Version 9.5 SP1
 —  Authentication Topics and LDAP  —

Configuring LDAP


Principles of Configuring against LDAP

CentraSite supports various LDAP configurations and provides standard settings that allow you to set up your authentication quickly against these standard systems.

There are many questions involved when you configure against an LDAP system:

In general, before you begin to specify the configuration, we recommend that you study the LDAP structure and contents using an LDAP browser. There are various freeware tools, such as JXplorer (http://jxplorer.org/), that allow you to do this. Using the LDAP browser, you can bind to an LDAP server and then navigate through the hierarchy to see the structures that contain the users and groups. You can also open the nodes that contain the definitions of individual users or groups and view the properties that are stored for each user or group. For example, the node for a user testuser01 might show the following properties:

Property name    Value
cn               testuser01
objectClass      OpenLDAPperson
Mail             JohnSmith@MyCompany.com
Phone            +1 234 555 678

The path to the node for this user might be com/People/Location3/testuser01, where com is the root node. The setup on this LDAP server might be that all users are stored under the People node (com/People/…) and all groups are stored under the Groups node (com/Groups/…). Since every CentraSite customer can define their LDAP user and group structures differently, the details of the LDAP configuration that you perform in CentraSite vary accordingly: you must map explicitly to the customer's LDAP structures.


Performing the LDAP Configuration

The general values that you can specify for an LDAP configuration (see the section Creating Authentication Configurations above) are described in the following table.

Value    Description
Domain ID

(As described in the section Specifying the Domain ID)

LDAP server (host:port)

This is the host name (server and domain) of the machine where the LDAP server is located.

You can specify a Host:Port combination in this field, where Port is the port number of the LDAP server on the host machine.

You can specify multiple hosts in this field, using the blank character as a separator, for example

Host:Port Host:Port ...

If you specify multiple hosts, they are tried in the given order until a connection can be established.

Each host can also be specified with a scheme such as "ldap" or "ldaps", using the syntax ldap://Host:Port or ldaps://Host:Port.

Server Type

This field allows you to specify the type of LDAP server that will be used.

You can specify Active Directory as the server type if the Active Directory server is accessed via LDAP (e.g. from a UNIX system).

Caching time for user credentials

The number of seconds that the user is cached in the server after successful authentication. Changes made to the user, e.g. deletion or password changes, do not take effect until this time has elapsed.

This setting is provided for performance reasons. The default value is 120 seconds. If the connection to the LDAP server is slow, you can increase this figure.

The user-specific settings that you can specify are the standard LDAP settings. Refer to the documentation of your LDAP system supplier for details. Here are some examples.

User-specific Value    Description    Example

DN

The directory tree part of the distinguished name (standard LDAP terminology) of the entry.

The path is specified using the standard LDAP path convention: first, a unique property of the DN node is given together with its value (usually the property "ou", organizational unit, is chosen for this purpose); then the next higher "dc" node (i.e. a node with a "dc" property), then the next higher "dc" node, and so on, up to the root node.

Example: ou=people,dc=MyServer,dc=com

This example identifies the node whose "ou" property has the value "people" and is located under the node whose "dc" property is "MyServer", which in turn is located under the node whose "dc" property has the value "com".

Object

This identifies a property value that is used to categorize nodes as user nodes. For example, if you specify "OpenLDAPperson", this means that user nodes can be recognized by being of object class "OpenLDAPperson".

Example: inetOrgPerson

Group Attribute

If the user repository specifies a property linking users to the groups to which they belong, specify the name of the property here. If there is no such property, leave this field blank.

Example: memberOf

Field

This is the name of the property in the user node that uniquely identifies the user (the attribute name of the RDN of users).

Example: cn

The group-specific settings that you can specify are the standard LDAP settings. Refer to the documentation of your LDAP system supplier for details. Here are some examples.

Group-specific Value    Description    Example

DN

This is similar to the DN property for users, as described above, but identifies a DN node for groups rather than for users.

Example: ou=Groups,dc=abc,dc=de

Object

This identifies a property value that is used to categorize nodes as group nodes. For example, if you specify "groupOfNames", this means that group nodes can be recognized by being of object class "groupOfNames".

Example: groupOfUniqueNames

User Attribute

If the user repository specifies a property linking a group to the users who are members of the group, specify the name of the property here. If there is no such property, leave this field blank.

Example: member

Resolution

This specifies whether group nodes contain links to the users who are members of the group, or whether user nodes contain links to the groups they belong to. The option "recurse down" means that group nodes contain links to users. The option "recurse up" means that user nodes contain links to groups.

Example: Recurse Up

Note:
If you are using LDAP, note that only the "recurse up" option is supported for group resolution.
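To make the difference between the two Resolution options concrete, the following added example (not CentraSite code) resolves a user's groups both ways over a constructed in-memory snapshot of a directory laid out as this page describes. The object classes and the "memberOf"/"member" attribute names are the page's own example settings; the DNs and entries are constructed sample data, and the nested group is an assumption added to show that resolution has to recurse.

```python
from typing import Dict, List, Optional, Set

# Settings as entered in the CentraSite LDAP configuration (this page's own
# example values); the attribute names are assumptions about the directory schema.
USER_OBJECT = "inetOrgPerson"    # Object (user-specific)
GROUP_OBJECT = "groupOfNames"    # Object (group-specific)
GROUP_ATTRIBUTE = "memberOf"     # Group Attribute: user -> groups ("recurse up")
USER_ATTRIBUTE = "member"        # User Attribute: group -> users ("recurse down")

PEOPLE = "ou=people,dc=MyServer,dc=com"   # user DN (constructed)
GROUPS = "ou=Groups,dc=MyServer,dc=com"   # group DN (constructed)

# Constructed snapshot of the directory: DN -> attributes. Links are kept
# consistent in both directions so that both resolution options agree.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    f"cn=testuser01,{PEOPLE}": {"objectClass": [USER_OBJECT],
                                "memberOf": [f"cn=developers,{GROUPS}"]},
    f"cn=testuser02,{PEOPLE}": {"objectClass": [USER_OBJECT], "memberOf": []},
    f"cn=developers,{GROUPS}": {"objectClass": [GROUP_OBJECT],
                                "member": [f"cn=testuser01,{PEOPLE}"],
                                "memberOf": [f"cn=staff,{GROUPS}"]},   # nested group
    f"cn=staff,{GROUPS}": {"objectClass": [GROUP_OBJECT],
                           "member": [f"cn=developers,{GROUPS}"], "memberOf": []},
}

def is_group(dn: str) -> bool:
    return GROUP_OBJECT in DIRECTORY.get(dn, {}).get("objectClass", [])

def recurse_up(dn: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """Read the Group Attribute of the user, then of each group found (nesting)."""
    seen = set() if seen is None else seen
    for group in DIRECTORY.get(dn, {}).get(GROUP_ATTRIBUTE, []):
        if is_group(group) and group not in seen:    # 'seen' also stops cycles
            seen.add(group)
            recurse_up(group, seen)
    return seen

def recurse_down(user_dn: str) -> Set[str]:
    """Scan the User Attribute of every group node, expanding nested groups."""
    def contains(group: str, seen: Set[str]) -> bool:
        for entry in DIRECTORY[group].get(USER_ATTRIBUTE, []):
            if entry == user_dn:
                return True
            if is_group(entry) and entry not in seen and contains(entry, seen | {entry}):
                return True
        return False
    return {g for g in DIRECTORY if is_group(g) and contains(g, {g})}
```

Note that "recurse up" reads only the entries on the path from the user upwards, whereas "recurse down" has to visit every group node to answer the same question, which is why the choice matters for a large directory.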


Technical Principal for LDAP

Background

CentraSite can only find and authenticate a user name via the LDAP mechanism if either:

The technical principal is a user name or user account that preferably should not belong to a real user; in other words, the technical principal is normally the ID of a fictitious user. It is intended for organizations that store their user entries in branched LDAP directory structures, for example uid=Username,loc=Germany,ou=People,dc=mydomain,dc=com but do not allow anonymous bind. The technical principal must be defined in LDAP as having (at least) read access to all users and groups that are to be used by CentraSite.

When CentraSite is configured to use this feature, all LDAP accesses take place using the technical principal. For example, if a user with user name "user1" and password "pwd1" wants to log in to CentraSite Control, LDAP is accessed using the technical principal and the record for the user "user1" is checked.

Creating a Credentials File

CentraSite provides a simple command-line tool to generate the credentials file for a given technical principal. You will need this credentials file in the next step, when you set up CentraSite to use the technical principal for authenticating user names.

Note:
Before using this tool on UNIX systems, please ensure that the binary file createTechUserCreds has execute permission set; also, please set up the CentraSite environment by sourcing the file centrasite_setenv.sh (for example, under bsh or bash: . ./centrasite_setenv.sh).

The tool is invoked as follows (note that the UNIX version of the program is named createTechUserCreds):

   <Suite-Install-Dir>\common\security\<architecture>\bin\createTechUserCreds.exe [-f outputfile] [-k keyfile] [-p password] userId

where:

-f outputfile

specifies the name of the output file, i.e. the file into which the tool will write the generated credentials.

-k keyfile

specifies the name of the file that contains the key used for encryption and decryption of the password.

The file should consist of a single line of 64 hexadecimal characters, i.e. each character is in the range [0-9],[a-f] (if it is longer than 64 characters, the excess characters are ignored). As usual, each pair of hexadecimal characters denotes one byte. The first 16 bytes are used as the AES encryption key; the next 16 bytes are used as the AES initialization vector.

If this parameter is omitted, the system uses a default key.

-p password

specifies the password for the given technical principal.

Warning:
This parameter is provided for use in batch scripts. The password is specified "in clear text", i.e. unencrypted, and the batch script therefore presents a potential security risk. Take care to control access to any batch script that uses this parameter. Wherever possible, you should omit this parameter and enter the password interactively instead.

userId

is the user name that will be associated with the generated credentials. Use the full path to the user, for example cn=techprincipal,ou=services,o=bigcompany.

Unless you specified the -p parameter, after entering the command you will be prompted to enter the password (it will not be echoed visibly). The user name and the encrypted password are then stored in the credentials file in the location that you specified.
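The key file format described for the -k parameter is simple enough to check before handing it to the tool. The following added example (not part of CentraSite or of createTechUserCreds) parses a key file by the rules above and generates a fresh random one so that the default key is not relied on. It assumes, as the page states only [0-9] and [a-f], that uppercase hex is not accepted; the helper names are the example's own.

```python
import os
import re
from typing import Tuple

HEX_LINE = re.compile(r"^[0-9a-f]{64}$")   # character range stated on this page

def parse_key_file(text: str) -> Tuple[bytes, bytes]:
    """Return (aes_key, aes_iv) from the contents of a -k key file.

    Rules as the page states them: a single line of at least 64 hexadecimal
    characters in [0-9a-f]; characters after the 64th are ignored; the first
    16 bytes are the AES key and the next 16 bytes are the initialization vector.
    """
    lines = text.strip().splitlines()
    if len(lines) != 1:
        raise ValueError("key file must consist of a single line")
    line = lines[0].strip()
    if len(line) < 64:
        raise ValueError(f"key file needs 64 hex characters, found {len(line)}")
    line = line[:64]                          # excess characters are ignored
    if not HEX_LINE.match(line):
        raise ValueError("key file may only contain the characters 0-9 and a-f")
    raw = bytes.fromhex(line)                 # 32 bytes
    return raw[:16], raw[16:32]

def key_file_ok(text: str) -> bool:
    """True if the contents would be accepted by parse_key_file."""
    try:
        parse_key_file(text)
        return True
    except ValueError:
        return False

def generate_key_material() -> str:
    """64 lowercase hex characters from the OS CSPRNG: a fresh key and IV,
    so that the tool's built-in default key is not used."""
    return os.urandom(32).hex()

def write_key_file(path: str, material: str) -> None:
    """Create the key file readable by its owner only; refuses to overwrite."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(material + "\n")
```

The key file protects the password stored in the credentials file, so it needs the same access control as that file and as any batch script that uses -p.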
