LDAP authentication
This topic provides an overview of the tasks that you must perform to set up LDAP authentication.
The TrueSight Server Automation Authentication Server can authenticate users defined in an LDAP registry by validating users against LDAP servers. When you log in and provide an LDAP distinguished name and password, the Authentication Service uses that information to bind to an external LDAP server. Binding means the Authentication Service connects to an LDAP server and authenticates you. If the binding is successful, the Authentication Service issues session credentials with a distinguished name.
To set up LDAP-based authentication, perform the following steps:
To provision the Authentication Server with trusted certificates for all LDAP servers
The Authentication Service uses the Transport Layer Security (TLS) protocol to encrypt its connection to the LDAP server.
The Authentication Service sends the user credentials to the LDAP server only if it can validate the LDAP server certificate. LDAP servers are authenticated through the X.509 certificates that they present during the TLS handshake. When configuring LDAP, you must identify a file that contains the trusted X.509 certificates. This file is the trust store. When provisioning X.509 certificates for the Authentication Server's trust store, you can use one of the following approaches:
- Install certificates for all LDAP servers. You must repeat this procedure each time an LDAP server certificate is updated.
- Install the certificate of the trusted Certificate Authority (CA) that issued certificates to the LDAP servers. Because all CA-issued certificates are trusted, all current and future LDAP certificates are automatically trusted. If the common names (CN) specified in the issued certificates are set to the fully-qualified domain names of the directory server, ensure that IsHostValidationEnabled is also set to True.
To add X.509 certificates to the Authentication Server's trust store, do the following:
- Log in to the server where TrueSight Server Automation - Data Warehouse is installed.
- Navigate to the <TSSA-DWInstallationDirectory>\bin (Windows) or <TSSA-DWInstallationDirectory>/br (UNIX) directory.
- Either add certificates from individual LDAP servers or import a certificate from a PEM file by using the blcred utility. For more information about the blcred utility, see the blcred man page.
For example, to add the certificate for an LDAP server called ldap1.mycompany.com with a port number of 389, use the following blcred command:
blcred -x ldapTrustStore.p12 cert -add -host ldap1.mycompany.com:389 -protocol ldap
To import a certificate from a PEM file, use the following blcred command:
blcred -x ldapStore.pem cert -add -host <host>:<port> -protocol ldap
Example:
blcred -x certStore.pem cert -add -host test.bmc.com:389 -protocol ldap
- Navigate to the following directory to start the blasadmin utility:
- (Windows) <TSSA-DWInstallationDirectory>\bin directory, and enter the following command: blasadmin.
- (UNIX) <TSSA-DWInstallationDirectory>/br directory, and enter the following command: blasadmin.
- Identify the trust store containing the trusted certificates by using the following blasadmin command:
set Ldap TrustStore <storeLocation>
where <storeLocation> is the local path to a trust store.
Do one of the following:
Run the following blasadmin commands when enhanced LDAP authentication is enabled:
set AuthServer IsLdapAuthEnabled true
set LDAP TrustStore ldapTrustStore.p12
set LDAP LoginAttribute entryDN
set LDAP UseEnhancedLDAPAuth true
set LDAP UserLDAPFilter (objectclass=*)
set LDAP UserLookupAttribute cn
set LDAP UserSearchBaseDn ou=qa,o=bmc
Run the following blasadmin commands when enhanced LDAP authentication is not enabled:
set LDAP LdapServerURLs hostname1.bmc.com, hostname2.bmc.com
set LDAP IsHostValidationEnabled false
set LDAP DefaultPassword password
set LDAP DefaultUser "cn=user,ou=qa,o=bmc"
set AuthServer LdapUserDnTemplate " "
set AuthServer LdapUserValidationFilter "(!(nsAccountLock=true))"
set AuthServer IsSSOCredRefreshEnabled true
The following table describes the command usage:
Command: set Ldap UseEnhancedLdapAuth true
Used to: Enable the Enhanced LDAP Authentication feature, which accepts a shorter version of an LDAP user name at logon.
Command: set Ldap UserSearchBaseDn <baseDistinguishedName>
Used to: Define the base distinguished name under which users are searched. For example, if the full distinguished name of the user is "uid=jdoe,ou=my_ou,dc=my_company,dc=com", set UserSearchBaseDn to "dc=my_company,dc=com".
Command: set Ldap UserLookupAttribute <shortNameAttribute>
Used to: Define the attribute of an LDAP user object whose value must match the short name that each user enters at logon. For example, if the full distinguished name of the user is "uid=jdoe,ou=my_ou,dc=my_company,dc=com", the UserLookupAttribute can be uid. This attribute value must be the same as the name of the corresponding BMC Server Automation user.
Command: set Ldap LoginAttribute <distinguishedNameAttribute>
Used to: Define the attribute of an LDAP user object whose value is the full distinguished name of the user. For example, for Sun LDAP servers, the value can be "entryDN".
Command: set Ldap defaultUser <serviceAccountUser>
Used to: Define the full distinguished name of a service account that has read access to the user entries stored in the LDAP directory.
Command: set Ldap defaultPassword <password>
Used to: Define the password of the service account. The password is stored as an encoded string.
Command: set Ldap UserLdapFilter <filter>
Used to: (Optional) Define a filter that narrows the query sent to the LDAP server when obtaining user information, for example (objectClass=user) or (objectclass=*). If no filter is set, the objectClass of the service account is used as the default filter.
- (optional) If you want LDAP authentication to accept an alias version of the LDAP user name that is shorter and simpler than the full distinguished LDAP user name (so that users do not need to know their full distinguished LDAP names), run these commands:
set Ldap UseEnhancedLdapAuth true
set Ldap UserSearchBaseDn <baseDistinguishedName>
set Ldap UserLookupAttribute <shortNameAttribute>
set Ldap LoginAttribute <distinguishedNameAttribute>
set Ldap defaultUser <serviceAccountUser>
set Ldap defaultPassword <password>
set Ldap UserLdapFilter <filter>
Examples:
set Ldap UseEnhancedLdapAuth true
set Ldap UserSearchBaseDn ou=qa,o=bmc
set Ldap UserLookupAttribute cn
set Ldap LoginAttribute entryDN
set Ldap defaultUser "cn=user,ou=qa,o=bmc"
set Ldap defaultPassword password
set Ldap UserLdapFilter (objectclass=*)
- (optional) To view the changes made to the AuthServer settings, run the following command:
show Auth all
- (optional) To view the changes made to the LDAP settings, run the following command:
show Ldap All
- Restart the Authentication Service.
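A model of the enhanced logon flow configured above (lookup of the short name by UserLookupAttribute under UserSearchBaseDn, DN taken from LoginAttribute, then a bind as that DN), added here as an example; it is not BMC's code. The directory contents, passwords and the ldap_search and simple_bind stand-ins are constructed; the search filter is escaped per RFC 4515 so a typed short name cannot alter it.

```python
import hmac

# Constructed sample directory (not real data): attribute values keyed by DN.
DIRECTORY = {
    "cn=user,ou=qa,o=bmc": {"cn": "user", "entryDN": "cn=user,ou=qa,o=bmc", "pw": "svc-secret"},
    "cn=jdoe,ou=qa,o=bmc": {"cn": "jdoe", "entryDN": "cn=jdoe,ou=qa,o=bmc", "pw": "jdoe-pw"},
    "cn=locked,ou=qa,o=bmc": {"cn": "locked", "entryDN": "cn=locked,ou=qa,o=bmc",
                              "pw": "locked-pw", "nsAccountLock": "true"},
    "cn=jdoe,ou=dev,o=bmc": {"cn": "jdoe", "entryDN": "cn=jdoe,ou=dev,o=bmc", "pw": "dev-pw"},
}

# Settings taken from the blasadmin commands above (the password is a constructed value).
CONFIG = {
    "DefaultUser": "cn=user,ou=qa,o=bmc", "DefaultPassword": "svc-secret",
    "UserSearchBaseDn": "ou=qa,o=bmc", "UserLookupAttribute": "cn",
    "LoginAttribute": "entryDN", "UserLdapFilter": "(objectclass=*)",
}

def escape_filter_value(value):
    """RFC 4515 escaping: a typed short name must not be able to change the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_search_filter(cfg, short_name):
    """The filter the lookup sends: UserLdapFilter AND the lookup-attribute match."""
    return "(&%s(%s=%s))" % (cfg["UserLdapFilter"], cfg["UserLookupAttribute"],
                             escape_filter_value(short_name))

def simple_bind(dn, password):
    """Stand-in for an LDAP simple bind against the sample directory."""
    entry = DIRECTORY.get(dn)
    return entry is not None and hmac.compare_digest(entry["pw"], password)

def ldap_search(base_dn, attr, value):
    """Stand-in for the subtree search: entries under base_dn whose attr equals value."""
    return [e for dn, e in DIRECTORY.items()
            if dn.lower().endswith("," + base_dn.lower()) and e.get(attr) == value]

def enhanced_login(cfg, short_name, password):
    """Return (resolved DN or None, reason) for a logon with a short user name."""
    if not simple_bind(cfg["DefaultUser"], cfg["DefaultPassword"]):
        return None, "service account bind failed"
    matches = ldap_search(cfg["UserSearchBaseDn"], cfg["UserLookupAttribute"], short_name)
    if len(matches) != 1:  # zero or several matches: refuse rather than guess
        return None, "%d entries match %s" % (len(matches), build_search_filter(cfg, short_name))
    # LdapUserValidationFilter (!(nsAccountLock=true)) from the AuthServer settings above
    if matches[0].get("nsAccountLock") == "true":
        return None, "account locked"
    user_dn = matches[0][cfg["LoginAttribute"]]
    if not simple_bind(user_dn, password):
        return None, "user bind failed"
    return user_dn, "ok"
```

Because the search is scoped to UserSearchBaseDn, the cn=jdoe entry under ou=dev is never considered, so the logon resolves unambiguously to cn=jdoe,ou=qa,o=bmc.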
To define the distinguished name template and enable LDAP authentication
LDAP users are uniquely identified by distinguished names (DN), such as CN=admin, ou=dev, o=bladelogic. To authenticate an LDAP user, the Authentication Service requires a full DN and a corresponding password. Rather than entering a full DN, however, LDAP users only have to enter the part of a DN that is unique to their accounts. The name the LDAP user provides is transformed to a full DN by the use of a distinguished name template.
A DN template is a static string containing a {0} substring that is replaced with the name the LDAP user provides when logging on. For example, with a DN template of CN={0}, ou=dev, o=bladelogic, the LDAP user only enters a string such as "qatest3", which replaces the {0} substring. Consequently, the LDAP user DN becomes CN=qatest3, ou=dev, o=bladelogic.
DN templates can be defined in two places: the Authentication Service and the logon window for TrueSight Server Automation - Data Warehouse. These templates can be used together or by themselves.
For example,
- The DN template provided in the logon window might be CN={0}, CN=Users, DC=sub1.
- The Authentication Service DN template might be {0}, DC=bladelogic, DC=com.
If the LDAP user enters admin as a user name when logging on, the logon template transforms the name to CN=admin, CN=Users, DC=sub1 before sending it to the Authentication Service. There, it is transformed into CN=admin, CN=Users, DC=sub1, DC=bladelogic, DC=com, which is the DN used to contact the LDAP server.
You can also define a distinguished name template when logging on to the client for TrueSight Smart Reporting for Server Automation. This template can be used in conjunction with the distinguished name template of the Authentication Server, or each template can be used individually. When you define a distinguished name template in the logon window of the TrueSight Smart Reporting for Server Automation client, that template remains in effect until you define a new distinguished name template in the logon window of the client.
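The two-stage {0} template expansion described above, as an added example that is not part of BMC's documentation or product code. The template strings come from the examples above; escape_dn_value, apply_template and resolve_user_dn are names chosen here, and the escaping step follows RFC 4514 so that a comma or other special character typed at logon stays inside the CN value instead of adding an RDN.

```python
# Added example (not BMC's code): logon-window template first, then the
# Authentication Service template. The typed name is escaped before either
# template is applied, so it can only ever fill the {0} slot.

def escape_dn_value(value):
    """Escape an RDN attribute value as RFC 4514 section 2.4 requires."""
    out = []
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in '",+;<>\\' or (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def apply_template(template, name):
    """Replace the {0} placeholder in a DN template with the (already escaped) name."""
    if "{0}" not in template:
        raise ValueError("a DN template must contain the {0} placeholder")
    return template.replace("{0}", name)

def resolve_user_dn(login_name, logon_template=None, authserver_template=None):
    """Build the full DN. Either template may be omitted, matching the
    'used together or by themselves' rule in the text."""
    value = escape_dn_value(login_name)
    if logon_template:
        value = apply_template(logon_template, value)
    if authserver_template:
        value = apply_template(authserver_template, value)
    return value

if __name__ == "__main__":
    # The worked example from the text: admin -> CN=admin, CN=Users, DC=sub1, DC=bladelogic, DC=com
    print(resolve_user_dn("admin", "CN={0}, CN=Users, DC=sub1", "{0}, DC=bladelogic, DC=com"))
    # A comma typed at logon is escaped, so no extra RDN is introduced.
    print(resolve_user_dn("admin,ou=admins", "CN={0},ou=dev,o=bladelogic"))
```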