You create an LDAP properties configuration file to display LDAP user information as
hover text. This configuration file queries the LDAP database for LDAP user information that is
associated with events, offenses, or assets (if
available).
Before you begin
The web server must be restarted after the LDAP properties
is created. Consider scheduling this task during a maintenance window
when no active users are logged in to the system.
About this task
The following example lists properties that
you can add to an ldap.properties configuration
file.
ldap.url=ldap://LDAPserver.example.com:389
ldap.authentication=simple
ldap.userName=user.name
ldap.password=your.encrypted.password
ldap.basedn=O=IBM,C=US
ldap.filterString=(&(objectclass=user)(samaccountname=%USER%))
ldap.attributes.displayName=Name
ldap.attributes.email=Email
ldap.attributes.employeeID=EmployeeID
ldap.attributes.department=Department
Procedure
-
Use SSH to log in to IBM®
QRadar®
as a root user.
-
To obtain an encrypted LDAP user password, run the following perl
script:
perl -I /opt/qradar/lib/Q1/ -e 'print "Password: ";my $password = <>;
$password =~ s/\n$//;use auCrypto; print Q1::auCrypto::encrypt ($password)'
-
Use a text editor to create the
/opt/qradar/conf/ldap.properties configuration
file.
-
Specify the location and authentication information to
access the remote LDAP server.
-
Specify the URL of the LDAP server and the port number.
Use ldaps:// or ldap:// to
connect to the remote server, for example, ldap.url=ldaps://LDAPserver.example.com:389.
-
Type the authentication method that is used to access
the LDAP server.
Administrators can use the simple
authentication method, for example,
ldap.authentication=simple
.
-
Type the user name that has permissions to access the LDAP server.
For example, ldap.userName=user.name
.
-
To authenticate to the remote LDAP server, type the encrypted LDAP user password for the user.
For example, ldap.password=password
.
-
Type the base DN used to search the LDAP server for users.
For example, ldap.basedn=BaseDN
.
-
Type a value to use for the search parameter filter
in LDAP.
For example, in QRadar,
when you hover over
ldap.filterString=(&(objectclass=user)(samaccountname=%USER%))
, the
%USER%
value is replaced by the user name.
-
Type one or more attributes to display in the hover text.
You must include at least one LDAP attribute.
Each value must use this format: ldap.attributes.AttributeName=Descriptive
text to show in UI.
-
Verify that there is read-level permission for the
ldap.properties configuration
file.
-
Log in to QRadar as
an administrator.
-
On
the navigation menu ( ), click
Admin.
-
Click .
Results
Administrators can hover over the Username field on the
Log Activity tab and
Offenses tab, or hover over the Last User field
on the Assets tab (if available) to display more information about the LDAP
user.