Configuring LDAP authentication for the Analyzer and Collector


To establish interoperability between the Real User Analyzer and Real User Collector components and an LDAP server, and to assign the Observer role to LDAP users, you must configure authentication through LDAP.


Before you begin

A user logged on with Security permission must enable LDAP authentication and authorization on the Real User Analyzer and the Real User Collector components.

Perform the following steps on both components:

  1. Open Administration > Security settings > Account policies page.
  2. In the Device access section, click Enable for LDAP authentication and authorization.
  3. On the Action menu for LDAP authentication and authorization, click Edit.

    The Edit Automatic account creation policy pop-up appears.

  4. Ensure that the Automatically create Real User Analyzer accounts for authenticated and authorized LDAP users box is selected.

    If this box is cleared, LDAP users that authenticate successfully are not given a Real User Analyzer account and therefore cannot log on.

  5. Click Save.

To configure LDAP authentication for the Analyzer and Collector

The following procedure describes how to configure LDAP authentication for the Real User Analyzer, but you can use the same procedure to configure LDAP authentication on the Real User Collector.

  1. On the Administration page of the Real User Analyzer, select General Settings > Accounts and LDAP management, and select the LDAP settings view.
  2. In the Directory Server section, select Edit from the Action menu, and add information specific to your LDAP server:
    1. In the Host box, enter the host name or IP address of the server where the LDAP directory resides.
    2. In the Port box, enter the TCP port of the host server (indicated in the Host box). The standard port for LDAP is port 389 for non-SSL connections and 636 for SSL connections.
    3. From the Authentication list, select the authentication for the system to use, Simple (username & password) or Anonymous.
    4. If you selected simple authentication, complete the following steps; otherwise, continue with the Connection security level setting:
      1. In the Search username (bind DN) box, enter the name of the user account permitted to search the LDAP directory within the defined search base. Use the DN format, for example, cn=Administrator,cn=Users,dc=domain,dc=com. A read-only service account that can search the directory is sufficient; a domain administrator account is not required.
      2. In the Password box, enter the password for the account on the directory server that corresponds to the user account in the Search username (bind DN) box.
    5. In the Connection security level list, select the type of communication, Non-Secure or LDAPS (Secure LDAP, also known as LDAP over SSL). With Non-Secure and simple authentication, the bind DN password crosses the network in cleartext on every lookup, so use LDAPS wherever the directory server supports it.
    6. (Optional) If you selected LDAPS in the Connection security level list, select Allow SSL connection to LDAP server using self-signed certificate only when the directory server presents a self-signed certificate. This setting skips certificate chain validation, so leave it cleared whenever the server certificate is an X.509 certificate (also known as an SSL certificate) issued by a trusted Certificate Authority (CA).
    7. In the Connection timeout box, specify the length of time that the system waits before it declares an error on the connection.
  3. (Optional) Click Test Server.
     A message indicates success, or failure together with the reason for the error.
  4. In the User lookup for authentication section, add information to enable the Real User Analyzer to look up users that are registered on the LDAP server:
    1. In the Base DN box, enter the base distinguished name (DN) to indicate where you want to begin the search in the LDAP directory. An LDAP directory is arranged in tree fashion, with a root and branches off this root. The base DN indicates at which node to start the search.
    2. In the Filter box, enter the LDAP search filter (RFC 4515 syntax, for example (objectClass=person)) that returns the entries you want to treat as candidate users.
    3. In the Filter Scope list, select the starting point of a search and the depth from the base DN to which the search should occur:
      • Base searches only the entry at the base DN, resulting in only that entry being returned (if it also meets the search filter criteria).
      • One Level searches all entries that are one level under the base DN (excluding the base DN).
      • Subtree searches all entries at all levels under and including the specified base DN.
    4. In the Username attribute box, enter a single LDAP user attribute that the system uses for the lookup — for example cn. It can be any attribute configured on the LDAP server.
    5. In the Member Attribute box, enter the name of the group attribute that lists the group's members, for example member or uniqueMember.
  5. (Optional) Click Test lookup.
     If the server and lookup are configured correctly, a list of LDAP users appears in a new window.
  6. Click Save.
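The settings above can also be exercised outside the UI, which is useful when Test Server or Test lookup fails and you want to see the raw directory response. The following script is an added example and not part of the product; it mirrors the field names of the LDAP settings view, composes the equivalent ldapsearch command, applies RFC 4515 escaping to the login name that is substituted into the filter, and flags the insecure combinations described in the procedure. The host name, bind DN, base DN and helper names are assumptions chosen for illustration.

```python
"""Reproduce the Analyzer's Test Server / Test lookup from the command line.

Added example (not BMC code). Field names follow the LDAP settings view;
sample values such as ldap.example.com and the service account DN are
assumptions for illustration.
"""
import shlex
from dataclasses import dataclass

# Maps the UI's Filter Scope choices to the ldapsearch -s argument.
SCOPE_FLAGS = {"Base": "base", "One Level": "one", "Subtree": "sub"}


@dataclass
class LdapSettings:
    host: str
    port: int
    authentication: str            # "Simple" or "Anonymous"
    bind_dn: str = ""
    password: str = ""
    security: str = "Non-Secure"   # "Non-Secure" or "LDAPS"
    allow_self_signed: bool = False
    base_dn: str = ""
    filter: str = "(objectClass=person)"
    scope: str = "Subtree"
    username_attribute: str = "cn"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter.

    Without it a login name such as "*)(objectClass=*" would rewrite the
    filter and widen the lookup to every entry under the base DN.
    """
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def lookup_filter(settings: LdapSettings, login_name: str) -> str:
    """AND the configured Filter with a match on the Username attribute."""
    user_term = "(%s=%s)" % (settings.username_attribute,
                             escape_filter_value(login_name))
    return "(&%s%s)" % (settings.filter, user_term)


def security_findings(settings: LdapSettings) -> list:
    """Return the weak-setting combinations a reviewer would flag."""
    findings = []
    if settings.authentication == "Simple" and settings.security != "LDAPS":
        findings.append("simple bind over Non-Secure LDAP sends the bind DN "
                        "password in cleartext on every lookup")
    if settings.security == "LDAPS" and settings.allow_self_signed:
        findings.append("self-signed acceptance skips certificate chain "
                        "validation, so the directory can be impersonated")
    if settings.authentication == "Simple" and \
            settings.bind_dn.lower().startswith("cn=administrator,"):
        findings.append("bind DN is a domain administrator; a read-only "
                        "service account is enough to search the directory")
    return findings


def ldapsearch_command(settings: LdapSettings, login_name: str = None) -> str:
    """Build the ldapsearch invocation equivalent to Test Server/Test lookup.

    The password is never placed on the command line: -W prompts for it.
    """
    scheme = "ldaps" if settings.security == "LDAPS" else "ldap"
    argv = ["ldapsearch", "-H", "%s://%s:%d" % (scheme, settings.host, settings.port)]
    argv.append("-x")                       # simple (or anonymous) bind
    if settings.authentication == "Simple":
        argv += ["-D", settings.bind_dn, "-W"]
    argv += ["-b", settings.base_dn, "-s", SCOPE_FLAGS[settings.scope]]
    argv.append(lookup_filter(settings, login_name) if login_name else settings.filter)
    argv.append(settings.username_attribute)
    cmd = " ".join(shlex.quote(a) for a in argv)
    if settings.security == "LDAPS" and settings.allow_self_signed:
        # OpenLDAP client equivalent of the self-signed checkbox.
        cmd = "LDAPTLS_REQCERT=never " + cmd
    return cmd


if __name__ == "__main__":
    # Constructed sample settings (assumed names, not from the product docs).
    cfg = LdapSettings(host="ldap.example.com", port=636, authentication="Simple",
                       bind_dn="cn=svc-rua,ou=Service Accounts,dc=example,dc=com",
                       security="LDAPS", base_dn="ou=People,dc=example,dc=com",
                       filter="(objectClass=person)", scope="Subtree",
                       username_attribute="uid")
    print(ldapsearch_command(cfg, "alice"))
    for finding in security_findings(cfg):
        print("WARNING:", finding)
```

Run the printed command on a host with the OpenLDAP client tools; if it returns the expected entry while Test lookup does not, the difference lies in how the Analyzer reaches the directory (firewall, DNS, or the certificate it receives) rather than in the search settings.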

Where to go from here

Users authenticated through LDAP acquire Observer role access rights. For LDAP users to acquire accounts that are associated with the roles mapped to their LDAP group, you must configure authorization through LDAP.

Related topic

Adding-a-role-mapping-rule
