2.2 Prerequisites and System Requirements

Before installing LDAP Proxy, NetIQ recommends that you review the prerequisites and considerations.

2.2.1 Prerequisites

  • Your operating system should be running the latest service packs before you begin the installation process.

  • If you have Security-Enhanced Linux (SELinux) configured on RHEL 7.x/8.x, you must either disable it or set it to Permissive mode for LDAP Proxy to run.

IMPORTANT: The installation program installs all the packages that LDAP Proxy depends on. If any of these packages is already present on the system, a message stating that the package is already present is displayed.

2.2.2 System Requirements

This section provides the minimum requirements for the server(s) where you want to install LDAP Proxy.

Disk Space: 2 GB

Memory: 1 GB

Operating System:

  Certified for LDAP Proxy:

    • SLES 12 SP5

    • SLES 15 SP2

    • RHEL 7.9

    • RHEL 8.3

  Certified for NLPManager:

    • SLES 12 SP3

    • SLES 12 SP5

    • SLES 15 SP2

    • RHEL 7.5

    • RHEL 8.3

  Supported operating systems: the latest service packs for the certified operating systems.

Operating System Hotfixes:

  Before installing LDAP Proxy and NLPManager, NetIQ recommends that you apply the latest operating system patches using the manufacturer's automated update facility.

Directory Servers:

  LDAP Proxy supports eDirectory, Active Directory, and OpenLDAP as back-end servers.

  • eDirectory: You can use any supported version of eDirectory as the back-end server, but NetIQ supports installing only eDirectory 9.0.x on the same server as LDAP Proxy.

  • Active Directory: Active Directory can be configured as the back-end server. For more information, see Setting Up Your Environment.

  • OpenLDAP: OpenLDAP can be configured as the back-end server.
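The prerequisites and the requirements table above can be turned into a preflight check that runs on the candidate host before the installer does. The script below is an added example, not NetIQ's installer or any part of LDAP Proxy. It only reports the SELinux mode rather than changing it, so relaxing SELinux stays an explicit administrator step; the 2 GB disk and 1 GB memory thresholds and the certified OS list come from the table, while the ID/VERSION_ID pairs are an assumption about how those releases identify themselves in /etc/os-release and /opt is a placeholder install path.

```shell
#!/bin/sh
# Added example: preflight check for a prospective LDAP Proxy host.
# Not NetIQ's installer. Thresholds come from the System Requirements table;
# the os-release ID/VERSION_ID pairs are assumed values; /opt is a placeholder.
MIN_DISK_KB=$((2 * 1024 * 1024))
MIN_MEM_KB=$((1 * 1024 * 1024))
INSTALL_PATH="${INSTALL_PATH:-/opt}"

# check_selinux_mode MODE: succeeds only for Permissive or Disabled (any case).
# An empty or unknown string fails, so the check never waves through a mode it
# did not recognise.
check_selinux_mode() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    permissive|disabled) return 0 ;;
    *) return 1 ;;
  esac
}

# os_release_field NAME TEXT: value of NAME= in /etc/os-release-style text, quotes stripped.
os_release_field() {
  printf '%s\n' "$2" | sed -n "s/^$1=//p" | head -n 1 | tr -d '"'
}

# os_certified ID VERSION_ID: the releases certified for LDAP Proxy (assumed os-release values).
os_certified() {
  case "$1:$2" in
    sles:12.5|sles:15.2|rhel:7.9|rhel:8.3) return 0 ;;
    *) return 1 ;;
  esac
}

# mem_total_kb TEXT: MemTotal in kB from /proc/meminfo-style text.
mem_total_kb() { printf '%s\n' "$1" | awk '/^MemTotal:/ { print $2; exit }'; }

# disk_avail_kb TEXT: the "Available" column of `df -Pk PATH` output (last line, 4th field).
disk_avail_kb() { printf '%s\n' "$1" | awk 'END { print $4 }'; }

# enough_kb HAVE NEED: succeeds when HAVE >= NEED.
enough_kb() { [ "$1" -ge "$2" ]; }

# preflight_main: run the checks against the live host; non-zero exit on a hard failure.
preflight_main() {
  rc=0
  if command -v getenforce >/dev/null 2>&1; then
    mode=$(getenforce)
    if check_selinux_mode "$mode"; then
      echo "SELinux: $mode (OK)"
    else
      echo "SELinux: $mode (must be Permissive or disabled for LDAP Proxy)"; rc=1
    fi
  else
    echo "SELinux: getenforce not found (OK, SELinux not in use)"
  fi
  if [ -r /etc/os-release ]; then
    osr=$(cat /etc/os-release)
    id=$(os_release_field ID "$osr"); ver=$(os_release_field VERSION_ID "$osr")
    if os_certified "$id" "$ver"; then
      echo "OS: $id $ver (certified)"
    else
      # Later service packs of a certified release are supported but not certified, so only warn.
      echo "OS: $id $ver (WARNING: not in the certified list; confirm it is a later service pack of a certified release)"
    fi
  fi
  if [ -r /proc/meminfo ]; then
    mem=$(mem_total_kb "$(cat /proc/meminfo)")
    if enough_kb "$mem" "$MIN_MEM_KB"; then echo "Memory: ${mem} kB (OK)"; else echo "Memory: ${mem} kB (below 1 GB)"; rc=1; fi
  fi
  disk=$(disk_avail_kb "$(df -Pk "$INSTALL_PATH")")
  if enough_kb "$disk" "$MIN_DISK_KB"; then echo "Disk on $INSTALL_PATH: ${disk} kB (OK)"; else echo "Disk on $INSTALL_PATH: ${disk} kB (below 2 GB)"; rc=1; fi
  return "$rc"
}

# Live checks run only as `sh preflight.sh run`; sourcing the file just defines the functions.
if [ "${1:-}" = run ]; then preflight_main; fi
```

The parsing functions take text rather than reading files directly, so the same logic can be exercised against a captured /etc/os-release or `df -Pk` output from another host before it is run live.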

2.2.3 Setting Up the Advanced Authentication Server for Multi-Factor Authentication (MFA)

Before setting up the advanced authentication server, create a backup user with administrative access in the LOCAL repository. Once the admin user is created, perform the following steps:

  1. Create the following in the Advanced Authentication Admin panel:

    1. Create LDAP Repositories.

      Create multiple repositories if multiple organizations exist in eDirectory.

    2. Create an Endpoint.

      Back up the generated endpoint ID and secret; they are required when configuring the MFABroker service.

    3. Create the following Chains based on your requirement:

      • LDAP Password + TOTP (Time-Based One-Time Password)

      • Advanced Authentication Password (AA Password) + TOTP

      • TOTP + Smartphone

      • LDAP Password + Smartphone

      • AA Password + Smartphone

    4. Create an Event.

      For example, you can create an event named LDAPProxy. The type of the event should be OS Logon. The MFA chains created in the previous step should be added to this newly created event.

    5. Ensure that only members of the MFA groups have access to the Self-Service Portal.

      To do this, confirm that every MFA group added to an MFA chain is also added to the LDAP Password only chain. The LDAP Password chain is part of the Authenticator Management event.

    6. Configure the following Policies:

      1. Delete Me Options: Enable the Delete Me policy.

      2. Public External URL: Enable this policy to configure the Smartphone authentication method.

      3. Custom Messages (Optional): The smartphone notification message can be customized. To customize it, select the key .method.smartphone.authentication_hint.

        A sample input for the custom message is shown below:

        User {user} from client {client_ip} requested the authentication for event {event}, tenant {tenant}, endpoint {endpoint}

Limitations for Configuring Multi-Factor Authentication

The following limitations should be considered while configuring multi-factor authentication with Advanced Authentication:

  • All the LDAP users should have unique CNs.

  • An LDAP user with MFA should have only one chain available at a time. To achieve this, assign the user to a single MFA group only.

  • LDAP users cannot have an ampersand (&) in their LDAP or AA password.

  • Users who use single-factor authentication should not have access to the AA Self-Service Portal.

  • Users who have enrolled for multi-factor authentication might see additional chains in the Authenticator Management Portal. However, such users must enroll for one authentication chain only.

  • A user who has already enrolled for multi-factor authentication cannot be rolled back to the single-factor authentication method. The administrator can assign such a user to a different authentication chain. The user can then log in to the AA Self-Service Portal to register the methods for the newly assigned chain. The user must delete the methods belonging to the old chain so that they remain associated with only one chain.
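Three of the limitations above (unique CNs, one MFA group per user, no "&" in passwords) can be checked on the directory side before users are enrolled. The script below is an added example and is not part of NetIQ's product; it works over LDIF exports (for example from ldapsearch -LLL) and assumes that the user export contains only user entries, that group membership is held in member or uniqueMember attributes, and that base64-encoded (::) attribute values do not occur.

```shell
#!/bin/sh
# Added example: LDAP-side checks for the MFA limitations, run over LDIF exports.
# Not part of NetIQ LDAP Proxy or Advanced Authentication. Assumes plain (not
# base64 "::") attribute values and member/uniqueMember group membership.

# duplicate_cns LDIF: print every cn value that appears on more than one entry.
duplicate_cns() {
  printf '%s\n' "$1" | awk '
    tolower($1) == "cn:" { sub(/^[^:]*: */, ""); count[$0]++ }
    END { for (c in count) if (count[c] > 1) print c }' | sort
}

# multi_chain_users GROUP_LDIF: print members listed in more than one group.
# Each MFA group maps to one chain, so such a user would see several chains.
# A member repeated inside the same group is counted once.
multi_chain_users() {
  printf '%s\n' "$1" | awk '
    tolower($1) == "dn:" { sub(/^[^:]*: */, ""); group = $0 }
    tolower($1) == "member:" || tolower($1) == "uniquemember:" {
      sub(/^[^:]*: */, "")
      if (!seen[$0, group]++) count[$0]++
    }
    END { for (m in count) if (count[m] > 1) print m }' | sort
}

# password_ok PASSWORD: fails when the password contains the unsupported "&".
password_ok() {
  case "$1" in
    *'&'*) return 1 ;;
    *) return 0 ;;
  esac
}

# precheck_main USERS.ldif GROUPS.ldif: report violations; exit 1 if any were found.
precheck_main() {
  user_ldif=$(cat "$1"); grp_ldif=$(cat "$2"); rc=0
  dups=$(duplicate_cns "$user_ldif")
  if [ -n "$dups" ]; then echo "Duplicate CNs:"; echo "$dups"; rc=1; fi
  multi=$(multi_chain_users "$grp_ldif")
  if [ -n "$multi" ]; then echo "Users in more than one MFA group:"; echo "$multi"; rc=1; fi
  [ "$rc" -eq 0 ] && echo "No limitation violations found."
  return "$rc"
}

# Run as `sh mfa-precheck.sh users.ldif groups.ldif`; with no arguments only the functions are defined.
if [ "$#" -eq 2 ]; then precheck_main "$1" "$2"; fi
```

password_ok is for use in a provisioning script at the point where a password is chosen; the LDAP and AA passwords themselves are never present in an export, so it cannot be applied retroactively to existing users.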

Once you have set up the Advanced Authentication server successfully, refer to Configuring Multi-Factor Authentication for LDAP Proxy to configure multi-factor authentication.