Using LDAP groups for authentication

As an alternative to the standard authentication mechanism, you can use LDAP groups for authentication.

Important: If useLdapAuth is true, LDAP authentication is enabled for all users and it takes precedence. All of the users who log in to PowerSC GUI must be configured for LDAP group authentication.
  1. Set useLdapAuth to true.
    pscuiserverctl set useLdapAuth true
    useLdapAuth=true
  2. Optional: Use the ldapsearch command (when available) to examine the available LDAP attributes for PowerSC GUI administrators in your environment. For example:
    ldapsearch -x -b "dc=your-company,dc=com" -h hostname-your-company.com \
      -D "CN=JUser,OU=Users,OU=Company Offices,DC=your-company,DC=com" -W "(sn=juser)"
    Note: The ldapsearch man page and rfc4515.txt provide valuable reference information for LDAP search.
  3. Use setldapgroup to define a group name to check against. You can use the name of your choice. It can be, but does not have to be, an existing UNIX (AIX or Linux) group.

    The value you specify must exist in your LDAP environment and must identify all of the users who will use LDAP authentication. For example, assume that you create a group name of powersc_admin with a value of department=PowerSC Admin, where department=PowerSC Admin maps to an existing attribute in LDAP.

    pscuiserverctl setldapgroup powersc_admin "department=PowerSC Admin"
    powersc_admin=department=PowerSC Admin
  4. Add this group, powersc_admin in the example, to the logonGroupList, administratorGroupList, and endpoint list as appropriate.
    # pscuiserverctl set logonGroupList powersc_admin
    logonGroupList=powersc_admin
    
    # pscuiserverctl set administratorGroupList powersc_admin
    administratorGroupList=powersc_admin
    
    # pscuiserverctl setgroup powersc_admin [hostname]
    powersc_admin=hostname
  5. Use setldap to write the LDAP URL to the /etc/security/powersc/uiServer/ldap.conf.properties configuration file.

    To use SSL, first run the /opt/powersc/uiServer/bin/import_certificate.sh script to import the certificate of the LDAP server hostname into the PowerSC GUI server trusted store. Then, specify ldaps: in the URL.

    # pscuiserverctl setldap ldapServerUrl ldap://hostname.company.com
    ldapServerUrl=ldap://hostname.company.com
  6. Use setldap to write the logonAttributeName to the /etc/security/powersc/uiServer/ldap.conf.properties file.
    Note: The logonAttributeName must be the exact string userPrincipalName, not the value of the userPrincipalName attribute in LDAP.
    # pscuiserverctl setldap logonAttributeName userPrincipalName
    logonAttributeName=userPrincipalName
  7. Use setldap to write the BIND user name and password to the /etc/security/powersc/uiServer/passwords/ldapbindpw configuration file.
    Important: The password is stored in clear text. Protect this file from unauthorized access.
    # pscuiserverctl setldap binddn user@company.com
    binddn=user@company.com
    # pscuiserverctl setldap bindpw "password"
  8. When the user logs in, their user name must match their LDAP userPrincipalName.
  9. PowerSC authenticates to LDAP with the Bind user name and password.
  10. If PowerSC finds the user in LDAP using the userPrincipalName, it then checks whether the user is a member of the specified LDAP group.
  11. If the user is a member of the LDAP group, PowerSC checks the group against the logonGroupList, administratorGroupList, and endpoint list as appropriate.
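The following is an added example, not PowerSC code, that models the login decision described in steps 8 to 11 against an in-memory stand-in for the LDAP directory, using the page's example values (group powersc_admin defined as department=PowerSC Admin, logonGroupList, administratorGroupList and the endpoint list). It assumes that the setldapgroup definition is an attribute=value test evaluated on the user's LDAP entry, and it adds a small permission check for the clear-text ldapbindpw file from step 7, assuming owner-only access (mode 0600) is the intended protection, which the page does not state.

```python
"""Model of the PowerSC GUI LDAP group authentication flow (added example).

Not PowerSC code: the directory is a constructed in-memory dictionary, and the
bind step (step 9) is represented by a comment because no real LDAP server is
contacted. Configuration values are the ones used in the page's examples.
"""
import os
import stat
from dataclasses import dataclass, field

# Constructed stand-in for the LDAP directory: userPrincipalName -> attributes.
DIRECTORY = {
    "juser@company.com": {"sn": "juser", "department": "PowerSC Admin"},
    "bsmith@company.com": {"sn": "bsmith", "department": "Finance"},
}

# Values from the page's example configuration.
LDAP_GROUPS = {"powersc_admin": "department=PowerSC Admin"}  # setldapgroup
LOGON_GROUP_LIST = ["powersc_admin"]                         # logonGroupList
ADMINISTRATOR_GROUP_LIST = ["powersc_admin"]                 # administratorGroupList
ENDPOINT_GROUPS = {"powersc_admin": ["hostname"]}            # setgroup powersc_admin [hostname]
LOGON_ATTRIBUTE_NAME = "userPrincipalName"                   # logonAttributeName


@dataclass
class Decision:
    allowed: bool
    reason: str
    administrator: bool = False
    endpoints: list = field(default_factory=list)


def parse_group_filter(definition):
    """Split 'department=PowerSC Admin' into ('department', 'PowerSC Admin')."""
    attr, sep, value = definition.partition("=")
    if not sep or not attr or not value:
        raise ValueError(f"group definition must be attribute=value: {definition!r}")
    return attr, value


def find_user(login_name, directory=DIRECTORY):
    """Step 8/10: the login name must exactly match the user's userPrincipalName."""
    return directory.get(login_name)


def user_in_ldap_group(entry, group_name, ldap_groups=LDAP_GROUPS):
    """Assumption: membership means the entry carries the configured attribute value."""
    attr, value = parse_group_filter(ldap_groups[group_name])
    return entry.get(attr) == value


def authorize(login_name, directory=DIRECTORY):
    """Steps 8-11, in the order the page gives them."""
    # Step 9: PowerSC binds with binddn/bindpw here; omitted in this offline model.
    entry = find_user(login_name, directory)
    if entry is None:
        return Decision(False, f"no entry with {LOGON_ATTRIBUTE_NAME}={login_name}")
    member_of = [g for g in LDAP_GROUPS if user_in_ldap_group(entry, g)]
    if not member_of:
        return Decision(False, "user is not a member of any configured LDAP group")
    logon_groups = [g for g in member_of if g in LOGON_GROUP_LIST]
    if not logon_groups:
        return Decision(False, "LDAP group is not in logonGroupList")
    admin = any(g in ADMINISTRATOR_GROUP_LIST for g in member_of)
    endpoints = sorted({h for g in member_of for h in ENDPOINT_GROUPS.get(g, [])})
    return Decision(True, "member of " + ",".join(logon_groups), admin, endpoints)


def mode_is_protected(mode):
    """True when no group or other permission bits are set (e.g. 0600)."""
    return stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO) == 0


def bind_password_file_is_protected(path):
    """Step 7 caveat: ldapbindpw holds a clear-text password. Assumption: owner-only
    permissions are the intended protection; the page names no specific mode."""
    return mode_is_protected(os.stat(path).st_mode)


if __name__ == "__main__":
    for name in ("juser@company.com", "bsmith@company.com", "nobody@company.com"):
        print(name, authorize(name))
    print("0600 protected:", mode_is_protected(0o600), "| 0644 protected:", mode_is_protected(0o644))
```

Running the module prints one decision per constructed user; only juser@company.com, whose entry carries department=PowerSC Admin, is allowed, and it gets administrator rights and the endpoint list because powersc_admin appears in all three lists.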