Authentication Settings
The Authentication Settings page enables you to configure how SevOne NMS users authenticate to the application through an LDAP server. The System Authentication tab enables you to upload security certificates.
To access the Authentication Settings page from the navigation bar, click the Administration menu, select Access Configuration, and then select Authentication Settings.
LDAP
The LDAP subtab enables you to configure communication with the LDAP protocol authentication server.
LDAP refers to the Lightweight Directory Access Protocol. It is an industry standard application protocol for accessing and maintaining distributed directory information services over the IP network. Using LDAP, organizations can maintain centralized directories of users, groups, systems, networks, services, etc. Various distributed applications use LDAP to authenticate against those directories.
An LDAP directory is organized as a tree with three kinds of element:
- Trunk
- Branches
- Leaves
The trunk is the directory root. It will most likely be named after a domain. For example, if your domain is example.com, the root of your directory would be named dc=example, dc=com. The branches of the trunk are organizational units. If your organization has multiple sites, you might have an organizational unit, or ou, for each site. For example, you could have one ou for California, another one for Texas, and another for Pennsylvania and as many ou’s as you wish.
Just as an individual branch can have its own branches, an ou can have, or contain, its own ou’s. The ou’s mentioned above might each contain three subordinate ou’s: Users ou, a Groups ou, and a Machines ou. These ou’s can also contain ou’s, but they do not have to. The Users ou, for instance, might just contain the users for that location. The actual user entries would be considered leaves because they cannot contain any subordinate entries.
Keeping accounts in a central directory brings:
- Increased ease of administration and maintenance
- Flexible application of security policies and access controls
- Scalability
- Simplified resource sharing
Common systems that provide implementations of LDAP include Microsoft Active Directory, the open source OpenLDAP project, and the Oracle Internet Directory product line.
SevOne NMS supports LDAP authentication for individual users and LDAP group synchronization for Active Directory and OpenLDAP. Group synchronization runs once per hour. Each synchronized LDAP group becomes a user role in SevOne NMS. Do not add users to such a role manually: the next synchronization may remove the user from the role and/or delete the user from SevOne NMS.
During synchronization the following LDAP attributes populate the SevOne NMS user fields:
- givenname -> Given Name
- sn -> Surname
- mail -> Email
Perform the following steps to manage LDAP authentication.
LDAP Servers

- In the LDAP Servers section, click Add Server above the server list, or click the edit icon next to an existing server, to display the Add/Edit LDAP Server pop-up.

- In the Server field, enter the host name or IP address of the LDAP server. If you intend to use StartTLS or LDAPS with certificate verification, enter the host name exactly as it appears in the server certificate (Common Name or subject alternative name); an IP address fails verification unless the certificate also lists that IP.
- In the Port field, enter the network port of the LDAP server. The default port for LDAP, with or without StartTLS, is 389. The default port for LDAPS is 636; the LDAPS option is marked deprecated in this release (see the Encryption setting below).
- In the Bind DN field, enter the distinguished name of the account SevOne NMS uses to authenticate to the directory. This account must be authorized to search the subtree under the Base DN you enter below; whatever that account can read, SevOne NMS can read, so use a dedicated read-only account rather than an administrator.
Note: Example: Bind DN
CN=SevOne Bind,OU=Public Users and Groups 01,DC=itl-pub-ad01,DC=sevitlab,DC=net
- In the Bind Password field, enter the password for the Bind DN you entered in the previous step. Leave it empty only if the directory permits an anonymous (unauthenticated) bind to search the Base DN; Active Directory does not allow this by default.
- In the Confirm Password field, reenter the bind password.
- In the Base DN field, enter the base distinguished name (DN) on which to perform the LDAP queries. For standard configuration, the top level of the LDAP directory tree is the base, referred to as the base DN from which a search starts.
Note: Example: Base DN
DC=itl-pub-ad01,DC=sevitlab,DC=net
- In the Username Field, enter the name of the LDAP attribute whose value is the login name a user types into SevOne NMS; its value must be unique within the Base DN. For Active Directory, sAMAccountName is the suggested attribute; OpenLDAP directories normally use uid.
- Click the Encryption drop-down.

- Select No Encryption to not use encryption.
- Select StartTLS to use StartTLS. StartTLS secures the LDAP credentials and data. StartTLS is sometimes referred to as the TLS upgrade operation because it upgrades a normal LDAP connection to a connection that is protected by TLS/SSL.
- Select SSL (LDAPS, dep) to use LDAP over SSL/TLS (LDAPS). LDAPS wraps the whole session in TLS from the first byte instead of upgrading a plain connection, and is denoted in LDAP URLs by the "ldaps" scheme (default port 636). It was the usual way to secure LDAPv2 and is marked deprecated ("dep") in this release along with LDAPv2; StartTLS is the preferred option. Either option protects the bind credentials and directory data in transit, but only if the server certificate is verified (see Settings below).
- Click Save.
- Repeat to add additional servers.
- In the server list, the StartTLS column and the SSL column enable you to change the related settings.
- Click the test icon in the Actions column to test the connection to the LDAP server.
Standard LDAP Configuration
SevOne NMS 6.x System Administration Guide
The LDAP database settings are available from the command line interface and are not exposed in the SevOne NMS graphical user interface.
By default, SevOne NMS is delivered with the following rows in the settings table.
- Using ssh, log in to the SevOne NMS appliance as root.

```
$ ssh root@<NMS appliance>
```

- Enter the following command to see what the database looks like for a standard NMS LDAP setup.

```
$ mysqldata -e "select * from settings where setting like '%ldap%';"
+-------------------------+-------------------------------------------------------------+
| setting                 | value                                                       |
+-------------------------+-------------------------------------------------------------+
| ldap_never_cert         | 0                                                           |
| ldap_group_criteria     | (|(groupType=*)(objectClass=group)(objectClass=posixGroup)) |
| ldap_possible_members   | member,memberuid                                            |
| ldap_member_criteria    | user,posixAccount                                           |
| ldap_subgroup_criteria  | group,posixGroup                                            |
| ldap_member_criteria_ad | (|(objectClass=user)(objectCategory=person))                |
+-------------------------+-------------------------------------------------------------+
```

Important: Please make a note of the following values:
- (|(groupType=*)(objectClass=group)(objectClass=posixGroup)) returned for setting ldap_group_criteria.
- (|(objectClass=user)(objectCategory=person)) returned for setting ldap_member_criteria_ad.
If any changes are made to these database entries, the changes can be verified using the following LDAP search commands with your specified changes.
- LDAP search can be performed on Groups or Users.
LDAP-search for GROUPS
Run the following, where the filter is the ldap_group_criteria value returned by the mysqldata command for the standard NMS LDAP setup above. Note that the examples pass the bind password with -w on the command line, which exposes it in the process list and shell history; in practice use -W to be prompted for it.

```
$ ldapsearch -H ldap://<LDAP server>:<port number> \
    -b "<Base DN>" \
    -D "<Bind DN>" \
    -w '<password for the Bind DN>' "<ldap_group_criteria>" -L
```

Example: for group 'Group A-M', where Michelle Doe, Edward Doe, Brad Doe, and Aaron Doe are the users in Group A-M.

```
$ ldapsearch -H ldap://itl-pub-ad01.sevitlab.net:389 \
    -b "DC=itl-pub-ad01,DC=sevitlab,DC=net" \
    -D "CN=SevOne Bind,OU=Public Users and Groups 01,DC=itl-pub-ad01,DC=sevitlab,DC=net" \
    -w 'sevoneldap' "(|(groupType=*)(objectClass=group)(objectClass=posixGroup))" -L
...
# Group A-M, Public Users and Groups 01, itl-pub-ad01.sevitlab.net
dn: CN=Group A-M,OU=Public Users and Groups 01,DC=itl-pub-ad01,DC=sevitlab,DC=net
objectClass: top
objectClass: group
cn: Group A-M
member: CN=Michelle Doe,OU=Public Users and Groups 01,DC=itl-pub-ad01,DC=sevit
 lab,DC=net
...
member: CN=Edward Doe,OU=Public Users and Groups 01,DC=itl-pub-ad01,DC=sevitla
 b,DC=net
...
member: CN=Brad Doe,OU=Public Users and Groups 01,DC=itl-pub-ad01,DC=sevitlab,
 DC=net
...
member: CN=Aaron Doe,OU=Public Users and Groups 01,DC=itl-pub-ad01,DC=sevitlab
 ,DC=net
distinguishedName: CN=Group A-M,OU=Public Users and Groups 01,DC=itl-pub-ad01,
 DC=sevitlab,DC=net
instanceType: 4
whenCreated: 20150630232826.0Z
whenChanged: 20150701135404.0Z
uSNCreated: 12740
uSNChanged: 20927
name: Group A-M
objectGUID:: Ufjdj9pv6Uul+UyW1eG+UA==
objectSid:: AQUAAAAAAAUVAAAAh4KcDHX6ddRUL+l8UAQAAA==
sAMAccountName: Group A-M
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=itl-pub-ad01,DC=sevitla
 b,DC=net
dSCorePropagationData: 16010101000000.0Z
...
```

Lines that begin with a single space are LDIF continuation lines: ldapsearch wraps long values, so the split DNs above are one value each. For the standard configuration, sAMAccountName is the attribute used in the Username Field; it uniquely identifies the entry for login purposes, while the entry itself is identified by its distinguished name (the dn and distinguishedName values above).
In the example above, the sAMAccountName for Group A-M is Group A-M.
LDAP-search for USERS
Run the following, where the filter is the ldap_member_criteria_ad value returned by the mysqldata command for the standard NMS LDAP setup above (the same caveat about -w applies).

```
$ ldapsearch -H ldap://<LDAP server>:<port number> \
    -b "<Base DN>" \
    -D "<Bind DN>" \
    -w '<password for the Bind DN>' "<ldap_member_criteria_ad>" -L
```

Example: for user 'Edward Doe'. For the standard configuration, sAMAccountName is the attribute used as the username; the entry is identified by its distinguished name.

```
$ ldapsearch -H ldap://itl-pub-ad01.sevitlab.net:389 \
    -b "DC=itl-pub-ad01,DC=sevitlab,DC=net" \
    -D "CN=SevOne Bind,OU=Public Users and Groups 01,DC=itl-pub-ad01,DC=sevitlab,DC=net" \
    -w 'sevoneldap' "(|(objectClass=user)(objectCategory=person))" -L
...
# Edward Doe, Public Users and Groups 01, itl-pub-ad01.sevitlab.net
dn: CN=Edward Doe,OU=Public Users and Groups 01,DC=itl-pub-ad01,DC=sevitlab,DC
 =net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Edward Doe
sn: Doe
c: EN
givenName: Edward
initials: ED
distinguishedName: CN=Edward Doe,OU=Public Users and Groups 01,DC=itl-pub-ad01
 ,DC=sevitlab,DC=net
instanceType: 4
whenCreated: 20150630234233.0Z
whenChanged: 20150630234233.0Z
displayName: Doe,ED Edward
uSNCreated: 20624
memberOf: CN=Group A-M,OU=Public Users and Groups 01,DC=itl-pub-ad01,DC=sevitl
 ab,DC=net
uSNChanged: 20630
name: Edward Doe
objectGUID:: jFD3wo4Ruk2MPY3/inMOHg==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 130801813536586777
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAh4KcDHX6ddRUL+l8YgQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: msad-edward
sAMAccountType: 805306368
userPrincipalName: msad-edward@itl-pub-ad01.sevitlab.net
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=itl-pub-ad01,DC=sevitl
 ab,DC=net
dSCorePropagationData: 20150630234233.0Z
dSCorePropagationData: 16010101000000.0Z
manager: CN=Manager Dude,OU=Public Users and Groups 01,DC=itl-pub-ad01,DC=sevi
 tlab,DC=net
...
```

In the example above, the sAMAccountName for user Edward Doe is msad-edward, which is the username (login name), and the memberOf value ties the user to Group A-M.
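The following POSIX shell script is an added example and is not SevOne code or documentation. It shows two things a practitioner checks behind the group and user searches above: how to build the per-user lookup by combining ldap_member_criteria_ad with the Username Field attribute without letting a typed login name alter the filter (LDAP filter injection), and how to read the LDIF that ldapsearch returns, which folds long DNs across lines (the split DC=sevitl / ab,DC=net values above), to confirm the login attribute and the group membership. The host, the DNs and the LDIF records are constructed from the page's example; nothing in it contacts a server.

```shell
#!/bin/sh
# Added example, not SevOne code. Builds the per-user lookup the appliance
# needs from the standard filters and reads the LDIF that ldapsearch returns.
# Host, DNs and the LDIF records below are constructed from the page's example.

# Escape a value for use inside an LDAP search filter (RFC 4515). Without
# this a typed login name such as  *)(sAMAccountName=*  would widen the
# per-user lookup into a wildcard match (LDAP filter injection).
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Per-user filter: ldap_member_criteria_ad AND the Username Field attribute.
user_filter() {
    # $1 = attribute in the Username Field (sAMAccountName), $2 = login name
    printf '(&(|(objectClass=user)(objectCategory=person))(%s=%s))' \
        "$1" "$(ldap_filter_escape "$2")"
}

# The ldapsearch command for that lookup. -ZZ demands a successful StartTLS
# upgrade (fails closed); -W prompts for the bind password instead of exposing
# it in the process list and shell history as -w '...' does.
user_lookup_cmd() {
    # $1 host, $2 port, $3 base DN, $4 bind DN, $5 attribute, $6 login name
    printf "ldapsearch -LLL -ZZ -H ldap://%s:%s -b '%s' -D '%s' -W '%s' sAMAccountName memberOf\n" \
        "$1" "$2" "$3" "$4" "$(user_filter "$5" "$6")"
}

# Unfold LDIF: a line beginning with one space continues the previous line.
# ldapsearch wraps values this way, so a plain grep for a full DN misses them.
ldif_unfold() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" }
         { printf "%s", $0 }
         END { printf "\n" }'
}

# First value of one attribute (case-insensitive name) from unfolded LDIF.
ldif_attr() {
    awk -v a="$1" 'index(tolower($0), tolower(a) ": ") == 1 {
                       sub(/^[^:]*: /, ""); print; exit }'
}

# Login name SevOne NMS will use for a user entry.
login_name() {
    printf '%s\n' "$1" | ldif_unfold | ldif_attr sAMAccountName
}

# Exit 0 if the user entry's DN is listed as a member of the group entry.
# DNs are compared case-insensitively: AD returns them as created, which need
# not match the case typed into the SevOne configuration.
user_in_group() {
    # $1 = user LDIF, $2 = group LDIF (both as returned by ldapsearch)
    user_dn=$(printf '%s\n' "$1" | ldif_unfold | ldif_attr dn | tr 'A-Z' 'a-z')
    [ -n "$user_dn" ] || return 2
    printf '%s\n' "$2" | ldif_unfold | awk -v dn="$user_dn" '
        tolower(substr($0, 1, 8)) == "member: " && tolower(substr($0, 9)) == dn { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed records, folded exactly as ldapsearch prints them.
USER_LDIF='dn: CN=Edward Doe,OU=Public Users and Groups 01,DC=itl-pub-ad01,DC=sevitlab,DC
 =net
objectClass: user
cn: Edward Doe
memberOf: CN=Group A-M,OU=Public Users and Groups 01,DC=itl-pub-ad01,DC=sevitl
 ab,DC=net
sAMAccountName: msad-edward'
GROUP_LDIF='dn: CN=Group A-M,OU=Public Users and Groups 01,DC=itl-pub-ad01,DC=sevitlab,DC=net
objectClass: group
cn: Group A-M
member: CN=Michelle Doe,OU=Public Users and Groups 01,DC=itl-pub-ad01,DC=sevit
 lab,DC=net
member: CN=Edward Doe,OU=Public Users and Groups 01,DC=itl-pub-ad01,DC=sevitla
 b,DC=net
sAMAccountName: Group A-M'
OTHER_LDIF='dn: CN=Nobody,OU=Public Users and Groups 01,DC=itl-pub-ad01,DC=sevitlab,DC=net
objectClass: user
sAMAccountName: msad-nobody'

# Stand-alone demo.
user_lookup_cmd itl-pub-ad01.sevitlab.net 389 'DC=itl-pub-ad01,DC=sevitlab,DC=net' \
    'CN=SevOne Bind,OU=Public Users and Groups 01,DC=itl-pub-ad01,DC=sevitlab,DC=net' \
    sAMAccountName 'msad-edward'
printf 'escaped hostile login: %s\n' "$(ldap_filter_escape 'msad*)(sAMAccountName=*')"
if user_in_group "$USER_LDIF" "$GROUP_LDIF"; then
    printf '%s is a member of Group A-M\n' "$(login_name "$USER_LDIF")"
fi
```

The escaping matters because the appliance, or any script you write around it, looks a user up by interpolating the typed login name into a filter; the LDIF unfolding matters because the DN comparison that decides group membership fails silently if either side still carries the wrap.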
Synchronized Groups
From SevOne NMS > Administration > Access Configuration > Authentication Settings > User Authentication tab, choose LDAP and add an LDAP server as described in the LDAP Servers section above. In the Synchronized Groups section, click the Group drop-down and select the LDAP group, shown as the server name followed by the group name, whose members you want to synchronize.

If no group is available, add a group; please refer to section Add Group below. Once you have added a group, you will see itl-pub-ad01.sevitlab.net Group A-M, for example, in the Group drop-down list.

Select group itl-pub-ad01.sevitlab.net Group A-M and it will list all the users in Group A-M.

LDAP groups are the equivalent of SevOne NMS user roles.
Since group itl-pub-ad01.sevitlab.net Group A-M is selected from Group drop-down list, all users assigned to Group A-M are added to Administration > Access Configuration > User Manager. For example, msad-michelle, msad-edward, msad-brad, msad-aaron, etc.
From SevOne NMS > Administration > Access Configuration > User Role Manager > under Roles in left navigation bar, you will now see LDAP and it contains group Group A-M under All Roles > System Administrators > Administrators. Click LDAP and in the right pane, tab Permissions > you can set the desired permissions. The permissions set will apply to all group(s) available under LDAP.
Each hourly synchronization does the following:
- Create or delete User Roles within the LDAP folder hierarchy for any LDAP groups present during the sync.
- Create new user accounts for any users present in the LDAP groups.
- Add or remove User Roles on individual user accounts based on their LDAP group assignment.
Add Group
- If the group you are looking for does not appear, click Add Group to display the Add Group pop-up.

- Click the LDAP Server drop-down and select a server. For example, LDAP server, itl-pub-ad01.sevitlab.net.
- In the Search field, enter at least one letter to filter the search results and press Enter.
- In the list of groups, click the + next to the group name to display the group members.
- Select the check box for each group to add. For example, Group A-M.
- Click Add to add the groups you select.
- Click on Delete Selected to remove the group that is currently displayed in the Group: input box. Use the down arrow to select any group you wish to delete. All users that are only assigned to this group will be deleted. Users that have other group memberships will be retained.
Settings
In the Settings section, click the Guest User drop-down and select the guest user to provide permissions for anyone who logs on with a valid LDAP ID but no SevOne NMS account.

- Select the Ignore SSL/TLS Certificates check box to skip verification of the LDAP server's certificate. This is not recommended: without verification, any host that can intercept the connection can present its own certificate, impersonate the directory, and capture the bind password and the passwords of every user who logs in. Use it only as a temporary diagnostic step and upload the CA root certificate on the System Authentication tab instead. If you change this setting, you must contact SevOne Support for it to properly take effect.
Click Save LDAP Settings.
System Authentication
The System Authentication tab enables you to upload security certificates. SevOne NMS uses authentication certificates for LDAP. You also need to upload a certificate if you want to use the HTTP plugin and/or the Web Status plugin with a log on via https. You must upload the CA Root Certificates to enable SevOne NMS to communicate with an LDAP server that has certificates that are signed by an unknown CA. The certificates must be base64-encoded PEM files. It can take up to fifteen minutes for a certificate to synchronize across your SevOne cluster.

- Click Add Certificate to display the Upload SSL/TLS Root Certificate pop-up.

- Click the browse icon to locate and select the certificate.
- Click Upload to upload the certificate.
Certificate Information
- Common Name - The hostname that the certificate is associated with.
- Organization - The organization that the certificate is associated with.
- ValidityFrom - The date and time from which the certificate is valid.
- ValidityTo - The date and time at which the certificate stops being valid.
- Version - The certificate version number.
- SerialNumber - The certificate's serial number.
Troubleshooting
Check the basics
It is a good idea to start with the basics. If you have added a server and the connection test has failed, double-check that all the basic settings are correct. Select the server in question and click the edit icon to display the Edit LDAP Server pop-up. Check line-by-line to confirm that the information in the fields is accurate. If you used a bind password, try reentering it to see if that fixes the problem.
You uploaded a certificate, and the server connection test fails when using StartTLS or SSL
There are a few possibilities here:
- The newly uploaded certificate may not have taken effect yet. Certificates can take several minutes to synchronize across the cluster; wait a few minutes and try again. If that does not work, proceed to the next step.
- Something went wrong during the upload. Upload the certificate again and wait about five minutes for it to take effect. If that does not work, proceed to step 3.
- There is a problem with the certificate itself. Confirm that the file is a base64-encoded PEM certificate, that it is the CA root (or intermediate) that actually signed the LDAP server's certificate rather than the server certificate or an unrelated CA, that it is within its validity period, and that the host name in the Server field matches the server certificate's Common Name or a subject alternative name. If the file fails any of these checks, or is corrupted, obtain a good copy of the certificate file, upload it, and again allow about five minutes for it to take effect.
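The following POSIX shell script is an added example, not part of SevOne's documentation or code. It collects the checks behind the System Authentication tab, the Ignore SSL/TLS Certificates setting and the troubleshooting steps above: whether a file is the base64 PEM the upload requires, what its Common Name and validity are, and whether the LDAP server's certificate actually verifies against it over StartTLS. File names and host names are assumptions; only the PEM format check runs offline, and the other functions need ldapsearch and openssl (1.1.1 or later for -starttls ldap) plus a reachable server.

```shell
#!/bin/sh
# Added example, not SevOne code. Vets a CA certificate before uploading it on
# the System Authentication tab, then tests the LDAP server's TLS setup the way
# the appliance uses it. Paths, host names and the sample PEM body are
# assumptions made for this example.

# 1. The upload must be a base64-encoded PEM file. A DER (binary) export or a
#    PKCS#7 bundle looks like a certificate in the file picker but will not
#    load. This check needs no openssl.
pem_check() {
    # $1 = path to the file; returns 0 for a PEM certificate, 1 otherwise
    grep -q '^-----BEGIN CERTIFICATE-----' "$1" || return 1
    grep -q '^-----END CERTIFICATE-----' "$1" || return 1
    # Every line between the markers must be base64 text.
    awk '/^-----BEGIN CERTIFICATE-----/ { inb = 1; next }
         /^-----END CERTIFICATE-----/   { inb = 0; next }
         inb && $0 !~ "^[A-Za-z0-9+/=]+$" { bad = 1 }
         END { exit bad ? 1 : 0 }' "$1"
}

# 2. The fields the page lists under Certificate Information (Common Name,
#    Organization, validity, serial), read with openssl so you can confirm the
#    file is the issuing CA and still valid before uploading it.
cert_info() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -serial
}

# 3. Test the server with verification ON. LDAPTLS_REQCERT=demand makes
#    ldapsearch verify the chain against the CA file, which is what the
#    appliance does with "Ignore SSL/TLS Certificates" unchecked.
#    LDAPTLS_REQCERT=never is the equivalent of checking that box: any host
#    that answers on the port can then impersonate the directory and collect
#    the bind password plus every user password sent through it.
#    -ZZ requires a successful StartTLS upgrade and fails closed otherwise.
#    The host name must be the one in the certificate's CN or SAN; an IP
#    address in the Server field fails unless the certificate lists that IP.
ldap_tls_check() {
    # $1 = CA PEM, $2 = LDAP host name, $3 = port (389 for StartTLS)
    LDAPTLS_CACERT="$1" LDAPTLS_REQCERT=demand \
        ldapsearch -x -LLL -ZZ -H "ldap://$2:$3" -s base -b '' namingContexts
}

# 4. When step 3 fails, show the chain the server actually sends and the
#    verify result against the CA file. For LDAPS on 636 drop -starttls ldap.
tls_chain_check() {
    # $1 = CA PEM, $2 = host name, $3 = port
    openssl s_client -connect "$2:$3" -starttls ldap -servername "$2" \
        -CAfile "$1" -showcerts -verify_return_error </dev/null
}

# Stand-alone demo on a constructed PEM-shaped file (not a real certificate).
SAMPLE_PEM=$(mktemp)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBszCCAVmgAwIBAgIUQ' \
    '-----END CERTIFICATE-----' > "$SAMPLE_PEM"
if pem_check "$SAMPLE_PEM"; then echo "PEM format: ok"; else echo "PEM format: not PEM"; fi
rm -f "$SAMPLE_PEM"
# Against a live server (assumed names):
#   cert_info ca-root.pem
#   ldap_tls_check ca-root.pem itl-pub-ad01.sevitlab.net 389
#   tls_chain_check ca-root.pem itl-pub-ad01.sevitlab.net 389
```

If ldap_tls_check succeeds with LDAPTLS_REQCERT=demand but the appliance still fails after the certificate has had time to synchronize, the problem is on the appliance side (upload or propagation), not with the certificate or the server.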
Relevant Terms
- Authentication
- The process of verifying that someone is who they claim to be.
- Authorization
- The process of granting someone access to a resource or to information.
- Certificate
- A file used to verify that its owner (for example, a server) is who it says it is.
- Certificate Authority (CA)
- A trusted third party that issues digital certificates, which certify that the certificate owners are who they say they are.
- Encryption
- The process of converting data into a format that can only be read by authorized users.