Enable Login with LDAP

The Lightweight Directory Access Protocol (LDAP) is an application protocol for accessing and maintaining distributed directory information services over an IP network.
The LDAP solution:
  • Makes it possible to log in to the management consoles using LDAP rather than the login method
  • Allows the primary hub to check all login requests against the LDAP server before trying the standard login method
  • Is supported on Windows and Linux
  • Requires certain configuration tasks on the hub and in Infrastructure Manager
Supported LDAP software:
  • Active Directory
  • eDirectory
  • Red Hat Directory Server (RHDS) 10
Supported LDAP versions:
  • V2
  • V3
Basic LDAP Configuration
Configure your hub to forward login requests to an LDAP server and to access the container with the user groups.
Follow these steps:
  1. On the hub system, start Infrastructure Manager.
  2. Select the hub probe for the domain (domain/hub/robot/hub probe).
  3. Right-click the hub probe and select Configure to open the hub configuration window.
  4. On the General tab, click Settings. Go to the LDAP tab and specify the following settings.
    • Direct LDAP
      Select this if the hub connects directly to the LDAP server.
    • Nimsoft Proxy Hub
      Select this if the hub does not connect directly to the LDAP server.
    • Server Name
      Hostname or IP address of the LDAP server to which the hub connects (click Lookup to test the communication).
    • Server Type
      LDAP server type: Active Directory, eDirectory, or RHDS 10.
    • Authentication Sequence
      Specify the order in which Unified Infrastructure Management authenticates users.
    • Use SSL
      Select to use SSL during LDAP communication (most LDAP servers are configured to use SSL).
    • User/Password
      Name and password of an account on the LDAP server that the hub uses when accessing the LDAP server. How you specify it depends on the server type:
      • Active Directory -- ordinary user name
      • eDirectory -- path to the user in the format CN=username,O=organization, where username and organization are replaced by the appropriate values
      Note: This account does not need administrative privileges but does need the appropriate lookup privileges.
    • Group Container (DN)
      Location in the LDAP structure where you want to search for users (click Test to check whether the container is valid).
    • User Container (DN)
      Location in the Group Container where you want to search for users.
  5. Click Test to verify that the user/password and container settings are valid.
Advanced LDAP Configuration
If you do not want to use the default configuration values, you can add tree keys to the hub configuration. These keys are read by the hub LDAP engine and affect how the hub communicates over LDAP.
  1. On the hub system, start Infrastructure Manager.
  2. Select the hub robot's hub probe (domain/hub/robot/hub probe).
  3. Shift-right-click the hub probe to open the Raw Configure window.
  4. In the left pane, navigate to ldap > server.
  5. Click New Key and enter the following tree keys and values:
    • Timeout
      Number of seconds to spend on each search or bind (authentication) LDAP operation.
      Accepted values are:
      • 10 (default)
      • Desired number of seconds
    • codepage
      Specifies which codepage to use when translating characters from UTF-8 encoding to ANSI (which all CA Unified Infrastructure Management components use internally). Text in the LDAP library is encoded as UTF-8. Because CA Unified Infrastructure Management products do not have true Unicode support, all characters are translated into ANSI using this codepage.
      Accepted values are:
      • 28591* (Windows default)
      • Valid codepage number (Windows)
      • ISO-8859-1* (Linux default)
      • Text string that is passed to the iconv_open function (Linux)
      * ISO 8859-1 Latin 1; Western European (ISO)
  6. Click OK.
The tree key is added.
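The codepage key matters because any character that the chosen ANSI codepage cannot represent is lost when the hub translates LDAP text. The following added example (not part of the hub or this documentation) models that UTF-8 to ANSI translation so you can check directory values against a candidate codepage before setting the key; the codepage-to-codec table and the sample names are constructed assumptions.

```python
# Constructed mapping from the codepage values the hub accepts (a Windows
# code page number, or a string for iconv_open on Linux) to Python codec
# names. 28591 / ISO-8859-1 is the documented default. This table is an
# assumption for the example, not something the hub ships.
CODEPAGE_ALIASES = {
    "28591": "iso-8859-1",       # Windows default
    "ISO-8859-1": "iso-8859-1",  # Linux default
    "1252": "cp1252",
    "28592": "iso-8859-2",
    "1250": "cp1250",
}


def to_ansi(utf8_bytes, codepage):
    """Translate LDAP text (UTF-8) into the hub's ANSI encoding.

    Returns (ansi_bytes, lost) where lost lists the characters the chosen
    codepage cannot represent. Such characters are replaced by '?' here so
    the rest of the value stays readable; in the hub they would be mangled.
    """
    codec = CODEPAGE_ALIASES.get(codepage, codepage)
    text = utf8_bytes.decode("utf-8")
    out = bytearray()
    lost = []
    for ch in text:
        try:
            out += ch.encode(codec)
        except UnicodeEncodeError:
            lost.append(ch)
            out += b"?"
    return bytes(out), lost


def check_directory_values(values, codepage):
    """Map each directory attribute value to the characters that would be
    lost under the given codepage; an empty list means it survives intact."""
    return {v: to_ansi(v.encode("utf-8"), codepage)[1] for v in values}


if __name__ == "__main__":
    # Constructed sample display names from a directory export.
    names = ["Müller", "Łukasz", "Ødegård"]
    for cp in ("28591", "28592"):
        print(cp, check_directory_values(names, cp))
```

Running it shows that the default 28591 drops the Polish Ł while 28592 keeps it but drops the Norwegian Ø and å, so the right value depends on which scripts your directory actually contains.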
Hub LDAP Client Authentication
This feature enables the hub to send client certificates to the LDAP server, which validates them at the server end.
For Linux Hub
Follow these steps:
  1. If there are no server/client certificates, download the openssl application and use the openssl documentation to create self-signed certificates.
    When creating the certificates, the CN (common name) of each certificate should be the FQDN of the target machine on which that certificate is to be installed.
  2. Convert all the client certificates to PEM format if they are in a different format (for example, crt or der).
  3. Copy the client certificates to the hub machine. In this example they are copied to /root/certs/.
  4. Create a .ldaprc file in the /root/ folder of the hub machine.
  5. Edit the .ldaprc file and point the certificate file and key file entries to the path where the certificates were copied.
    Contents of .ldaprc:
      TLS_CACERT /root/certs/cacert.pem
      TLS_CACERTDIR /root/certs/
      TLS_REQCERT allow
      TLS_CERT /root/certs/client.pem
      TLS_KEY /root/certs/client.key
    Note: TLS_REQCERT allow lets the session proceed even when the LDAP server presents no certificate or one that cannot be validated; set it to demand if the hub must verify the server certificate against TLS_CACERT.
  6. Refer to section 5.2 Client of the OpenLDAP Server With Server-Side SSL/TLS and Client Authentication documentation for a detailed explanation of the above OpenLDAP client parameters.
  7. Create a new environment variable for the robot in the robot.cfg of that hub, name it LDAPRC, and point it to the .ldaprc path.
  8. Restart the hub robot.
For Windows Hub
Follow these steps:
  1. If there are no server/client certificates, download the openssl application and use the openssl documentation to create self-signed certificates.
    When creating the certificates, the CN (common name) of each certificate should be the FQDN of the target machine on which that certificate is to be installed.
  2. Convert the client certificate and the CA chain certificates to a single p12 or pfx file so that it can be imported into the Windows certificate store.
  3. Install the client p12/pfx file into the Windows "local machine" store using the Certificate Import Wizard.
    The certificates are imported into the "local machine" personal store and can be verified by opening the mmc certificate console.
  4. Go to "computer account" in the certificates snap-in of mmc and add the certificates.
    Double-click a certificate to display its hierarchy.
  5. If the CA certificate chain is not installed properly, the warning "The issuer of this certificate could not be found." is shown. Try importing the certificate into "Trusted Root Certification Authorities" by browsing to the p12/pfx file.
  6. Download and run the LdapAdminExe tool and create a new connection with the "SSL" checkbox selected. Verify the connection by clicking "Test Connection"; with the certificates installed properly, the tool reports "Connection is successful". A successful connection in the tool indicates that the hub connection will succeed as well.
The Windows operating system maintains certificates in its trust store and forwards the matching client certificate to the server without intervention by the application (the hub); the server then validates the certificate to establish the legitimacy of the client.
Codepage Values
The hub LDAP library uses these functions.
  • Windows: MultiByteToWideChar and WideCharToMultiByte
    These functions translate to and from ANSI/UTF-8. Both take a code page as a parameter. For a list of Windows code page numbers, go to http://www.microsoft.com (not affiliated with CA) and search for Code Page Identifiers.
  • Linux: iconv functions
    For further reference, go to http://www.gnu.org/software/libiconv (not affiliated with CA).
The code page key is not shipped with the hub configuration file.
Connecting Access Control Lists to LDAP Users
You can create Access Control Lists (ACLs) and associate them with specific LDAP groups. The users in an LDAP group are then assigned the privileges of the associated ACL.
For example, when an LDAP user logs in to a UIM component, the request is directed to the LDAP server for authentication. If the user name is found in a group that is attached to an ACL, the user is assigned the privileges defined in that ACL. If the user belongs to multiple groups, privileges are assigned from the ACL with the most extended privileges.
LDAP users must be direct members of the group that you connect to an ACL. UIM does not support nested or role-based groups. Bus users should not share an ACL with LDAP users, or bus users will inherit LDAP accounts.
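The membership rules above (direct membership only, no nested groups, most extended ACL wins when a user is in several groups) are easy to get wrong when auditing who ends up with which privileges. The following added example, which is not UIM code, models that resolution over a constructed directory snapshot and ACL table; the group and user DNs, the permission names, and the choice of "largest permission set" as the measure of "most extended" are all assumptions.

```python
# Constructed directory snapshot: group DN -> list of member DNs. The group
# cn=ops-all contains the group cn=ops-linux as a member (nesting); UIM
# ignores that, so only direct user membership counts below.
GROUPS = {
    "cn=ops-linux,ou=groups,dc=example,dc=com": [
        "cn=alice,ou=users,dc=example,dc=com",
    ],
    "cn=ops-all,ou=groups,dc=example,dc=com": [
        "cn=ops-linux,ou=groups,dc=example,dc=com",  # nested group, not a user
        "cn=bob,ou=users,dc=example,dc=com",
    ],
    "cn=readonly,ou=groups,dc=example,dc=com": [
        "cn=alice,ou=users,dc=example,dc=com",
        "cn=bob,ou=users,dc=example,dc=com",
    ],
}

# Constructed ACL table: ACL name -> permission set, plus the LDAP group each
# ACL was bound to with "Set LDAP Group" (one group per ACL).
ACL_PERMISSIONS = {
    "Viewer": {"read"},
    "LinuxAdmin": {"read", "configure", "restart"},
    "SuperAdmin": {"read", "configure", "restart", "manage_acl"},
}
ACL_GROUP = {
    "Viewer": "cn=readonly,ou=groups,dc=example,dc=com",
    "LinuxAdmin": "cn=ops-linux,ou=groups,dc=example,dc=com",
    "SuperAdmin": "cn=ops-all,ou=groups,dc=example,dc=com",
}


def direct_groups(user_dn, groups):
    """Groups in which user_dn appears directly as a member (no nesting)."""
    return {g for g, members in groups.items() if user_dn in members}


def resolve_acl(user_dn, groups=GROUPS, acl_group=ACL_GROUP, acl_perms=ACL_PERMISSIONS):
    """Return (acl_name, permissions) for an LDAP user, or (None, set()).

    Candidates are the ACLs bound to a group the user is a direct member of.
    When several match, the ACL with the most extended privileges wins; here
    that is modelled as the largest permission set (an assumption).
    """
    mine = direct_groups(user_dn, groups)
    candidates = [name for name, g in acl_group.items() if g in mine]
    if not candidates:
        return None, set()
    best = max(candidates, key=lambda name: len(acl_perms[name]))
    return best, acl_perms[best]
```

Alice is a direct member of ops-linux and readonly, so she resolves to LinuxAdmin rather than Viewer; she does not receive SuperAdmin through the nested ops-all membership, and a user in no bound group gets no ACL at all.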
Follow these steps:
  1. In Infrastructure Manager, select Security > Manage Access Control List.
  2. To create an ACL:
    1. Click New under Access Control List.
    2. Name the new ACL, then select an existing ACL (if any) to copy its settings. Click OK.
    3. Select the desired options in the Permissions area.
  3. To associate a group with an ACL:
    1. Select the new or existing ACL.
    2. Click Set LDAP Group. All groups in the container are listed.
    3. Select a group and click OK.
  4. Click OK in the Manage Access Control List dialog.
The new setting is active. To verify the configuration, start Infrastructure Manager and log in as an LDAP user who is not a CA Unified Infrastructure Management user. Verify that you have the appropriate privileges and can access the expected contents.