Comment: Published by Scroll Versions from this space and version 8.3.0

LDAP Authentication

 

We currently have an LDAP server running on ad.6connect.com.  Like RADIUS, the purpose of the LDAP server is central authentication: the client supplies a username and a password and, if the bind succeeds, the server returns the user's directory entry, including the list of groups the user belongs to.

 

 

 

 

To query the LDAP server, run ldapsearch from the OpenLDAP client tools, which are installed on almost every server:

Code Block
ldapsearch -x -h [IPADDRESS] -b [BASE] -D [BINDDN] -w [PASSWORD] [FILTER]

The flags:

  • -x: use a simple bind (DN plus password) instead of SASL. Without it ldapsearch attempts a SASL bind and the -D and -w values are not used.
  • -h: the hostname or IPv4 address of the server. We have not been able to get -h to accept an IPv6 literal. Current OpenLDAP clients deprecate -h in favour of -H ldap://host:port/, and libldap's URI parser accepts a bracketed IPv6 address in that form (ldap://[2001:db8::1]:389/), but that route has not been verified with this setup.
  • -b: the search base, the DN under which the search starts. For the examples on this page it is dc=6connect,dc=com.
  • -D: the bind DN. This is not a domain: it is the full DN of the directory entry you authenticate as, for example cn=JoeSmith,ou=people,dc=6connect,dc=com, and it must match the dn: line of that entry's LDIF exactly.
  • -w: the password of the bind DN. It is visible in ps output and shell history, so outside test setups use -W (prompt) or -y passwordfile instead.
  • [FILTER]: the search filter, for example (cn=JoeSmith). Attribute names may follow it to limit what is returned, for example memberOf or sixConnGroup.

 

 

 

LDAP authentication options are accessed by clicking the "Authentication" sub-tab at the top of the Admin Settings page, then selecting "LDAP" from the "Authentication Options" module.

ProVision authenticates against an LDAP server in three steps:

  1. Binds to the LDAP server as the user, trying each entry of the LDAP Auth DN list (with %LOGIN% replaced by the login name) until one succeeds.
  2. Pulls the user's own object from the LDAP server using the LDAP Fetch DN.
  3. Matches the group names found in the "LDAP Group Attribute" against existing groups in ProVision. Group names that do not exist in ProVision are ignored.

Before you enter LDAP settings, ensure that you have the LDAP server set up and configured for ProVision.


Set up an LDAP Server for Authentication


To set up an LDAP server for this authentication, perform the following three procedures:

  1. Configure the LDAP server using the 6connect LDAP schema
  2. Create the LDAP user(s) in an LDIF file (and test the result with ldapsearch, if desired)
  3. Configure ProVision with the LDAP authentication settings by enabling LDAP and entering (at minimum) the following information:
    1. LDAP Server Address
    2. Port
    3. LDAP Auth DN List
    4. LDAP Fetch DN
    5. LDAP Filter DN
    6. LDAP Group Attribute

Configure the LDAP Server:

Configuring the LDAP server involves loading the 6connect schema into slapd and then adding LDAP users / groups to the server. The schema must be loaded first (included from slapd.conf, or converted to LDIF and added under cn=config); otherwise slapd rejects entries that use the sixConnectPermissionsV2 object class.

LDAP Schema - Example

Code Block
attributetype ( 1.3.6.1.4.1.5023215.2.3.21
    NAME 'sixConnGroup'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

objectclass ( 1.3.6.1.4.1.5023215.2.4.2
    NAME 'sixConnectPermissionsV2'
    DESC '6Connect Permissions Object v2'
    SUP top AUXILIARY
    MUST ( sixConnGroup ) )

Note that sixConnGroup is defined without an EQUALITY matching rule, so slapd cannot evaluate an equality filter such as (sixConnGroup=Sales). That is fine for ProVision, which reads the attribute from the user's own entry rather than searching on it, but add EQUALITY caseIgnoreMatch to the attributetype if you want to search by group.


Creating a LDAP User:

SSH into your OpenLDAP server and create a new LDIF file.  Example:

Code Block
dn: cn=JoeSmith,ou=people,dc=6connect,dc=com
cn: JoeSmith
sn: JoeSmith
objectclass: top
objectclass: person
objectclass: sixConnectPermissionsV2
sixConnGroup: "Global Admins"
sixConnGroup: "IT Engineering"
sixConnGroup: "Sales"
sixConnGroup: "Customer Admin"
userPassword: testpass

To create a new user, make a new LDIF file and change all instances of "JoeSmith" to the username you wish to create, then update the password.  Keep all of the objectclass definitions as listed above.  Add one sixConnGroup line for each ProVision user group the user belongs to; group names that do not exist in ProVision are ignored at login.  The parent entry (ou=people,dc=6connect,dc=com here) must already exist, and the dn must match what you later configure as the ProVision Auth DN.  The example stores the password in plaintext, which slapd accepts but keeps as-is in its database and backups; for anything beyond a test directory generate a hash with slappasswd (for example slappasswd -s 'S3cret!') and use its {SSHA}... output as the userPassword value.

After the file is created, run ldapadd to add the new user to the LDAP server:

Code Block
ldapadd -h [SERVER] -x -f [LDIF FILE] -D [ROOTDN] -w [ROOT PW] -v

-x selects a simple bind instead of SASL, -f names the LDIF file, and -v prints each entry as it is added.  [ROOTDN] is the directory manager DN configured as rootdn in slapd.conf (not the DN of the user being created), with its password as [ROOT PW]; the rootdn bypasses access control, so it can always add entries.  Example:

Code Block
ldapadd -h localhost -x -f 6connect.ldif -D "cn=Manager,dc=6connect,dc=com" -w secret -v

The user will now be active in OpenLDAP and can be used to log in to ProVision.
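The following shell script is an added example (not from the page and not 6connect's tooling) that generates the LDIF above for any login and loads it with ldapadd, with two changes a practitioner would want over the hand-edited file: the login is restricted to [A-Za-z0-9._-] so it can be placed in the DN without escaping, and userPassword must already be a {SCHEME} hash such as the output of slappasswd rather than plaintext. Values that LDIF cannot carry literally (group names with leading spaces or non-ASCII characters, for instance) are base64-encoded in the attr:: form. The function names, the manager DN and the password file path are assumptions.

```shell
#!/bin/sh
# Added example: generate the ProVision user LDIF for a login and load it.
# Function names, the manager DN and the password-file path are assumptions.
LC_ALL=C; export LC_ALL
BASE_DN='dc=6connect,dc=com'
PEOPLE_OU="ou=people,$BASE_DN"

# Print one "attr: value" LDIF line. Values LDIF cannot carry literally
# (leading space, ':' or '<', trailing space, non-printable or non-ASCII
# bytes) are emitted base64-encoded in the "attr:: value" form.
ldif_line() {
    case $2 in
        ' '*|:*|'<'*|*' '|*[![:print:]]*)
            printf '%s:: %s\n' "$1" "$(printf '%s' "$2" | base64 | tr -d '\n')" ;;
        *)  printf '%s: %s\n' "$1" "$2" ;;
    esac
}

# Emit the user entry from the page's LDIF.
#   $1 login    -- restricted to [A-Za-z0-9._-] so it is safe to embed in the
#                 DN without RFC 4514 escaping
#   $2 password -- a hashed userPassword such as the output of
#                 `slappasswd -s 'S3cret!'`; plaintext is refused
#   $3..        -- ProVision group names, one quoted sixConnGroup line each
make_user_ldif() {
    login=$1 password=$2; shift 2
    case $login in ''|*[!A-Za-z0-9._-]*)
        echo "make_user_ldif: login must match [A-Za-z0-9._-]+" >&2; return 1 ;;
    esac
    case $password in '{'*'}'?*) ;; *)
        echo "make_user_ldif: userPassword must be a {SCHEME} hash from slappasswd" >&2
        return 1 ;;
    esac
    printf 'dn: cn=%s,%s\n' "$login" "$PEOPLE_OU"
    ldif_line cn "$login"
    ldif_line sn "$login"
    printf 'objectclass: top\nobjectclass: person\nobjectclass: sixConnectPermissionsV2\n'
    for g in "$@"; do ldif_line sixConnGroup "\"$g\""; done
    ldif_line userPassword "$password"
}

# Add the user with a simple bind as the directory manager (slapd's rootdn).
# The manager password is read from a file with -y so it is not visible in
# `ps` or shell history. Usage (assumed paths and names):
#   add_user ldap://localhost/ 'cn=Manager,dc=6connect,dc=com' /root/.ldap-pw \
#       JoeSmith "$(slappasswd -s 'S3cret!')" 'Global Admins' 'Sales'
add_user() {
    uri=$1 manager=$2 pwfile=$3; shift 3
    ldif=$(make_user_ldif "$@") || return 1
    printf '%s\n' "$ldif" | ldapadd -x -H "$uri" -D "$manager" -y "$pwfile" -v
}
```

make_user_ldif refuses a login it cannot place in a DN safely and a password that is not already hashed, so a mistake fails before anything reaches the directory; add_user only talks to the server once the LDIF has been produced.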

Test the LDAP Server with LDAP Search

The best way to confirm the LDAP server settings is to perform an LDAP search with the same DN and password that ProVision will use.

To query the LDAP server, run the following command while SSH'ed into your LDAP server, replacing the placeholders (in brackets) with your specific LDAP information:

Code Block
ldapsearch -x -b [BASE] -h [IPADDRESS] -D [BINDDN] -w [PASSWORD] [FILTER]

Note:  We have not been able to use an IPv6 address with this tool, even though multiple sources say it should work.  If you need to, try the -H ldap://[address]:port/ URI form that current OpenLDAP clients prefer over -h.

At the end of the command where [FILTER] is specified, a user or group filter (in LDAP filter syntax) selects the entries to return; attribute names after the filter limit which attributes are shown.

Example with User: 

Code Block
ldapsearch -x -b "dc=6connect,dc=com" -h sometestserver.lab.com -D "cn=JoeSmith,ou=people,dc=6connect,dc=com" -w testpass "cn=JoeSmith"

Example with Group (requesting only the group attribute): 

Code Block
ldapsearch -x -b "dc=6connect,dc=com" -h sometestserver.lab.com -D "cn=JoeSmith,ou=people,dc=6connect,dc=com" -w testpass "cn=JoeSmith" memberOf

The LDAP search should return extended LDIF information similar to the following:

Code Block
# extended LDIF
#
# LDAPv3
# base <dc=6connect,dc=com> with scope subtree
# filter: cn=JoeSmith
# requesting: memberOf
#

# JoeSmith, people, 6connect.com
dn: cn=JoeSmith,ou=people,dc=6connect,dc=com
memberOf: cn=Global Admins,ou=groups,dc=6connect,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


ProVision derives the ldapsearch base and bind DN from the Auth DN, uses the Fetch DN to pull the user's entry, and reads the Group Attribute from that entry to obtain the groups the user is a part of.  The end result is this list of user groups:

memberOf: cn=Global Admins,ou=groups,dc=6connect,dc=com

memberOf is only populated by directories that maintain it (Active Directory, or OpenLDAP with the memberof overlay).  For a user created with the 6connect schema as above, set the LDAP Group Attribute to sixConnGroup instead; the search then returns the sixConnGroup: "Global Admins" lines from the user's own entry.  A result of "0 Success" with "numEntries: 0" means the bind worked but the base or filter did not match the user's DN; an error at bind time means the DN or password is wrong.

Configure ProVision for LDAP Authentication 


To configure the use of LDAP authentication with ProVision:

 

 

 

  1. Log into 6connect ProVision
  2. Go to Settings Tab → Admin Settings → Authentication
  3. Select "LDAP" under "Authentication Options"
  4. Move the LDAP Enable selector to the "ON" position.
  5. Fill in the hostname or IP address, authentication port, LDAP Security, Auth DN List, Fetch DN, Filter DN, and LDAP Group Attribute.
    1. Some example values in this case would be: 

      • LDAP Enable: (Checked)
      • LDAP Server Address:  IP or hostname, such as 1.2.3.4 or somelabserver.lab.com
      • LDAP Port:  389 (or 636 for SSL/TLS)
      • LDAP Security:  None
      • LDAP Auth DN:  cn=%LOGIN%,ou=people,dc=6connect,dc=com (this must match the dn of the user entries in your LDIF)
      • LDAP Fetch DN:  cn=%LOGIN%


      • LDAP Filter DN: cn=%LOGIN%
      • LDAP Group Attribute List:  memberOf (or sixConnGroup when the 6connect schema is used)
      • LDAP Username / LDAP Password: Optionally, you may enter LDAP admin credentials to allow ProVision to import and sync LDAP contacts.  ProVision stores these credentials, so use a read-only account limited to the people subtree rather than the directory manager.  See Contact Manager for details on LDAP contacts.
  6. Click "Save Changes".
    1. NOTE: If you experience authentication errors at this step, confirm the LDAP settings with an LDAP search, as described in the previous section, binding with exactly the DN that the Auth DN template produces for a test login.
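As an added example that is not ProVision's code, the shell script below performs the three authentication steps described on this page with the OpenLDAP command-line tools: it renders each Auth DN template with %LOGIN% substituted, binds as each in turn until one succeeds, pulls the user's own entry with the Fetch DN used as the search filter, and keeps only the group names that exist in ProVision. The login is escaped per RFC 4514 before it goes into a DN and per RFC 4515 before it goes into a filter, so that a login such as JoeSmith,ou=admins cannot rewrite the DN being bound. LDAP_URI, BASE_DN, AUTH_DN_LIST, the function names and the treatment of the Fetch DN as a filter are assumptions; the sample LDIF reply is constructed.

```shell
#!/bin/sh
# Added example: ProVision's three-step LDAP login with OpenLDAP tools.
# Everything below is illustrative; the settings and names are assumptions.
LDAP_URI=${LDAP_URI:-ldap://ldap.lab.example:389/}    # assumed lab server
BASE_DN='dc=6connect,dc=com'
AUTH_DN_LIST='cn=%LOGIN%,ou=people,dc=6connect,dc=com
uid=%LOGIN%,ou=service,dc=6connect,dc=com'            # tried in this order
FETCH_DN='cn=%LOGIN%'                                  # used as the search filter
GROUP_ATTR=sixConnGroup                                # the 6connect schema attribute
PLACEHOLDER='%LOGIN%'

# RFC 4514: escape a value before it is placed inside a DN.
dn_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e 's/[,+"<>;=]/\\&/g' \
        -e 's/^#/\\#/' -e 's/^ /\\ /' -e 's/ $/\\ /'
}

# RFC 4515: escape a value before it is placed inside a search filter.
filter_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Replace every %LOGIN% in a template with an already-escaped login.
render_template() {
    tmpl=$1 out=''
    while case $tmpl in *"$PLACEHOLDER"*) true ;; *) false ;; esac; do
        out=$out${tmpl%%"$PLACEHOLDER"*}$2
        tmpl=${tmpl#*"$PLACEHOLDER"}
    done
    printf '%s\n' "$out$tmpl"
}

# Step 1: simple bind as the rendered DN. The password is passed with -y so
# it never appears on the command line.
ldap_bind() {
    printf '%s' "$2" | ldapwhoami -x -H "$LDAP_URI" -D "$1" -y /dev/stdin >/dev/null 2>&1
}

# Step 2: fetch the user's own object, asking only for the group attribute.
ldap_fetch() {   # $1 bound DN, $2 password, $3 raw login
    filter="($(render_template "$FETCH_DN" "$(filter_escape "$3")"))"
    printf '%s' "$2" | ldapsearch -LLL -x -H "$LDAP_URI" -D "$1" -y /dev/stdin \
        -b "$BASE_DN" "$filter" "$GROUP_ATTR"
}

# Step 3: read GROUP_ATTR values out of the LDIF on stdin (unfolding
# continuation lines, stripping the quotes the 6connect LDIF uses) and print
# those that exist in ProVision ($1, comma separated). Base64 ('::') values
# are reported on stderr and skipped.
provision_groups() {
    awk -v attr="$GROUP_ATTR" -v known="$1" '
    BEGIN { n = split(known, k, ","); for (i = 1; i <= n; i++) have[k[i]] = 1; attr = tolower(attr) }
    function flush(   i, v) {
        if (line == "") return
        i = index(line, ":")
        if (i > 0 && tolower(substr(line, 1, i - 1)) == attr) {
            v = substr(line, i + 1)
            if (substr(v, 1, 1) == ":") { print "warning: base64 " attr " value skipped" > "/dev/stderr" }
            else {
                sub(/^ +/, "", v); gsub(/^"|"$/, "", v)
                if ((v in have) && !(v in seen)) { seen[v] = 1; print v }
            }
        }
        line = ""
    }
    /^ / { line = line substr($0, 2); next }   # LDIF continuation line
    { flush(); line = $0 }
    END { flush() }'
}

# The whole flow: prints the matched groups and returns 0, or returns 1.
provision_auth() {   # $1 login, $2 password, $3 comma-separated ProVision groups
    login=$1 password=$2 groups=$3 bound=''
    case $login in ''|' '*|*' '|*[![:print:]]*)
        echo "provision_auth: rejected malformed login" >&2; return 1 ;;
    esac
    esc=$(dn_escape "$login")
    oldifs=$IFS; IFS='
'
    for tmpl in $AUTH_DN_LIST; do
        IFS=$oldifs
        dn=$(render_template "$tmpl" "$esc")
        if ldap_bind "$dn" "$password"; then bound=$dn; break; fi
    done
    IFS=$oldifs
    [ -n "$bound" ] || { echo "provision_auth: no Auth DN accepted $login" >&2; return 1; }
    ldap_fetch "$bound" "$password" "$login" | provision_groups "$groups"
}

# Constructed sample reply, as ldapsearch -LLL would print it (one folded line).
SAMPLE_LDIF='dn: cn=joe\,smith,ou=service,dc=6connect,dc=com
sixConnGroup: "Global Admins"
sixConnGroup: "bonk"
sixConnGroup: "Sal
 es"'

if [ $# -eq 3 ]; then provision_auth "$@"; fi   # e.g. ./ldapauth.sh JoeSmith 'pw' 'Global Admins,Sales'
```

ldap_bind and ldap_fetch are the only functions that touch the network; redefining them lets the rest be exercised offline against the constructed reply, which is how the escaping and group matching were checked. Note that the same login is escaped differently for the DN (joe\,smith) and for the filter (joe,smith), because the two grammars reserve different characters.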



Note: Setting default login authentication options

In the login screen, you select the authentication method from the dropdown. If you like, you can set the default login option in the following way:

Open /data/globals.php in vi (or another editor) and add the following text as the last line of the file (before the closing ?>):

define('DEFAULT_LOGIN_TYPE', 'ldap');

Acceptable values are "local", "radius", "ldap" and "saml". If this line is not present in globals.php, the default option is "local".


Note: Using SSL encryption

To use SSL encryption with LDAP, the ldap.conf file must be correctly configured on the ProVision server.

Typically, the LDAP configuration file is kept at "/etc/ldap/ldap.conf".  Make sure the following line is present:

    TLS_REQCERT allow

and restart the webserver. 

Be aware of what "allow" means: the client asks for the server certificate but proceeds even if none is presented or it fails verification, so the connection is encrypted but the server is not authenticated, and a machine in the middle can still capture bind passwords.  Use "allow" only to get past a self-signed certificate during setup; for production set TLS_REQCERT demand together with TLS_CACERT pointing at the CA certificate that issued the LDAP server's certificate, so that the server's identity is checked.

 

Add or Update LDAP Settings

To view, add, or update LDAP settings, go to the Settings Tab → Admin to enter the Admin area of ProVision.

Then, click the "Authentication" sub-tab at the top of the Admin Settings page, and select "LDAP" from the "Authentication Options" module.


The following settings are available to add or update:

  • List of LDAP Servers: View / Add LDAP servers
  • LDAP Enable: Check the box to enable LDAP functionality.
  • LDAP Server Address: The IP address or hostname of your LDAP server.
  • LDAP Port: 389, or 636 for SSL/TLS
  • LDAP Security: Select the security method of your LDAP server: SSL, TLS or None. With None the bind password crosses the network in cleartext, so use it only on a trusted network or for testing.
  • LDAP Auth DN List: A DN template used to authenticate the user against the LDAP server.   %LOGIN% is a variable string that will be replaced with the user name.  This may be a list, and the auth system will try each entry in turn until one authenticates the user. (ex: cn=%LOGIN%,ou=people,dc=6connect,dc=com)
  • LDAP Fetch DN List: The LDAP query that will be used to pull the user object
  • LDAP Filter DN List: Used to construct the LDAP query.
  • LDAP Group Attributes List: The LDAP attribute that holds the LDAP-GNI group links. If using an internal list of user groups instead of 6connect groups, enter the attribute name for the LDAP groups here. If a Group Attribute is set, it will be used first; otherwise the 6connect schema (sixConnGroup) will be used.
  • LDAP Username / LDAP Password: Optionally, you may enter LDAP admin credentials to allow ProVision to import and sync LDAP contacts. Prefer a read-only service account over the directory manager. See Contact Manager for details on LDAP contacts.
  • Use system user for login queries: Enable / Disable the use of the system user (the LDAP Username / LDAP Password above) for the lookup queries performed at login
  • Try socket connection first: Enable / Disable to attempt a socket connection as the first method.


  • NOTE: Mapping Permissions to the 6connect schema: To integrate 6connect permissions with your existing directory structure you will need the 6connect schema. It snaps in alongside any existing LDAP structure (sixConnectPermissionsV2 is an AUXILIARY class, so it can be added to existing user entries) and lets you assign 6connect permissions to your existing users. You can download a copy of the schema.

When done, click "Save Changes". 


Adding a Secondary LDAP Server

Once at least one LDAP server has been added, a list will appear at the top of the LDAP module. Add an additional LDAP server by clicking "Add new server".

ProVision will try to connect to each server listed, in the order listed, until a success is returned. Disabled servers display in grey, and the currently selected server displays in bold.

LDAP Authentication on a Windows Server

For information on setting up LDAP for a Windows server, see the following section: