8.2 Adding a Repository

A repository is a central location where the user’s data is stored. In Advanced Authentication, the existing repository is not changed and is used only to retrieve user information. The authentication templates are stored inside the appliance and are fully encrypted.

Advanced Authentication supports any LDAP-compliant directory, including Active Directory Domain Services, NetIQ eDirectory, Active Directory Lightweight Directory Services, OpenLDAP, and OpenDJ.

When you add a repository, you can assign the users in that repository to authentication chains. Advanced Authentication needs only read permission on the repository.

To add a repository, perform the following steps:

  1. In the Repositories section, click Add.

  2. Select an applicable repository type from the LDAP type list. The options are:

    • AD for Active Directory Domain Services

    • AD LDS for Active Directory Lightweight Directory Services

    • eDirectory for NetIQ eDirectory

    • Other for OpenLDAP, OpenDJ and other types

    For AD, the repository name is automatically set to the NetBIOS name of the domain. For the other LDAP types, enter it in Name.

  3. Specify the container for the users in Base DN. With the Subtree option selected, Advanced Authentication searches for users in all child nodes. To narrow the search scope, select the Search one level only option.

  4. Specify a user account in User and enter its password in Password. Ensure that the password of this account does not expire.

  5. Optionally, specify the container for the groups in Group DN. With the Subtree option selected, Advanced Authentication searches for groups in all child nodes. To narrow the search scope, select the Search one level only option.

  6. If you selected AD as the LDAP type, select DNS discovery to find the LDAP servers automatically. Specify the DNS zone and, optionally, the Site name, and click Perform DNS Discovery.

    NOTE: For LDAPS servers, the following SRV record must exist on your DNS server:

    • Name: _ldap

    • Protocol: _tcp

    • Port: 636

    If you want to add LDAP servers manually, select Manual setting.

  7. Click Add server to add the LDAP servers in your network. The list is used as a pool of servers: each time a connection is opened, a random server is selected from the pool, and servers that are unavailable are skipped.

  8. Specify the LDAP server's Address and Port. Set SSL to ON to connect over SSL/TLS (if applicable). Click Save next to the server's settings. Add further servers if required.

  9. Expand Advanced Settings if you need to configure custom attributes. This is required for OpenDJ and OpenLDAP, and in some cases for NetIQ eDirectory.

  10. Click Save to verify and save the specified credentials.

    NOTE: If you use NetIQ eDirectory with the option Require TLS for Simple Bind with Password enabled, you may get the error: Can't bind to LDAP: confidentialityRequired. To fix the error, either disable the option or do the following:

    1. Set Client Certificate to Not Requested in the NetIQ eDirectory Administration Portal - LDAP - LDAP Options - Connections tab.

    2. Ensure that you set a correct port number and select SSL in the Repository settings.

    3. Click Sync now in the block of the added repository.

NOTE: You can now change the search scope and use the optional Group DN. In Advanced Authentication 5.2, you had to specify a common Base DN for users and groups.

To check the sync status of a repository, click Edit and view the information in Last sync. Click Full sync to perform a complete synchronization of the repository.

Advanced Authentication performs an automatic synchronization of modified objects (fastsync) on an hourly basis for AD. The complete synchronization (fullsync) is performed on a weekly basis.

NOTE: If an LDAP server does not respond within 2.5 seconds, Advanced Authentication excludes it from LDAP requests for a period of 3 minutes.
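The server pool behaviour described in step 7 and the note above, as an added example (not product code): a random server is picked per connection, a server that does not answer within 2.5 seconds is excluded for 3 minutes, then retried. The connect function, clock and random source are injected, so the logic runs without a real LDAP server.

```python
import random
import time

# Added example, not product code. Host names and the connect() callable are
# assumptions; a real deployment would pass a function that opens an LDAP(S)
# connection and raises OSError on timeout or refusal.
CONNECT_TIMEOUT = 2.5     # seconds a server may take to answer
EXCLUSION_PERIOD = 180.0  # seconds an unavailable server stays out of the pool


class LdapServerPool:
    def __init__(self, servers, connect, clock=time.monotonic, rng=random):
        self.servers = list(servers)   # (host, port) pairs from the repository settings
        self.connect = connect         # connect(host, port, timeout) -> connection or raises OSError
        self.clock = clock
        self.rng = rng
        self.excluded_until = {}       # server -> time at which its exclusion ends

    def available(self):
        """Servers that never failed or whose exclusion period has ended."""
        now = self.clock()
        return [s for s in self.servers if self.excluded_until.get(s, 0.0) <= now]

    def open(self):
        """Return (server, connection) from a random available server.

        Each server that fails is excluded for EXCLUSION_PERIOD and the next
        candidate is tried, so one dead server costs at most one timeout.
        """
        candidates = self.available()
        self.rng.shuffle(candidates)
        for server in candidates:
            host, port = server
            try:
                return server, self.connect(host, port, CONNECT_TIMEOUT)
            except OSError:
                self.excluded_until[server] = self.clock() + EXCLUSION_PERIOD
        raise ConnectionError("no LDAP server in the pool is currently available")
```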

8.2.1 Advanced Settings

Expand Advanced Settings by clicking +. The settings allow you to customize attributes that Advanced Authentication reads from a repository. The following list describes the different attributes in the Advanced Settings:

User lookup attributes

Advanced Authentication matches the entered user name against the specified attributes.

For Active Directory (AD), the default attributes are sAMAccountName and userPrincipalName. For other repositories, cn is the default attribute.

User name attributes

Advanced Authentication displays the user name taken from the first non-empty attribute in this list.

For AD, the default attributes are sAMAccountName and userPrincipalName. For other repositories, cn is the default attribute.

User mail attributes

Advanced Authentication checks the specified attributes to get a user's email address.

Default attributes are mail and otherMailbox.

User cell phone attributes

Advanced Authentication checks the specified attributes to get a user's phone number. These attributes are used for methods such as SMS OTP, Voice, and Voice OTP. Previously, the first attribute of User cell phone attributes was used as the default attribute for authenticating with the SMS OTP, Voice, and Voice OTP methods. Now users can use a different phone number for each of these methods. For example, Bob wants to authenticate with the SMS OTP, Voice, and Voice OTP methods. He has a cell phone number, a home phone number, and an IP phone number and wants to use one of these numbers for each method; this is possible by defining the attribute in the respective settings of each method.

Default attributes: mobile, otherMobile.

NOTE: If you have multiple repositories, you must use the same configuration of User cell phone attributes for all of them.

Group lookup attributes

Advanced Authentication matches the entered group name against the specified attributes.

For AD, the default attribute is sAMAccountName. For other repositories, cn is the default attribute.

Group name attributes

Advanced Authentication displays the group name taken from the first non-empty attribute in this list.

For AD, the default attribute is sAMAccountName. For other repositories, cn is the default attribute.

Advanced Authentication supports RFC 2307 and RFC 2307bis. RFC 2307 defines a standard LDAP schema that contains a memberUid attribute (POSIX style). RFC 2307bis defines an updated LDAP schema that contains a member attribute. AD, LDS, and eDirectory support RFC 2307bis. OpenLDAP contains posixAccount and posixGroup, which follow RFC 2307.

The following attributes are supported:

User object class

Default value: user. Value for OpenDJ and OpenLDAP: person.

Group object class

Default value: group. Value for OpenDJ: groupOfNames. Value for OpenLDAP: posixGroup.

Group member attribute

Default value: member. Value for OpenDJ: member. Value for OpenLDAP: memberUid.

If the required group is of the groupOfNames object class, set POSIX style groups to OFF. If it is of the posixGroup object class, set POSIX style groups to ON.

User UID attribute

This attribute is available only when POSIX style groups is ON. Default value: uid.

Object ID attribute

This attribute is available only for the Other LDAP type. Default value: entryUUID.

NOTE: For information on the Logon filter settings (Legacy logon tag and MFA logon tag), see Configuring Logon Filter.

Verify SSL Certificate

Enable Verify SSL Certificate so that the appliance validates the LDAP server's certificate against the self-signed SSL certificate you upload, instead of accepting any certificate. This protects the LDAP connection against interception and ensures that authentication data only reaches the genuine server. Click Choose File to browse to the self-signed certificate.

Enable paged search

The Enable paged search option allows the appliance to retrieve the results of an LDAP query in small portions (pages) rather than in one response. By default, this option is set to ON. For OpenLDAP with a file-based backend, the option must be set to OFF.

NOTE: Do not disable this option for Active Directory repositories. Disabling it can also affect performance on other supported repositories such as NetIQ eDirectory.

Enable Nested Groups Support

This option enables or disables support for nested groups. By default, Enable nested groups support is set to ON.

If Enable nested groups support is ON, Advanced Authentication authenticates all members of a group assigned to a chain, including the members of its nested groups. If the option is OFF, Advanced Authentication authenticates only the direct members of the group assigned to the chain; members of nested groups cannot access the chain. For example, suppose a group named All Users is assigned to the SMS Authentication chain, and All Users has the subgroups Contractors and Suppliers. With Enable nested groups support ON, Advanced Authentication authenticates the members of All Users and of its nested groups Contractors and Suppliers for the SMS Authentication chain. With the option OFF, only the direct members of All Users are authenticated, and the members of the nested groups have no access to the SMS Authentication chain. Setting the option to OFF improves the logon performance of the appliance.
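The group resolution described under POSIX style groups and Enable nested groups support, as an added example (not product code): with POSIX style groups ON, memberUid is matched against the User UID attribute; otherwise the Group member attribute holds member DNs and, with nested groups ON, every group found is queried again for the groups that contain it (the iterative query in 2.3 below). The directory, DNs and group names are constructed sample data standing in for an LDAP server.

```python
# Added example, not product code. DIRECTORY is a constructed in-memory
# stand-in for an LDAP server; search() mimics one LDAP query against it.

USER = "cn=pjones,ou=people,dc=example,dc=com"
DIRECTORY = {  # dn -> attributes (constructed sample data)
    USER: {"objectClass": ["person"], "uid": ["pjones"]},
    "cn=Contractors,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "member": [USER]},
    "cn=Suppliers,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "member": []},
    "cn=All Users,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=Contractors,ou=groups,dc=example,dc=com",
                   "cn=Suppliers,ou=groups,dc=example,dc=com"]},
    "cn=devs,ou=posix,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "memberUid": ["pjones", "asmith"]},
}


def search(attr, value, object_class):
    """Stand-in for an LDAP search with filter (&(objectClass=oc)(attr=value))."""
    return [dn for dn, entry in DIRECTORY.items()
            if object_class in entry["objectClass"]
            and value in entry.get(attr, [])]


def resolve_groups(user_dn, *, nested=True, posix=False,
                   group_class="groupOfNames", member_attr="member",
                   uid_attr="uid"):
    """Return the DNs of the groups the user belongs to. POSIX groups cannot
    nest (memberUid holds user IDs, not group DNs), so only the direct lookup
    applies to them."""
    if posix:
        uid = DIRECTORY[user_dn][uid_attr][0]
        return set(search(member_attr, uid, group_class))
    found, queue = set(), [user_dn]
    while queue:                      # breadth-first over containing groups
        dn = queue.pop(0)
        for group in search(member_attr, dn, group_class):
            if group not in found:
                found.add(group)
                if nested:            # OFF: stop after the direct groups
                    queue.append(group)
    return found
```

With nested groups ON, pjones (a direct member of Contractors only) resolves to All Users as well, so a chain assigned to All Users admits him; with the option OFF he resolves to Contractors alone.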

8.2.2 Used Attributes

The table describes the attributes used by the appliance in the supported directories.

Attribute Name | LDAP Name | Description | Type | Supported in Active Directory | Supported in LDS | Supported in eDirectory

(× marks an attribute that is not supported in that directory)

CN (Common Name) | CN | An identifier of an object | String | | |

Mobile | Mobile | A phone number of an object's cellular or mobile phone | Phone number | | |

Email Address | mail | An email address of a user | Email address | | |

User-Principal-Name (UPN) | userPrincipalName | An Internet-based format login name for a user | String | | |

SAM-Account-Name | sAMAccountName | The login name used to support clients and servers running earlier versions of operating systems such as Windows NT 4.0 | String | | × | ×

GUID | GUID | An assured unique value for any object | Octet String | × | × |

Object Class | Object Class | An unordered list of object classes | String | | |

Member | Member | A list that indicates the objects associated with a group or list | String | | |

User-Account-Control | userAccountControl | Flags that control the behavior of a user account | Enumeration | | × | ×

ms-DS-User-Account-Control-Computed | msDS-User-Account-Control-Computed | Flags similar to userAccountControl, but the attribute's value can contain additional bits that are not persisted | Enumeration | | | ×

Primary-Group-ID | primaryGroupID | A relative identifier (RID) for the primary group of a user | Enumeration | | × | ×

Object-Guid | objectGUID | A unique identifier for an object | Octet String | | | ×

object-Sid | objectSid | A binary value that specifies the security identifier (SID) of the user | Octet String | | | ×

Logon-Hours | logonHours | Hours during which the user is allowed to log on to the domain | Octet String | | × | ×

USN-Changed | uSNChanged | An update sequence number (USN) assigned by the local directory for the latest change, including creation | Interval | | | ×

NOTE: The sAMAccountName and userPrincipalName attributes are supported only for AD DS repositories. In AD LDS and eDirectory repositories, these attributes are not supported.

1. LDAP queries for repository sync

1.1. AD DS and AD LDS queries

1.1.1. Search users

(&(usnChanged>=217368)(&(objectClass=user)(|(cn=*)(sAMAccountName=*)(userPrincipalName=*))))

Requested attributes:

['objectSID', 'sAMAccountName', 'objectClass', 'logonHours', 'primaryGroupId', 'otherMobile', 'mobile', 'userAccountControl', 'cn', 'usnChanged', 'userPrincipalName', 'msDS-User-Account-Control-Computed', 'objectGUID', 'mail', 'otherMailbox', 'GUID']

1.1.2. Search groups

(&(usnChanged>=217368)(&(objectClass=group)(|(cn=*)(sAMAccountName=*))))

Requested attributes:

['objectSID', 'sAMAccountName', 'objectClass', 'logonHours', 'primaryGroupId', 'userAccountControl', 'cn', 'usnChanged', 'msDS-User-Account-Control-Computed', 'objectGUID', 'GUID']

1.2. eDirectory queries

The queries are the same as for AD DS and AD LDS, except for 'usnChanged' (this filter is not used).

1.2.1. Search users

(&(objectClass=user)(|(cn=*)(sAMAccountName=*)(userPrincipalName=*)))

Requested attributes:

['objectSID', 'sAMAccountName', 'objectClass', 'logonHours', 'primaryGroupId', 'otherMobile', 'mobile', 'userAccountControl', 'cn', 'userPrincipalName', 'msDS-User-Account-Control-Computed', 'objectGUID', 'mail', 'otherMailbox', 'GUID']

1.2.2. Search groups

(&(objectClass=group)(|(cn=*)(sAMAccountName=*)))

Requested attributes:

['objectSID', 'sAMAccountName', 'objectClass', 'logonHours', 'primaryGroupId', 'userAccountControl', 'cn', 'msDS-User-Account-Control-Computed', 'objectGUID', 'GUID']

2. LDAP queries during logon

For AD LDS queries, the attributes are the same as for AD DS, except for 'objectSid' (this filter is not used in queries about group membership).

In the examples below, the user name is pjones and base_dn is DC=company,DC=com.

2.1. AD DS and AD LDS queries

2.1.1. Basic user information

(&(objectClass=user)(|(cn=pjones)(sAMAccountName=pjones)(userPrincipalName=pjones)))

Requested attributes:

(&(objectClass=user)(objectGUID=\0f\d1\14\49\bc\cc\04\44\b7\bf\19\06\15\c6\82\55))

Requested attributes:

['otherMobile', 'GUID', 'userAccountControl', 'msDS-User-Account-Control-Computed', 'mobile', 'primaryGroupId', 'cn', 'objectGUID', 'userPrincipalName', 'objectSID', 'mail', 'sAMAccountName', 'objectClass', 'logonHours', 'otherMailbox']
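The 2.1.1 filters above interpolate a user-entered name and a raw GUID, so code that rebuilds them must escape every value per RFC 4515, or a crafted name could change the filter structure. Added example, not product code: it reproduces this page's lookup, GUID and group membership filters (the eDirectory GUID form in 2.2.1 follows by passing guid_attr="GUID"); the attribute names are this page's AD defaults and nothing talks to a server.

```python
# Added example, not product code: rebuilds the logon filters shown on this
# page from the configured lookup attributes, escaping every interpolated
# value per RFC 4515 so a crafted user name cannot change the filter shape.

AD_USER_LOOKUP_ATTRS = ("cn", "sAMAccountName", "userPrincipalName")


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside an assertion value."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def escape_binary(raw: bytes) -> str:
    """Encode a binary value such as objectGUID as \\xx hex escapes."""
    return "".join("\\%02x" % b for b in raw)


def user_lookup_filter(username, lookup_attrs=AD_USER_LOOKUP_ATTRS,
                       object_class="user"):
    """2.1.1, first query: match the entered name on every lookup attribute."""
    name = escape_filter_value(username)
    clauses = "".join("(%s=%s)" % (attr, name) for attr in lookup_attrs)
    return "(&(objectClass=%s)(|%s))" % (object_class, clauses)


def user_by_guid_filter(guid, guid_attr="objectGUID", object_class="user"):
    """2.1.1, second query: re-read the user by its binary GUID."""
    return "(&(objectClass=%s)(%s=%s))" % (object_class, guid_attr,
                                          escape_binary(guid))


def group_membership_filter(user_dn, primary_group_sid=None):
    """2.1.2: groups listing the user's DN as member, plus (AD only) the
    primary group found via its SID; both are strings and need escaping."""
    f = "(member=%s)" % escape_filter_value(user_dn)
    if primary_group_sid is None:
        return f
    return "(|%s(objectSid=%s))" % (f, escape_filter_value(primary_group_sid))


if __name__ == "__main__":
    print(user_lookup_filter("pjones"))
    print(user_by_guid_filter(bytes.fromhex("0fd11449bccc0444b7bf190615c68255")))
    # Metacharacters in the name are escaped, so it cannot become a wildcard
    print(user_lookup_filter("pj*)(cn=*"))
```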

2.1.2 Group membership information for user

AD-specific query using the objectSid filter:

(|(member=CN=pjones,CN=Users,DC=company,DC=com)(objectSid=S-1-5-21-3303523795-413055529-2892985274-513))

Requested attributes:

['GUID', 'userAccountControl', 'msDS-User-Account-Control-Computed', 'primaryGroupId', 'objectGUID', 'cn', 'objectSID', 'objectClass', 'sAMAccountName', 'logonHours']

2.3 Iterative query for each group returned by the query above

(member=CN=Performance Monitor Users,CN=Builtin,DC=company,DC=com)

Requested attributes:

['GUID', 'userAccountControl', 'msDS-User-Account-Control-Computed', 'primaryGroupId', 'objectGUID', 'cn', 'objectSID', 'objectClass', 'sAMAccountName', 'logonHours']

2.2. eDirectory queries

2.2.1. Basic user information

(&(objectClass=user)(|(cn=pjones)(sAMAccountName=pjones)(userPrincipalName=pjones)))

Requested attributes:

['otherMobile', 'GUID', 'userAccountControl', 'msDS-User-Account-Control-Computed', 'mobile', 'primaryGroupId', 'cn', 'objectGUID', 'userPrincipalName', 'objectSID', 'mail', 'sAMAccountName', 'objectClass', 'logonHours', 'otherMailbox']
(&(objectClass=user)(GUID=\57\b6\c2\c1\b9\7f\4b\40\b9\70\5f\9a\1d\76\6c\d2))

Requested attributes:

['otherMobile', 'GUID', 'userAccountControl', 'msDS-User-Account-Control-Computed', 'mobile', 'primaryGroupId', 'cn', 'objectGUID', 'userPrincipalName', 'objectSID', 'mail', 'sAMAccountName', 'objectClass', 'logonHours', 'otherMailbox']

2.2.2. Group membership information for user

(member=cn=pjones,o=AAF)

Requested attributes:

['GUID', 'userAccountControl', 'msDS-User-Account-Control-Computed', 'primaryGroupId', 'objectGUID', 'cn', 'objectSID', 'objectClass', 'sAMAccountName', 'logonHours']

8.2.3 Local Repository

To edit a local repository, perform the following steps:

  1. Click Edit in the LOCAL section of Repositories.

  2. In the Global Roles tab, you can manage Helpdesk or Security Officers as ENROLL ADMINS and Advanced Authentication Administrators as FULL ADMINS.

    By default, there are no ENROLL ADMINS, and only the account LOCAL\ADMIN is specified as FULL ADMIN. You can change this by adding user names from the local repository or from the repositories in use to Members.

  3. Click Save.

  4. In the Users tab, you can manage the local users.

    To add the new local account, click Add and specify the required information of the user.