8.4 Configuring Sentinel Log Manager Server for LDAP Authentication

You can enable users to log in to Sentinel Log Manager by using their Novell eDirectory™ username or Microsoft Active Directory* sAMAccountName and password. You do this by configuring a Sentinel Log Manager server for LDAP authentication.

NOTE: LDAP authentication is currently supported only on Linux systems that have Sentinel Log Manager 1.0.0.4 or later installed.

8.4.1 Configuring the Server

To configure a Sentinel Log Manager server for LDAP authentication:

  1. Log in to the Sentinel Log Manager server as the novell user:

    su - novell
    
  2. Change to the following directory:

    Install_Directory/bin
    
  3. Run the ldap_auth_config.sh script:

    ./ldap_auth_config.sh
    
  4. Specify the following information:

    Press Enter to accept the default value suggested in the brackets [ ] or enter a new value to override the default value. The prompts, and what each expects, are:

    Sentinel Log Manager install location

    The default location of the Sentinel Log Manager server installation directory is /opt/novell/Sentinel_log_mgr_1.0_x86-64

    LDAP directory

    The value is 1 for Novell eDirectory or 2 for Active Directory. The default value is 1.

    LDAP server hostname or IP address

    The hostname or the IP address of the machine where the LDAP server is installed. The default value is localhost.

    Use SSL/TLS (secured or non-secured LDAP connection port)

    Enter one of the following:

    • y to use the secured (SSL/TLS) connection port. If you enter y, also perform the following steps:

      1. Log in as the root user.

      2. Export the self-signed certificate of the Certificate Authority (CA) for the eDirectory/Active Directory tree to a Base64-encoded file.

        eDirectory: For exporting an eDirectory CA certificate in iManager, the Novell Certificate Server plug-ins for iManager must be installed. For more information on installing an iManager plug-in, see Downloading and Installing Plug-in Modules.

        For more information on exporting an eDirectory CA certificate, see Exporting an Organizational CA's Self-Signed Certificate.

        Active Directory: For more information on exporting an Active Directory CA certificate, see How to enable LDAP over SSL.

        For Sentinel LDAP authentication against Active Directory, the ANONYMOUS LOGON user object must be given read access to the sAMAccountName and objectClass attributes. For more information, see Configuring Active Directory to Allow Anonymous Queries.

        For Windows Server 2003, you must perform additional configuration. For more information, see Configuring Active Directory on Windows Server 2003.

      3. Copy the certificate file to the following directory on the Sentinel Log Manager server:

        Install_Directory/config
        
      4. Set the ownership and permissions of the certificate file as follows:

        chown novell:novell Install_Directory/config/<cert-file>
        
        chmod 400 Install_Directory/config/<cert-file>
        
    • n to use the non-secured connection port. User credentials then cross the network to the LDAP server without encryption.

    • q to quit the configuration.

    LDAP server port

    The default port number for a secured LDAP connection is 636.

    The default port number for a non-secured LDAP connection is 389.

    LDAP subtree to search for users

    The subtree in the directory that has the user objects.

    The following are examples of specifying the subtree in eDirectory and Active Directory:

    • eDirectory:

      ou=users, o=novell
      

      For eDirectory, if no subtree is specified, the search is run on the entire directory.

    • Active Directory:

      CN=users, DC=TEST AD, DC=provo, DC=novell, DC=com
      

      For Active Directory, the subtree cannot be blank.

    Filename of the LDAP server certificate

    This parameter is displayed only if you have specified ‘y’ for Use SSL/TLS.

    The filename of the eDirectory/Active Directory CA certificate that you copied to Install_Directory/config in the Use SSL/TLS steps above.

  5. Enter one of the following:

    • y to accept the values.

    • n to enter new values.

    • q to quit the configuration.

  6. Enter y to restart the Sentinel Log Manager server.

  7. Log in to Sentinel Log Manager as admin. Create a Directory user and select the Directory authentication type so that the user authenticates with the credentials of an existing LDAP account.

    For more information about creating a user, see Adding a User.

You have successfully configured Sentinel Log Manager server for LDAP authentication, and users can log in to Sentinel Log Manager by using an eDirectory username or Active Directory sAMAccountName and password.
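The following script is an added example and is not part of Sentinel Log Manager or of ldap_auth_config.sh. It checks, before you run the script, the answers the prompts above will ask for: that Active Directory has a non-blank subtree, that the port matches the transport, and, for the SSL/TLS path, that the CA file in Install_Directory/config is Base64 (PEM) encoded and has the mode 400 novell:novell ownership from Step 4. It also wraps two manual network checks, openssl s_client against port 636 with the exported CA and an anonymous ldapsearch for sAMAccountName and objectClass, which correspond to the certificate and ANONYMOUS LOGON requirements above. The $SLM_HOME variable and the optional owner argument are assumptions introduced here so the checks can run outside a real install.

```bash
#!/bin/bash
# Added example: pre-flight checks for the answers ldap_auth_config.sh asks for.
# This is not part of Sentinel Log Manager. Assumed (hypothetical) conventions:
# the install directory is taken from $SLM_HOME, and the certificate owner is
# novell:novell unless a different "user:group" is passed as the last argument.

SLM_HOME="${SLM_HOME:-/opt/novell/Sentinel_log_mgr_1.0_x86-64}"

# Default port for the chosen transport: 636 for SSL/TLS (y), 389 for plain LDAP.
default_ldap_port() {
  case "$1" in
    y|Y) echo 636 ;;
    *)   echo 389 ;;
  esac
}

# The exported CA certificate must be Base64 (PEM) encoded, not a binary DER file.
is_pem_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
    grep -q -- '-----END CERTIFICATE-----' "$1" 2>/dev/null
}

# Mode 400 and owned by the server user (Step 4 of the secured path), so no other
# local account can replace the trust anchor used to validate the LDAP server.
has_cert_perms() {
  local file="$1" want="${2:-novell:novell}" perm
  [ -e "$file" ] || return 1
  set -- $(ls -ld "$file")             # fields: mode links owner group ...
  perm="${1%[.+]}"                     # drop a trailing SELinux/ACL marker
  [ "$perm" = "-r--------" ] && [ "$3:$4" = "$want" ]
}

# Validate one set of answers the way the script will use them.
# Args: directory_type(1|2) use_tls(y|n) port subtree cert_file [owner]
# Reports every problem on stderr; returns 0 only when all checks pass.
validate_ldap_answers() {
  local dtype="$1" tls="$2" port="$3" subtree="$4" cert="$5" owner="${6:-novell:novell}"
  local rc=0 path
  case "$dtype" in
    1|2) ;;
    *) echo "directory type must be 1 (eDirectory) or 2 (Active Directory)" >&2; rc=1 ;;
  esac
  # eDirectory falls back to the whole tree; Active Directory needs an explicit subtree.
  if [ "$dtype" = 2 ] && [ -z "$subtree" ]; then
    echo "Active Directory requires a non-blank search subtree" >&2; rc=1
  fi
  if [ "$port" != "$(default_ldap_port "$tls")" ]; then
    echo "note: port $port is not the default for this transport" >&2
  fi
  if [ "$tls" = y ]; then
    path="$SLM_HOME/config/$cert"
    if [ ! -f "$path" ]; then
      echo "certificate $cert not found in $SLM_HOME/config" >&2; return 1
    fi
    is_pem_cert "$path" || { echo "$cert is not Base64 (PEM) encoded" >&2; rc=1; }
    has_cert_perms "$path" "$owner" || { echo "$cert must be mode 400, owned by $owner" >&2; rc=1; }
  fi
  return "$rc"
}

# Network checks to run by hand once the answers validate (not exercised offline).
# Confirms the exported CA really signs what the LDAP server presents on port 636.
probe_ldaps() {   # host cert_file
  openssl s_client -connect "$1:636" -CAfile "$SLM_HOME/config/$2" </dev/null 2>/dev/null |
    grep 'Verify return code'
}

# Active Directory: an anonymous simple bind (-x with no -D) must be able to read
# sAMAccountName and objectClass under the subtree, as required above.
probe_anon_read() {   # host port subtree account
  ldapsearch -x -H "ldap://$1:$2" -b "$3" "(sAMAccountName=$4)" sAMAccountName objectClass
}
```

Run the validation as the novell user from Install_Directory/bin, for example `validate_ldap_answers 2 y 636 "CN=users, DC=example, DC=com" ca.pem`, and fix anything it reports before answering the real prompts; `probe_ldaps ldap.example.com ca.pem` should end with `Verify return code: 0 (ok)`, and `probe_anon_read` should return the account's two attributes rather than an empty result.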

8.4.2 Modifying the LDAP Authentication Configuration

To modify an existing LDAP authentication configuration for a Sentinel Log Manager server:

  1. Log in to a Sentinel Log Manager server as the novell user:

    su - novell
    
  2. Change to the Install_Directory/config directory:

    cd Install_Directory/config
    
  3. Modify the LdapLogin entry in the auth.login file.

  4. Modify the .activemqkeystore.jks file.

  5. Perform Step 1 through Step 7 in Section 8.4.1, Configuring the Server.

IMPORTANT: Modifying auth.login or .activemqkeystore.jks incorrectly causes LDAP authentication to fail, so back up both files before editing them. You can also modify the .activemqkeystore.jks file with the java keytool utility available in the Install_Directory/jre/bin directory.
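As an added example that is not part of Sentinel Log Manager, the functions below back up a file in Install_Directory/config before it is touched and use the bundled keytool to add or replace a CA certificate in .activemqkeystore.jks under a fixed alias, then confirm the alias is present. The keystore password is not stated on this page, so $STOREPASS, like $SLM_HOME and the alias name, is an assumption introduced here; the keytool calls need the real keystore and are not exercised offline.

```bash
#!/bin/bash
# Added example, not part of Sentinel Log Manager: back up the LDAP authentication
# files before editing them, and add a CA certificate to the trust store with the
# bundled keytool. Assumed (hypothetical): $SLM_HOME holds the install directory and
# $STOREPASS holds the keystore password, which this page does not state.

SLM_HOME="${SLM_HOME:-/opt/novell/Sentinel_log_mgr_1.0_x86-64}"
KEYTOOL="$SLM_HOME/jre/bin/keytool"

# Copy a config file to <name>.bak.<timestamp>, preserving mode and owner (-p),
# and print the backup path. A bad edit to auth.login or the keystore breaks
# LDAP logins, and this copy is what you restore from.
backup_config_file() {   # file name relative to Install_Directory/config
  local src="$SLM_HOME/config/$1" dst
  [ -f "$src" ] || return 1
  dst="$src.bak.$(date +%Y%m%d%H%M%S)"
  cp -p "$src" "$dst" || return 1
  echo "$dst"
}

# True when the given alias is already in .activemqkeystore.jks
# (keytool -list -alias exits non-zero for a missing alias).
keystore_has_alias() {   # alias
  "$KEYTOOL" -list -keystore "$SLM_HOME/config/.activemqkeystore.jks" \
    -storepass "$STOREPASS" -alias "$1" >/dev/null 2>&1
}

# Import (or replace) the LDAP CA certificate under a fixed alias, after backing up.
# Returns 0 only if the alias is present afterwards.
import_ldap_ca() {   # cert_file (in Install_Directory/config) alias
  local ks="$SLM_HOME/config/.activemqkeystore.jks"
  backup_config_file .activemqkeystore.jks >/dev/null || return 1
  if keystore_has_alias "$2"; then
    "$KEYTOOL" -delete -keystore "$ks" -storepass "$STOREPASS" -alias "$2" || return 1
  fi
  "$KEYTOOL" -importcert -trustcacerts -noprompt -keystore "$ks" -storepass "$STOREPASS" \
    -alias "$2" -file "$SLM_HOME/config/$1" || return 1
  keystore_has_alias "$2"
}
```

Run these as the novell user so the backup and the rewritten keystore keep novell ownership; for example `backup_config_file auth.login` before editing the LdapLogin entry, then `import_ldap_ca ca.pem ldap-ca` when the directory's CA certificate has been renewed, followed by the restart in Step 6 so the server picks up the changed trust store.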