Displaying hover text for LDAP information

You create an LDAP properties configuration file to display LDAP user information as hover text. This configuration file queries the LDAP database for LDAP user information that is associated with events, offenses, or assets (if available).

Before you begin

The web server must be restarted after the ldap.properties configuration file is created. Consider scheduling this task during a maintenance window when no active users are logged in to the system.

About this task

The following example lists properties that you can add to an ldap.properties configuration file.

ldap.url=ldap://LDAPserver.example.com:389
ldap.authentication=simple
ldap.userName=user.name
ldap.password=your.encrypted.password
ldap.basedn=O=IBM,C=US 
ldap.filterString=(&(objectclass=user)(samaccountname=%USER%))
ldap.attributes.displayName=Name
ldap.attributes.email=Email
ldap.attributes.employeeID=EmployeeID
ldap.attributes.department=Department

Procedure

  1. Use SSH to log in to IBM® QRadar® as a root user.
  2. To obtain an encrypted LDAP user password, run the following Perl script:
    perl -I /opt/qradar/lib/Q1/ -e 'print "Password: ";my $password = <>;
    $password =~ s/\n$//;use auCrypto; print Q1::auCrypto::encrypt ($password)'
  3. Use a text editor to create the /opt/qradar/conf/ldap.properties configuration file.
  4. Specify the location and authentication information to access the remote LDAP server.
    1. Specify the URL of the LDAP server and the port number.

      Use ldaps:// or ldap:// to connect to the remote server, for example, ldap.url=ldaps://LDAPserver.example.com:389.

    2. Type the authentication method that is used to access the LDAP server.

      Administrators can use the simple authentication method, for example, ldap.authentication=simple.

    3. Type the user name that has permissions to access the LDAP server.
      For example, ldap.userName=user.name.
    4. To authenticate to the remote LDAP server, type the encrypted LDAP user password for the user.
      For example, ldap.password=password.
    5. Type the base DN used to search the LDAP server for users.
      For example, ldap.basedn=BaseDN.
    6. Type a value to use for the search parameter filter in LDAP.

      For example, ldap.filterString=(&(objectclass=user)(samaccountname=%USER%)). When you hover over a user name in QRadar, the %USER% value is replaced by that user name.

  5. Type one or more attributes to display in the hover text.

    You must include at least one LDAP attribute. Each value must use this format: ldap.attributes.AttributeName=Descriptive text to show in UI.

  6. Verify that there is read-level permission for the ldap.properties configuration file.
  7. Log in to QRadar as an administrator.
  8. On the navigation menu, click Admin.
  9. Click Advanced > Restart Web Server.

Results

Administrators can hover over the Username field on the Log Activity tab and Offenses tab, or hover over the Last User field on the Assets tab (if available) to display more information about the LDAP user.
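
The following shell function is an added example, not IBM code. It checks an ldap.properties file against steps 4 to 6 of the procedure before the web server is restarted: required keys, the %USER% placeholder, at least one ldap.attributes entry, and file readability. The function names prop and check_ldap_properties are hypothetical, and the warning about simple authentication over ldap:// is an addition based on the fact that a simple bind sends the bind password without transport encryption.

```shell
#!/bin/sh
# Added example (not IBM code): sanity-check an ldap.properties file before
# restarting the web server. Prints findings; returns 1 if any ERROR is found.

# prop FILE KEY: print the value of the first "KEY=value" line (literal match).
prop() {
    awk -v k="$2" 'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }' "$1"
}

check_ldap_properties() {
    f=$1
    rc=0
    if [ ! -r "$f" ]; then
        echo "ERROR: $f is missing or not readable"
        return 1
    fi
    # Connection and search settings from step 4 of the procedure.
    for key in ldap.url ldap.authentication ldap.userName ldap.password \
               ldap.basedn ldap.filterString; do
        if [ -z "$(prop "$f" "$key")" ]; then
            echo "ERROR: $key is not set"
            rc=1
        fi
    done
    # The filter needs the %USER% placeholder to look up the hovered user name.
    case "$(prop "$f" ldap.filterString)" in
        *%USER%*) ;;
        *) echo "ERROR: ldap.filterString has no %USER% placeholder"; rc=1 ;;
    esac
    # Step 5: at least one ldap.attributes.AttributeName=Descriptive text line.
    if ! grep -Eq '^ldap\.attributes\.[^=]+=.+' "$f"; then
        echo "ERROR: no ldap.attributes.* entry"
        rc=1
    fi
    # A simple bind over plain ldap:// sends the bind password unencrypted.
    url=$(prop "$f" ldap.url)
    case "$url" in
        ldaps://*) ;;
        ldap://*)
            if [ "$(prop "$f" ldap.authentication)" = "simple" ]; then
                echo "WARN: simple bind over ldap:// is not encrypted; consider ldaps://"
            fi ;;
        *) echo "ERROR: ldap.url must start with ldap:// or ldaps://"; rc=1 ;;
    esac
    return $rc
}

# Usage: sh check_ldap.sh /opt/qradar/conf/ldap.properties
if [ "$#" -gt 0 ]; then check_ldap_properties "$1"; fi
```

The function never prints the value of ldap.password, so its output can be pasted into a change ticket.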