UseEnhancedLdapAuth true
    set Ldap UserSearchBaseDn ou=qa,o=bmc
    set Ldap UserLookupAttribute cn
    set Ldap LoginAttribute entryDN
    set Ldap defaultUser "cn=user,ou=qa,o=bmc"
    set Ldap defaultPassword password
    set Ldap UserLdapFilter (objectclass=*)

    Depending on the value that you specify with the set LDAP UseEnhancedLDAPAuth command, the TrueSight Server Automation - Data Warehouse login page changes as follows:

    • set LDAP UseEnhancedLDAPAuth false
      The enhanced LDAP feature is disabled. In this case, you must provide a value for the distinguished name template along with the user name and password.

    • set LDAP UseEnhancedLDAPAuth true
      The enhanced LDAP feature is enabled. In this case, you need to provide only the user name and password.
  8. (optional) To view the changes done in the AuthServer, run the following command:
    show Auth all

  9. (optional) To view the changes done in the LDAP, run the following command:
    show Ldap All

  10. Restart the Authentication service.
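The following is an added example, not code from TrueSight Server Automation, that models the lookup configured in steps 6 and 7 when enhanced LDAP authentication is enabled: the Authentication Service binds as defaultUser, searches UserSearchBaseDn with UserLdapFilter for the entry whose UserLookupAttribute equals the short name the user typed, and reads that entry's LoginAttribute to obtain the DN it then binds with the user's password. The blasadmin values are the ones shown on this page; the function names, the in-memory directory, and the equality-only matcher (a real server evaluates the full filter) are constructed here for illustration. The security point it shows is that the short name is attacker-controlled input to a search filter and must be escaped per RFC 4515, and that anything other than exactly one match must be refused.

```python
"""Enhanced LDAP authentication: resolve a short login name to a full DN.

Added example for this page, not TrueSight's own code. CONFIG holds the
blasadmin values from step 7; DIRECTORY is a constructed sample directory;
the function names are chosen here for illustration.
"""
from typing import Dict, List

# blasadmin settings from step 7 of this page.
CONFIG: Dict[str, str] = {
    "UserSearchBaseDn": "ou=qa,o=bmc",
    "UserLookupAttribute": "cn",
    "LoginAttribute": "entryDN",
    "UserLdapFilter": "(objectclass=*)",
}

# Constructed sample directory. "jdoe" also exists under ou=dev (outside the
# search base), "asmith" exists twice under ou=qa (ambiguous), and the service
# account lives under ou=svc (outside the search base).
DIRECTORY: List[Dict[str, str]] = [
    {"entryDN": "cn=jdoe,ou=qa,o=bmc", "cn": "jdoe"},
    {"entryDN": "cn=jdoe,ou=dev,o=bmc", "cn": "jdoe"},
    {"entryDN": "cn=asmith,ou=qa,o=bmc", "cn": "asmith"},
    {"entryDN": "cn=ASmith,ou=team2,ou=qa,o=bmc", "cn": "ASmith"},
    {"entryDN": "cn=user,ou=svc,o=bmc", "cn": "user"},
]

# RFC 4515, section 3: characters that must be hex-escaped in a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string so that it is a literal inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_search_filter(short_name: str, config: Dict[str, str] = CONFIG) -> str:
    """Combine UserLdapFilter with the lookup-attribute match for the login name.

    Without escaping, a login such as '*' or 'x)(cn=*' would match every entry
    under UserSearchBaseDn, and the service account's search would resolve the
    login to an arbitrary user's DN.
    """
    attr = config["UserLookupAttribute"]
    return f"(&{config['UserLdapFilter']}({attr}={escape_filter_value(short_name)}))"


def _under_base(dn: str, base_dn: str) -> bool:
    """True when dn lies in the subtree below base_dn (case-insensitive string test)."""
    return dn.lower().endswith("," + base_dn.lower())


def resolve_user_dn(short_name: str, directory: List[Dict[str, str]] = DIRECTORY,
                    config: Dict[str, str] = CONFIG) -> str:
    """Return the LoginAttribute value of the single entry that matches short_name.

    Only equality on the lookup attribute is evaluated here, which is what the
    escaped filter expresses. Zero matches means an unknown user; more than one
    means the short name is ambiguous. Both cases refuse the login rather than
    guessing a DN to bind with.
    """
    attr = config["UserLookupAttribute"]
    login_attr = config["LoginAttribute"]
    matches = [
        entry[login_attr]
        for entry in directory
        if _under_base(entry[login_attr], config["UserSearchBaseDn"])
        and entry.get(attr, "").lower() == short_name.lower()
    ]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} entries match {attr}={short_name!r}; need exactly one")
    return matches[0]


if __name__ == "__main__":
    print(build_user_search_filter("jdoe"))
    print(build_user_search_filter("*)(cn=*"))
    print(resolve_user_dn("jdoe"))
```

The filter the service account sends for a login of jdoe is (&(objectclass=*)(cn=jdoe)); the hostile login *)(cn=* becomes a harmless literal rather than a wildcard. The bind with the user's password, which is the actual authentication, happens only after this lookup returns exactly one DN.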

To define the distinguished name template and enable LDAP authentication

LDAP users are uniquely identified by distinguished names (DN), such as CN=admin,ou=dev,o=bladelogic. To authenticate an LDAP user, the Authentication Service requires a full DN and the corresponding password. Rather than entering a full DN, however, LDAP users only have to enter the part of the DN that is unique to their accounts. The name the LDAP user provides is transformed into a full DN by a distinguished name template.

A DN template is a static string containing a {0} substring that is replaced with the name the LDAP user provides when logging on. For example, with a DN template of CN={0}, ou=dev, o=bladelogic, the LDAP user only enters a string such as "qatest3", which replaces the {0} substring. Consequently, the LDAP user DN becomes CN=qatest3, ou=dev, o=bladelogic.

You can use DN templates when the enhanced LDAP authentication is disabled. These templates are not required for enhanced LDAP authentication.

DN templates can be defined in two places: the Authentication Service and the logon window for TrueSight Server Automation - Data Warehouse. These templates can be used together or by themselves.

For example:

  • The DN template provided in the logon window might be CN={0}, CN=Users, DC=sub1.
  • The Authentication Service DN template might be {0}, DC=bladelogic, DC=com.

If the LDAP user enters admin as the user name when logging on, the logon template transforms the name to CN=admin, CN=Users, DC=sub1 before sending it to the Authentication Service. There, it is transformed into CN=admin, CN=Users, DC=sub1, DC=bladelogic, DC=com, which is the DN used to bind to the LDAP server.

You can also define a distinguished name template when logging on to the client for TrueSight Smart Reporting for Server Automation. This template can be used in conjunction with the distinguished name template of the Authentication Server, or each template can be used on its own. When you define a distinguished name template in the logon window of the TrueSight Smart Reporting for Server Automation client, that template remains in effect until you define a new distinguished name template in the logon window of the client.
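The two-stage template substitution described above, as an added example that is not part of the original page or of TrueSight's own code. The templates and the logins admin and qatest3 are the page's examples; the function names are chosen here. The point a practitioner should take from it is that the {0} placeholder is filled with user-typed text, so the name must be escaped once per RFC 4514 before substitution; otherwise a login such as qatest3,ou=admins would rewrite the DN rather than merely filling in its first component. The fragment produced by the first template already contains structural commas, so it is passed into the second template without further escaping.

```python
"""Distinguished name templates: expand a short login name to a full DN.

Added example for this page, not TrueSight's own code. The function names
are chosen here; the templates come from the page's example.
"""
from typing import Optional

PLACEHOLDER = "{0}"

# RFC 4514, section 2.4: characters escaped with a backslash inside a value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape a raw attribute value for embedding in a string DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # leading '#' would start a hex value
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):  # leading/trailing space
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def apply_dn_template(template: str, fragment: str) -> str:
    """Replace the {0} placeholder with an already-escaped DN fragment."""
    if PLACEHOLDER not in template:
        raise ValueError("a DN template must contain the {0} placeholder")
    return template.replace(PLACEHOLDER, fragment)


def resolve_login_dn(user_name: str,
                     logon_template: Optional[str] = None,
                     auth_server_template: Optional[str] = None) -> str:
    """Build the DN the Authentication Service binds with.

    The user-entered name is escaped exactly once. After the logon-window
    template has been applied the value is a DN fragment whose commas are
    structural, so it flows into the Authentication Service template unescaped.
    Either template may be omitted, as the page allows.
    """
    dn = escape_dn_value(user_name)
    for template in (logon_template, auth_server_template):
        if template:
            dn = apply_dn_template(template, dn)
    return dn


if __name__ == "__main__":
    print(resolve_login_dn("qatest3", "CN={0}, ou=dev, o=bladelogic"))
    print(resolve_login_dn("admin", "CN={0}, CN=Users, DC=sub1", "{0}, DC=bladelogic, DC=com"))
    print(resolve_login_dn("qatest3,ou=admins", "CN={0}, ou=dev, o=bladelogic"))
```

The template only builds the DN; it does not authenticate anyone. The bind that follows succeeds or fails on the password, so an escaped but nonexistent DN simply fails to bind, which is the desired outcome.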


Comments

  1. Sathish Kanth Swarna

    Setting the LDAP URL is missing in the above steps

    -> set Ldap LdapServerURLs ldap://:389

    Jan 19, 2021 09:39
    1. Bipin Inamdar

      Hello Sathish,

      We have added the command for the LDAP Server URL. See the first point under the second bullet list in step 6:
      set LDAP LdapServerURLs hostname1.bmc.com, hostname2.bmc.com

      Jan 24, 2021 11:31