Configuring LDAP authentication

You can configure LDAP authentication on your IBM® QRadar® system.

Before you begin

If you plan to use SSL encryption or use TLS authentication with your LDAP server, you must import the SSL or TLS certificate from the LDAP server to the /opt/qradar/conf/trusted_certificates directory on your QRadar Console. For more information about configuring the certificates, see Configuring SSL or TLS certificates.

If you are using group authorization, you must configure a QRadar user role or security profile on the QRadar console for each LDAP group that is used by QRadar. Every QRadar user role or security profile must have at least one Accept group. The mapping of group names to user roles and security profiles is case-sensitive.

About this task

Authentication establishes proof of identity for any user who attempts to log in to the QRadar server. When a user logs in, the username and password are sent to the LDAP directory to verify whether the credentials are correct. To send this information securely, configure the LDAP server connection to use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption.

Authorization is the process of determining what access permissions a user has. Users are authorized to perform tasks based on their role assignments. You must have a valid bind connection to the LDAP server before you can select authorization settings.

The user base DN is where QRadar queries and finds users. Enable query permissions to allow your users to query against the user base DN.

User attribute values are case-sensitive. The mapping of group names to user roles and security profiles is also case-sensitive.

Procedure

  1. On the Admin tab, click Authentication.
  2. Click Authentication Module Settings.
  3. From the Authentication Module list, select LDAP.
  4. Click Add and complete the basic configuration parameters.

    There are three configuration types and each has specific requirements for the Server URL, SSL Connection, and TLS Authentication parameters:

    Secure LDAP (LDAPS)
    The Server URL parameter must use ldaps:// as the protocol and specify an LDAP over SSL encrypted port (typically 636), for example ldaps://ldap1.example.com:636.
    If you use the Global Catalog because you have multiple domains, use port 3269, for example ldaps://ldap1.example.com:3269.
    The SSL Connection parameter must be set to True and the TLS Authentication parameter must be set to False.
    LDAP with StartTLS
    The Server URL parameter must use ldap:// as the protocol and specify an unencrypted LDAP port that supports the StartTLS option (typically 389), for example ldap://ldap1.example.com:389.
    The SSL Connection parameter must be set to False and the TLS Authentication parameter must be set to True.
    TLS 1.2 using StartTLS is not the same as the LDAP SSL port.
    TLS Authentication does not support referrals, so Referral must be set to Ignore, and the LDAP server must contain the complete structure to search.
    Unencrypted
    An unencrypted LDAP configuration is not recommended.
    The Server URL parameter must use the ldap:// protocol and specify an unencrypted port (typically 389), for example ldap://ldap1.example.com:389.
    The SSL Connection parameter and the TLS Authentication parameter must both be set to False.
    Table 1. LDAP Basic Configuration parameters

    Repository ID
    The Repository ID is an alias for the User Base DN (distinguished name) that you use when you enter your login details, so that you do not have to type a long string. When you have more than one repository in your network, you can place the User Base DN before the user name, or you can use the shorter Repository ID.

    For example, if the User Base DN is CN=Users,DC=IBM,DC=com, you can create a repository ID such as UsersIBM as an alias for it, and then type the short repository ID UsersIBM instead of the complete User Base DN CN=Users,DC=IBM,DC=com.

    Figure 1. LDAP repository (the repository ID configured as an alias for the User Base DN)

    When you enter your user name on the login page, you can enter UsersIBM\<username>, using the Repository ID instead of typing the full User Base DN.

    Note: The Repository ID and User Base DN must be unique.

    Search entire base
    Select True to search all subdirectories of the specified Base DN (distinguished name).

    Select False to search only the immediate contents of the Base DN. The subdirectories are not searched. This search is faster than one that searches all subdirectories.

    LDAP User Field
    The user field identifier that you want to search on.

    You can specify multiple user fields in a comma-separated list to allow users to authenticate against any of those fields. For example, if you specify uid,mailid, a user can be authenticated by providing either their user ID or their mail ID.

    User Base DN
    The Distinguished Name (DN) of the node where the search for a user starts. The User Base DN becomes the start location for loading users. For performance reasons, make the User Base DN as specific as possible.

    For example, if all of your user accounts are in the Users folder on the directory server, and your domain name is ibm.com, the User Base DN value would be cn=Users,dc=ibm,dc=com.

    Referral
    Select Ignore or Follow to specify how referrals are handled.
  5. Under Connection Settings, select the type of bind connection.
    Table 2. LDAP bind connections

    Anonymous bind
    Use anonymous bind to create a session with the LDAP directory server that does not require you to provide authentication information.

    Authenticated bind
    Use authenticated bind when you want the session to require a valid user name and password combination. A successful authenticated bind authorizes the bind user to read the list of users and roles from the LDAP directory during the session. For increased security, ensure that the user ID that is used for the bind connection has no permissions other than reading the LDAP directory.

    Provide the Login DN and Password. For example, if the login name is admin and the domain is ibm.com, the Login DN would be cn=admin,dc=ibm,dc=com.

  6. Click Test connection to test the connection information.
    You must provide user information to authenticate against the user attributes that you specified in the LDAP User Field. If you specified multiple values in the LDAP User Field, you must provide user information to authenticate against the first attribute that is specified.
    Note: The Test connection function tests the ability of QRadar to read the LDAP directory, not whether you can log in to the directory.
  7. Select the authorization method to use.
    Table 3. LDAP authorization methods

    Local
    The user name and password combination is verified for each user that logs in, but no authorization information is exchanged between the LDAP server and the QRadar server. If you choose Local authorization, you must create each user on the QRadar console.

    User attributes
    Choose User Attributes when you want to specify which user role and security profile attributes are used to determine authorization levels.

    You must specify both a user role attribute and a security profile attribute. The attributes that you can use are retrieved from the LDAP server, based on your connection settings. User attribute values are case-sensitive.

    Group based
    Choose Group Based when you want users to inherit role-based access permissions after they authenticate with the LDAP server. The mapping of group names to user roles and security profiles is case-sensitive.
    Important: If you map an Active Directory group to the Admin user role, you must map the same Active Directory group to the Admin security profile, or the user will not be able to log in.
    Group base DN
    Specifies the start node in the LDAP directory for loading groups.
    For example, if all of your groups are on the directory server in the Groups folder, and your domain name is ibm.com, the Group Base DN value might be cn=Groups,dc=ibm,dc=com.
    Query limit enabled
    Sets a limit on the number of groups that are returned.
    Query result limit
    The maximum number of groups that are returned by the query. By default, the query results are limited to show only the first 1000 query results.
    By member
    Select By Member to search for groups based on the group members. In the Group Member Field box, specify the LDAP attribute that is used to define the users group membership.
    For example, if the group uses the memberUid attribute to determine group membership, type memberUid in the Group Member Field box.
    By query
    Select By Query to search for groups by running a query. You provide the query information in the Group Member Field and Group Query Field text boxes.
    For example, to search for all groups that have at least one memberUid attribute and that have a cn value that starts with the letter s, type memberUid in Group Member Field and type cn=s* in Group Query Field.
  8. If you specified Group Based authorization, click Load Groups and click the plus (+) or minus (-) icon to add or remove privilege groups.

    The user role privilege options control which QRadar components the user has access to. The security profile privilege options control the QRadar data that each user has access to.

    Note: Query limits can be set by selecting the Query Limit Enabled checkbox or the limits can be set on the LDAP server. If query limits are set on the LDAP server, you might receive a message that indicates that the query limit is enabled even if you did not select the Query Limit Enabled checkbox.
  9. Click Save.
  10. Click Manage synchronization to exchange authentication and authorization information between the LDAP server and the QRadar console.
    1. If you are configuring the LDAP connection for the first time, click Run Synchronization Now to synchronize the data.
    2. Specify the frequency for automatic synchronization.
    3. Click Close.
  11. Repeat the steps to add more LDAP servers, and click Save Authentication Module when complete.
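As an added example (not IBM or QRadar code), the following Python models the rules that step 4 gives for the three configuration types and for the Repository ID and LDAP User Field parameters, so that a planned configuration can be sanity-checked offline before it is entered on the Admin tab. The function and parameter names, the repositories dictionary and the sample values are the example's own assumptions; nothing here contacts an LDAP server.

```python
from urllib.parse import urlsplit

# RFC 4515 escaping for a value that is placed inside an LDAP search filter
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before it is used in a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def check_ldap_config(server_url: str, ssl_connection: bool,
                      tls_authentication: bool, referral: str) -> list:
    """Return the problems (empty list = consistent) for one LDAP basic configuration."""
    url = urlsplit(server_url)
    problems = []
    if url.scheme == "ldaps":
        # Secure LDAP (LDAPS): SSL Connection True, TLS Authentication False, port 636 (3269 for Global Catalog)
        if not ssl_connection or tls_authentication:
            problems.append("ldaps:// requires SSL Connection=True and TLS Authentication=False")
        if url.port not in (636, 3269):
            problems.append("LDAPS port is typically 636 (3269 for Global Catalog)")
    elif url.scheme == "ldap":
        if ssl_connection:
            problems.append("SSL Connection=True requires an ldaps:// URL")
        if tls_authentication and referral.lower() != "ignore":
            # LDAP with StartTLS: TLS Authentication does not support referrals
            problems.append("TLS Authentication requires Referral=Ignore")
        if not ssl_connection and not tls_authentication:
            problems.append("unencrypted LDAP is not recommended")
    else:
        problems.append("Server URL must use ldap:// or ldaps://")
    return problems


def user_search(ldap_user_field: str, login: str, repositories: dict, default_base_dn: str) -> tuple:
    """Resolve a login typed as 'RepositoryID\\user', 'UserBaseDN\\user' or a bare user name
    to (user base DN, search filter). ldap_user_field may be comma-separated, e.g. 'uid,mailid';
    repositories (assumed structure) maps each Repository ID to its User Base DN."""
    prefix, sep, name = login.rpartition("\\")
    base_dn = repositories.get(prefix, prefix) if sep else default_base_dn
    fields = [f.strip() for f in ldap_user_field.split(",") if f.strip()]
    # one equality term per configured user field, OR-ed together when there are several
    terms = "".join(f"({f}={escape_filter_value(name)})" for f in fields)
    return base_dn, terms if len(fields) == 1 else f"(|{terms})"


if __name__ == "__main__":
    print(check_ldap_config("ldap://ldap1.example.com:389", False, True, "Follow"))
    print(user_search("uid,mailid", "UsersIBM\\jsmith", {"UsersIBM": "CN=Users,DC=IBM,DC=com"}, "dc=ibm,dc=com"))
```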