LDAP/Active directory authentication
The Lightweight Directory Access Protocol (LDAP) is a standard protocol used by many popular user repositories, including Microsoft Active Directory, ACF2, and RACF. Selecting the LDAP/Active Directory option configures the Authentication Server to connect to an LDAP server to authenticate the user and (optionally) obtain group membership information.
Theory of operation
For each authentication request received, the Authentication Server performs the following steps:
- Obtain the list of LDAP servers.
- Connect to the LDAP server of the highest priority.
- Perform a search for the user.
- Extract group membership information.
- Re-connect to the user's entry using the user's credentials.
- If any step produces an error, repeat the process with the next LDAP server.
The remainder of this section describes each step.
Obtain the list of LDAP servers
The Authentication Server either uses a specified list of servers or performs a DNS SRV record lookup to obtain the list of LDAP servers.
Connect to the LDAP server
The connection URI for the LDAP server is used, along with the Connect DN and Connect Password to connect to the selected LDAP server.
If the Connect DN is not specified, the Authentication Server performs token replacement on the Base DN and connects using the resulting Base DN and the user's password. If this connection succeeds, the user is authenticated if access is allowed, or rejected if access is not allowed. If the user is authenticated in this way, the search step is skipped.
Search
Use the Search Filter dialog to enable a search for specific criteria starting at the Base DN. You can make specifications for any of the following search criteria:
- Text
- Message ID
- Color
- System
- Job ID
- WTOR
- Time Range
You can also select the following options to refine the criteria used for the search as follows:
- Ignorecase - Ignores case-sensitive text
- Backward - Searches for previous messages
Reconnect using user's credentials
Now that the user's directory entry has been found, the Authentication Server re-connects using the DN of the user's entry and the password entered by the user. If the connection succeeds, the user is authenticated.
If Resource Level Authorization is enabled and the Group Attribute is specified, that attribute is extracted and interpreted as a list of distinguished names for all the group entries to which the user belongs. Each entry is retrieved, and the attribute specified by the Group Entry Name Attribute parameter is extracted. The list of groups is then tested against the Resource Level Authorization to determine if the user is allowed access.
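The flow described in the steps above (connect with the service credentials, search from the Base DN, read the groups named by the Group Attribute, then re-bind as the user, failing over to the next server on any error), as an added example. It is not the product's own code: it runs against an in-memory stand-in for an LDAP server so it works offline, and FakeLdapServer, the directory contents, the configuration keys and every name below are constructed for illustration.

```python
# Added example (not the product's own code): search-then-bind authentication with
# group extraction and server fail-over, simulated against an in-memory directory.
import re
from dataclasses import dataclass


class LdapError(Exception):
    """Any connect, bind or search failure; the caller moves on to the next server."""


@dataclass
class FakeLdapServer:
    """One LDAP server: a DN -> {attribute: [values]} map plus a reachability flag."""
    uri: str
    entries: dict
    reachable: bool = True

    def bind(self, dn, password):
        """Simple bind: the DN must exist and the password must match."""
        if not self.reachable:
            raise LdapError(f"{self.uri}: connection refused")
        entry = self.entries.get(dn)
        if entry is None or password not in entry.get("userPassword", []):
            raise LdapError(f"{self.uri}: invalid credentials")

    def search(self, base_dn, attribute, value):
        """Subtree search under base_dn for entries whose attribute holds value."""
        return [(dn, attrs) for dn, attrs in self.entries.items()
                if (dn == base_dn or dn.endswith("," + base_dn))
                and value in attrs.get(attribute, [])]

    def read(self, dn):
        """Base-scope read of one entry (used to retrieve each group entry)."""
        return self.entries.get(dn)


_EQUALITY = re.compile(r"^\(([A-Za-z][\w-]*)=([^)]*)\)$")


def parse_equality_filter(filter_text):
    """The simulation understands only a simple equality filter such as (uid=jdoe)."""
    m = _EQUALITY.match(filter_text)
    if not m:
        raise LdapError(f"unsupported filter in simulation: {filter_text}")
    return m.group(1), m.group(2)


def authenticate_on(server, cfg, username, password):
    """Run the steps on one server; returns (user DN, [group names])."""
    # Connect with the Connect DN / Connect Password so the search is permitted.
    server.bind(cfg["connect_dn"], cfg["connect_password"])
    # Search from the Base DN using the Search Filter; {0} is the user-name token.
    attribute, value = parse_equality_filter(cfg["search_filter"].replace("{0}", username))
    hits = server.search(cfg["base_dn"], attribute, value)
    if len(hits) != 1:
        raise LdapError(f"{server.uri}: expected one entry, found {len(hits)}")
    user_dn, attrs = hits[0]
    # The Group Attribute holds group DNs; read each one and take its
    # Group Entry Name Attribute as the group name.
    groups = []
    for group_dn in attrs.get(cfg["group_attribute"], []):
        group = server.read(group_dn)
        if group is not None:
            groups.extend(group.get(cfg["group_name_attribute"], []))
    # Re-connect as the user's own DN; success proves the entered password.
    server.bind(user_dn, password)
    return user_dn, groups


def authenticate(servers, cfg, username, password):
    """Try the servers in priority order; any error moves on to the next server."""
    last_error = None
    for server in servers:
        try:
            return authenticate_on(server, cfg, username, password)
        except LdapError as err:
            last_error = err
    raise LdapError(f"authentication failed on all servers: {last_error}")


# Constructed directory: a service account, one user and two groups.
DIRECTORY = {
    "cn=svc-auth,ou=service,dc=example,dc=com": {"userPassword": ["svc-secret"]},
    "cn=Alice Smith,ou=users,dc=example,dc=com": {
        "sAMAccountName": ["asmith"], "userPassword": ["alice-pw"],
        "memberOf": ["cn=Operators,ou=groups,dc=example,dc=com",
                     "cn=Auditors,ou=groups,dc=example,dc=com"]},
    "cn=Operators,ou=groups,dc=example,dc=com": {"cn": ["Operators"]},
    "cn=Auditors,ou=groups,dc=example,dc=com": {"cn": ["Auditors"]},
}
CONFIG = {
    "connect_dn": "cn=svc-auth,ou=service,dc=example,dc=com",
    "connect_password": "svc-secret",
    "base_dn": "dc=example,dc=com",
    "search_filter": "(sAMAccountName={0})",
    "group_attribute": "memberOf",
    "group_name_attribute": "cn",
}
# The first server is unreachable, so the request must fail over to the second.
SERVERS = [FakeLdapServer("ldaps://dc1.example.com:636/", DIRECTORY, reachable=False),
           FakeLdapServer("ldaps://dc2.example.com:636/", DIRECTORY)]

if __name__ == "__main__":
    print(authenticate(SERVERS, CONFIG, "asmith", "alice-pw"))
```

Two points the simulation makes visible: the search must return exactly one entry (zero means the user is unknown, more than one means the filter is ambiguous, and neither should be treated as success), and the user's password is never compared by the client; it is only ever proven by the second bind.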
LDAP authentication configuration
In order to use an LDAP server for authentication, several configuration parameters must be given to allow the Authentication Server to perform authentication requests against the LDAP server.
Common LDAP configuration information
Several fields are common across the different LDAP connection methods.
Connect DN/Password
Many LDAP servers are set up to require a well-known Distinguished Name (DN) and password before a search to find a user's record is permitted. The Connect DN and Connect Password fields are provided for the credentials required to perform the search.
Base DN
The Base DN parameter defines the point at which searches begin.
Search filter
The Search Filter specifies which records are matched during the search phase. The string format follows RFC 2254 (http://www.ietf.org/rfc/rfc2254.txt).
Group attribute
The optional Group Attribute field is used when Resource Level Authorization is enabled. It specifies the attribute of the user's record that should be interpreted as a list of groups to which the user belongs. This is most useful for Active Directory implementations, where its setting may be 'memberOf'. In Active Directory the 'memberOf' attribute is an array of distinguished names referring to the groups to which the user belongs.
Group entry name attribute
When Resource Level Authorization is enabled and a Group Attribute is specified, the Group Entry Name Attribute is used to extract the actual name of the group. For an Active Directory implementation, this may be 'CN'.
Request parameter replacement
The Connect DN, Base DN, DNS Domain, and Search Filter configuration items are subject to token replacement. The values are taken from the authentication request as follows:
| Token ID | Description |
| --- | --- |
| {0} | User name (as entered by the user) |
| {1} | Password (as entered by the user) |
| {2} | Domain (as entered by the user) |
| {3} | Requestor name. For CCS, this will be the CCS Server Name. |
| {4} | Client host name. This is the name of the user's computer. |
| {5} | Client IP address. This is the IP address of the user's computer. |
| {6} | Requester host name. For CCS, this will be the host name of the computer where CCS is running. |
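Token replacement for the {0}..{6} tokens in the table above, as an added example that is not the product's own code. The page does not state whether the Authentication Server escapes the values it substitutes, so this example shows the defensive form a practitioner would want: because {0} and {2} are typed by the user, each value is escaped for the context it lands in (RFC 4515 rules, the successor of RFC 2254, inside a Search Filter; RFC 4514 rules inside a DN; a hostname check for the DNS Domain). The function names and the sample request are constructed.

```python
# Added example (not the product's own code): context-aware substitution of the
# {0}..{6} request tokens into a Search Filter, a DN or a DNS Domain template.
import re

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_DN_SPECIALS = set(',+"\\<>;')
_TOKEN = re.compile(r"\{([0-6])\}")


def escape_filter_value(value):
    """RFC 4515: filter metacharacters become \\XX hex escapes."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value):
    """RFC 4514: backslash-escape specials, a leading '#' or space, and a trailing space."""
    out = "".join("\\00" if ch == "\x00" else ("\\" + ch if ch in _DN_SPECIALS else ch)
                  for ch in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def check_dns_name(value):
    """Allow only hostname characters in the DNS Domain token."""
    if not re.fullmatch(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?", value):
        raise ValueError(f"not a valid DNS name: {value!r}")
    return value


# Which escaping applies depends on where the template is used, not on the token.
_CONTEXTS = {"filter": escape_filter_value, "dn": escape_dn_value,
             "dns": check_dns_name, "raw": lambda v: v}


def tokens_from_request(req):
    """Token id -> value, in the order of the table above (constructed field names)."""
    return {"0": req["user"], "1": req["password"], "2": req["domain"],
            "3": req["requestor"], "4": req["client_host"],
            "5": req["client_ip"], "6": req["requestor_host"]}


def replace_tokens(template, tokens, context):
    """Substitute every {n} token, escaping each value for the given context."""
    escape = _CONTEXTS[context]
    return _TOKEN.sub(lambda m: escape(tokens[m.group(1)]), template)


# Constructed request: the user name carries filter metacharacters on purpose.
REQUEST = {"user": "Smith (Ops) *", "password": "p@ss", "domain": "example.com",
           "requestor": "CCS1", "client_host": "ws42.example.com",
           "client_ip": "192.0.2.17", "requestor_host": "ccs1.example.com"}

if __name__ == "__main__":
    t = tokens_from_request(REQUEST)
    print(replace_tokens("(sAMAccountName={0})", t, "filter"))
    print(replace_tokens("cn={0},ou=users,dc=example,dc=com", t, "dn"))
    print(replace_tokens("{2}", t, "dns"))
```

The password token {1} is best kept out of string templates altogether and passed only to the bind operation; it is included in the token map solely because the table defines it.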
DNS SRV record lookup
LDAP servers may be located by either selecting the 'DNS SRV' record lookup, or by explicitly specifying a set of servers in the configuration.
Use DNS SRV record lookup
When the 'Use DNS SRV Record Lookup' check box is checked, the Authentication Server performs a DNS SRV record lookup against the DNS server(s) defined for the BMC AMI Console Management server (see Network status). The configuration dialog shows the common LDAP configuration parameters, which may be modified. If the Authentication Server is configured to perform a DNS SRV record lookup, these parameters apply to every server found and so must be the same for all servers.
Configure LDAP servers
When the Use DNS SRV Record Lookup check box is cleared, a list of LDAP servers must be provided; the configured servers are shown in a list. When an authentication request is received, the Authentication Server creates an LDAP connection to each server in the order displayed until the authentication is accepted or rejected.
Add
The Add button displays a page to enter the Uniform Resource Identifier (URI) for the LDAP server. The URI is of the form ldap://hostname:port/ or ldaps://hostname:port/. The ldap: form is used for unencrypted network connections and the ldaps: form for encrypted network connections. The :port component may be omitted if the LDAP server is running on the standard port (389 for ldap: and 636 for ldaps:).
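An added example, not the product's own code, covering the two ways of arriving at the server list described above: ordering the servers returned by a DNS SRV lookup into the priority order the Authentication Server tries them in (RFC 2782: lowest priority value first, higher weight first within a priority), and normalising an entered ldap:/ldaps: URI to the default ports given in the text. The SRV records below are constructed; a live lookup would query _ldap._tcp.<domain>. SrvRecord and the function names are assumptions of this example.

```python
# Added example (not the product's own code): SRV-record ordering and LDAP URI
# normalisation with the standard ports (389 for ldap:, 636 for ldaps:).
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class SrvRecord:
    """One _ldap._tcp SRV record as returned by a resolver (constructed here)."""
    priority: int
    weight: int
    port: int
    target: str


def order_srv_records(records):
    """Lowest priority first; within a priority, higher weight first.
    RFC 2782 selects among equal priorities at random in proportion to weight;
    sorting by weight is a deterministic stand-in so the result is testable."""
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


def srv_to_uris(records, scheme="ldap"):
    """Build the ordered list of server URIs from SRV records."""
    return [f"{scheme}://{r.target.rstrip('.')}:{r.port}/"
            for r in order_srv_records(records)]


DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def normalise_ldap_uri(uri):
    """Validate ldap://host[:port]/ or ldaps://host[:port]/ and fill in the default port."""
    parts = urlsplit(uri)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme in {uri!r}: expected ldap: or ldaps:")
    if not parts.hostname:
        raise ValueError(f"missing host in {uri!r}")
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    return f"{parts.scheme}://{parts.hostname}:{port}/"


# Constructed SRV answer: dc1 is preferred; dc2 and dc3 are equal fallbacks.
SRV_RECORDS = [
    SrvRecord(priority=10, weight=50, port=389, target="dc2.example.com."),
    SrvRecord(priority=0, weight=100, port=389, target="dc1.example.com."),
    SrvRecord(priority=10, weight=50, port=389, target="dc3.example.com."),
]

if __name__ == "__main__":
    print(srv_to_uris(SRV_RECORDS))
    print(normalise_ldap_uri("ldaps://dc1.example.com/"))
```

Because the re-connect step sends the user's entered password in a simple bind, the ldaps: form (or a server that requires TLS) is the one to prefer when entering URIs; with SRV discovery the scheme is a configuration choice, since SRV records carry only host and port.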
Load from DNS SRV records
The Load from DNS SRV Records button will display a page that allows an administrator to enter a DNS domain field. When the Show DNS Lookup Results button is pressed, a DNS SRV query is issued and the results are listed on the page along with fields for the basic LDAP configuration information. When the Add Selected Entries button is pressed, the LDAP server list is populated with the selected servers and the LDAP parameters given.
Edit
Clicking the Edit option navigates to an edit page for the LDAP server. The basic LDAP information for that server may be modified.
Delete
The Delete option will delete the server on that row, after a warning prompt.
Move Up/Move Down
Clicking the Move Up or Move Down option will reorder the list accordingly.
Test
Clicking the Test button will navigate to a page for testing the LDAP server information.
Enter a user name and a password, and then click Test. The results of the LDAP authentication are displayed on the page.