3.3 Adding a Repository

A repository is a central location where the users' data is stored. Advanced Authentication uses the repository only to retrieve user information; the configuration in Advanced Authentication does not modify the repository. The authentication templates are stored inside the appliance and are fully encrypted.

Advanced Authentication supports any LDAP-compliant directory such as Active Directory Domain Services, NetIQ eDirectory, Active Directory Lightweight Directory Services, OpenLDAP, and OpenDJ. Advanced Authentication also supports the MSSQL database.

When you add a new repository, you can match the users in the repository to the authentication chains. The account that Advanced Authentication uses to access a repository requires only read permission.

You can add the following repositories:

3.3.1 Adding an LDAP Repository

To add an LDAP repository, perform the following steps:

  1. Click Repositories > Add.

  2. Select an applicable repository type from the LDAP type list. The options are:

    • AD for Active Directory Domain Services

    • AD LDS for Active Directory Lightweight Directory Services

    • eDirectory for NetIQ eDirectory

    • Other for OpenLDAP, OpenDJ and other types

    For AD, a repository name is automatically set to the NetBIOS name of the domain. For other LDAP repository types, you need to specify the name in Name.

  3. Specify a container for the users in Base DN. When you select the Subtree option, Advanced Authentication performs a search for the users in all the child nodes. You can change the search scope by selecting the Search one level only option.

  4. Specify a service account in User and its password in Password. Ensure that the account's password does not expire, because Advanced Authentication binds to the repository with this account and cannot bind once the password has expired.

  5. You can specify a container for the groups in Group DN (optional). When you select the Subtree option, Advanced Authentication performs a search for the groups in all the child nodes. You can change the search scope by selecting the Search one level only option.

  6. If you have selected AD as the LDAP type, select DNS discovery to find LDAP servers automatically. Specify the DNS zone and, optionally, the Site name, and click Perform DNS Discovery.

    If you want to add LDAP servers manually, select Manual setting.

    NOTE: If you specify an RODC (Read-Only Domain Controller) as the LDAP server, the server uses this DC for read requests (get groups, get user info) and for logon requests (the LDAP Password method and bind requests for the Advanced Authentication LDAP user). An RODC redirects the logon requests to a writable DC, because an RODC is deployed in less trusted locations and does not store copies of users' passwords. Therefore, if a writable DC is not available, Advanced Authentication cannot bind to the LDAP repository.

    To solve this issue, enable password replication for the service account specified in Step 4 by adding that account to the Allowed RODC Password Replication Group.

    However, even with this replication enabled, users cannot use the LDAP Password method, because their own passwords are not replicated to the RODC. Replicating the passwords of all users to an RODC is not recommended. For more information, see the article Understanding "Read Only Domain Controller" authentication.

  7. Click Add server. You can add several servers from your network; the list is used as a pool of servers. Each time a connection is opened, a server is selected at random from the pool, and unavailable servers are skipped.

    NOTE: A Global Master must have a connection to each of the LDAP servers. Therefore, in a data center with a Global Master, you must have LDAP servers for all the domains that are used. In secondary sites, ensure that the LDAP servers list contains only local LDAP servers, so that an Advanced Authentication server does not communicate with a remote LDAP server; communication with distant servers may cause delays.

  8. Specify an LDAP server's Address and Port.

  9. Turn SSL to ON to protect the connection with TLS (LDAPS), if applicable. The Port must then be the server's LDAPS port, typically 636.

  10. Click Save next to the server's details.

  11. Add additional servers (if applicable).

  12. (Conditional) To configure custom attributes, expand Advanced Settings. The Advanced Settings are required for OpenDJ, OpenLDAP, and in some cases for NetIQ eDirectory.

  13. Click Save.

    NOTE: If you use NetIQ eDirectory with the option Require TLS for Simple Bind with Password enabled, you may get the error: Can't bind to LDAP: confidentialityRequired. To fix the error, either disable the option or do the following:

    1. Click LDAP > LDAP Options > Connections in the NetIQ eDirectory Administration portal.

    2. Set Client Certificate to Not Requested.

    3. Set a correct port number and select SSL in the Repository settings.

    4. Click Sync now with the added repository.

  14. You can change the search scope and use the optional Group DN. (In Advanced Authentication 5.2, you had to specify a common Base DN for users and groups.)

  15. To verify the synchronization of a repository, click Edit and view the information in Last sync.

  16. Click Full sync to perform a complete synchronization of the repository.

    NOTE: Full sync can be started only on the Global Master server.

    For AD, Advanced Authentication automatically synchronizes modified objects (fastsync) every hour. A complete synchronization (Full sync) is performed every week.

NOTE: If an LDAP server does not respond within 2.5 seconds, Advanced Authentication excludes it from LDAP requests for 3 minutes.

Advanced Settings

Advanced Settings allow you to customize attributes that Advanced Authentication reads from a repository. Click + to expand the Advanced Settings. The following list describes the different attributes in Advanced Settings:

User Lookup Attributes

Advanced Authentication searches the specified attributes to match an entered user name.

For Active Directory (AD), the default attributes are sAMAccountName and userPrincipalName. For other repositories, cn is the default attribute.

User Name Attributes

Advanced Authentication displays, as the user's name, the value of the first non-empty attribute among those specified.

For AD, the default attributes are sAMAccountName and userPrincipalName. For other repositories, cn is the default attribute.

User Mail Attributes

Advanced Authentication reads the specified attributes to retrieve a user's email address.

Default attributes are mail and otherMailbox.

User Cell Phone Attributes

Advanced Authentication reads the specified attributes to retrieve a user's phone number. These attributes are used by the SMS OTP, Voice, and Voice OTP methods. Previously, the first attribute in User cell phone attributes was used for all three methods. Now each method can use a different phone number. For example, if Bob has a cell phone number, a home phone number, and an IP phone number and wants to use one of them for each method, he can define the numbers in the settings of the respective methods.

Default attributes: mobile, otherMobile.

NOTE: If you have multiple repositories, you must use the same User cell phone attributes configuration for all of them.

Group Lookup Attributes

Advanced Authentication searches the specified attributes to match an entered group name.

For Active Directory, the default attribute is sAMAccountName. For other repositories, cn is the default attribute.

Group Name Attributes

Advanced Authentication displays, as the group's name, the value of the first non-empty attribute among those specified.

For Active Directory, the default attribute is sAMAccountName. For other repositories, cn is the default attribute.

Advanced Authentication supports RFC 2307 and RFC 2307bis. RFC 2307 defines a standard LDAP schema in which group membership is stored in a memberUid attribute holding user IDs (POSIX style). RFC 2307bis defines an updated schema in which membership is stored in a member attribute holding member DNs. Active Directory, AD LDS, and eDirectory use a DN-valued member attribute, as in RFC 2307bis. OpenLDAP provides the posixAccount and posixGroup classes, which follow RFC 2307.

The following settings control how Advanced Authentication finds user and group objects and reads group membership:

Setting                  Default value   Value for the repository
User Object Class        user            OpenDJ and OpenLDAP: person
Group Object Class       group           OpenDJ: groupOfNames; OpenLDAP: posixGroup
Group Member Attribute   member          OpenDJ: member; OpenLDAP: memberUid

If the required groups use the groupOfNames class, disable POSIX style groups. If they use the posixGroup class, enable POSIX style groups.

  • User UID attribute

    This attribute is available only when POSIX style groups is ON. Default value: uid.

  • Object ID attribute

    This attribute is available only for the Other LDAP type. Default value: entryUUID.

NOTE: For information about the Logon filter settings (Legacy logon tag and MFA logon tag), see Configuring Logon Filter.

Verify SSL Certificate

Enable Verify SSL Certificate to make the appliance verify the certificate that the LDAP server presents against the certificate you upload. Without verification, an attacker who can intercept the connection could present a different certificate and impersonate the LDAP server; with verification enabled, the bind fails instead. Click Browse to upload the LDAP server's self-signed SSL certificate.

Enable Paged Search

The Enable paged search option lets Advanced Authentication use the LDAP paged results control, so that the result of a query is retrieved in pages rather than all at once. By default, this option is set to ON. For OpenLDAP with a file-based backend, the option must be set to OFF.

NOTE: Do not disable this option for Active Directory repositories. Disabling it can also degrade performance on other supported repositories such as NetIQ eDirectory.

Enable Nested Groups Support

This option allows you to enable or disable nested groups support. By default, the Enable nested groups support option is set to ON.

If Enable nested groups support is set to ON, Advanced Authentication authenticates all members of a group assigned to a chain, including the members of its nested groups. If the option is set to OFF, only the direct members of the assigned group can use the chain; members of its nested groups cannot.

Consider a group named All Users assigned to an SMS Authentication chain, where All Users has the subgroups Contractors and Suppliers. When Enable nested groups support is ON, members of All Users and of the nested groups Contractors and Suppliers can authenticate with the SMS Authentication chain. When the option is OFF, only the direct members of All Users can use the chain, and the members of the nested groups cannot. Turning the option OFF avoids the recursive group lookups and improves the login performance of the appliance.
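The following added example (not NetIQ code; the entries, DNs and group names are constructed for illustration) models how the settings above combine. It resolves a user's groups against an in-memory directory under DN-valued membership (the member attribute, as in AD, AD LDS, eDirectory and OpenDJ groupOfNames) and under POSIX-style membership (memberUid matched against the User UID attribute, as in OpenLDAP posixGroup), and shows what Enable nested groups support changes, including how a resolver has to survive two groups that contain each other. The field names in RepositorySettings mirror the Advanced Settings on this page; how they are combined is this example's own reading of the page, not the product's implementation.

```python
"""Group membership under the repository settings described above.

Added example, not NetIQ code. A small in-memory directory of constructed
entries stands in for the LDAP server. RepositorySettings mirrors the names of
the Advanced Settings on the page; the resolution logic is this example's own.
"""
from dataclasses import dataclass, field


@dataclass
class Entry:
    dn: str
    attrs: dict = field(default_factory=dict)


@dataclass(frozen=True)
class RepositorySettings:
    group_object_class: str = "group"       # page default; OpenDJ: groupOfNames, OpenLDAP: posixGroup
    group_member_attribute: str = "member"  # page default; OpenLDAP: memberUid
    posix_style_groups: bool = False        # ON when the groups are posixGroup (RFC 2307)
    user_uid_attribute: str = "uid"         # only used when posix_style_groups is ON
    nested_groups: bool = True              # "Enable nested groups support", default ON


# Constructed directory. DN-valued membership (RFC 2307bis style) and uid-valued
# membership (RFC 2307 posixGroup) are shown side by side; a real repository uses one.
PEOPLE = "ou=people,dc=company,dc=com"
GROUPS = "ou=groups,dc=company,dc=com"
PJONES = Entry(f"uid=pjones,{PEOPLE}", {"objectClass": ["person", "posixAccount"], "uid": ["pjones"]})
ASMITH = Entry(f"uid=asmith,{PEOPLE}", {"objectClass": ["person", "posixAccount"], "uid": ["asmith"]})
DIRECTORY = [
    PJONES, ASMITH,
    Entry(f"cn=Contractors,{GROUPS}", {"objectClass": ["groupOfNames"], "member": [PJONES.dn]}),
    Entry(f"cn=Suppliers,{GROUPS}", {"objectClass": ["groupOfNames"], "member": [ASMITH.dn]}),
    Entry(f"cn=All Users,{GROUPS}", {"objectClass": ["groupOfNames"],
                                     "member": [f"cn=Contractors,{GROUPS}", f"cn=Suppliers,{GROUPS}"]}),
    # Two groups that contain each other: a misconfiguration a resolver must survive.
    Entry(f"cn=Loop1,{GROUPS}", {"objectClass": ["groupOfNames"], "member": [PJONES.dn, f"cn=Loop2,{GROUPS}"]}),
    Entry(f"cn=Loop2,{GROUPS}", {"objectClass": ["groupOfNames"], "member": [f"cn=Loop1,{GROUPS}"]}),
    Entry(f"cn=ops,{GROUPS}", {"objectClass": ["posixGroup"], "memberUid": ["pjones"]}),
]

DN_STYLE = RepositorySettings(group_object_class="groupOfNames", group_member_attribute="member")
POSIX_STYLE = RepositorySettings(group_object_class="posixGroup", group_member_attribute="memberUid",
                                 posix_style_groups=True)


def _norm_dn(dn: str) -> str:
    # DNs compare case-insensitively; lower-casing is enough for this example.
    return dn.lower()


def direct_groups(entry: Entry, directory: list, s: RepositorySettings) -> list:
    """Groups whose member attribute names this entry: the '(member=<dn>)' query on the
    page, or a memberUid match against the entry's uid when POSIX style groups is ON."""
    if s.posix_style_groups:
        uids = set(entry.attrs.get(s.user_uid_attribute, []))

        def names_entry(group):
            return bool(uids.intersection(group.attrs.get(s.group_member_attribute, [])))
    else:
        def names_entry(group):
            members = {_norm_dn(v) for v in group.attrs.get(s.group_member_attribute, [])}
            return _norm_dn(entry.dn) in members
    return [g for g in directory
            if s.group_object_class in g.attrs.get("objectClass", []) and names_entry(g)]


def groups_for_user(user: Entry, directory: list, s: RepositorySettings) -> set:
    """All group DNs the user belongs to. With nested groups ON, each found group is
    looked up in turn (step 3 of the logon queries); the visited set stops cycles.
    memberUid holds uids, not group names, so nesting only applies to DN-valued groups."""
    found = {}
    queue = direct_groups(user, directory, s)
    while queue:
        group = queue.pop()
        if _norm_dn(group.dn) in found:
            continue
        found[_norm_dn(group.dn)] = group.dn
        if s.nested_groups and not s.posix_style_groups:
            queue.extend(direct_groups(group, directory, s))
    return set(found.values())


def may_use_chain(user: Entry, chain_group_dn: str, directory: list, s: RepositorySettings) -> bool:
    """True when the user may use a chain assigned to chain_group_dn."""
    return _norm_dn(chain_group_dn) in {_norm_dn(d) for d in groups_for_user(user, directory, s)}


if __name__ == "__main__":
    print(sorted(groups_for_user(PJONES, DIRECTORY, DN_STYLE)))
    print(may_use_chain(PJONES, f"cn=All Users,{GROUPS}", DIRECTORY, DN_STYLE))
    print(sorted(groups_for_user(PJONES, DIRECTORY, POSIX_STYLE)))
```

With nested groups ON, pjones (a direct member of Contractors only) is treated as a member of All Users and may use a chain assigned to it; with nested groups OFF the same chain is refused. Under POSIX style, Contractors and All Users are ignored because they are not posixGroup entries, and only ops, which lists pjones in memberUid, is returned.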

Framed IPv4 Address Attribute

This attribute is applicable for the RADIUS Server event.

For Active Directory, when Framed IPv4 Address attribute is blank, the Advanced Authentication RADIUS server returns the value of the msRADIUSFramedIPAddress attribute as Framed-IP-Address after you log in with the RADIUS event. When you specify another attribute in Framed IPv4 Address attribute, the value of that attribute is returned as Framed-IP-Address instead. You can configure the address in Active Directory Users and Computers > Dial-in > Assign Static IP Addresses, then click Static IP Addresses. Only IPv4 is supported.

For the other repositories, when Framed IPv4 Address attribute is blank, the Advanced Authentication RADIUS server returns the value of the radiusFramedIPAddress attribute as Framed-IP-Address after you log in with the RADIUS event. When you specify another attribute in Framed IPv4 Address attribute, the value of that attribute is returned as Framed-IP-Address instead.

Used Attributes

The following table describes the attributes that the appliance uses in the supported directories. "yes" means the attribute is read from that directory type; "no" means it is not available or not used there.

Attribute Name                      | LDAP Name                          | Description                                                                                                  | Type          | AD DS | AD LDS | eDirectory
CN (Common Name)                    | cn                                 | An identifier of an object                                                                                   | String        | yes   | yes    | yes
Mobile                              | mobile                             | The phone number of an object's cellular or mobile phone                                                     | Phone number  | yes   | yes    | yes
Email Address                       | mail                               | The email address of a user                                                                                  | Email address | yes   | yes    | yes
User-Principal-Name (UPN)           | userPrincipalName                  | An Internet-style login name for a user                                                                      | String        | yes   | no     | no
SAM-Account-Name                    | sAMAccountName                     | The login name used to support clients and servers running earlier operating systems such as Windows NT 4.0 | String        | yes   | no     | no
GUID                                | GUID                               | An assured unique value for any object                                                                       | Octet String  | no    | no     | yes
Object Class                        | objectClass                        | An unordered list of object classes                                                                          | String        | yes   | yes    | yes
Member                              | member                             | A list of the objects that belong to a group or list                                                         | String        | yes   | yes    | yes
User-Account-Control                | userAccountControl                 | Flags that control the behavior of a user account                                                            | Enumeration   | yes   | no     | no
ms-DS-User-Account-Control-Computed | msDS-User-Account-Control-Computed | Flags similar to userAccountControl, but the value can contain additional bits that are not persisted        | Enumeration   | yes   | yes    | no
Primary-Group-ID                    | primaryGroupID                     | The relative identifier (RID) of the primary group of a user                                                 | Enumeration   | yes   | no     | no
Object-Guid                         | objectGUID                         | A unique identifier for an object                                                                            | Octet String  | yes   | yes    | no
Object-Sid                          | objectSid                          | A binary value that specifies the security identifier (SID) of the user                                      | Octet String  | yes   | yes    | no
Logon-Hours                         | logonHours                         | The hours during which the user is allowed to log on to the domain                                           | Octet String  | yes   | no     | no
USN-Changed                         | uSNChanged                         | The update sequence number (USN) assigned by the local directory to the latest change, including creation    | Interval      | yes   | yes    | no

NOTE: The sAMAccountName and userPrincipalName attributes are supported only for the AD DS repository. The Active Directory LDS and eDirectory repositories do not support these attributes.

LDAP Queries for Repository Sync

Active Directory DS and AD LDS Queries

1. Search users

(&(usnChanged>=217368)(&(objectClass=user)(|(cn=*)(sAMAccountName=*)(userPrincipalName=*))))

Requested attributes:

['objectSID', 'sAMAccountName', 'objectClass', 'logonHours', 'primaryGroupId', 'otherMobile', 'mobile', 'userAccountControl', 'cn', 'usnChanged', 'userPrincipalName', 'msDS-User-Account-Control-Computed', 'objectGUID', 'mail', 'otherMailbox', 'GUID']

2. Search groups

(&(usnChanged>=217368)(&(objectClass=group)(|(cn=*)(sAMAccountName=*))))

Requested attributes:

['objectSID', 'sAMAccountName', 'objectClass', 'logonHours', 'primaryGroupId', 'userAccountControl', 'cn', 'usnChanged', 'msDS-User-Account-Control-Computed', 'objectGUID', 'GUID']

eDirectory Queries

The queries are the same as for Active Directory DS and Active Directory LDS, except that the usnChanged filter is not used.

1. Search users

(&(objectClass=user)(|(cn=*)(sAMAccountName=*)(userPrincipalName=*)))

Requested attributes:

['objectSID', 'sAMAccountName', 'objectClass', 'logonHours', 'primaryGroupId', 'otherMobile', 'mobile', 'userAccountControl', 'cn', 'userPrincipalName', 'msDS-User-Account-Control-Computed', 'objectGUID', 'mail', 'otherMailbox', 'GUID']

2. Search groups

(&(objectClass=group)(|(cn=*)(sAMAccountName=*)))

Requested attributes:

['objectSID', 'sAMAccountName', 'objectClass', 'logonHours', 'primaryGroupId', 'userAccountControl', 'cn', 'msDS-User-Account-Control-Computed', 'objectGUID', 'GUID']

LDAP Queries During Logon

For Active Directory LDS, the queries and attributes are the same as for Active Directory DS except for objectSid: that filter is not used in the group membership queries.

In the examples below, the user name is pjones and base_dn is DC=company,DC=com.

Active Directory DS and Active Directory LDS queries

1. Basic user information

(&(objectClass=user)(|(cn=pjones)(sAMAccountName=pjones)(userPrincipalName=pjones)))

Requested attributes:

['otherMobile', 'GUID', 'userAccountControl', 'msDS-User-Account-Control-Computed', 'mobile', 'primaryGroupId', 'cn', 'objectGUID', 'userPrincipalName', 'objectSID', 'mail', 'sAMAccountName', 'objectClass', 'logonHours', 'otherMailbox']

Lookup of the same user by its stored objectGUID:

(&(objectClass=user)(objectGUID=\0f\d1\14\49\bc\cc\04\44\b7\bf\19\06\15\c6\82\55))

Requested attributes:

['otherMobile', 'GUID', 'userAccountControl', 'msDS-User-Account-Control-Computed', 'mobile', 'primaryGroupId', 'cn', 'objectGUID', 'userPrincipalName', 'objectSID', 'mail', 'sAMAccountName', 'objectClass', 'logonHours', 'otherMailbox']

2. Group membership information for user

Active Directory specific query using the objectSid filter (the objectSid term matches the user's primary group, which is not listed in any member attribute; RID 513 is Domain Users):

(|(member=CN=pjones,CN=Users,DC=company,DC=com)(objectSid=S-1-5-21-3303523795-413055529-2892985274-513))

Requested attributes:

['GUID', 'userAccountControl', 'msDS-User-Account-Control-Computed', 'primaryGroupId', 'objectGUID', 'cn', 'objectSID', 'objectClass', 'sAMAccountName', 'logonHours']

3. Iterative query for each group returned by the previous query (nested groups)

(member=CN=Performance Monitor Users,CN=Builtin,DC=company,DC=com)

Requested attributes:

['GUID', 'userAccountControl', 'msDS-User-Account-Control-Computed', 'primaryGroupId', 'objectGUID', 'cn', 'objectSID', 'objectClass', 'sAMAccountName', 'logonHours']

eDirectory Queries

1. Basic user information

(&(objectClass=user)(|(cn=pjones)(sAMAccountName=pjones)(userPrincipalName=pjones)))

Requested attributes:

['otherMobile', 'GUID', 'userAccountControl', 'msDS-User-Account-Control-Computed', 'mobile', 'primaryGroupId', 'cn', 'objectGUID', 'userPrincipalName', 'objectSID', 'mail', 'sAMAccountName', 'objectClass', 'logonHours', 'otherMailbox']

Lookup of the same user by its stored GUID:

(&(objectClass=user)(GUID=\57\b6\c2\c1\b9\7f\4b\40\b9\70\5f\9a\1d\76\6c\d2))

Requested attributes:

['otherMobile', 'GUID', 'userAccountControl', 'msDS-User-Account-Control-Computed', 'mobile', 'primaryGroupId', 'cn', 'objectGUID', 'userPrincipalName', 'objectSID', 'mail', 'sAMAccountName', 'objectClass', 'logonHours', 'otherMailbox']

2. Group membership information for user

(member=cn=pjones,o=AAF)

Requested attributes:

['GUID', 'userAccountControl', 'msDS-User-Account-Control-Computed', 'primaryGroupId', 'objectGUID', 'cn', 'objectSID', 'objectClass', 'sAMAccountName', 'logonHours']
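The filters above interpolate three kinds of values: a user-typed name (pjones), binary octet strings (objectGUID, GUID) written byte by byte as \XX, and a string SID. The following added example (not NetIQ code) builds the same filters with Python's standard library and makes explicit what the page leaves implicit: the user-typed name must be escaped per RFC 4515 before it goes into the filter, otherwise a name such as p*jones)(cn=admin rewrites the query; the objectGUID bytes on the page are the GUID 4914d10f-ccbc-4404-b7bf-190615c68255 in Active Directory's mixed-endian storage order; and the objectSid term of the membership query is the user's own SID with the RID replaced by primaryGroupID (513 is Domain Users), because the primary group is never listed in a member attribute. The user SID ending in 1105 is constructed for the example; all other values are the ones shown in the queries on this page.

```python
"""Build the sync and logon filters from this section without filter injection.

Added example, not NetIQ code. Standard library only. Sample values are the
ones printed on the page except the user SID (RID 1105), which is constructed.
"""
import struct
import uuid

# Bytes that RFC 4515 requires to be escaped inside an assertion value.
FILTER_META = frozenset(b"\\*()\x00")


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP filter (RFC 4515).

    Metacharacters, NUL and every non-ASCII byte of the UTF-8 encoding are
    written as \\XX, so the value can never close or extend the filter.
    """
    out = []
    for byte in value.encode("utf-8"):
        if byte in FILTER_META or byte >= 0x80:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def binary_filter_value(raw: bytes) -> str:
    """Octet-string values (objectGUID, eDirectory GUID) are matched byte-wise; every
    byte is written as \\XX, the notation used in the objectGUID query above."""
    return "".join("\\%02x" % b for b in raw)


def user_lookup_filter(username: str,
                       lookup_attrs=("cn", "sAMAccountName", "userPrincipalName"),
                       user_object_class: str = "user") -> str:
    """The 'Basic user information' query: one alternative per User lookup attribute."""
    safe = escape_filter_value(username)
    alternatives = "".join("(%s=%s)" % (attr, safe) for attr in lookup_attrs)
    return "(&(objectClass=%s)(|%s))" % (user_object_class, alternatives)


def objectguid_filter(guid_text: str, user_object_class: str = "user") -> str:
    """Look a user up by GUID string. AD stores objectGUID in mixed-endian order,
    which is exactly what uuid's bytes_le produces."""
    raw = uuid.UUID(guid_text).bytes_le
    return "(&(objectClass=%s)(objectGUID=%s))" % (user_object_class, binary_filter_value(raw))


def sid_to_string(sid: bytes) -> str:
    """Decode a binary objectSid: revision, sub-authority count, 48-bit big-endian
    identifier authority, then 32-bit little-endian sub-authorities."""
    revision, count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack("<%dI" % count, sid[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_from_string(text: str) -> bytes:
    """Inverse of sid_to_string; used here to construct a sample objectSid value."""
    parts = text.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def primary_group_sid(user_sid: str, primary_group_id: int) -> str:
    """The primary group is not listed in any member attribute. Its SID is the user's
    SID with the last sub-authority (the RID) replaced by primaryGroupID; 513 is Domain Users."""
    domain_sid = user_sid.rsplit("-", 1)[0]
    return "%s-%d" % (domain_sid, primary_group_id)


def group_membership_filter(user_dn: str, user_sid: str = None, primary_group_id: int = None) -> str:
    """Query 2 above. AD DS adds the objectSid term for the primary group; AD LDS and
    eDirectory use the member term only. The DN is escaped because it is an assertion value."""
    member_term = "(member=%s)" % escape_filter_value(user_dn)
    if user_sid is None:
        return member_term
    return "(|%s(objectSid=%s))" % (member_term, primary_group_sid(user_sid, primary_group_id))


def incremental_sync_filter(usn_changed_since: int, object_class: str = "user",
                            lookup_attrs=("cn", "sAMAccountName", "userPrincipalName")) -> str:
    """The fastsync filter: objects of the class changed since the last seen uSNChanged
    that have at least one lookup attribute. '*' here is a presence test, not user input."""
    presence = "".join("(%s=*)" % attr for attr in lookup_attrs)
    return "(&(usnChanged>=%d)(&(objectClass=%s)(|%s)))" % (usn_changed_since, object_class, presence)


if __name__ == "__main__":
    sid = sid_to_string(sid_from_string("S-1-5-21-3303523795-413055529-2892985274-1105"))
    print(user_lookup_filter("pjones"))
    print(user_lookup_filter("p*jones)(cn=admin"))   # escaped: still a single name match
    print(objectguid_filter("4914d10f-ccbc-4404-b7bf-190615c68255"))
    print(group_membership_filter("CN=pjones,CN=Users,DC=company,DC=com", sid, 513))
    print(incremental_sync_filter(217368, "group", ("cn", "sAMAccountName")))
```

Run as a script, the block reproduces the filters printed on this page from their input values; the second user_lookup_filter call shows the escaped form of a hostile name, which the directory will simply fail to find rather than evaluate as extra filter terms.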

3.3.2 Adding an SQL Database

You can add an MSSQL database to be consumed as a repository by Advanced Authentication. The following versions of SQL Server are supported:

  • Microsoft SQL Server 2016

To add an SQL database, perform the following steps:

  1. Click Repositories > Add SQL repo.

  2. Specify the following details of the SQL database:

    • Name: Name of the repository.

    • Database type: Select MSSQL.

    • DB host: IP address of the database host.

    • DB name: Name of the database.

    • DB user: Name of the database user.

    • Password: Password of the database user.

    • Table or view name: Name of the table or view in the database.

    • User’s id column and User’s id type: User’s id column and id type in the database.

    • User’s name column and User’s name type: The username column and the type in which the name is specified.

    • User's phone column, and User's email column: The phone and email column in the database.

IMPORTANT:

  • The LDAP Password method is not applicable to users in an SQL repository. The Password method is not enrolled automatically for these users; only a Helpdesk administrator can enroll it, manually.

  • You must disable Ask credentials of management user in the Helpdesk Options policy for the SQL repository. This lets the Helpdesk administrator set an authenticator for a user on the User to Manage page of the Helpdesk portal without authenticating with the user's password.

  • The SQL repository supports auto-enrollment of the Email OTP, SMS OTP, and Voice OTP methods. If you use only these methods, you can create a chain with one or more of them, and no Helpdesk administrator assistance is needed for enrollment. A single-factor chain consisting of only one of these methods is not recommended, because an OTP delivered by email or phone is a single factor and is not secure on its own.

3.3.3 Local Repository

The Local repository contains the Advanced Authentication server data. You can manage users and set roles for users in the local repository.

To edit a local repository, perform the following steps:

  1. Click Edit in the LOCAL section of Repositories.

  2. In the Global Roles tab, you can manage the Helpdesk administrators as ENROLL ADMINS and Advanced Authentication administrators as FULL ADMINS.

    By default, there are no ENROLL ADMINS, and the account LOCAL\ADMIN is the only FULL ADMIN. You can change this by adding user names from the local repository or from other repositories in Members.

  3. Click Save.

  4. In the Users tab, you can manage the local users.

    To add the new local account, click Add and specify the required information of the user.

  5. In the Settings tab, you can edit the name of the Local repository.