Using LDAP groups for authentication
As an alternative to the standard authentication mechanism, you can use LDAP groups for authentication. The following steps are run with the pscuiserverctl command on the PowerSC GUI server.
-
Set useLdapAuth to true.
# pscuiserverctl set useLdapAuth true
useLdapAuth=true
- Optional:
Use the ldapsearch command (when available) to examine the available LDAP attributes for PowerSC GUI administrators in your environment. For example:
ldapsearch -x -b "dc=your-company,dc=com" -h hostname-your-company.com -D "CN=JUser,OU=Users,OU=Company Offices,DC=your-company,DC=com" -W "(sn=juser)"
Newer OpenLDAP clients take the server as a URI (-H ldaps://hostname-your-company.com) instead of -h hostname.
Note: The ldapsearch man page and RFC 4515 (rfc4515.txt) provide valuable reference information for LDAP search filters.
-
Use setldapgroup to define a group name to check against. You can use the name of your choice; it can be, but does not have to be, an existing UNIX (AIX or Linux) group.
The value you specify must exist in your LDAP environment and must identify all of the users who will use LDAP authentication. For example, assume that you create a group named powersc_admin with the value department=PowerSC Admin, where department=PowerSC Admin maps to an existing attribute and value in LDAP:
# pscuiserverctl setldapgroup powersc_admin "department=PowerSC Admin"
powersc_admin=department=PowerSC Admin
-
Add this group, powersc_admin in the example, to the logonGroupList, administratorGroupList, and endpoint list as appropriate.
# pscuiserverctl set logonGroupList powersc_admin
logonGroupList=powersc_admin
# pscuiserverctl set administratorGroupList powersc_admin
administratorGroupList=powersc_admin
# pscuiserverctl setgroup powersc_admin [hostname]
powersc_admin=hostname
-
Use setldap to write the /etc/security/powersc/uiServer/ldap.conf.properties configuration file with an LDAP URL.
To use SSL/TLS, first run the /opt/powersc/uiServer/bin/import_certificate.sh script to import the certificate of the LDAP server hostname into the PowerSC GUI server trusted store. Then specify ldaps: in the URL. With a plain ldap: URL, the bind credentials and the password of every user who logs in cross the network in clear text, so the ldap: form shown below is suitable only for testing.
# pscuiserverctl setldap ldapServerUrl ldap://hostname.company.com
ldapServerUrl=ldap://hostname.company.com
-
Use setldap to write the /etc/security/powersc/uiServer/ldap.conf.properties file with the logonAttributeName.
Note: The logonAttributeName must be the exact string userPrincipalName (the attribute name), not the value of userPrincipalName in LDAP.
# pscuiserverctl setldap logonAttributeName userPrincipalName
logonAttributeName=userPrincipalName
-
Use setldap to write the /etc/security/powersc/uiServer/passwords/ldapbindpw configuration file with the BIND user name and password.
Important: The password is stored in clear text. Protect this file from unauthorized access: make it readable only by the account that runs the PowerSC GUI server, and use a dedicated bind account that has only the read access it needs rather than an administrator's credentials.
# pscuiserverctl setldap binddn user@company.com
binddn=user@company.com
# pscuiserverctl setldap bindpw "password"
- When the user logs in, their user name must match their LDAP userPrincipalName.
- PowerSC authenticates to LDAP with the Bind user name and password.
- If PowerSC finds the user in LDAP using the userPrincipalName, it then checks whether the user is a member of the specified LDAP group.
- If the user is a member of the LDAP group, PowerSC checks the group against the logonGroupList, administratorGroupList, and endpoint list as appropriate.
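The following Python script, added here as an example and not part of the PowerSC product or IBM's documentation, ties the procedure above to the login flow just described: it audits the settings the setldap steps write (an ldaps URL, the literal attribute name userPrincipalName, a bind DN, and the mode of the ldapbindpw file) and then walks the documented decision path for a login against constructed directory entries. It assumes that ldap.conf.properties is a plain key=value file holding the keys named above, that group definitions take the name=attribute=value form that setldapgroup echoes, and that membership in such a group means the user's entry carries that attribute value; the directory entries, file contents and group/role lists are constructed for the example.

```python
"""Added example: audit the PowerSC GUI LDAP settings and replay the login flow.

Not IBM code. Assumed: ldap.conf.properties is key=value text, group
definitions are name=attribute=value, and group membership means the user's
LDAP entry carries that attribute value.
"""
import os
import re
import stat
from urllib.parse import urlparse

# Keys written by "pscuiserverctl setldap <key> <value>" in the procedure.
REQUIRED_KEYS = ("ldapServerUrl", "logonAttributeName", "binddn")
_ATTR_VALUE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)=(.+)$")

# Constructed sample of ldap.conf.properties (assumed layout).
SAMPLE_PROPERTIES = """\
# constructed sample, not a real server's file
ldapServerUrl=ldaps://hostname.company.com
logonAttributeName=userPrincipalName
binddn=user@company.com
"""

# Constructed directory entries (attribute -> list of values), not real data.
SAMPLE_DIRECTORY = [
    {"userPrincipalName": ["juser@company.com"], "sn": ["juser"],
     "department": ["PowerSC Admin"]},
    {"userPrincipalName": ["ops@company.com"], "department": ["Operations"]},
]


def parse_properties(text):
    """Parse key=value lines, skipping blanks and #/! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_ldap_properties(props):
    """Return a list of findings; an empty list means the settings pass."""
    findings = []
    for key in REQUIRED_KEYS:
        if not props.get(key):
            findings.append("%s is not set" % key)
    url = props.get("ldapServerUrl", "")
    if url and urlparse(url).scheme.lower() != "ldaps":
        findings.append("ldapServerUrl %r is not ldaps://; bind and user "
                        "passwords would cross the network in clear text" % url)
    if props.get("logonAttributeName") and props["logonAttributeName"] != "userPrincipalName":
        findings.append("logonAttributeName must be the literal string userPrincipalName")
    return findings


def audit_bindpw_mode(mode):
    """Flag a clear-text bind-password file that group or others can read."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return ["ldapbindpw mode %04o is accessible to group/others; expected 0600" % mode]
    return []


def audit_bindpw_file(path):
    """Same check against a real file, e.g. the ldapbindpw path from the procedure."""
    return audit_bindpw_mode(stat.S_IMODE(os.stat(path).st_mode))


def parse_group_definition(definition):
    """'powersc_admin=department=PowerSC Admin' -> (name, attribute, value).
    Only the first '=' separates the group name from its LDAP attribute=value."""
    name, sep, rest = definition.partition("=")
    match = _ATTR_VALUE.match(rest)
    if not sep or not name or not match:
        raise ValueError("expected name=attribute=value, got %r" % definition)
    return name, match.group(1), match.group(2)


SAMPLE_GROUPS = [parse_group_definition("powersc_admin=department=PowerSC Admin")]


def find_user(directory, attribute, login_name):
    """Simulate the search done after the bind: the entry whose logon attribute
    (userPrincipalName) equals the name typed at login, or None."""
    for entry in directory:
        if login_name in entry.get(attribute, []):
            return entry
    return None


def authorize(login_name, directory, props, groups, logon_groups, admin_groups):
    """Mirror the documented flow: UPN lookup, LDAP group check, then the
    logonGroupList / administratorGroupList mapping. Returns the set of roles
    granted, or None when the user is unknown or in no configured group."""
    entry = find_user(directory, props["logonAttributeName"], login_name)
    if entry is None:
        return None
    roles = set()
    for group_name, attribute, value in groups:
        if value not in entry.get(attribute, []):   # assumed membership test
            continue
        if group_name in logon_groups:
            roles.add("logon")
        if group_name in admin_groups:
            roles.add("administrator")
    return roles or None


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print("config findings:", audit_ldap_properties(props) or "none")
    for name in ("juser@company.com", "ops@company.com"):
        print(name, "->", authorize(name, SAMPLE_DIRECTORY, props, SAMPLE_GROUPS,
                                     {"powersc_admin"}, {"powersc_admin"}))
```

On a real server, point audit_bindpw_file at /etc/security/powersc/uiServer/passwords/ldapbindpw and parse_properties at the contents of ldap.conf.properties; the authorize function is only a model of the documented decision order, not the product's code, and is useful for reasoning about which group value and role lists a new administrator needs before you change them.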