You can enable users to log in to Sentinel with their Novell eDirectory or Microsoft Active Directory credentials by configuring a Sentinel 6.1 server for LDAP authentication.
Export the self-signed certificate of the Certificate Authority (CA) for the eDirectory/Active Directory server to a Base64-encoded file.
eDirectory: For more information on exporting an eDirectory CA certificate, see Exporting an Organizational CA's Self-Signed Certificate.
To export an eDirectory CA certificate by using iManager, the Novell Certificate Server plug-ins for iManager must be installed. For more information on installing an iManager plug-in, see Downloading and Installing Plug-in Modules.
Active Directory: For more information on exporting an Active Directory CA certificate, see How to enable LDAP over SSL with a third-party certification authority.
Log in as the root user to the Sentinel 6.1 server on which DAS is installed.
Copy the certificate file to the following directory on the Sentinel 6.1 server:
Windows: %ESEC_HOME%\config
Linux/Solaris: $ESEC_HOME/config
Set the ownership and permissions of the certificate file as follows:
Windows: Not applicable
Linux/Solaris: Run the following commands:
chown esecadm:esec <Install_Directory>/config/<cert-file>
chmod 700 <Install_Directory>/config/<cert-file>
Switch to esecadm user:
Windows: Not applicable
Linux/Solaris: Run the following command:
su - esecadm
Change to the following directory:
Windows: %ESEC_HOME%\bin
Linux/Solaris: $ESEC_HOME/bin
Run the LDAP authentication configuration script:
Windows: ldap_auth_config.bat
Linux/Solaris: ./ldap_auth_config.sh
Before modifying them for LDAP authentication, the script makes a backup of the auth.login and configuration.xml configuration files in the config directory as auth.login.sav and configuration.xml.sav.
Specify the following information:
Press Enter to accept the default value suggested in the brackets [ ] or specify a new value to override the default value.
Parameter | Description/Action
---|---
Sentinel install location | The installation directory on the Sentinel 6.1 server. The default is the Sentinel installation directory (%ESEC_HOME% on Windows, $ESEC_HOME on Linux/Solaris).
LDAP server hostname or IP address | The hostname or IP address of the machine where the LDAP server is installed. The default value is localhost; however, installing the LDAP server on the same machine as the Sentinel 6.1 server is not recommended.
LDAP server port | The port number for a secure LDAP connection. The default port number is 636.
Anonymous searches on LDAP directory | Specify y to fetch the LDAP user DN for authentication by searching the directory anonymously, that is, over an LDAP connection that uses no username or password, based on the Sentinel username; specify n otherwise. The default value is y. For more information on anonymous searches, see Section 5 "Anonymous authentication". For Active Directory, if you specify y, the ANONYMOUS LOGON user object must be given the appropriate list permission and read access to the sAMAccountName and objectclass attributes; see Configuring Active Directory to Allow Anonymous Queries. On Windows Server 2003, additional configuration is required; see Configuring Active Directory on Windows Server 2003. If you specify n, complete the LDAP configuration and then perform the steps in LDAP Authentication Without Performing Anonymous Searches.
LDAP Directory used (displayed only if you specified y for anonymous searches) | Specify 1 for Novell eDirectory or 2 for Active Directory. The default value is 1.
LDAP subtree to search for users (displayed only if you specified y for anonymous searches) | The subtree in the directory that contains the user objects, specified as an LDAP DN, for example DC=Test-AD,DC=provo,DC=novell,DC=com for the Active Directory domain used in the auth.login example later in this page.
Filename of the LDAP server certificate | The filename of the eDirectory/Active Directory CA certificate that you copied to the config directory in Step 3.
Enter one of the following:
y: to accept the entered values
n: to enter new values
q: to quit the configuration
On successful configuration:
The LDAP server certificate is added to a keystore named <Install_Directory>/config/ldap_server.keystore.
The auth.login and configuration.xml configuration files in the <Install_Directory>/config directory are updated to enable LDAP authentication.
Enter y to restart the Sentinel service.
IMPORTANT: If there are any errors, revert the changes by restoring the backups in the <Install_Directory>/config directory:
cp -p auth.login.sav auth.login
cp -p configuration.xml.sav configuration.xml
Ensure that you have performed Step 1 through Step 10 in section Configuring the Sentinel 6.1 Server for LDAP Authentication, and you specified n for Anonymous searches on LDAP directory.
When you create the Sentinel LDAP user account, specify the fully qualified DN of the LDAP user. For more information, see Creating an LDAP User Account for Sentinel in the Sentinel 6.1 User Guide.
Alternatively, for Active Directory, you can perform LDAP authentication without anonymous searches by using the userPrincipalName attribute:
Ensure that you have performed Step 1 through Step 10 in section Configuring the Sentinel 6.1 Server for LDAP Authentication, and you specified n for Anonymous searches on LDAP directory.
Ensure that the userPrincipalName attribute is set to <sAMAccountName@domain> for the Active Directory user.
For more information, see User-Principal-Name Attribute.
On the Sentinel server, edit the LdapLogin section in the <Install Directory>/config/auth.login file:
LdapLogin {
    com.sun.security.auth.module.LdapLoginModule required
    userProvider="ldap://<LDAP server IP>:636/<DN of the container that contains the user objects>"
    authIdentity="{USERNAME}@<Domain Name>"
    userFilter="(&(sAMAccountName={USERNAME})(objectclass=user))"
    useSSL=true;
};
For example:
LdapLogin {
    com.sun.security.auth.module.LdapLoginModule required
    userProvider="ldap://137.65.151.12:636/DC=Test-AD,DC=provo,DC=novell,DC=com"
    authIdentity="{USERNAME}@Test-AD.provo.novell.com"
    userFilter="(&(sAMAccountName={USERNAME})(objectclass=user))"
    useSSL=true;
};
Restart the Sentinel service:
/etc/init.d/sentinel stop
/etc/init.d/sentinel start
You have successfully configured the Sentinel 6.1 server for LDAP authentication, and you can now create Sentinel LDAP user accounts in the Sentinel Control Center. For more information on creating LDAP user accounts, see Creating an LDAP User Account for Sentinel in the Sentinel 6.1 User Guide.
NOTE: To modify an existing LDAP configuration, run the ldap_auth_config script again and specify the new values for the parameters.
You can configure multiple LDAP servers for failover only on Windows and Linux platforms.
To configure one or more LDAP servers as failover servers for LDAP authentication:
Log in to the Sentinel server as esecadm.
Stop the Sentinel service.
/etc/init.d/sentinel stop
Change to the <Install_Directory>/config directory:
cd <Install_Directory>/config
Open the auth.login file for editing.
vi auth.login
Update the userProvider in the LdapLogin section to specify multiple LDAP URLs. Separate each URL by a blank space.
For example:
userProvider="ldap://ldap-url1 ldap://ldap-url2"
NOTE: For Active Directory, ensure that the subtree in the LDAP URL is not blank.
For more information on specifying multiple LDAP URLs, see the description of the userProvider option in the Class LdapLoginModule documentation.
Save the changes.
Export the certificate of each failover LDAP server and copy the certificate file to the <Install_Directory>/config directory on the Sentinel 6.1 server.
For more information, see Step 1 in section Configuring the Sentinel 6.1 Server for LDAP Authentication.
Ensure that you set the necessary ownership and permissions of the certificate file for each failover LDAP server.
Windows: Not applicable.
Linux/Solaris: Run the following commands:
chown esecadm:esec <Install_Directory>/config/<cert-file>
chmod 700 <Install_Directory>/config/<cert-file>
Add each failover LDAP server certificate to the keystore ldap_server.keystore that is created in Step 9 in section Configuring the Sentinel 6.1 Server for LDAP Authentication.
Windows:
"%ESEC_HOME%\jre64\bin\keytool.exe" -importcert -noprompt -trustcacerts -file <certificate-file> -alias <alias_name> -keystore ldap_server.keystore -storepass sentinel
Linux/Solaris:
$ESEC_HOME/jre64/bin/keytool -importcert -noprompt -trustcacerts -file <certificate-file> -alias <alias_name> -keystore ldap_server.keystore -storepass sentinel
where <certificate-file> is the LDAP certificate filename in Base64-encoded format and <alias_name> is the alias name for the certificate to be imported.
IMPORTANT: Ensure that you specify the alias. If no alias is specified, keytool uses mykey as the alias by default, so when you import multiple certificates into the keystore without specifying an alias, keytool reports an error that the alias already exists.
Start the Sentinel service.
/etc/init.d/sentinel start
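The following POSIX shell script is an added example for checking the result of the single-server auth.login edit above and of the failover procedure in this section; it is not part of the Sentinel product or its documentation. It reads the userProvider URLs out of auth.login (assuming the userProvider="..." option sits on one line, as in the examples on this page), checks each URL for the ldap:// scheme, port 636 and a non-blank base DN (which Active Directory requires), confirms that useSSL=true is set, checks that each CA certificate file is Base64 (PEM) framed with mode 700 as the procedure requires, and, when a keytool is on the PATH, lists the trusted certificate aliases in ldap_server.keystore so you can confirm that every failover certificate was imported under its own alias. The function names and the KEYTOOL variable are this example's own, and the sample auth.login it is exercised with reuses the values from the Active Directory example earlier on this page.

```shell
#!/bin/sh
# Added example, not Sentinel's own code: post-configuration checks for the
# LdapLogin entry in <Install_Directory>/config/auth.login and for the CA
# certificate files copied to <Install_Directory>/config.
# Run it as esecadm from the config directory, for example:
#   sh check_ldap_auth.sh auth.login ad-ca.pem ad-ca-failover.pem

# Print the space-separated LDAP URLs of the userProvider option, one per line.
# Assumes the userProvider="..." option sits on a single line, as on this page.
ldap_urls_from_auth_login() {
    sed -n 's/.*userProvider="\([^"]*\)".*/\1/p' "$1" | tr ' ' '\n' | sed '/^$/d'
}

# Validate one userProvider URL: ldap:// scheme, explicit port 636 (TLS still
# needs useSSL=true, which is checked separately) and a non-blank base DN,
# which Active Directory requires. Prints the problem and returns 1 on failure.
check_ldap_url() {
    url=$1
    case $url in
        ldap://*) ;;
        *) echo "unexpected scheme: $url"; return 1 ;;
    esac
    rest=${url#ldap://}            # host:port/base-DN
    hostport=${rest%%/*}
    dn=${rest#"$hostport"}
    dn=${dn#/}
    case $hostport in
        *:636) ;;
        *) echo "port is not 636: $url"; return 1 ;;
    esac
    if [ -z "$dn" ]; then
        echo "blank base DN (Active Directory needs a subtree): $url"
        return 1
    fi
    return 0
}

# useSSL=true must be present so the URLs above are used over TLS.
check_use_ssl() {
    grep -q 'useSSL=true' "$1"
}

# A CA certificate file must be Base64 (PEM) framed and, per the procedure,
# mode 700. The mode is read from ls output so this works on Linux and Solaris.
check_cert_file() {
    f=$1
    if ! head -n 1 "$f" | grep -q -- '-----BEGIN CERTIFICATE-----'; then
        echo "not a Base64-encoded certificate: $f"
        return 1
    fi
    mode=$(ls -ld "$f" | cut -c2-10)
    if [ "$mode" != "rwx------" ]; then
        echo "expected mode 700 (rwx------), found $mode: $f"
        return 1
    fi
    return 0
}

# List trusted certificate aliases in a keystore, if keytool is available.
# KEYTOOL is this example's variable; Sentinel ships a keytool under jre64/bin.
list_keystore_aliases() {
    kt=${KEYTOOL:-keytool}
    command -v "$kt" >/dev/null 2>&1 || { echo "keytool not found"; return 1; }
    "$kt" -list -keystore "$1" -storepass sentinel 2>/dev/null \
        | sed -n 's/^\([^,]*\),.*trustedCertEntry.*/\1/p'
}

# Run every check: $1 is auth.login, the remaining arguments are certificate
# files. Prints a summary and returns the number of problems found.
check_auth_login() {
    file=$1; shift
    problems=0
    urls=$(ldap_urls_from_auth_login "$file")
    if [ -z "$urls" ]; then
        echo "no userProvider option found in $file"
        return 1
    fi
    for u in $urls; do
        check_ldap_url "$u" || problems=$((problems + 1))
    done
    check_use_ssl "$file" || { echo "useSSL=true missing in $file"; problems=$((problems + 1)); }
    for c in "$@"; do
        check_cert_file "$c" || problems=$((problems + 1))
    done
    echo "$problems problem(s) found"
    return "$problems"
}

# When run directly with arguments, check the files named on the command line.
if [ $# -ge 1 ]; then
    check_auth_login "$@"
fi
```

Because the script only reads the files, it can be re-run after every change; a non-zero exit status is the number of problems found, which makes it easy to gate a service restart on a clean result.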
On Linux, the Sentinel 6.1 server times out before it detects that the primary LDAP server is down, and therefore does not connect to the failover LDAP server. To ensure that the Sentinel 6.1 server connects to the failover LDAP server without timing out, perform the following steps:
Log in to the Sentinel 6.1 server as root user.
Open the sysctl.conf file for editing:
vi /etc/sysctl.conf
Ensure that the net.ipv4.tcp_syn_retries value is set to 3. If the entry does not exist, add the entry. Save the file:
net.ipv4.tcp_syn_retries = 3
Execute the following commands for the changes to take effect:
/sbin/sysctl -p
/sbin/sysctl -w net.ipv4.route.flush=1
Set the Sentinel 6.1 server timeout value by adding the -Desecurity.remote.timeout=60 parameter to the java command line in control_center.sh and solution_designer.sh in the $ESEC_HOME/bin directory:
control_center.sh:
"$ESEC_HOME/jre/bin/java" $MEMORY -Dcom.esecurity.configurationfile=$ESEC_CONF_FILE -Desecurity.cache.directory="$ESEC_HOME/data/control_center.cache" -Desecurity.communication.service="sentinel_client" -Dfile.encoding=UTF8 -Desecurity.dataobjects.config.file="/xml/BaseMetaData.xml,/xml/WorkflowMetaData.xml,/xml/ActMetaData.xml" -Djava.util.logging.config.file="$ESEC_HOME/config/control_center_log.prop" -Djava.security.auth.login.config="$ESEC_HOME/config/auth.login" $SENTINEL_LANG_PROP $SENTINEL_CTRY_PROP -Dice.pilots.html4.baseFontFamily="Arial Unicode MS" -Desecurity.remote.timeout=60 -jar ../lib/console.jar
solution_designer.sh:
"$ESEC_HOME/jre/bin/java" -classpath $LOCAL_CLASSPATH $MEMORY -Dcom.esecurity.configurationfile="$ESEC_CONF_FILE" -Dsentinel.installer.jar.location="$ESEC_HOME/lib/contentinstaller.jar" -Desecurity.communication.service="sentinel_client" -Dfile.encoding=UTF8 -Desecurity.dataobjects.config.file="/xml/BaseMetaData.xml,/xml/WorkflowMetaData.xml,/xml/ActMetaData.xml" -Djava.util.logging.config.file="$ESEC_HOME/config/solution_designer_log.prop" -Djava.security.auth.login.config="$ESEC_HOME/config/auth.login" $SENTINEL_LANG_PROP $SENTINEL_CTRY_PROP -Desecurity.cache.directory=../data/solution_designer.cache -Desecurity.remote.timeout=60 com.esecurity.content.exportUI.ContentPackBuilder
In Sentinel 6.1 SP1 Hotfix 2, LDAP users are created by using an authentication option in the User Manager window of Sentinel Control Center. In Sentinel 6.1 SP2, LDAP users are created by using a new option called Authentication. Use the following procedure to ensure that LDAP users created in SP1 Hotfix 2 continue to function properly in SP2:
Run the LDAP authentication configuration script.
Log in to Sentinel Control Center, select the tab that contains the User Manager, then open the User Manager window.
For each existing LDAP user, right-click the user and open it for editing. A user that was created with the SP1 Hotfix 2 option is displayed with its authentication type.
If you specified n for the Anonymous searches on LDAP directory parameter while configuring LDAP authentication, specify the fully qualified DN of the LDAP user in the corresponding field. For more information, see Creating an LDAP User Account for Sentinel in the Sentinel 6.1 User Guide.
Save the changes.