8.1 Adding an LDAP Repository

IMPORTANT: The LDAP repository is not available in the Advanced Authentication as a Service (SaaS) version.

To add a repository, perform the following steps:

  1. Click Repositories > New LDAP repo.

  2. Select an applicable repository type from the LDAP type list. The options are:

    • AD for Active Directory Domain Services

    • AD LDS for Active Directory Lightweight Directory Services

    • eDirectory for NetIQ eDirectory

      NOTE: When eDirectory is used as the LDAP repository, ensure that the Linux PAM Client's realm name matches the repository name; otherwise SSH logins do not work.

    • Other for OpenLDAP, OpenDJ and other types

      To add the AD LDS repository with the AD LDS proxy, see Adding an AD LDS Repository with the Configured AD LDS Proxy.

    For AD, the repository name is set automatically to the NetBIOS name of the domain. For the other LDAP repository types, specify the name in Name.

  3. Specify the container for users in Base DN. With the Subtree option selected, Advanced Authentication searches for users in the Base DN and in all of its child containers. To restrict the search to the objects directly under the Base DN, select the Search one level only option.

  4. Specify the account that Advanced Authentication binds to the directory with in User, and its password in Password. Use a dedicated service account and ensure that its password does not expire: when it expires, synchronization and every bind through this repository fail.

  5. (Optional) Specify the container for groups in Group DN. With the Subtree option selected, Advanced Authentication searches for groups in the Group DN and in all of its child containers. To restrict the search to the objects directly under the Group DN, select the Search one level only option.

  6. If you selected AD as the LDAP type, you can either discover the LDAP servers automatically through DNS or enter them manually.

    Automatically Performing the DNS Discovery

    1. Select DNS discovery in the LDAP servers option.

    2. Specify the DNS zone.

    3. Specify the Site name (optional).

    4. The Use SSL option is OFF by default, which means that DNS discovery looks for plain LDAP servers on port 389: an _ldap SRV record is retrieved from the DNS server, for example _ldap._tcp.test2.local2. Note that on a plain LDAP connection the password of the account from Step 4, and the passwords of users who authenticate with the LDAP Password method, cross the network in clear text during the simple bind, so SSL is preferable wherever the directory supports it.

      To discover LDAPS servers on port 636, turn Use SSL to ON. An _ldaps SRV record is then retrieved from the DNS server, for example _ldaps._tcp.test2.local2. Active Directory registers only the _ldap records automatically, so an administrator must create the _ldaps SRV record on the DNS server before the SSL option can be used.

    5. Click Perform DNS Discovery.

      After the initial discovery, the list of discovered servers is refreshed from DNS every three hours.

    Manually Performing the DNS Discovery

    1. Select the Manual setting option in the LDAP servers option to add LDAP servers manually.

    2. Click Add server. You can add several servers from your network; the list is used as a pool. Each time a connection is opened, a random server is selected from the pool, and servers that are currently marked unavailable are skipped.

    3. Specify an LDAP server's Address and Port.

    4. Turn SSL to ON to use SSL (if applicable).

      NOTE: If you add an RODC (Read-Only Domain Controller) as an LDAP server, Advanced Authentication sends read requests (get groups, get user info) and logon requests (the LDAP Password method and the bind of the Advanced Authentication service account) to it. An RODC is designed for untrusted locations and does not store copies of user passwords, so it forwards these authentication requests to a writable DC. If no writable DC is reachable from the RODC, Advanced Authentication cannot bind to the repository.

      To allow the service account specified in Step 4 to bind through the RODC even when no writable DC is reachable, enable password replication for that account by adding it to the Allowed RODC Password Replication Group.

      Even with that replication enabled, users cannot authenticate with the LDAP Password method through the RODC, because their passwords are not replicated to it. Replicating the passwords of all users to an RODC is not recommended. For more information, see the article Understanding "Read Only Domain Controller" authentication.

      NOTE: If you have a domain-per-site architecture, the Global Master Server must have a connection to at least one LDAP server from each site, because the Global Master Server must have access to all domains. On the secondary sites, ensure that the LDAP servers list contains only local LDAP servers, so that the Advanced Authentication server there never has to contact a remote LDAP server; communication with distant servers adds latency.

      For example, suppose the company.com domain is at the primary site and child domains such as my1.company.com and my2.company.com are at other sites. If the repository configuration lists only LDAP servers from company.com, no synchronization with the LDAP servers of the child domains is possible.

      On the Global Master Server, list the local LDAP servers and at least one LDAP server from each child domain to allow synchronization with those child domains.

    5. Click the save icon next to the server's settings.

      Add additional servers (if applicable).

  7. (Conditional) To configure custom attributes, expand Advanced Settings. Advanced Settings are required for OpenDJ and OpenLDAP, and in some cases for NetIQ eDirectory.

  8. Click Save.

    NOTE: If you use NetIQ eDirectory with the option Require TLS for Simple Bind with Password enabled, you may get the error Can't bind to LDAP: confidentialityRequired. eDirectory returns this result because it refuses a simple bind (user name and password) over a connection that is not protected by TLS. To fix the error, either disable the option (which lets passwords cross the network in clear text and is not recommended) or do the following:

    1. Click LDAP > LDAP Options > Connections in the NetIQ eDirectory Administration portal.

    2. Set Client Certificate to Not Requested.

    3. Set the correct port number (636 by default for LDAPS) and select SSL in the repository settings.

    4. Click Sync now with the added repository.

  9. The search scope and the optional Group DN can be changed later. In Advanced Authentication 5.2, a common Base DN had to be specified for both users and groups; now users and groups can be searched from separate containers.

  10. To verify that a repository has been synchronized, click Edit and check the Last sync information.

  11. Click Full synchronization to perform a complete synchronization of the repository.

    NOTE: Full synchronization must be initiated only on the Global Master server.

    Advanced Authentication automatically synchronizes only the modified user attributes (fast synchronization) every hour. Fast synchronization is supported for AD repositories only.

    The complete synchronization (Full synchronization) is performed weekly for all types of repositories. The full sync reads all users and groups from a randomly selected LDAP server and compares them with the data Advanced Authentication holds. Its purpose is to remove users who are no longer members of the groups assigned to the authentication chains of Advanced Authentication. Such a user is marked for removal after N days, where N is the value of Retain the deleted users or groups (days) in the policy. After that period, the user and all of the user's authenticators are deleted from the Advanced Authentication database, which releases the user's license.
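    The following is an added example, not product code, of what the DNS discovery in Step 6 does for an AD repository: it builds the SRV name for the zone (and, optionally, the AD site), then orders the answers by priority and weight as RFC 2782 prescribes. The record names follow Active Directory's conventions (_ldap._tcp.<zone>, _ldaps._tcp.<zone>, and the site-scoped _sites form); the DNS answers in the block are constructed, not fetched, and deliberately omit the _ldaps record so the missing-record symptom is visible.

```python
"""SRV-based LDAP server discovery (added example, not Advanced Authentication code).

Record names follow AD conventions, ordering follows RFC 2782, and the DNS
answers at the bottom are constructed rather than fetched from a server."""
import random
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple


class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


def srv_name(zone: str, use_ssl: bool = False, site: Optional[str] = None) -> str:
    """Return the SRV owner name that DNS discovery queries.

    Every AD domain controller registers _ldap._tcp.<zone> itself.  No DC
    registers _ldaps._tcp.<zone>, which is why an administrator has to create
    that record before Use SSL is turned on.
    """
    service = "_ldaps" if use_ssl else "_ldap"
    if site:  # site-scoped lookup, e.g. _ldap._tcp.Paris._sites.test2.local2
        return f"{service}._tcp.{site}._sites.{zone}"
    return f"{service}._tcp.{zone}"


def order_by_srv(records: List[SrvRecord], rng: random.Random) -> List[SrvRecord]:
    """Order SRV answers the way RFC 2782 prescribes for a client.

    Lower priority values are tried first.  Within one priority the order is
    weighted-random: a record with twice the weight is chosen first about
    twice as often, and weight-0 records are almost never chosen ahead of
    weighted ones.  A target of "." means "service not offered" and is dropped.
    """
    by_priority: Dict[int, List[SrvRecord]] = defaultdict(list)
    for rec in records:
        if rec.target != ".":
            by_priority[rec.priority].append(rec)

    ordered: List[SrvRecord] = []
    for priority in sorted(by_priority):
        group = by_priority[priority]
        # RFC 2782: weight-0 records go to the front so they are rarely picked.
        pending = [r for r in group if r.weight == 0] + [r for r in group if r.weight > 0]
        while pending:
            total = sum(r.weight for r in pending)
            pick = rng.randint(0, total)  # inclusive on both ends
            running = 0
            for rec in pending:
                running += rec.weight
                if running >= pick:
                    ordered.append(rec)
                    pending.remove(rec)
                    break
    return ordered


def discover(zone: str, use_ssl: bool, answers: Dict[str, List[SrvRecord]],
             rng: random.Random) -> List[Tuple[str, int]]:
    """Resolve the discovery name against an answer table and return
    (host, port) pairs in the order a client should try them.  An empty
    list for the LDAPS name is the symptom of the missing _ldaps._tcp record."""
    name = srv_name(zone, use_ssl)
    return [(r.target, r.port) for r in order_by_srv(answers.get(name, []), rng)]


# Constructed DNS answers: what a zone with DC-registered records looks like.
# _ldaps._tcp.test2.local2 is absent until an administrator adds it.
CONSTRUCTED_ANSWERS: Dict[str, List[SrvRecord]] = {
    "_ldap._tcp.test2.local2": [
        SrvRecord(0, 100, 389, "dc1.test2.local2"),
        SrvRecord(0, 100, 389, "dc2.test2.local2"),
        SrvRecord(10, 100, 389, "dc3.test2.local2"),  # lower preference, e.g. a backup site
    ],
}

if __name__ == "__main__":
    rng = random.Random()
    print(srv_name("test2.local2", use_ssl=True))
    print(discover("test2.local2", False, CONSTRUCTED_ANSWERS, rng))
    print(discover("test2.local2", True, CONSTRUCTED_ANSWERS, rng))  # [] until the record exists
```

    To check a real zone, compare the names this produces with what the DNS server returns (for example with nslookup -type=SRV _ldaps._tcp.<zone> on a domain member); if the _ldaps name returns no answer, discovery with Use SSL turned on has nothing to work with.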

NOTE: If an LDAP server does not respond within 2.5 seconds, Advanced Authentication excludes it from LDAP requests for 3 minutes.
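The following is an added model, not product code, of the server pool behaviour this page describes for manually added servers (Step 6) and in the note above: a random server is chosen for each connection, a server that does not answer within 2.5 seconds is excluded for 3 minutes, and an attempt fails only when every server is excluded. The timings come from the page; trying the next available server within the same attempt, and all class and function names, are assumptions. A TCP probe is included for real use, but the demonstration injects a fake connector and clock so it runs offline.

```python
"""Model of the LDAP server pool with timeout-based exclusion (added example,
not Advanced Authentication code).  Timings are from the page; the retry
behaviour and names are assumptions."""
import random
import socket
import time
from typing import Callable, Dict, List, NamedTuple, Optional

CONNECT_TIMEOUT_S = 2.5   # page: a server that does not answer within 2.5 s ...
EXCLUSION_S = 180.0       # ... is excluded from LDAP requests for 3 minutes


class LdapServer(NamedTuple):
    address: str
    port: int
    ssl: bool  # the SSL switch of the Manual setting list


Connector = Callable[[LdapServer, float], bool]


def tcp_probe(server: LdapServer, timeout: float) -> bool:
    """Real connector: can a TCP connection be opened within the timeout?
    This checks reachability only; an LDAP bind still needs an LDAP client."""
    try:
        with socket.create_connection((server.address, server.port), timeout=timeout):
            return True
    except OSError:
        return False


class LdapServerPool:
    def __init__(self, servers: List[LdapServer], rng: Optional[random.Random] = None,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.servers = list(servers)
        self.excluded_until: Dict[LdapServer, float] = {}
        self.rng = rng or random.Random()
        self.clock = clock  # injectable so the exclusion window can be tested offline

    def available(self) -> List[LdapServer]:
        """Servers that are not inside their 3-minute exclusion window."""
        now = self.clock()
        return [s for s in self.servers if self.excluded_until.get(s, 0.0) <= now]

    def mark_unavailable(self, server: LdapServer) -> None:
        self.excluded_until[server] = self.clock() + EXCLUSION_S

    def connect(self, connector: Connector) -> Optional[LdapServer]:
        """Pick a random available server; on timeout exclude it and try another
        (assumption: the page does not say whether one attempt retries).
        Returns the server that answered, or None if none did."""
        candidates = self.available()
        self.rng.shuffle(candidates)
        for server in candidates:
            if connector(server, CONNECT_TIMEOUT_S):
                return server
            self.mark_unavailable(server)
        return None


def demo() -> List[Optional[LdapServer]]:
    """Offline walk-through: fake clock, constructed servers, dc1 reported down."""
    dc1 = LdapServer("dc1.test2.local2", 636, True)
    dc2 = LdapServer("dc2.test2.local2", 636, True)
    now = [0.0]
    pool = LdapServerPool([dc1, dc2], rng=random.Random(1), clock=lambda: now[0])
    down = {dc1}
    fake: Connector = lambda s, _timeout: s not in down
    results = [pool.connect(fake)]        # dc2 answers (dc1 excluded if it was tried first)
    down.add(dc2)
    results.append(pool.connect(fake))    # everything down -> None, both now excluded
    now[0] = EXCLUSION_S                  # 3 minutes later the exclusion expires
    down.clear()
    results.append(pool.connect(fake))    # a server is chosen again
    return results


if __name__ == "__main__":
    print(demo())
```

For a live check of a configured server list, pass tcp_probe as the connector; a server that lands in excluded_until is one that would also be dropped from the product's pool for the next 3 minutes.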