Enable LDAP/LDAPS Authentication

You can enable Lightweight Directory Access Protocol (LDAP)/Secure LDAP (LDAPS) authentication.
As an Administrator, you can require that users authenticate to an LDAP server in your environment by enabling Lightweight Directory Access Protocol (LDAP)/Secure LDAP (LDAPS) authentication. You can further secure user authentication by instructing data sources to use the same LDAP scheme as NetOps Portal. Enabling LDAP/LDAPS authentication integrates Single Sign-On with LDAP. The Single Sign-On server maps the users to a predefined or a custom user account that the Administrator has specified.
Single Sign-On supports encrypted connections using the DIGEST-MD5 or Generic Security Service Application Programming Interface (GSSAPI) authentication mechanisms.
While enabling LDAP authentication, you define the following:
  • How the Single Sign-On server connects to the LDAP server.
  • The mapping of individual NetOps Portal users to the user accounts that support their workflow, while protecting sensitive data.
  • The integration of DX NetOps Performance Management and the data sources into an existing authentication scheme. For example, you define that the LDAP server authorizes groups of users who are mapped to a single custom user account in NetOps Portal.
  • The actual account names and LDAP groups.
  • How the directory search is conducted.
  • The user account properties the LDAP server considers when validating users.
Use the following process to enable LDAP/LDAPS authentication:
  1. Enable LDAP/LDAPS authentication. You can use one of the following options:
    This lists the common options, but the options are not limited to this list. For example, you can enable LDAP/LDAPS authentication with encryption and an LDAP group.
  2. (If you configured the settings for LDAP/LDAPS authentication using the remote value option and you have DX NetOps Network Flow Analysis or CA Application Delivery Analysis as registered data sources) Configure the NFA and ADA settings.
  3. (If you enabled LDAPS authentication) Restart the services.
Verify the Prerequisites
Before enabling LDAP/LDAPS authentication, ensure that you have completed the following prerequisite steps:
  • (If you plan to enable LDAPS authentication) You have imported the LDAP certificate from a certificate authority (CA) into the Java keystore.
    For more information, see Import the LDAP Certificate.
  • (If you are enabling LDAP/LDAPS authentication with GSSAPI encryption) Encrypt the connection to the LDAP server using GSSAPI. Open the <installation_directory>/PerformanceCenter/sso/webapps/sso/configuration/krb5.conf file, and set the required parameters as follows:
    /opt/CA is the default installation directory.
    [libdefaults]
        default_realm = <domain.com>
    [realms]
        <domain.com> = {
            kdc = EXAMPLE.<domain.com>
            default_domain = <domain.com>
        }
    [domain_realm]
        .<domain.com> = <domain.com>
    • [libdefaults]
      Contains default values for the Kerberos V5 library.
    • default_realm
      Maps subdomains and domain names to Kerberos realm names. Lets programs determine the realm for a host, based on its fully qualified domain name. In this example, the default realm is domain.com.
    • [realms]
      Contains information about Kerberos realm names, which describes the location of Kerberos servers and includes other realm-specific information.
    • kdc
      Is the Kerberos key distribution center that supports the authentication services. For example, EXAMPLE.domain.com.
    • default_domain
      Is the default IP domain. For example, domain.com.
Enable LDAP/LDAPS
Follow these steps:
  1. Log in to the server where NetOps Portal or a supported data source is installed (as root or with the sudo command).
  2. Launch the Single Sign-On Configuration tool by running the ./SsoConfig command in the following directory:
    <installation_directory>/PerformanceCenter
    /opt/CA is the default installation directory.
    The SSO Configuration menu is displayed. You are prompted to select an option. The available options correspond to the data sources running on the local server.
    Use the following commands as needed while you are selecting settings:
    • q (quit)
    • b (go back to the previous menu)
    • u (update)
    • r (reset)
    For more information about this tool, see Single Sign-On.
  3. Enter 1 to select the 1. DX NetOps option to configure NetOps Portal (CAPC).
    The SSO Configuration/CA Performance Center menu is displayed. You are prompted to select an option.
  4. Enter 1 to select the 1. LDAP Authentication option.
    The SSO Configuration/CA Performance Center/LDAP Authentication menu is displayed. You are prompted to specify the priority.
    The Priority property only applies to NetOps Portal.
  5. Enter one of the following options:
    • 1. Remote Value
      Select this option if you are enabling LDAP/LDAPS authentication for the data sources that are registered to this instance of NetOps Portal, such as DX NetOps Network Flow Analysis and CA Application Delivery Analysis. This includes the Event Manager service, which embeds the NetOps Portal URL. NetOps Portal uses these settings only if a corresponding Local Override value is not present.
      The SSO Configuration/CA Performance Center/LDAP Authentication/Remote Value menu is displayed.
    • 2. Local Override
      Select this option if you are enabling LDAP/LDAPS authentication only for NetOps Portal and the data aggregator. These settings take precedence over the Remote Value settings and the default settings.
      The SSO Configuration/CA Performance Center/LDAP Authentication/Local Override menu is displayed.
    You are prompted to select a property to configure.
  6. Enter one or more of the following properties:
    When prompted, enter u to update the value and supply a new value.
    • 1. Connection User
      Defines the user ID for the service account or the user account that the NetOps Portal server uses to connect to the LDAP server and that Single Sign-On uses to secure (bind) to the LDAP server. This option associates the users in the LDAP catalog with a predefined or custom user account in NetOps Portal. Supply the full distinguished name (DN) of the service account.
      LDAP authentication does not typically require a service account (the DN). Therefore, if you are enabling LDAP/LDAPS authentication with encryption, enter {0}.
      • This user requires read and search access to the LDAP server.
      • For security reasons, do not define the connection user as a fixed account.
      Example:
      If the NetOps Portal server uses a fixed account, enter text with the following syntax: CN=The User,cn=Users,dc=domain,dc=com
      Examples for the user account that is logging in: {0}, {0}@domain.com, DOMAIN\{0}
      • {0}
        The username of the login user to check in the LDAP directory. This can be a login ID or an email address, depending on the LDAP setup.
    • 2. Connection Password
      Defines the password that the NetOps Portal server uses to connect to the LDAP server. This password can be the service account's password or {1} to indicate the password that the login user entered during login. LDAP authentication does not check the password. Therefore, if you are enabling LDAP/LDAPS authentication with encryption, enter {1}.
      Example:
      If the NetOps Portal server uses a fixed account, enter text like the following example: SomePassword
      If you have defined the connection user as a fixed account, any user that exists in the LDAP tree can log in with any password.
    • 3. Search Domain
      Identifies the LDAP server and port to which Single Sign-On connects, and the location in the directory tree where the search looks for users when verifying user account credentials.
      Use one of the following formats, based on the protocol that you plan to use:
      • LDAP
        ldap://<ldap_server>:<port>/<path_to_search>
        Example: ldap://domain.com:389/OU=Users,OU=Accounts,DC=Broadcom,DC=net
        • path_to_search
          The path to search.
          Required: Yes
        If you do not also supply a port number after the server in the string, Single Sign-On uses port 389.
      • LDAPS
        ldaps://<ldap_server>:<port>/<path_to_search>
        Example: ldaps://domain.com:636/OU=Users,OU=Accounts,DC=Broadcom,DC=net
        • path_to_search
          The path to search.
          Required: Yes
        If you do not also supply a port number after the LDAP server in the string, Single Sign-On uses port 636.
    • 4. Search String
      Specifies the criteria that the LDAP server uses to locate the correct user in the directory. This property works with the Search Scope property. If only a subset of LDAP users can log in, the LDAP server uses the value for this property to search the record for multiple properties.
      Possible values: Can include any valid LDAP search criterion.
      Example: (sAMAccountName={0})
    • 5. Search Scope
      Specifies the criteria that Single Sign-On uses to locate the correct record for the user. This property works with the Search String property. Determines the scope of the search that the LDAP server performs for the user account. Type one of the following values:
      • onelevel
        Includes the current directory in the search. Matches objects in the current directory and prevents unexpected matches deeper in the directory.
      • subtree
        Includes all subdirectories in the search. Recommended for most installations.
      • base
        Limits the search to the base object.
    • 6. User Bind
      Specifies whether to validate the supplied user credentials (the DN found during the search and the user-entered password) against the LDAP server when using a service account.
      Options:
      • 1. Enabled: Enter this value if you have entered a service account for the Connection User and Connection Password properties.
      • 0. Disabled: Enter this value if you have not entered a service account for the Connection User and Connection Password properties.
      Default: Disabled
    • 7. Encryption
      (If you are enabling LDAP/LDAPS authentication with encryption) Specifies the authentication mechanism that Single Sign-On uses when binding to the LDAP server. Enter the mechanism that your LDAP server supports. If you are enabling LDAPS authentication, you can leave this property blank or accept the default (Simple).
      Default: Simple
      Accepted Values: Simple, GSSAPI, DIGEST-MD5
    • 8. Account User
      Specifies the NetOps Portal default account to which to map validated LDAP users who are not members of an LDAP group. This property works with the Account Password property. If a valid user does not match any of the group definitions, Single Sign-On authenticates the user with the default user ID specified for this property. To allow all users to log in with their own username, enter {sAMAccountName} or {sAMAccountName} or {CN}.
      This property corresponds to a field from the directory entry for this user. Typically, the value matches your search filter.
    • 9. Account User Default Clone
      Specifies a user account to clone if validated LDAP users are members of an LDAP group that is not specified for the Group property. An existing and enabled user account is required.
      Options:
      • user: Use this option to clone the user account so that these users have minimal privileges.
      • admin: Use this option to clone the admin account.
      • {sAMAccountName}: Use this option to require that the account already exists.
    • 10. Group
      (If you are enabling LDAP/LDAPS authentication with an LDAP group) Defines the default account handling for selected user accounts or groups of accounts.
      Example:
      This example enables the members of the Admin group to log in using an administrator account, and the members of the Operator group to log in using a user account.
      <LDAPGroups><Group searchTag="memberOf" searchString="CN=Admin Group,CN=Users,DC=domain,DC=com" user="{sAMAccountName}" passwd="" userClone="admin"/><Group searchTag="memberOf" searchString="CN=Operator Group,CN=Users,DC=domain,DC=com" user="{sAMAccountName}" passwd="" userClone="user"/></LDAPGroups>
      • userClone
        Specify one of the following options:
        • user: Use this option to clone the user account so that these users have minimal privileges.
        • admin: Use this option to clone the admin account.
        • {sAMAccountName}: Use this option to require that the account already exists.
    • 11. Krb5ConfigFile
      Defines the krb5.conf file location: <installation_directory>/PerformanceCenter/sso/webapps/sso/configuration/krb5.conf
      /opt/CA is the default installation directory.
      Example: /opt/CA/PerformanceCenter/sso/webapps/sso/configuration/krb5.conf
    • 12. Status
      Verify that this property is set to Enabled. Otherwise, authentication uses the internal NetOps Portal user database.
    • 13. Timeout
      Specifies the amount of time that NetOps Portal waits while making authorization checks to the LDAP server. When the authorization check times out, users who try to log in are denied access. To view the errors, open the SSOService.log file.
      Default: 10000
    • Enter b to go back to the previous menu.
      The SSO Configuration/CA Performance Center/LDAP Authentication menu is displayed.
  7. Enter b to go back to the previous menu.
    The SSO Configuration/CA Performance Center menu is displayed.
  8. Enter q to quit.
    The configuration tool closes.
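The login flow that the Connection User, Connection Password, Search Domain, Search String and User Bind properties describe, simulated as an added example (not the product's code): the directory, the bind and the search are in-memory stand-ins with constructed entries, and the {0}/{1} bind is modelled as a plain password comparison rather than GSSAPI or DIGEST-MD5. It makes the caveat under Connection Password concrete: with a fixed service account, only User Bind set to Enabled makes the typed password count.

```python
from urllib.parse import urlsplit

# Constructed stand-in directory: DN -> (attributes, password).  Not real data.
DIRECTORY = {
    "CN=svc-sso,CN=Users,DC=domain,DC=com": ({"sAMAccountName": "svc-sso"}, "SvcPass1"),
    "CN=Alice,CN=Users,DC=domain,DC=com": ({"sAMAccountName": "alice"}, "AlicePass"),
}

def parse_search_domain(value):
    """Split 'ldap(s)://server[:port]/path_to_search'; apply the documented default ports."""
    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("Search Domain must start with ldap:// or ldaps://")
    port = parts.port or (636 if scheme == "ldaps" else 389)
    return scheme, parts.hostname, port, parts.path.lstrip("/")

def bind(identity, password):
    """Stand-in for an LDAP bind; identity is a DN or a sAMAccountName (used for {0})."""
    for dn, (attrs, stored_password) in DIRECTORY.items():
        if identity in (dn, attrs["sAMAccountName"]):
            return stored_password == password
    return False

def search(base_dn, ldap_filter):
    """Stand-in for an LDAP search with a single (attribute={value}) equality filter."""
    attr, value = ldap_filter.strip("()").split("=", 1)
    for dn, (attrs, _) in DIRECTORY.items():
        if dn.endswith(base_dn) and attrs.get(attr) == value:
            return dn
    return None

def authenticate(config, login_user, login_password):
    """Return True when Single Sign-On would accept the login under these properties."""
    _, _, _, base_dn = parse_search_domain(config["Search Domain"])
    # {0} and {1} stand for the ID and password typed at the login prompt.
    bind_id = config["Connection User"].replace("{0}", login_user)
    bind_pw = config["Connection Password"].replace("{1}", login_password)
    if not bind(bind_id, bind_pw):
        return False  # service-account bind (or the user's own bind) was refused
    user_dn = search(base_dn, config["Search String"].replace("{0}", login_user))
    if user_dn is None:
        return False  # no directory record matched the Search String
    if config["User Bind"] == "Enabled":
        return bind(user_dn, login_password)  # the user's own password is verified
    # Fixed service account with User Bind disabled: the login password was never
    # checked, so any user found by the search logs in with any password.
    return True

# Constructed configuration with a fixed service account and User Bind disabled.
FIXED_ACCOUNT = {
    "Connection User": "CN=svc-sso,CN=Users,DC=domain,DC=com",
    "Connection Password": "SvcPass1",
    "Search Domain": "ldap://domain.com/DC=domain,DC=com",
    "Search String": "(sAMAccountName={0})",
    "User Bind": "Disabled",
}
```

Calling authenticate(FIXED_ACCOUNT, "alice", "not-her-password") returns True, and returns False only after User Bind is switched to Enabled.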
Configure the NFA and ADA Settings
This step is required only if you configured the settings for LDAP/LDAPS authentication using the remote value option and you have DX NetOps Network Flow Analysis or CA Application Delivery Analysis as registered data sources.
Override the values that NetOps Portal sends by configuring them for the data sources using the local override option.
Follow these steps:
  1. Log in to the server where DX NetOps Network Flow Analysis or CA Application Delivery Analysis is installed (as root or with the sudo command).
  2. Launch the Single Sign-On Configuration tool by running the ./SsoConfig command in the following directory:
    <installation_directory>\Portal\SSO\bin
    C:\CA\NFA (or C:\CA\ADA) is the default installation directory.
    The SSO Configuration menu is displayed. You are prompted to select an option. The available options correspond to the data sources running on the local server.
    Use the following commands as needed while you are selecting settings:
    • q (quit)
    • b (go back to the previous menu)
    • u (update)
    • r (reset)
    For more information about this tool, see Single Sign-On.
  3. Enter 2 to select DX NetOps Network Flow Analysis or CA Application Delivery Analysis.
    The SSO Configuration/CA Network Flow Analysis (or CA Application Delivery Analysis) menu is displayed. You are prompted to select an option.
  4. Enter 1 to select the 1. LDAP Authentication option.
    The SSO Configuration/CA Network Flow Analysis (or CA Application Delivery Analysis)/LDAP Authentication menu is displayed. You are prompted to specify the priority.
    The Priority property only applies to NetOps Portal.
  5. Enter the 2. Local Override option.
    You are prompted to select a property to configure.
  6. Enter 11 to configure the 11. Krb5ConfigFile property.
    When prompted, enter u to update the value and supply a new value.
  7. Define the krb5.conf file location: <installation_directory>\Portal\SSO\webapps\sso\configuration\krb5.conf
    C:\CA\NFA (or C:\CA\ADA) is the default installation directory.
    Example: C:\CA\NFA\Portal\SSO\webapps\sso\configuration\krb5.conf
  8. Enter b to go back to the previous menu.
    The SSO Configuration/CA Performance Center menu is displayed.
  9. Enter q to quit.
    The configuration tool closes.
Restart the Services
This step is required only if you enabled LDAPS authentication.
Restart the services by issuing the following commands:
  1. Restart the SSO service:
    service caperfcenter_sso restart
  2. Wait one minute, then restart the device manager:
    service caperfcenter_devicemanager restart
  3. Wait one minute, then restart the event manager:
    service caperfcenter_eventmanager restart
  4. Wait one minute, then restart the console service:
    service caperfcenter_console restart
Reference
Example Configuration: Enable LDAP Authentication with No Encryption or LDAP Group
SSO Configuration/DX NetOps/LDAP Authentication:
Connection User: CN=********,OU=Role-Based,OU=North America,DC=ca,DC=com
Connection Password: ***
Search Domain: LDAP://******.net:389/DC=******,DC=net
Search String: (sAMAccountName={0})
Search Scope: Subtree
User Bind: Enabled
Encryption: false
Account User: {sAMAccountName}
Account User Default Clone: user
Status: Enabled
Timeout: 10000
Example Configuration: Enable LDAP/LDAPS authentication with GSSAPI Encryption and No LDAP Group
SSO Configuration/DX NetOps/LDAP Authentication:
Connection User: {0}
Connection Password: {1}
Search Domain: LDAP://******.net:389/DC=******,DC=net
Search String: (sAMAccountName={0})
Search Scope: Subtree
User Bind: Disabled
Encryption: GSSAPI
Account User: {sAMAccountName}
Account User Default Clone: user
Krb5ConfigFile: /opt/CA/PerformanceCenter/sso/webapps/sso/configuration/krb5.conf
Status: Enabled
Timeout: 10000
Example Configuration: Enable LDAP Authentication with DIGEST-MD5 Encryption and No LDAP Group
SSO Configuration/DX NetOps/LDAP Authentication:
Connection User: {0}
Connection Password: {1}
Search Domain: LDAP://******.net:389/DC=******,DC=net
Search String: (sAMAccountName={0})
Search Scope: Subtree
User Bind: Disabled
Encryption: DIGEST-MD5
Account User: {sAMAccountName}
Account User Default Clone: user
Status: Enabled
Timeout: 10000
Example Configuration: Enable LDAPS Authentication with an LDAP Group and No Encryption
SSO Configuration/DX NetOps/LDAP Authentication/Remote Value
Connection User: {0}
Connection Password: {1}
Search Domain: ldaps://******.net:636/OU=Users,OU=Accounts,DC=******,DC=net
Search String: CN=Admin Group,CN=Users,DC=domain,DC=com
Search Scope: Subtree
User Bind: Disabled
Encryption: false
Account User: {sAMAccountName}
Account User Default Clone: user
Group: <LDAPGroups><Group searchTag="memberOf" searchString="CN=Admin Group,CN=Users,DC=domain,DC=com" user="{sAMAccountName}" passwd="" userClone="admin"/><Group searchTag="memberOf" searchString="CN=Operator Group,CN=Users,DC=domain,DC=com" user="{sAMAccountName}" passwd="" userClone="user"/></LDAPGroups>
Status: Enabled
Timeout: 10000
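The account mapping that the Group, Account User and Account User Default Clone properties describe, run over the <LDAPGroups> value from the example configuration above, as an added example (not the product's code). The directory entries are constructed; first-match order between <Group> elements and exact string comparison of the searchString against the memberOf values are assumptions, since the page does not state the product's matching rule.

```python
import xml.etree.ElementTree as ET

# Group value from the last example configuration (the page's own XML).
GROUP_XML = (
    '<LDAPGroups>'
    '<Group searchTag="memberOf" searchString="CN=Admin Group,CN=Users,DC=domain,DC=com"'
    ' user="{sAMAccountName}" passwd="" userClone="admin"/>'
    '<Group searchTag="memberOf" searchString="CN=Operator Group,CN=Users,DC=domain,DC=com"'
    ' user="{sAMAccountName}" passwd="" userClone="user"/>'
    '</LDAPGroups>'
)

def expand(template, entry):
    """Replace {attribute} placeholders such as {sAMAccountName} with the entry's values."""
    for name, value in entry.items():
        if isinstance(value, str):
            template = template.replace("{" + name + "}", value)
    return template

def map_ldap_user(group_xml, account_user, default_clone, entry):
    """Decide the NetOps Portal account for a validated LDAP entry.

    Returns (portal_user, user_clone, matched_group): the first <Group> whose
    searchString appears among the entry's searchTag values wins (assumed
    order); otherwise Account User and Account User Default Clone apply.
    """
    root = ET.fromstring(group_xml)
    if root.tag != "LDAPGroups":
        raise ValueError("Group property must be an <LDAPGroups> document")
    for group in root.findall("Group"):
        values = entry.get(group.get("searchTag"), [])
        if isinstance(values, str):  # single-valued attribute
            values = [values]
        if group.get("searchString") in values:  # exact match (assumption)
            return (expand(group.get("user"), entry), group.get("userClone"),
                    group.get("searchString"))
    return expand(account_user, entry), default_clone, None

# Constructed entries standing in for what the user search would return.
ADMIN = {"sAMAccountName": "alice", "memberOf": ["CN=Admin Group,CN=Users,DC=domain,DC=com"]}
OPERATOR = {"sAMAccountName": "bob", "memberOf": ["CN=Staff,DC=domain,DC=com",
                                                 "CN=Operator Group,CN=Users,DC=domain,DC=com"]}
OTHER = {"sAMAccountName": "carol", "memberOf": "CN=Staff,DC=domain,DC=com"}

if __name__ == "__main__":
    for entry in (ADMIN, OPERATOR, OTHER):
        print(entry["sAMAccountName"], map_ldap_user(GROUP_XML, "{sAMAccountName}", "user", entry))
```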