Example of Only Authenticating User Accounts Using LDAP


If you have already created Active Directory or LDAP accounts for users, you can use Active Directory or LDAP to authenticate one or more of those users. Each Active Directory or LDAP user logs in to SL1 using his/her Active Directory or LDAP username and password, and SL1 will use Active Directory or LDAP to authenticate that user.

This section will walk you through an example of authenticating a user using LDAP. Although this section will illustrate the steps and concepts for this task, the values are specific to the example LDAP server and will not work on your LDAP system.

Although some of the values in this example are specific to LDAP, you can use a very similar example to authenticate user accounts with Active Directory.

Use the following menu options to navigate the SL1 user interface:

  • To view a pop-out list of menu options, click the menu icon.
  • To view a page containing all of the menu options, click the Advanced menu icon.

Required Tasks

You can use LDAP or Active Directory to authenticate one or more users when they log in to SL1. You can also specify that SL1 should not authenticate other LDAP or Active Directory users.

  • Each user logs in to SL1, either through the login page, a CAC card or certificate, or HTTP. The user logs in to SL1 using an LDAP or AD attribute value as a login name and the LDAP or AD password.
  • SL1 examines the login request and applies the appropriate Authentication Profile (and the appropriate Authentication Resource(s)).
  • SL1 then authenticates the user by communicating with the LDAP or Active Directory server.

If you want to use LDAP or Active Directory to only authenticate users (that is, you do not want SL1 to import user accounts from Active Directory or LDAP), you must manually create accounts in SL1 and specify LDAP or AD authentication. To do this:

  1. Create a user account in SL1. You can either create the account manually or you can use a user policy to create the account.
     • When creating the user policy, you must select LDAP/Active Directory in the Authentication Method field in the User Policy Properties Editor page (Registry > Accounts > User Policies > create/edit User Policy).
     • When creating the user account, you must select LDAP/Active Directory in the Authentication Method field in the Account Permissions page (Registry > Accounts > User Accounts > edit user account).
  2. Create an Active Directory or LDAP credential that allows SL1 to read from (and optionally, write to) the AD or LDAP directory. This credential allows SL1 to connect to Active Directory or LDAP and authenticate user accounts.
  3. Define the LDAP/AD Authentication Resource.
     • Specify how SL1 should communicate with the LDAP or Active Directory server and exchange information with it.
     • In the Type field, select Do not import new users or sync user policies. SL1 will use LDAP or AD only to authenticate users and will not create a new user each time an LDAP or AD user attempts to connect to SL1.
  4. Define one or more Authentication Profiles that tell SL1 how to recognize LDAP/AD users and which Authentication Resource to use with those users.
  5. After completing these steps:
     • Each LDAP/AD user must log in to SL1 using the user name and password for SL1. This username must be identical to the LDAP or AD user ID for the user; the password must be identical to the LDAP or AD password.
     • SL1 will examine the hostname or IP address in the incoming URL request to align the user with an Authentication Profile.
     • The Authentication Profile tells SL1 which Authentication Resources to use to authenticate the user.
     • SL1 will use the settings and the credentials defined in the LDAP/AD Authentication Resource to query the LDAP or AD directory to authenticate each user.

Example Entry in LDAP

Suppose we have an entry like this in LDAP:

# tkrilly, People, sciencelogic.com
dn: uid=tkrilly,ou=People,dc=sciencelogic,dc=com
uid: tkrilly
cn: Ted Krilly
objectClass: top
objectClass: person
objectClass: inetOrgPerson
userPassword: craggy
street: 100 Commonwealth Avenue
l: Boston
st: MA
postalCode: 02134
mail: tkrilly@company.com
telephoneNumber: 617-776-2661
mobile: 617-776-3000
givenName: Ted
sn: Krilly

In this entry, we have a user named "tkrilly", who resides in the ou called "People", in the domain "sciencelogic.com". We'll use this information when configuring SL1 to authenticate this user.

Creating a User Account that Will Be Authenticated with Active Directory or LDAP

User accounts allow users to log in to SL1 and access pages and features in SL1. If you have already created a user account for a user in LDAP, you can create a separate user account for that user in SL1 and then ask Active Directory or LDAP to authenticate the user account.

For our example, we performed the following:

  1. Go to the User Accounts page (Registry > Accounts > User Accounts).
  2. Click the Create button. The page appears.
  3. In the page, enter values in each of the following fields:
  • First Name. User's first name. This value can be up to 24 characters in length. We entered Ted.
  • Last Name. User's last name. This value can be up to 24 characters in length. We entered Krilly.
  • Generate a unique name based on first and last name. Do not select this option.
  • Account Login Name. Enter a value that is included in the Active Directory entry or LDAP entry for the user. We entered the value of the uid for the user's account in LDAP. We entered tkrilly.
  • Primary Email. The user's primary email address. We entered tkrilly@company.com.
  • Password. Enter the user's LDAP password. We entered craggy!. To allow LDAP to authenticate the user, the password must match the user's password in LDAP.
  • Confirm Password. The user's password again. We entered craggy! again.
  • Password Strength. We selected Good. The user's password must have a strength of "Good" to be authenticated.
  • Password Expiration. We selected Disabled.
  • Password Shadowing. We selected Default. The user will not be able to reuse any password from the past year.
  • Require Password Reset. We did not select this checkbox. The user will not have to reset their password at their next login.
  • Multi-Factor Auth (MFA) User. If this user requires a different user name for Multi-factor authentication, enter the MFA user name in this field.

NOTE: For details on configuring multi-factor authentication, see the section on using multi-factor authentication.

  • Organization. The organization of which the new user account will be a member. We selected System.
  • Account Type. Specifies whether the user is a member of a user policy.
     • Individual. We selected this option. The user account is not a member of a user policy.
  • Account Type. This drop-down contains an entry for each standard account type. These account types affect the list of Access Keys for the user.
     • User. We selected this option. Accounts of type "user" are assigned Access Keys. Access Keys are customizable by the administrator and grant users access to pages and tabs and permit users to view information and perform tasks in SL1. These Access Keys are defined by a system administrator from the Access Keys page (System > Manage > Access Keys).
  • Login State. Default login state for the user account.
     • Active. We selected this option. The account is active, so the user can log in to SL1.
  • Authentication Method. Specifies how the user's username and password will be authenticated.
     • LDAP/Active Directory. Select this option. The user's username and password are authenticated by an LDAP server or Active Directory server.
  • Restrict to IP. We did not select this option and left the field blank. When an IP address is entered in this field, the user will be allowed to access SL1 only from the specified IP.
  • Time Zone. Select the appropriate time zone to associate with the user account. We selected America / New York.
  4. Click the Save button to save the new user.

Defining a Credential for Authentication with LDAP

When you define user accounts that are authenticated with LDAP, you must define one or more credentials so SL1 can communicate with the LDAP server. SL1 must communicate with the LDAP server to authenticate the specified users.

For our example, we performed the following:

  1. Go to the Credential Management page (Credential Management).
  2. Click the Actions drop-down menu and then select Create LDAP/AD Credential.
  3. The Credential Editor modal page appears.
  4. Supply a value in each of the following fields:
  • Profile Name. Name of the credential. We entered OpenLDAP User.
  • LDAP Type. Specifies the type of LDAP implementation running on the directory server. We selected LDAP.
  • Hostname/IP. Hostname or IP address of the LDAP server. We entered 192.168.8.248.
  • Secure. Specifies whether you are using the "LDAP over SSL" protocol. We selected no.
  • Port. Port number on the LDAP server or Active Directory server to which SL1 will send requests. We accepted the default port, 389.
  • Timeout. We accepted the default value 10000.
  • RDN (Bind DN / bind user). Specifies the bind DN. The bind DN is an account on the Active Directory server or LDAP server that is allowed to search the directory within the specified search base.
     • In SL1, the %u variable stores the latest username from the login page.
     • In most LDAP configurations, each user has read-access to his or her own account.
     • You can include the variable %u in this field. When an LDAP user logs in to SL1, SL1 stores the username in the %u variable. SL1 then uses the %u variable to build the bind DN, uses the bind DN to communicate with the LDAP server, and then asks the LDAP server to authenticate the current user.

We typed:

uid=%u,ou=People,dc=sciencelogic,dc=com

This creates a DN using the current login name as the uid. The bind DN will be the user's UID, in the ou "People" in the domain "sciencelogic.com".

  • LDAP Domain. If your LDAP or Active Directory configuration includes multiple domains, specify the domain components to bind to in this field. Because our LDAP server includes only one domain, we left this field blank.
  • Bind Password. Password that allows access to the LDAP server. In most cases, when you specify a bind password in a credential, you are creating a "write" credential (that is, a credential that allows SL1 to make changes to the LDAP server). We left this field blank.
  • User Search Base. Specifies the area in the LDAP directory where the user to be authenticated resides, using RDN notation. The search base tells SL1 which part of the external directory tree to search. We entered:

ou=People,dc=sciencelogic,dc=com

This tells SL1 to search for users to authenticate in the ou called "People" in the domain "sciencelogic.com" and also authenticate all users in any ou underneath "People".

NOTE: For details on search syntax for Active Directory, see http://msdn.microsoft.com/en-us/library/aa746475(VS.85).aspx. For details on the search syntax for LDAP, see http://www.faqs.org/rfcs/rfc2254.html.

  • User Search Scope. Specifies whether SL1 should search only the directory specified in the User Search Base field or whether SL1 should search the directory specified in the User Search Base field and all its child branches. We selected Subtree, so SL1 will search the specified directory and all child branches.
  5. Click the Save button to save your changes to the credential.

Creating an LDAP/AD Authentication Resource

An Authentication Resource is a configuration policy that describes how SL1 should communicate with a user store. In this section, the user store is an LDAP or Active Directory user store. The LDAP/AD Auth Resource Editor page allows you to define an Authentication Resource for use with an LDAP or AD user store. An LDAP/AD Authentication Resource specifies the connector (communication software) to use to communicate with the user store and the credential to use to connect to the user store. An LDAP/AD Authentication Resource can also map attributes from the user's LDAP or AD account to fields in the user account on SL1.

To create an LDAP/AD Authentication Resource:

  1. Go to the Authentication Resource Manager page (System > Settings > Authentication > Resources).
  2. Click the Actions menu and then select Create LDAP/AD Resource. The LDAP/AD Auth Resource Editor page appears.
  3. Enter values in the following fields:

Basic Settings

  • Name. Name of the LDAP/AD Authentication Resource. Enter Authenticate_LDAP_Resource.
  • Read Credential. Select the credential we created earlier, OpenLDAP User. This credential allows SL1 to read data from the LDAP or Active Directory server.
  • Write Credential. Leave this field blank.

NOTE: Your organization membership(s) might affect the list of credentials you can see in the Read Credential field and the Write Credential field.

  • User Name Suffix. Leave this field blank.

  • Search Filter. Specifies where to find the user's account information in LDAP. Enter the following:

(&(objectClass=person)(uid=%u))

This says to search the object class person for the uid attribute that matches the login name (entered when the user logs in to SL1 and then stored in the variable %u).

  • Sync directory values to EM7 on login. If the LDAP administrator makes changes to an LDAP account, SL1 will automatically retrieve those updates and apply them to the user's account in SL1 (in the Account Properties page) the next time the user logs in to SL1. We selected enable.
  • Sync EM7 values to directory on save. If an administrator made changes to the user account in SL1, SL1 will automatically write those changes to the user's account in LDAP or Active Directory. This option requires a write credential. We accepted the default value of disable.

Attribute Mapping

In this example, SL1 uses LDAP to authenticate existing users. We therefore do not configure these settings. We deleted the default values and left each field blank.

User Policy Alignment

  • Type. Specifies whether SL1 should automatically create accounts in SL1 for each LDAP or Active Directory user in the search base (which is specified in the credential), whether SL1 should simply use LDAP or Active Directory to authenticate one or more users, or whether SL1 will refuse to authenticate specific users. Because we are using LDAP or AD to authenticate users but not automatically create new user accounts in SL1, we selected the following:
     • Do not authenticate new users from directory. Only those users who have an account already created in SL1 can log in to SL1. However, if one or more users' Account Permissions page specifies LDAP/Active Directory in the Authentication Method field, SL1 will authenticate those users with either LDAP or Active Directory, using the settings and credentials specified in this page.

  4. Click Save to save your changes to the new Authentication Resource.

Creating an Authentication Profile

An Authentication Profile is a policy for user authentication. Authentication Profiles align user accounts with one or more Authentication Resources.

  • Alignment by pattern matching. SL1 uses the URL or IP address that a user enters in a browser to connect to an Administration Portal, Database Server, or All-In-One Appliance. If the URL or IP address matches the criteria specified in an authentication profile, SL1 will automatically use the matching profile to perform user authentication.
  • Credential Source. Specifies from where SL1 should extract the user name and password or certificate to be authenticated. These credentials are passed to SL1 via HTTP. SL1 then passes the credentials to each Authentication Resource specified in the Authentication Profile. The Authentication Resources authenticate the credentials with user stores.
  • Authentication Resource. Specifies the connector to use to communicate with the user store, the credential to use to connect to the user store (if applicable), and the URLs to examine during authentication.
  • Multi-factor Resource. Specifies the connector to use to communicate with the multi-factor endpoint. A Multi-factor Resource specifies the hostname or IP address of the Authentication Agent, the access key for communicating with the endpoint, and the URL of the RSA REST endpoint.

The Authentication Profiles page allows you to create a new authentication profile. To do so:

  1. Go to the Authentication Profiles page (System > Settings > Authentication > Profiles).
  2. Click the Create button. The Authentication Profile Editor modal page appears.
  3. In the Authentication Profile Editor modal page, you can define the new authentication profile.
  • Name. Name of the Authentication Profile. We entered Authenticate_LDAP_Profile.
  • Priority Order. If SL1 includes multiple Authentication Profiles, SL1 evaluates the Authentication Profiles in ascending priority order. SL1 will apply the first Authentication Profile that matches the Hostname or IP in the current URL AND has the lowest value in the Priority Order field. We accepted the default value, 1.
  • Pattern Type. Specifies how SL1 will evaluate the value in the AP Hostname Pattern field. We selected Wildcard. SL1 will perform a text match, with wildcard characters (asterisks).
  • AP Hostname Pattern. This field is used to match the URL or IP address that a user enters in a browser to connect to an Administration Portal, Database Server, or All-In-One Appliance. If the URL or IP address matches the value in this field, SL1 applies the Authentication Profile to the user for the current session. We entered *.sciencelogic.com in this field.

SL1 will apply the Authentication Profile to each session on an Administration Portal, Database Server, or All-In-One Appliance where the user enters a URL ending with ".sciencelogic.com" into the browser.

  • Available Credential Sources. This field tells SL1 how to retrieve the user's credentials from the HTTP request to SL1. To align a credential source with the Authentication Profile, highlight the credential source and click the right-arrow button. You can select zero, one, or multiple credential sources for the Authentication Profile. We selected:
     • EM7 Login Page. SL1 will retrieve a user name and password from the SL1 login page fields.
  • Aligned Credential Sources. This field displays the list of credential sources that have been aligned with the Authentication Profile. The Authentication Profile will examine each credential source in the order in which it appears in this list. When the Authentication Profile finds the user's credential, the Authentication Profile stops examining any remaining credential sources in the list.
  • Available Authentication Resources. This field tells SL1 which Authentication Resources to use to authenticate the retrieved credentials. To align an Authentication Resource with the Authentication Profile, highlight the Authentication Resource and click the right-arrow button. You must select at least one Authentication Resource and can select more than one. We selected Authenticate_LDAP_Resource.
  • Aligned Authentication Resources. This field displays the list of Authentication Resources that have been aligned with the Authentication Profile. The Authentication Profile will examine each Authentication Resource in the order in which it appears in this list. When an Authentication Resource successfully authenticates the user, the Authentication Profile stops executing any remaining Authentication Resources in the list.
  • Available Multi-factor Resources. This field tells SL1 which Multi-factor Resources to use to perform multi-factor authentication. To align a Multi-factor Resource with the Authentication Profile, highlight the Multi-factor Resource and click the right-arrow button.
  • Aligned Multi-factor Resources. This field displays the list of Multi-factor Resources that have been aligned with the Authentication Profile. The Authentication Profile will examine each Multi-factor Resource in the order in which it appears in this list. When a Multi-factor Resource successfully authenticates the user, the Authentication Profile stops executing any remaining Multi-factor Resources in the list.

NOTE: For details on configuring multi-factor authentication, see the section on using multi-factor authentication.

  4. Click Save to save your changes to the new authentication profile.

User Login to SL1

After completing the steps in this section:

  1. Suppose user "tkrilly" logs in to SL1 with the following:
     • Account: tkrilly
     • Password: craggy
  2. SL1 will look for an account with an Account Login Name of "tkrilly".
  3. When examining the user's account information, SL1 will discover that this user login is to be authenticated with LDAP.
  4. SL1 will check the login request and match the originator's URL or IP address to an Authentication Profile. In our example, the originator's URL will match the Authentication Profile we created, Authenticate_LDAP_Profile.
  5. The Authentication Profile will tell the platform to extract the user's credentials from the ScienceLogic Login page and to use the Authentication Resource we created, Authenticate_LDAP_Resource.
  6. The Authentication Resource will tell SL1 to use the credential we created, OpenLDAP User, to connect to the LDAP server. SL1 will connect to the LDAP server using the value from the RDN field in the credential. The value we entered was uid=%u,ou=People,dc=sciencelogic,dc=com, so SL1 will bind to the LDAP server as the user "tkrilly" in the ou "People" under the domain components "sciencelogic" and "com".
  7. SL1 will search the LDAP server using the value specified in the Search Filter field in the Authentication Resource. In our example, SL1 will search the object class person for the uid attribute that matches the login name (entered when the user logs in to SL1).
  8. Based on the matching record found in the LDAP server, SL1 will ask the LDAP server to authenticate the username and password that were passed to the ScienceLogic Login page.
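The login sequence above, together with the credential's RDN template and User Search Base and the Authentication Resource's Search Filter, can be traced end to end in code. The block below is an added example written for this page, not SL1 or ScienceLogic code. It parses the page's LDIF entry into an in-memory stand-in for the directory server, substitutes the login name into the bind DN template and the search filter, performs the simple bind and the filtered search, and refuses logins for directory users who have no SL1 account, which is what the Type setting selected in the Authentication Resource is for. Two things are the example's own choices rather than documented SL1 behaviour: the login name is escaped per RFC 4514 (DN) and RFC 4515 (filter) before substitution for %u, and an empty password is rejected before binding, because an LDAP simple bind with an empty password is an anonymous bind rather than a failed login. The LOCAL_ACCOUNTS table, the second directory entry jdoe with password hunter2, and the "local" method name are constructed for the example.

```python
# Added example, not SL1 code: the page's LDAP-only login flow, run against an
# in-memory copy of the page's LDIF entry instead of a live directory server.
import base64
import re

# Values typed into the SL1 credential and LDAP/AD Authentication Resource above.
BIND_DN_TEMPLATE = "uid=%u,ou=People,dc=sciencelogic,dc=com"
SEARCH_BASE = "ou=People,dc=sciencelogic,dc=com"
SEARCH_SCOPE = "subtree"
SEARCH_FILTER = "(&(objectClass=person)(uid=%u))"

# Constructed stand-in for the directory. userPassword is in the '::' (base64) form an
# LDIF export produces; Y3JhZ2d5 is "craggy". jdoe exists in LDAP but has no SL1 account.
EXAMPLE_LDIF = """\
dn: uid=tkrilly,ou=People,dc=sciencelogic,dc=com
uid: tkrilly
objectClass: person
objectClass: inetOrgPerson
userPassword:: Y3JhZ2d5

dn: uid=jdoe,ou=People,dc=sciencelogic,dc=com
uid: jdoe
objectClass: person
userPassword: hunter2
"""

# Constructed SL1 accounts: Account Login Name -> Authentication Method ("local" is a placeholder).
LOCAL_ACCOUNTS = {"tkrilly": "LDAP/Active Directory", "em7admin": "local"}

def parse_ldif(text):
    entries, entry = [], {}
    for line in text.splitlines() + [""]:        # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):             # 'attr:: base64value'
                value = base64.b64decode(value[1:].strip()).decode()
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def escape_dn_value(value):
    """RFC 4514 escaping for a value placed in an RDN (the %u in the bind DN)."""
    out = "".join("\\" + ch if ch in ',+"\\<>;=' else ch for ch in value)
    out = "\\" + out if out[:1] in ("#", " ") else out
    return out[:-1] + "\\ " if out.endswith(" ") else out

def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter (the %u)."""
    return "".join({"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29"}.get(c, c) for c in value)

def build_bind_dn(username):
    return BIND_DN_TEMPLATE.replace("%u", escape_dn_value(username))

def build_filter(username):
    return SEARCH_FILTER.replace("%u", escape_filter_value(username))

def dn_in_scope(dn, base, scope):
    """User Search Scope: 'base' matches only the base entry, 'subtree' any entry beneath it too."""
    dn, base = dn.lower(), base.lower()       # simplified: no spaces or escaped commas in these DNs
    return dn == base or (scope == "subtree" and dn.endswith("," + base))

def parse_filter(text, pos=0):
    """Recursive-descent parser for the filter subset used here: '&' lists and equality."""
    pos += 1                                  # skip '('
    if text[pos] == "&":
        pos, children = pos + 1, []
        while text[pos] == "(":
            node, pos = parse_filter(text, pos)
            children.append(node)
        return ("and", children), pos + 1     # skip ')'
    end = text.index(")", pos)                # a ')' inside a value is escaped as \29
    attr, _, value = text[pos:end].partition("=")
    return ("eq", attr.lower(), value), end + 1

def matches_filter(entry, node):
    if node[0] == "and":
        return all(matches_filter(entry, child) for child in node[1])
    wanted = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), node[2])
    return any(v.lower() == wanted.lower() for v in entry.get(node[1], []))

def authenticate(username, password, directory):
    """The steps under 'User Login to SL1', returned as (ok, reason)."""
    if LOCAL_ACCOUNTS.get(username) != "LDAP/Active Directory":   # 'Do not authenticate new users'
        return False, "no SL1 account with LDAP/Active Directory authentication for this login name"
    if not password:                    # an empty password would be an anonymous bind, not a login
        return False, "empty password rejected before binding"
    bind_dn = build_bind_dn(username)
    entry = next((e for e in directory if e["dn"][0].lower() == bind_dn.lower()), None)
    if entry is None or password not in entry.get("userpassword", []):
        return False, "simple bind as %s failed" % bind_dn
    if not dn_in_scope(bind_dn, SEARCH_BASE, SEARCH_SCOPE):
        return False, "entry lies outside the User Search Base"
    if not matches_filter(entry, parse_filter(build_filter(username))[0]):
        return False, "entry does not match the Search Filter"
    return True, "authenticated as " + bind_dn

DIRECTORY = parse_ldif(EXAMPLE_LDIF)
```

Calling authenticate("tkrilly", "craggy", DIRECTORY) returns True with the bind DN uid=tkrilly,ou=People,dc=sciencelogic,dc=com; a wrong password, an empty password and the jdoe login (present in the directory, absent from SL1) each return False with the step that rejected them, which is the order of checks a reviewer would want visible in SL1's own audit log when debugging a failed LDAP login.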