4.4 Configuring LDAP

You can configure a Change Guardian server for LDAP authentication so that users can log in to Change Guardian with their LDAP directory credentials. In addition, Change Guardian uses LDAP to resolve each user group in a policy to a list of the group members.

The following sections provide information about configuring LDAP.

4.4.1 Configuring LDAP for Authentication

LDAP authentication can be performed over either an SSL connection or an unencrypted connection to the LDAP server.

You can configure the Change Guardian server for LDAP authentication either with or without using anonymous searches on the LDAP directory.

  • Anonymous: When you create Change Guardian LDAP user accounts, you must specify the directory user name; the user distinguished name (DN) is not required.

    When the LDAP user logs in to Change Guardian, the Change Guardian server performs an anonymous search on the LDAP directory based on the specified user name, finds the corresponding DN, and then authenticates the user login against the LDAP directory by using that DN.

  • Non-anonymous: When you create Change Guardian LDAP user accounts, you must specify the user DN along with the user name.

    When the LDAP user logs in to Change Guardian, the Change Guardian server authenticates the user login against the LDAP directory by using the specified user DN and does not perform any anonymous search on the LDAP directory.

NOTE: If anonymous search is disabled on the LDAP directory, you must not configure the Change Guardian server to use anonymous search.

Setting Up LDAP Authentication

Perform the following procedure to set up LDAP authentication:

Prerequisite: Enable the TLS 1.1 and TLS 1.2 protocols on your SSL-enabled Active Directory computer by adding the appropriate registry keys for the server and the client.

  1. In the Administration Console, click Users in the toolbar.

  2. On the Users page, click the LDAP Settings tab.

  3. Specify the following to configure LDAP authentication:

    Host: Specify the hostname or the IP address of the LDAP server.

    This is a required field if you select the SSL option.

    SSL: Select this option to connect to the LDAP server by using a Secure Sockets Layer (SSL) connection.

    Port: Specify the port number for the LDAP connection. The default SSL port number is 636 and the default non-SSL port number is 389.

    Certificate File Path: Specify the path of the CA certificate file for the LDAP server.

    Use this field only if you selected the SSL option and the LDAP server certificate is not signed by a well-known CA and is therefore not trusted by default.

    Anonymous Search: Select Yes to perform anonymous searches or select No if you do not want to perform anonymous searches on the LDAP directory.

    Base DN: Specify the root container to search for users, such as o=netiq for eDirectory or CN=administrator,CN=users,DC=<example>,DC=<com> for Active Directory.

    • If Anonymous Search is Yes: Specify the root container in the LDAP directory to search for users.

      This is optional for eDirectory and mandatory for Active Directory. For eDirectory, if the Base DN is not specified, the entire directory is searched to locate users.

    • If Anonymous Search is No: Specify the root container in the LDAP directory that contains the users.

      This is mandatory if you are using Active Directory and have set a domain name. In all other cases, this is optional.

    Search Attribute: Specify the LDAP attribute that holds the user login name. This attribute is used to search for users.

    For example:

    • eDirectory: uid

    • Active Directory: sAMAccountName

    This field is available only if you selected Yes for Anonymous Search.

    Domain Name: Specify the name of the Active Directory domain.

    This is an alternative approach, applicable only to Active Directory, for performing LDAP authentication without using anonymous search.

    When you specify the Domain Name, username@domainname (the userPrincipalName) is used to authenticate the user before the LDAP user object is searched for.

    For example: test.example.com

    This field is applicable only for Active Directory and is available only if you selected No for Anonymous Search.

    NOTE: If Base DN is set and Domain Name is not set, the Base DN is appended to the relative user DN to construct the absolute user DN.

    For example, if the Base DN is o=netiq and the absolute user DN is cn=sentinel_ldap_user,o=netiq, you can specify only the relative user DN, cn=sentinel_ldap_user, when you create the LDAP user account.

  4. Click Test Connection to test whether the LDAP connection is successful.

    1. Specify the test credentials to connect to the LDAP server:

      If Anonymous Search is Yes: Specify the user name and password.

      If you selected No for Anonymous Search and did not specify the Domain Name: Specify the user DN and password. The user DN can be relative to the Base DN.

      The User DN follows the RFC 2253 standard. According to RFC 2253, when certain reserved special characters are used as literals in a User DN, they must be escaped with a backslash (\). The following characters must be escaped:

      • A space or # character occurring at the beginning of the string

      • A space character occurring at the end of the string

      • Any of the characters , (comma), + (plus), " (double quotation mark), \ (backslash), < (less than), > (greater than) or ; (semicolon)

      For more information, see RFC 2253.

      For example, if the User DN contains a comma (,) as a literal, specify the User DN as follows:

      CN=Test\,User,CN=Users,DC=netiq,DC=com

      eDirectory or Active Directory might require additional characters to be escaped. Refer to the eDirectory or Active Directory documentation for any additional characters that must be escaped.

      If you selected No for Anonymous Search and specified the Domain Name: Specify the user name and password.

    2. Click Test Connection to test the LDAP connection.

      A message is displayed that indicates whether the connection is successful.

      If there is an error, review the configuration details you provided and test the connection again. You can determine the cause of the failure by examining the /var/opt/novell/sentinel/log/server0.0.log file. Ensure that the test connection is successful before you save the LDAP settings.

  5. Click Save to save the LDAP settings.

    On successful configuration:

    • The LdapLogin section of the /etc/opt/novell/sentinel/config/auth.login file is updated. For example:

      LdapLogin {
          com.sun.security.auth.module.LdapLoginModule required
          java.naming.ldap.factory.socket="com.esecurity.common.communication.ProxyLdapSSLSocketFactory"
          userProvider="ldap://10.0.0.1:636/o=netiq"
          userFilter="(&(uid={USERNAME})(objectclass=user))"
          useSSL=true;
      };

    • The LDAP server CA certificate, if provided, is added to a keystore named /etc/opt/novell/sentinel/config/.ldapkeystore.jks.

    After saving the LDAP settings successfully, you can create LDAP user accounts to enable users to log in to Change Guardian by using their LDAP directory credentials.

    NOTE: You can also configure the Change Guardian server for LDAP authentication by running the ldap_auth_config.sh script in the /opt/novell/sentinel/setup directory.

    The script also supports command-line options. To view the command-line options, run the script as follows:

    /opt/novell/sentinel/setup/ldap_auth_config.sh --help
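
As an added example (not Change Guardian's own code), the following Python helpers implement the RFC 2253 escaping rules listed in step 4 and build the identity each login mode described in this section uses: the anonymous-search filter shown in auth.login, the userPrincipalName when a Domain Name is set, and a relative user DN completed with the Base DN. The RFC 4515 escaping of the substituted login name and the suffix check in absolute_user_dn are this example's own choices, not documented product behaviour.

```python
"""Login-identity helpers for the LDAP modes described in this section.

Illustrative code added for this page, not Change Guardian's own code. It
implements the RFC 2253 DN escaping rules listed in step 4, completion of a
relative user DN with the Base DN, the userPrincipalName form used when a
Domain Name is set, and the auth.login search filter with {USERNAME}
substituted (escaped per RFC 4515, an assumption about the product, so that
filter metacharacters in a login name cannot change the filter's meaning).
"""

DN_SPECIALS = set(',+"\\<>;')  # escaped wherever they occur in a value

def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use in a DN (RFC 2253)."""
    out = []
    for i, ch in enumerate(value):
        if ch in DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == " " and i in (0, len(value) - 1):  # leading/trailing space
            out.append("\\ ")
        elif ch == "#" and i == 0:  # leading '#'
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)

def absolute_user_dn(user_dn: str, base_dn: str) -> str:
    """Append the Base DN to a relative user DN (Domain Name not set).
    A DN that already ends in the Base DN is treated as absolute (assumption)."""
    tail, base = user_dn.lower(), base_dn.lower()
    if not base or tail == base or tail.endswith("," + base):
        return user_dn
    return f"{user_dn},{base_dn}"

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    repl = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(repl.get(ch, ch) for ch in value)

def bind_identity(anonymous_search: bool, domain_name: str, base_dn: str,
                  login: str, search_attribute: str = "uid") -> str:
    """Identity used on the login path the settings select: a search filter
    (anonymous), a UPN (Domain Name set) or an absolute user DN."""
    if anonymous_search:
        return f"(&({search_attribute}={escape_filter_value(login)})(objectclass=user))"
    if domain_name:
        return f"{login}@{domain_name}"
    return absolute_user_dn(login, base_dn)
```

For the comma example from step 4, "CN=" + escape_dn_value("Test,User") + ",CN=Users,DC=netiq,DC=com" yields CN=Test\,User,CN=Users,DC=netiq,DC=com.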

Logging in by Using LDAP User Credentials

After you successfully configure the Change Guardian server for LDAP authentication, you can create Change Guardian LDAP user accounts. For more information on creating LDAP user accounts, see Creating Users.

After you create the LDAP user account, you can log in to Change Guardian by using your LDAP user name and password.

4.4.2 Configuring LDAP to Access Domain Controller

Change Guardian uses LDAP to resolve each user group in a policy to a list of the group members. For example, if a policy monitors Group A, LDAP allows Change Guardian to monitor the activity performed by the individual users in Group A. If the policy returns an event, the name of the user who performed the change is included in the event report. You must configure LDAP settings for every grouped resource you intend to monitor. If you do not configure LDAP settings for a grouped resource and you specify that grouped resource in a policy, the Policy Editor submits the policy to the Change Guardian server, but the policy cannot monitor the group members correctly. You can also browse Active Directory to select items for use in a policy.

To access and configure the domain controller in LDAP settings:

  1. In Policy Editor, click Settings > LDAP Settings.

  2. In the LDAP Settings window, click New.

  3. Specify the following fields:

    Domain name: Specify the name of the Active Directory domain. For example: test.example.com

    User name: Specify the Active Directory user name. You can specify the user name in one of the following formats:

    • <user_name>

    • <domain_name\user_name>

    • <user_name@domain_name.com>

    Password: Specify the password for the Active Directory user.

    Polling interval: The time interval at which the Change Guardian server synchronizes with Active Directory for delta information.

  4. Click Test to test the authentication of the Active Directory user before searching for the LDAP object.

  5. Click Apply to save the configuration.

The LDAP Settings window displays the domain name for each resource. From this window, you can also edit and delete settings.

NOTE: You cannot delete a setting that an active policy is using.