Configuring authorization through LDAP


Unlike in the hybrid approach (authentication only), in which every LDAP user acquires an Observer account, the full LDAP approach (authentication and authorization) lets you assign different access levels to groups of users registered on the LDAP server.

To establish interoperability between the Real User Analyzer and Real User Collector components and an LDAP server, and to assign the Observer role to LDAP users, you must configure authentication through LDAP.


Before you begin

A user logged on with Security permission must enable LDAP authentication and authorization on the Real User Analyzer and the Real User Collector components.

Perform the following steps on both components:

  1. Open the Administration > Security settings > Account policies page.
  2. In the Device access section, click Enable for LDAP authentication and authorization.
  3. On the Action menu for LDAP authentication and authorization, click Edit.

    The Edit Automatic account creation policy pop-up appears.

  4. Ensure that the Automatically create Real User Analyzer accounts for authenticated and authorized LDAP users box is selected.

    If this box is not selected, the LDAP users are not authenticated by the Real User Analyzer.

  5. Click Save.

To configure LDAP authorization

The procedure below describes the process for the Real User Analyzer. The process for configuring LDAP authorization on the Real User Collector is the same.

  1. On the Administration page of the Real User Analyzer, click Accounts and LDAP management and select the LDAP settings view.
  2. In the Directory Server section, add information specific to your LDAP server:
    1. In the Host box, enter the name of the server where the LDAP directory resides.
    2. In the Port box, enter the TCP port on which the LDAP directory listens on the host named in the Host box. The standard port for LDAP is 389 for non-SSL connections and 636 for SSL (LDAPS) connections.
    3. In the Authentication list, select the authentication method for the system to use: Simple (username and password) or Anonymous.
    4. If you selected Simple authentication, continue with the following steps; otherwise, skip to the Connection security level step:
      • In the Search username (bind DN) box, enter the user name of the account that is permitted to search the LDAP directory within the defined search base. Use the distinguished name (DN) format, which is a series of key-value pairs separated by commas (for example, cn=administrator,cn=Users,dc=domain,dc=com, where cn is common name and dc is domain component). The example DN is illustrative only: because the component stores this password and uses it to bind on every lookup, use a dedicated account that has read-only search rights on the search base rather than an administrative account.
      • In the Password box, enter the password for the account on the directory server that corresponds to the user account in the Search username (bind DN) box.
    5. In the Connection security level list, select the type of communication: Non-Secure or LDAPS (Secure LDAP, also known as LDAP over SSL). With Non-Secure, the bind DN password and every lookup cross the network in clear text, so select LDAPS wherever the directory server supports it.
    6. (Optional) If you selected LDAPS in the Connection security level list, select Allow SSL connection to LDAP server using self-signed certificate unless your organization requires an X.509 certificate (also known as an SSL certificate) purchased from a commercial Certificate Authority (CA). Note that with a self-signed certificate accepted, the component cannot verify that it is talking to the genuine directory server, so a host on the network path could impersonate the server and capture the bind DN password; prefer a certificate issued by a CA that the component trusts.
    7. In the Connection timeout box, specify how long the system waits for the directory server to respond before it reports a connection error.
  3. (Optional) Click Test Server.
     A message indicates success or failure because of errors.
  4. In the User lookup for authentication section, add information to enable the Real User Analyzer to look up users that are registered on the LDAP server:
    1. In the Base DN box, enter the base distinguished name (DN) to indicate where you want to begin the search in the LDAP directory. An LDAP directory is arranged in tree fashion, with a root and branches off this root. The base DN indicates at which node to start the search.
    2. In the Filter box, enter the query string that will return the records that you want to see.
    3. In the Filter scope list, select the starting point of a search and the depth from the base DN to which the search should occur:
      • Base searches only the entry at the base DN, resulting in only that entry being returned (if it also meets the search filter criteria).
      • One Level searches all entries that are one level under the base DN, but not including the base DN.
      • Subtree searches all entries at all levels under and including the specified base DN.
    4. In the Username attribute box, enter the single LDAP user attribute that the system compares with the login name, for example cn (on Active Directory, sAMAccountName is commonly used). It can be any attribute configured on the LDAP server.
  5. (Optional) Click Test lookup.
     If the server and lookup are configured correctly, a list of LDAP groups appears in a new window.
  6. Click Save.

    The authenticated and authorized users acquire accounts that are associated with the roles mapped to their LDAP group.
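The following script is an added example, not product code, and it models offline what the User lookup for authentication settings above amount to: the component combines the Filter with an equality match on the Username attribute, the Filter scope decides which entries below the Base DN are considered, and the groups of the matched entry are mapped to product roles. The sample directory, the group-to-role table (GROUP_ROLES) and the memberOf attribute are constructed assumptions; the role names Security and Observer are the product's. It also shows why the user name must be escaped per RFC 4515 before it is placed in the filter: an unescaped asterisk turns a login lookup into a match on every person in scope.

```python
"""Offline model of the LDAP user lookup and role mapping configured above.
Added example, not product code: the directory, the group-to-role table and the
memberOf attribute are constructed assumptions; the role names are the product's."""
import re

DIRECTORY = [  # constructed sample entries, not real data
    {"dn": "cn=Users,dc=example,dc=com", "objectClass": ["container"]},
    {"dn": "cn=alice,cn=Users,dc=example,dc=com", "objectClass": ["person"],
     "cn": ["alice"], "memberOf": ["cn=rum-admins,cn=Groups,dc=example,dc=com"]},
    {"dn": "cn=bob,cn=Users,dc=example,dc=com", "objectClass": ["person"],
     "cn": ["bob"], "memberOf": ["cn=rum-viewers,cn=Groups,dc=example,dc=com"]},
    {"dn": "cn=svc-ldap,cn=Service,cn=Users,dc=example,dc=com",
     "objectClass": ["person"], "cn": ["svc-ldap"], "memberOf": []},
]
GROUP_ROLES = {  # assumed mapping of LDAP group DN -> product role
    "cn=rum-admins,cn=Groups,dc=example,dc=com": "Security",
    "cn=rum-viewers,cn=Groups,dc=example,dc=com": "Observer",
}
CONFIG = {  # the values typed into the User lookup for authentication section
    "base_dn": "cn=Users,dc=example,dc=com",
    "filter": "(objectClass=person)",
    "scope": "one",  # "base", "one" (One Level) or "subtree"
    "username_attr": "cn",
}

def escape_filter_value(value):
    """RFC 4515 escaping: characters with meaning inside a filter become \\xx."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def parse_filter(text):
    """Parse the RFC 4515 subset needed here: (&...), (|...) and (attr=value)."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|":
            op, kids = text[pos], []
            pos += 1
            while text[pos] == "(":
                kids.append(node())
            pos += 1  # the closing ')'
            return (op, kids)
        end = text.index(")", pos)  # an escaped value contains no raw ')'
        attr, _, raw = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.lower(), raw)
    return node()

def value_regex(raw):
    """A raw '*' is a wildcard; an escaped \\xx sequence is a literal character."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and re.fullmatch(r"[0-9A-Fa-f]{2}", raw[i + 1:i + 3]):
            out.append(re.escape(chr(int(raw[i + 1:i + 3], 16))))
            i += 3
        else:
            out.append(".*" if raw[i] == "*" else re.escape(raw[i]))
            i += 1
    return "".join(out)

def matches(tree, entry):
    """Evaluate a parsed filter against one entry; attribute names are case-insensitive."""
    if tree[0] in "&|":
        combine = all if tree[0] == "&" else any
        return combine(matches(k, entry) for k in tree[1])
    _, attr, raw = tree
    values = next((v for k, v in entry.items() if k.lower() == attr), [])
    return any(re.fullmatch(value_regex(raw), v, re.IGNORECASE) for v in values)

def in_scope(entry_dn, base_dn, scope):
    """Base: only the base entry; one: its direct children; subtree: base and all below."""
    e = [p.strip().lower() for p in entry_dn.split(",")]  # sample DNs have no escaped commas
    b = [p.strip().lower() for p in base_dn.split(",")]
    if len(e) < len(b) or e[len(e) - len(b):] != b:
        return False
    depth = len(e) - len(b)
    return {"base": depth == 0, "one": depth == 1, "subtree": True}[scope]

def lookup_user(config, username, escape=True):
    """What Test lookup and login do: scope from the Base DN, filter AND (attr=username)."""
    name = escape_filter_value(username) if escape else username
    tree = parse_filter("(&%s(%s=%s))" % (config["filter"], config["username_attr"], name))
    return [e for e in DIRECTORY
            if in_scope(e["dn"], config["base_dn"], config["scope"]) and matches(tree, e)]

def account_for(entry, auto_create=True):
    """Roles from mapped groups; modelled so that no mapped group, or automatic account
    creation switched off, means no account (None)."""
    if not auto_create:
        return None
    roles = sorted({GROUP_ROLES[g] for g in entry.get("memberOf", []) if g in GROUP_ROLES})
    return {"user": entry["cn"][0], "roles": roles} if roles else None

if __name__ == "__main__":
    for name in ("alice", "svc-ldap", "*"):
        print(name, "->", [(e["dn"], account_for(e)) for e in lookup_user(CONFIG, name)])
    # Without escaping, a user name of '*' matches every person one level below the Base DN.
    print("unescaped '*' ->", [e["cn"][0] for e in lookup_user(CONFIG, "*", escape=False)])
```

Running it shows alice resolving to one entry with the Security role, svc-ldap not found at all with the One Level scope (it sits two levels below the Base DN, so only Subtree reaches it), and the escaped asterisk matching nothing, whereas the unescaped asterisk returns both alice and bob. The same reasoning applies when you choose the Filter: keep it as narrow as the directory allows (for example, an objectClass restriction) so that the username match is the only variable part of the query.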

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*