The Lightweight Directory Access Protocol (LDAP) is an industry standard application protocol for accessing and maintaining directory services information. AppNeta provides support for LDAP on a number of monitoring point models. For monitoring points that support LDAP, it allows administrative users to log in to Web Admin or the Admin API using their own credentials rather than the administrator credentials configured on the monitoring point. The benefits include:

  • More convenient for administrators - Administrators log in to monitoring points using their own desktop credentials. No new credentials to remember.
  • More secure - Administrators never need to be given local admin credentials to each device. No sharing of credentials.
  • Easy to control access - The network administrator can centrally control who can log in to monitoring points simply by adding them to (or removing them from) an authorization group.
  • Centralized password policy - Password policy (e.g. password strength, rollover, lockout) for monitoring point access remains under the control of the network administrator and follows central corporate policy.
  • Better security forensics - The audit trail for monitoring point activity can be traced back to individuals through their central authentication identity.

Key concepts

Key concepts include:

  • Network administrator - Has access to the directory server and controls authentication. Applies LDAP configuration to monitoring points (using local monitoring point admin credentials). Retains control over local admin credentials for monitoring points.
  • Monitoring point administrator - Logs in to the monitoring point (using their own desktop credentials) and assumes administrator privileges to perform monitoring point administration.
  • Authorization group - Created by the network administrator. Only members of this group can log in to monitoring points to perform administration tasks.
  • LDAP configuration - Settings supplied by the network administrator that tell the monitoring point to authenticate via LDAP, and where to find the server and authorization group.

How it works

For the monitoring point to make use of LDAP you need an LDAPv3 compliant server (directory server) that is accessible by the monitoring point and an authorization group on the server containing monitoring point administrators. The monitoring point must then be configured to access the LDAP server and search the correct group for user credentials when a login attempt is made.

Once the monitoring point is configured, administrators can log in to the monitoring point using their credentials as stored on the LDAP server. When they attempt to log in, the monitoring point makes a request to the LDAP server to authenticate the user. If the username is found and the password matches, the login attempt is successful.

The following diagram shows this workflow:

[Diagram: LDAP workflow (LDAP-workflow.png)]

Prerequisites for LDAP configuration

Assuming that your LDAP server is already set up, you’ll need to have a few things in place when configuring the monitoring point to access it:

  • Server URI - You need to know the address of the server and, if it is not using the default LDAP port, the port it is using.
  • Server type - Active Directory and Oracle DSEE store credentials in different ways so you need to know the type of LDAP server you are using.
  • Credential location - You need to know the location and name of the authorization group containing admin credentials on the LDAP server.
  • Bind name/password - If required by the server, you’ll need the credentials required to bind the monitoring point to the server.
  • Encryption type - You need to know what type of encryption the LDAP server is using.
  • Certificate requirement - You need to know what your policy is for authenticating responses from the LDAP server. If a CA certificate is required, you’ll need to upload it to the monitoring point.

At this time, LDAP is configured on a monitoring point using the Admin API.

LDAP configuration steps

Configuring the monitoring point for LDAP and confirming that it is working requires only a few steps.

To configure LDAP on a monitoring point:

  1. If required in your environment, upload the LDAP server’s CA certificate file to the monitoring point.
  2. Configure LDAP using one of the JSON examples as a starting point.
  3. Test the configuration.

Upload a CA certificate file

If your security policies require that the monitoring point should authenticate responses from the LDAP server, the server’s CA certificate must be available on the monitoring point. The certificate file can contain one or more trusted CA certificates. The certificates must be in either PEM or DER format.

To upload a CA certificate file to a monitoring point:

  1. Access the Admin API on the monitoring point.
  2. Navigate to LDAP > POST /ldap/file/.
  3. In the tls_cacertfile field, specify the CA certificate file to upload.
  4. Click Submit.
    • The CA certificate file is uploaded to the monitoring point.

Configure LDAP

A convenient way to configure LDAP on a monitoring point is to start with the example JSON file that most closely matches your environment and modify fields as appropriate.

To configure LDAP on a monitoring point:

  1. Access the Admin API on the monitoring point.
  2. Navigate to LDAP > POST /ldap/.
  3. Copy JSON text from the example that most closely matches your environment and paste it to the body field (in the Parameters section).
    • Alternatively, in the Parameters section, click the Model Schema to populate the body field.
  4. Modify LDAP settings (within the body field) as appropriate.
  5. Click Submit.
    • The Response Code should be 200.
    • The monitoring point’s LDAP service is enabled with the updated configuration.

Test the LDAP configuration

Once you have configured LDAP, you’ll want to confirm that you are able to log in to the monitoring point using credentials stored on your LDAP server.

To test the configuration:

  1. Log in to Web Admin or the Admin API using credentials stored on the LDAP server.
    • You should also be able to log in using the credentials configured on the monitoring point (unless you have explicitly disabled this).

View the LDAP configuration

The LDAP service configuration can be viewed using the Admin API interface.

To view the LDAP configuration on a monitoring point using the Admin API:

  1. Access the Admin API on the monitoring point.
  2. Navigate to LDAP > GET /ldap/.
  3. Click Submit.
    • The monitoring point’s LDAP configuration is returned.

Disable LDAP

You can disable the LDAP service if you do not want to authenticate administrative users using LDAP (it is disabled by default). When LDAP is disabled, only the administrator credentials configured on the monitoring point can be used.

To disable the LDAP configuration on a monitoring point using the Admin API:

  1. Access the Admin API on the monitoring point.
  2. Navigate to LDAP > DELETE /ldap/.
  3. Click Submit.
    • The monitoring point’s LDAP service is disabled.
    • Reconfiguring LDAP will enable the LDAP service.

View LDAP field descriptions

Documentation for all LDAP fields configurable on the monitoring point can be found using its Admin API.

To view the LDAP field descriptions:

  1. Access the Admin API on the monitoring point.
  2. Navigate to LDAP > POST /ldap/.
    • The LDAP field descriptions are provided in the Implementation Notes section.

Nested groups in Active Directory

In Active Directory, the default search does not check nested groups. In order to check all groups up to the root, use the string “1.2.840.113556.1.4.1941” in the authorization_search_filter field. For example, use:

  "authorization_search_filter": "(&(memberOf:1.2.840.113556.1.4.1941:=cn=AppNeta MP Admin,cn=Users,dc=example,dc=com)(sAMAccountName=$uid))"

rather than:

  "authorization_search_filter": "(&(memberOf=cn=AppNeta MP Admin,cn=Users,dc=example,dc=com)(sAMAccountName=$uid))"

Settings for Oracle DSEE

The default LDAP configuration works for Active Directory. If you use Oracle’s Directory Server Enterprise Edition (DSEE) you need to change the fields shown in the following table to the values shown.

  Field                        Value
  authorization_search_filter  (&(isMemberOf=…)(uid=$uid))
  filter_passwd                (objectClass=person)
  map_passwd_uid               uid
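The nested-group filter above and the Oracle DSEE values in this table differ only in the membership attribute, the user-ID attribute and the object class. The following is an added example in Python, not AppNeta's code: it generates all three server-type-dependent fields for either server type, switches on the nested-group matching rule for Active Directory, and escapes the group DN for use inside a filter as RFC 4515 requires, a step the page's examples do not need because the group names they use contain no special characters. The server-type strings and function names are illustrative.

```python
# Added example (not AppNeta code): builds the three server-type-dependent
# LDAP fields from this page, escaping the group DN for use inside a filter.
# Function names and the server-type strings are illustrative.

# Microsoft's LDAP_MATCHING_RULE_IN_CHAIN OID (the value quoted on this page);
# "memberOf:<OID>:=" matches membership through nested groups, not just direct.
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    A group DN such as "cn=Ops (US),cn=Users,dc=example,dc=com" contains
    parentheses; unescaped, they are parsed as filter syntax and the
    memberOf test silently matches nothing (or the wrong thing).
    """
    out = []
    for ch in value:
        if ch in "\\*()":
            out.append("\\%02x" % ord(ch))
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def ldap_settings(server_type: str, group_dn: str, nested: bool = False) -> dict:
    """Return authorization_search_filter, filter_passwd and map_passwd_uid.

    server_type is "active_directory" or "oracle_dsee" (illustrative names).
    group_dn is the full DN of the authorization group; "$uid" is left as the
    literal placeholder the monitoring point substitutes at login time.
    """
    dn = escape_filter_value(group_dn)
    if server_type == "active_directory":
        member_attr = "memberOf"
        if nested:
            # Extensible-match form: walk group membership up to the root.
            member_attr = f"memberOf:{MATCHING_RULE_IN_CHAIN}:"
        return {
            "authorization_search_filter": f"(&({member_attr}={dn})(sAMAccountName=$uid))",
            "filter_passwd": "(objectClass=user)",
            "map_passwd_uid": "sAMAccountName",
        }
    if server_type == "oracle_dsee":
        if nested:
            raise ValueError("the nested-group matching rule on this page is Active Directory only")
        return {
            "authorization_search_filter": f"(&(isMemberOf={dn})(uid=$uid))",
            "filter_passwd": "(objectClass=person)",
            "map_passwd_uid": "uid",
        }
    raise ValueError(f"unknown server type: {server_type!r}")


if __name__ == "__main__":
    group = "cn=AppNeta MP Admin,cn=Users,dc=example,dc=com"
    for kind, nested in (("active_directory", False), ("active_directory", True), ("oracle_dsee", False)):
        print(kind, "nested" if nested else "direct")
        for key, value in ldap_settings(kind, group, nested).items():
            print(f'  "{key}": "{value}"')
```

The three returned keys can be merged straight into one of the JSON bodies in the Examples section; the escaping only changes the output when the group DN contains a parenthesis, asterisk or backslash.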

Troubleshooting

If you have configured the LDAP service on the monitoring point but are unable to log in as one of the administrative users defined on the LDAP server, check the following:

  • Make sure the monitoring point has network access to the LDAP server. For example, make sure the appropriate firewall ports are open.
    • LDAP uses TCP and UDP port 389.
    • LDAPS uses TCP and UDP port 636.
  • Make sure all fields in the LDAP configuration have been set correctly for your LDAP environment. For example:
    • LDAP server URI(s).
    • Search base.
    • Correct filters for the LDAP server type you are using. Active Directory (default) and Oracle DSEE require different authorization_search_filter, filter_passwd, and map_passwd_uid strings.
    • Group name (default = “AppNeta MP Admin”).
    • Correct encryption type.
    • LDAP server CA Certificate file name.
    • Bind DN and password (if required).
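The first two items in the troubleshooting list can be checked from a host on the same network path as the monitoring point. The following is an added example in Python, not AppNeta's code: it splits an LDAP URI into host and port (defaulting to 389 or 636), tests the TCP connection, and then performs the TLS handshake the monitoring point would make, sending an RFC 4511 StartTLS request first for ldap:// (ssl=start_tls) or wrapping the connection immediately for ldaps:// (ssl=on), and validating the server certificate against the uploaded CA file as tls_reqcert=hard does. Function names are illustrative; the sample URI, CA file name and response bytes are constructed.

```python
# Added example (not AppNeta code): reachability and certificate checks for an
# LDAP server URI. Function names are illustrative; the sample URI and the
# ExtendedResponse bytes used in the comments are constructed.
import socket
import ssl
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation


def parse_ldap_uri(uri: str) -> tuple:
    """Split an LDAP URI into (scheme, host, port), applying the default port."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"{uri!r}: scheme must be ldap:// or ldaps://")
    if not parts.hostname:
        raise ValueError(f"{uri!r}: no host")
    return scheme, parts.hostname, parts.port or DEFAULT_PORTS[scheme]


def _ber(tag: int, content: bytes) -> bytes:
    # Short-form BER length; every element built here is far below 128 bytes.
    return bytes([tag, len(content)]) + content


def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = _ber(0x77, _ber(0x80, STARTTLS_OID))
    return _ber(0x30, _ber(0x02, bytes([message_id])) + ext_req)


def starttls_result_code(response: bytes) -> int:
    """resultCode of an ExtendedResponse; 0 means the server accepted StartTLS."""
    # Layout with single-byte lengths and a one-byte messageID:
    #   30 LL 02 01 ID 78 LL 0a 01 <resultCode> ...
    if len(response) < 10 or response[0] != 0x30 or response[5] != 0x78 or response[7] != 0x0A:
        raise ValueError("not an LDAP ExtendedResponse")
    return response[9]


def check_tcp(host: str, port: int, timeout: float = 5.0) -> str:
    """First troubleshooting item: is the LDAP/LDAPS port reachable at all?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "ok"
    except OSError as exc:
        return f"tcp connect to {host}:{port} failed: {exc}"


def check_tls(scheme: str, host: str, port: int, cafile: str, timeout: float = 5.0) -> str:
    """Handshake as ssl=start_tls (ldap://) or ssl=on (ldaps://) would, validating
    the server certificate against cafile the way tls_reqcert=hard does."""
    try:
        ctx = ssl.create_default_context(cafile=cafile)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            if scheme == "ldap":
                raw.sendall(starttls_request())
                code = starttls_result_code(raw.recv(4096))
                if code != 0:
                    return f"server refused StartTLS (resultCode {code})"
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return "ok: certificate valid until " + cert.get("notAfter", "?")
    except ssl.SSLCertVerificationError as exc:
        return f"certificate validation failed, tls_reqcert=hard would reject: {exc.verify_message}"
    except (ssl.SSLError, OSError, ValueError) as exc:
        return f"tls handshake failed: {exc}"


if __name__ == "__main__":
    import sys
    uri = sys.argv[1] if len(sys.argv) > 1 else "ldap://my-ldap-server.example.com"
    cafile = sys.argv[2] if len(sys.argv) > 2 else "server-cert.crt"
    scheme, host, port = parse_ldap_uri(uri)
    print(f"{host}:{port} tcp:", check_tcp(host, port))
    print(f"{host}:{port} tls:", check_tls(scheme, host, port, cafile))
```

A "certificate validation failed" result with a working TCP connection points at the CA certificate file (wrong file uploaded, or a server certificate that does not name the host in the URI); a refused StartTLS on 389 means the server only offers TLS on 636, so the ssl and uris fields need to change together.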

Default LDAP configuration

The following table describes the default LDAP configuration on the monitoring point when LDAP is enabled (LDAP is enabled when there is a configuration present).

uris (Required)
  Example: "ldap://my-ldap-server.example.com"
  The LDAP server name is required.

search_base (Required)
  Example: "ou=MyOrg,dc=example,dc=com"
  The search base name on the LDAP server is required.

authorization_search_filter (Required)
  Example (Active Directory): "(&(memberOf=cn=AppNeta MP Admin,cn=Users,dc=example,dc=com)(sAMAccountName=$uid))"
  Example (Oracle DSEE): "(&(isMemberOf=cn=AppNeta MP Admin,cn=Users,dc=example,dc=com)(uid=$uid))"
  Specifies the full LDAP path (distinguished name) of the group whose members are allowed to log in to the monitoring point. This setting is critical where only a subset of users in the LDAP directory should be MP admins.

tls_cacertfile (Required in default config)
  Example: "server-cert.crt"
  The file name of the uploaded LDAP server CA certificate file, used to authenticate the LDAP server's certificate when SSL or TLS is in use (TLS is used by default). This field is required when ssl is set to use an encryption protocol and tls_reqcert is set to validate certificates.

ssl (Default config)
  Default value: "start_tls"
  Communication between the monitoring point and the LDAP server is encrypted using TLS.

tls_reqcert (Default config)
  Default value: "hard"
  Authentication fails if the monitoring point is unable to validate the LDAP server's certificate. This field is required when ssl is set to use an encryption protocol.

bind_dn (Default config)
  Default value: ""
  Example: "cn=Admin,dc=example,dc=com"
  Binding to the LDAP server does not require a username.

bind_password (Default config)
  Default value: ""
  Binding to the LDAP server does not require a password.

filter_passwd (Default config)
  Default value: "(objectClass=user)" (applicable to Active Directory)
  Within the group, the object class containing the user credentials is found using the default filter.

map_passwd_uid (Default config)
  Default value: "sAMAccountName" (applicable to Active Directory)
  Within the object class, the user ID is found in the default attribute.

admin_console_only (Default config)
  Default value: "false"
  By default, local monitoring point admin credentials can be used for remote access. Setting this field to true restricts the local admin credentials to the monitoring point console, so that using them requires physical access to the device.
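Because the Configure LDAP procedure above submits the configuration as one JSON body and the table states several rules that span more than one field, it is worth checking a body before submitting it. The following is an added example in Python, not AppNeta's code: validate() enforces the rules stated on this page (required fields, tls_cacertfile needed when ssl is start_tls or on and tls_reqcert is hard, ldaps:// paired with ssl=on), audit() flags settings this page documents as weaker than the defaults (ssl=off, tls_reqcert=never, admin_console_only=false), certificate_format() tells PEM from DER before the Upload a CA certificate file step, and post_ldap_config() submits the body to POST /ldap/. The Admin API base URL, HTTP Basic authentication and the JSON request framing are assumptions; the configuration dict is constructed from the page's default Active Directory example.

```python
# Added example (not AppNeta code): checks an LDAP configuration body for the
# cross-field rules on this page, flags settings weaker than the defaults and
# submits it to POST /ldap/. Field names and values come from the page; the
# Admin API base URL, HTTP Basic auth and the JSON request framing are
# assumptions, and the configuration dicts are constructed.
import base64
import json
import urllib.request

REQUIRED = ("uris", "search_base", "authorization_search_filter")
SSL_MODES = {"start_tls", "on", "off"}
REQCERT_MODES = {"hard", "never"}


def validate(cfg: dict) -> list:
    """Return hard errors; an empty list means the body is internally consistent."""
    errors = []
    for field in REQUIRED:
        if not cfg.get(field):
            errors.append(f"{field} is required")
    uris = cfg.get("uris") or []
    if not isinstance(uris, list):
        errors.append("uris must be a list")
        uris = []
    ssl_mode = cfg.get("ssl", "start_tls")   # page default
    reqcert = cfg.get("tls_reqcert", "hard")  # page default
    if ssl_mode not in SSL_MODES:
        errors.append(f"ssl must be one of {sorted(SSL_MODES)}, got {ssl_mode!r}")
    if reqcert not in REQCERT_MODES:
        errors.append(f"tls_reqcert must be one of {sorted(REQCERT_MODES)}, got {reqcert!r}")
    # The CA file is required whenever encryption is on and certificates are validated.
    if ssl_mode != "off" and reqcert == "hard" and not cfg.get("tls_cacertfile"):
        errors.append("tls_cacertfile is required when ssl is start_tls/on and tls_reqcert is hard")
    # ldaps:// pairs with ssl=on (port 636); ldap:// with start_tls or off (port 389).
    for uri in uris:
        if uri.startswith("ldaps://") and ssl_mode != "on":
            errors.append(f"{uri}: ldaps:// URI but ssl is {ssl_mode!r}")
        elif uri.startswith("ldap://") and ssl_mode == "on":
            errors.append(f"{uri}: ssl is 'on' but URI is not ldaps://")
        elif not uri.startswith(("ldap://", "ldaps://")):
            errors.append(f"{uri}: URI must start with ldap:// or ldaps://")
    return errors


def audit(cfg: dict) -> list:
    """Return warnings for settings the page documents as weaker than the defaults."""
    warnings = []
    if cfg.get("ssl") == "off":
        warnings.append("ssl=off: credentials cross the network unencrypted")
    if cfg.get("tls_reqcert") == "never":
        warnings.append("tls_reqcert=never: the LDAP server's certificate is not validated")
    if cfg.get("admin_console_only") is False:
        warnings.append("admin_console_only=false: local admin credentials stay usable for remote login")
    if cfg.get("bind_dn") and not cfg.get("bind_password"):
        warnings.append("bind_dn set without bind_password: this is an unauthenticated bind")
    if "$uid" not in cfg.get("authorization_search_filter", ""):
        warnings.append("authorization_search_filter has no $uid placeholder")
    return warnings


def certificate_format(data: bytes) -> str:
    """Tell PEM from DER before uploading to POST /ldap/file/ (the page accepts either)."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        return "PEM"
    if data[:1] == b"\x30":  # DER SEQUENCE tag that opens every X.509 Certificate
        return "DER"
    raise ValueError("file is neither PEM nor DER encoded")


def post_ldap_config(base_url: str, cfg: dict, username: str, password: str) -> int:
    """Refuse inconsistent bodies, then POST to /ldap/; the page expects HTTP 200."""
    problems = validate(cfg)
    if problems:
        raise ValueError("not submitting: " + "; ".join(problems))
    req = urllib.request.Request(base_url.rstrip("/") + "/ldap/",
                                 data=json.dumps(cfg).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)  # assumed auth scheme
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


# Constructed: the page's default Active Directory configuration.
DEFAULT_AD = {
    "uris": ["ldap://my-ldap-server.example.com"],
    "search_base": "ou=MyOrg,dc=example,dc=com",
    "authorization_search_filter":
        "(&(memberOf=cn=AppNeta MP Admin,cn=Users,dc=example,dc=com)(sAMAccountName=$uid))",
    "ssl": "start_tls", "tls_reqcert": "hard", "tls_cacertfile": "server-cert.crt",
    "bind_dn": "", "bind_password": "",
    "filter_passwd": "(objectClass=user)", "map_passwd_uid": "sAMAccountName",
    "admin_console_only": False,
}

if __name__ == "__main__":
    weak = {**DEFAULT_AD, "ssl": "off", "tls_reqcert": "never", "tls_cacertfile": ""}
    for label, cfg in (("default", DEFAULT_AD), ("no encryption", weak)):
        print(label, "errors:", validate(cfg), "warnings:", audit(cfg))
```

The "No server certificate validation" and "No encryption" examples later on this page pass validate() but each produce audit() warnings; the default configuration produces only the admin_console_only warning, which is the one hardening step the page leaves optional.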

Examples

The examples shown in this section depict the configurations required in a range of different environments. The configurations are shown in JSON format. They can be copied and modified as required then applied using the Configure LDAP procedure. The examples that use a CA certificate file assume that it has already been uploaded.

Default configuration - Active Directory

This is an example environment that uses the default configuration. The environment is as follows:

  • An Active Directory LDAP server is used.
  • The LDAP server URI is “my-ldap-server.example.com”.
  • The search base is in organizational unit “MyOrg”.
  • User credentials are located in the “AppNeta MP Admin” group within “Users” on the LDAP server.
  • TLS encryption is used (with default LDAP port number - 389).
  • An LDAP server CA certificate is required.
  • The CA certificate file name is “server-cert.crt”.
  • The LDAP server uses an anonymous bind (no bind_dn or bind_password are required).
  • The monitoring point’s admin credentials can be used for remote access (in addition to credentials found on LDAP server).

JSON configuration:

{
  "uris": [
    "ldap://my-ldap-server.example.com"
  ],
  "search_base": "ou=MyOrg,dc=example,dc=com",
  "authorization_search_filter" : "(&(memberOf=cn=AppNeta MP Admin,cn=Users,dc=example,dc=com)(sAMAccountName=$uid))",
  "ssl": "start_tls",
  "tls_reqcert": "hard",
  "tls_cacertfile": "server-cert.crt",
  "bind_dn": "",
  "bind_password": "",
  "filter_passwd": "(objectClass=user)",
  "map_passwd_uid": "sAMAccountName",
  "admin_console_only": false
}

Default configuration - Oracle

This is an example environment that uses the default configuration except that the LDAP server is Oracle DSEE rather than Active Directory. The environment is as follows (differences from the default configuration are highlighted):

  • An Oracle DSEE LDAP server is used.
    • Changes to the authorization_search_filter, filter_passwd, and map_passwd_uid fields.
  • The LDAP server URI is “my-ldap-server.example.com”.
  • The search base is in organizational unit “MyOrg”.
  • User credentials are located in the “AppNeta MP Admin” group within “Users” on the LDAP server.
  • TLS encryption is used (with default LDAP port number - 389).
  • An LDAP server CA certificate is required.
  • The CA certificate file name is “server-cert.crt”.
  • The LDAP server uses an anonymous bind (no bind_dn or bind_password are required).
  • The monitoring point’s admin credentials can be used for remote access (in addition to credentials found on LDAP server).

JSON configuration:

{
  "uris": [
    "ldap://my-ldap-server.example.com"
  ],
  "search_base": "ou=MyOrg,dc=example,dc=com",
  "authorization_search_filter" : "(&(isMemberOf=cn=AppNeta MP Admin,cn=Users,dc=example,dc=com)(uid=$uid))",
  "ssl": "start_tls",
  "tls_reqcert": "hard",
  "tls_cacertfile": "server-cert.crt",
  "bind_dn": "",
  "bind_password": "",
  "filter_passwd": "(objectClass=person)",
  "map_passwd_uid": "uid",
  "admin_console_only": false
}

Credentials stored in a different group

This is an example environment that uses the default configuration except that the name of the group storing the credentials is “Admins” rather than “AppNeta MP Admin”. The environment is as follows (differences from the default configuration are highlighted):

  • An Active Directory LDAP server is used.
  • The LDAP server URI is “my-ldap-server.example.com”.
  • The search base is in organizational unit “MyOrg”.
  • User credentials are located in the “Admins” group (rather than “AppNeta MP Admin”) within “Users” on the LDAP server.
    • Change to the authorization_search_filter field.
  • TLS encryption is used (with default LDAP port number - 389).
  • An LDAP server CA certificate is required.
  • The CA certificate file name is “server-cert.crt”.
  • The LDAP server uses an anonymous bind (no bind_dn or bind_password are required).
  • The monitoring point’s admin credentials can be used for remote access (in addition to credentials found on LDAP server).

JSON configuration:

{
  "uris": [
    "ldap://my-ldap-server.example.com"
  ],
  "search_base": "ou=MyOrg,dc=example,dc=com",
  "authorization_search_filter" : "(&(memberOf=cn=Admins,cn=Users,dc=example,dc=com)(sAMAccountName=$uid))",
  "ssl": "start_tls",
  "tls_reqcert": "hard",
  "tls_cacertfile": "server-cert.crt",
  "bind_dn": "",
  "bind_password": "",
  "filter_passwd": "(objectClass=user)",
  "map_passwd_uid": "sAMAccountName",
  "admin_console_only": false
}

No server certificate validation

This is an example environment that uses the default configuration except that there is no server certificate validation required. The environment is as follows (differences from the default configuration are highlighted):

  • An Active Directory LDAP server is used.
  • The LDAP server URI is “my-ldap-server.example.com”.
  • The search base is in organizational unit “MyOrg”.
  • User credentials are located in the “AppNeta MP Admin” group within “Users” on the LDAP server.
  • TLS encryption is used (with default LDAP port number - 389).
  • An LDAP server CA certificate is not required.
    • Change to the tls_reqcert field.
  • The CA certificate file name is not specified.
    • Change to the tls_cacertfile field.
  • The LDAP server uses an anonymous bind (no bind_dn or bind_password are required).
  • The monitoring point’s admin credentials can be used for remote access (in addition to credentials found on LDAP server).

JSON configuration:

{
  "uris": [
    "ldap://my-ldap-server.example.com"
  ],
  "search_base": "ou=MyOrg,dc=example,dc=com",
  "authorization_search_filter" : "(&(memberOf=cn=AppNeta MP Admin,cn=Users,dc=example,dc=com)(sAMAccountName=$uid))",
  "ssl": "start_tls",
  "tls_reqcert": "never",
  "tls_cacertfile": "",
  "bind_dn": "",
  "bind_password": "",
  "filter_passwd": "(objectClass=user)",
  "map_passwd_uid": "sAMAccountName",
  "admin_console_only": false
}

SSL encryption

This is an example environment that uses the default configuration except that SSL encryption is used instead of TLS. The environment is as follows (differences from the default configuration are highlighted):

  • An Active Directory LDAP server is used.
  • The LDAP server URI is “my-ldap-server.example.com”.
  • The search base is in organizational unit “MyOrg”.
  • User credentials are located in the “AppNeta MP Admin” group within “Users” on the LDAP server.
  • SSL encryption is used (with default LDAP port number - 636).
    • Change to the uris field (“ldaps” rather than “ldap”).
    • Change to the ssl field.
  • An LDAP server CA certificate is required.
  • The CA certificate file name is “server-cert.crt”.
  • The LDAP server uses an anonymous bind (no bind_dn or bind_password are required).
  • The monitoring point’s admin credentials can be used for remote access (in addition to credentials found on LDAP server).

JSON configuration:

{
  "uris": [
    "ldaps://my-ldap-server.example.com"
  ],
  "search_base": "ou=MyOrg,dc=example,dc=com",
  "authorization_search_filter" : "(&(memberOf=cn=AppNeta MP Admin,cn=Users,dc=example,dc=com)(sAMAccountName=$uid))",
  "ssl": "on",
  "tls_reqcert": "hard",
  "tls_cacertfile": "server-cert.crt",
  "bind_dn": "",
  "bind_password": "",
  "filter_passwd": "(objectClass=user)",
  "map_passwd_uid": "sAMAccountName",
  "admin_console_only": false
}

No encryption

This is an example environment that uses the default configuration except that no encryption is used (instead of TLS). The environment is as follows (differences from the default configuration are highlighted):

  • An Active Directory LDAP server is used.
  • The LDAP server URI is “my-ldap-server.example.com”.
  • The search base is in organizational unit “MyOrg”.
  • User credentials are located in the “AppNeta MP Admin” group within “Users” on the LDAP server.
  • No encryption is used.
    • Change to the ssl field.
  • An LDAP server CA certificate is not required.
    • Change to the tls_reqcert field.
  • The CA certificate file name is not specified.
    • Change to the tls_cacertfile field.
  • The LDAP server uses an anonymous bind (no bind_dn or bind_password are required).
  • The monitoring point’s admin credentials can be used for remote access (in addition to credentials found on LDAP server).

JSON configuration:

{
  "uris": [
    "ldap://my-ldap-server.example.com"
  ],
  "search_base": "ou=MyOrg,dc=example,dc=com",
  "authorization_search_filter" : "(&(memberOf=cn=AppNeta MP Admin,cn=Users,dc=example,dc=com)(sAMAccountName=$uid))",
  "ssl": "off",
  "tls_reqcert": "never",
  "tls_cacertfile": "",
  "bind_dn": "",
  "bind_password": "",
  "filter_passwd": "(objectClass=user)",
  "map_passwd_uid": "sAMAccountName",
  "admin_console_only": false
}

Different port used

This is an example environment that uses the default configuration except that port 1389 is used. The environment is as follows (differences from the default configuration are highlighted):

  • An Active Directory LDAP server is used.
  • The LDAP server URI is “my-ldap-server.example.com”.
  • The search base is in organizational unit “MyOrg”.
  • User credentials are located in the “AppNeta MP Admin” group within “Users” on the LDAP server.
  • TLS encryption is used (with non-default LDAP port number - 1389).
    • Change to the uris field.
  • An LDAP server CA certificate is required.
  • The CA certificate file name is “server-cert.crt”.
  • The LDAP server uses an anonymous bind (no bind_dn or bind_password are required).
  • The monitoring point’s admin credentials can be used for remote access (in addition to credentials found on LDAP server).

JSON configuration:

{
  "uris": [
    "ldap://my-ldap-server.example.com:1389"
  ],
  "search_base": "ou=MyOrg,dc=example,dc=com",
  "authorization_search_filter" : "(&(memberOf=cn=AppNeta MP Admin,cn=Users,dc=example,dc=com)(sAMAccountName=$uid))",
  "ssl": "start_tls",
  "tls_reqcert": "hard",
  "tls_cacertfile": "server-cert.crt",
  "bind_dn": "",
  "bind_password": "",
  "filter_passwd": "(objectClass=user)",
  "map_passwd_uid": "sAMAccountName",
  "admin_console_only": false
}