SSH

Configuring LDAP Authentication Parameters

Tectia Manager includes a feature allowing an external LDAP server to be used to store and verify admin user passwords. This section details how to set up and use this feature.

There are two separate LDAP authentication modes available: LDAP search authentication, in which Tectia Manager fetches the stored password hash and compares it itself, and LDAP bind authentication, in which the directory verifies the password by accepting or rejecting a bind with the user's own credentials.

LDAP Search Authentication Parameters

The authentication module, once configured, searches the LDAP server for password hashes belonging to users whose login name on the Management Server is identical to the uid attribute of an entry in the LDAP database; the uid attribute is the only field searched to determine whether the account exists. The module can handle the following types of password hashes:

  • Password hashes stored in the authPassword field as specified in RFC 3112.

    The SHA1 and MD5 schemes are supported.

  • Password hashes stored in the userPassword field as specified in RFC 2307.

    The SHA, MD5, SSHA, and SMD5 schemes are supported.

Note: Plaintext passwords are not supported for security reasons. All of the supported schemes are single-pass MD5 or SHA-1 digests; of these, prefer the salted forms ({SSHA} or {SMD5} in userPassword, or an authPassword value with a non-empty salt) so that identical passwords do not produce identical stored hashes and a precomputed table for one account is useless against the others.

As an example, if the fields in the settings section are filled out as follows:

LDAP server hostname: ldap.ssh.fi
LDAP server port: 389
Base search dn: cn=tectia,dc=ssh,dc=fi
Scope: sub

then when an admin user called admin authenticates using LDAP, the following URL is used for the search:

ldap://ldap.ssh.fi:389/cn=tectia,dc=ssh,dc=fi??sub?(uid=admin)

If a userPassword or authPassword attribute is found in the matching entry, the stored hash is compared against a hash computed in the same scheme (and, for the salted schemes, with the salt taken from the stored value) from the password the user typed into the administration interface.
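As an added example (not part of the Tectia Manager documentation or product code), the following Python reproduces the lookup and comparison described above: it builds the RFC 4516 search URL with the login name escaped per RFC 4515, so that a name such as `*)(uid=*` cannot widen the (uid=...) filter, and it verifies a typed password against RFC 2307 userPassword values ({SHA}, {MD5}, {SSHA}, {SMD5}) and RFC 3112 authPassword values (SHA1, MD5, with the digest taken over password followed by salt). The directory contents are constructed inline and the function names are my own; whether the product itself escapes the filter value is not stated on this page.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Without this, a login name such as  *)(uid=*  would rewrite the
    (uid=<login>) filter and could match entries other than the user's own.
    """
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def search_url(host: str, port: int, base_dn: str, scope: str, login: str) -> str:
    """Build the RFC 4516 URL  ldap://host:port/base?attrs?scope?filter  for the lookup.

    The attribute list is left empty, as in the page's example; the base DN is
    percent-encoded as RFC 4516 requires, which leaves a plain DN unchanged.
    """
    if scope not in ("sub", "one"):
        raise ValueError("scope must be 'sub' or 'one'")
    filt = "(uid=%s)" % escape_filter_value(login)
    return "ldap://%s:%d/%s??%s?%s" % (host, port, quote(base_dn, safe="=,"), scope, filt)


def verify_userpassword(stored: str, password: str) -> bool:
    """Check a password against an RFC 2307 userPassword value: {SCHEME}base64(digest[+salt])."""
    if not stored.startswith("{") or "}" not in stored:
        return False  # no scheme prefix means cleartext: never compared, never accepted
    scheme, b64 = stored[1:].split("}", 1)
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    pw = password.encode("utf-8")
    scheme = scheme.upper()
    if scheme == "SHA":
        return hmac.compare_digest(raw, hashlib.sha1(pw).digest())
    if scheme == "MD5":
        return hmac.compare_digest(raw, hashlib.md5(pw).digest())
    if scheme in ("SSHA", "SMD5"):
        algo, n = (hashlib.sha1, 20) if scheme == "SSHA" else (hashlib.md5, 16)
        digest, salt = raw[:n], raw[n:]  # the salt is whatever follows the digest
        return hmac.compare_digest(digest, algo(pw + salt).digest())
    return False  # {CRYPT}, {CLEARTEXT} and any other scheme are not supported


def verify_authpassword(stored: str, password: str) -> bool:
    """Check a password against an RFC 3112 authPassword value: scheme$authInfo$authValue.

    authInfo carries the base64 salt (possibly empty) and authValue the base64
    digest of password + salt.
    """
    parts = [p.strip() for p in stored.split("$")]
    if len(parts) != 3:
        return False
    algo = {"SHA1": hashlib.sha1, "MD5": hashlib.md5}.get(parts[0].upper())
    if algo is None:
        return False
    try:
        salt = base64.b64decode(parts[1], validate=True)
        expected = base64.b64decode(parts[2], validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(expected, algo(password.encode("utf-8") + salt).digest())


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def _ssha(password: bytes, salt: bytes) -> str:
    return "{SSHA}" + _b64(hashlib.sha1(password + salt).digest() + salt)


# Constructed stand-in for the entries a search would return: uid -> [(attribute, value)].
SAMPLE_DIRECTORY = {
    "admin": [("userPassword", _ssha(b"correct horse", b"\x01\x02\x03\x04"))],
    "alice": [("userPassword", "{SHA}" + _b64(hashlib.sha1(b"s3cret").digest()))],
    "bob": [("authPassword", "SHA1$%s$%s" % (_b64(b"saltsalt"),
                                            _b64(hashlib.sha1(b"hunter2saltsalt").digest())))],
    "carol": [("userPassword", "hunter2")],  # stored in cleartext: must be rejected
}


def authenticate(login: str, password: str, directory=SAMPLE_DIRECTORY) -> bool:
    """Emulate the module's decision for one login attempt: find the uid, then
    accept only if a supported hash attribute verifies."""
    for attr, stored in directory.get(login, []):
        if attr == "userPassword" and verify_userpassword(stored, password):
            return True
        if attr == "authPassword" and verify_authpassword(stored, password):
            return True
    return False


if __name__ == "__main__":
    print(search_url("ldap.ssh.fi", 389, "cn=tectia,dc=ssh,dc=fi", "sub", "admin"))
    for login, pw in [("admin", "correct horse"), ("admin", "wrong"),
                      ("bob", "hunter2"), ("carol", "hunter2")]:
        print(login, repr(pw), authenticate(login, pw))
```

Two details worth noticing: carol's cleartext value fails even with the right password, which is the behaviour the note above requires, and the comparisons use hmac.compare_digest so that timing does not leak how many leading bytes of the digest matched.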

To add a new set of LDAP settings, select Settings → Admin Authentication → LDAP search authentication parameters and click Add new.

Figure 4.9. The parameters for LDAP search

Fill out the fields accordingly:

Name (required)

This field allows you to give the configuration set a descriptive name. This is the name seen in the Authentication group drop-down menu when you edit an admin's account.

LDAP server hostname (required)

This field contains the FQDN of the LDAP server you wish to connect to for authentication purposes.

LDAP server port (required)

This is the port on which the LDAP server is listening.

LDAP username (optional)

If your LDAP server requires that you bind as a certain privileged user to be able to read the userPassword or authPassword attribute, this is the bind DN of that user, for example cn=Manager,dc=domain,dc=com. Grant that account read access to the password attributes of the admin entries only; it does not need write access or access to the rest of the directory.

LDAP password (optional)

The password for the username specified in the LDAP username field.

Base search DN (required)

This field sets the base DN, that is, the point in the directory tree at which the search starts.

Scope (required)

The scope of the search: sub searches the whole subtree below the base DN, one searches only its immediate children. The default is sub.

TLS certificate (optional)

If you wish to use TLS to protect the communications between the Management Server and LDAP server, upload here the CA certificate to be used as a trust anchor when verifying the LDAP server's certificate.

TLS mode (required)

Select whether Transport Layer Security (TLS) will be used:

  • Disable causes communications between the Management Server and LDAP server to happen in plaintext. This is the default, but we recommend using TLS protection for security reasons: without it the bind credentials (if any) and the retrieved password hashes are exposed on the network, and an attacker on the path can substitute a hash of their own choosing.

  • Require will attempt to use TLS and if it is unavailable, the authentication is considered failed.

Disable Revocation Checks

Select whether the validity of the LDAP server's TLS certificate is checked against the LDAP-published revocation lists and OCSP. Checking is disabled by default, which means a revoked server certificate is still accepted; clear this option in any deployment where the LDAP server certificate could be revoked.

LDAP Bind Authentication Parameters

The LDAP bind authentication module verifies the admin user password by logging in (binding) to an LDAP directory using the user account itself. The actual password checking is done by the LDAP directory. This has the advantage that account disable and expiration restrictions are enforced by the directory, so a disabled directory account cannot be used to log in to Tectia Manager.

In the LDAP bind operation the user password will be transmitted to an LDAP directory. It is therefore of utmost importance that the connection to LDAP is properly secured. TLS is recommended for this purpose, but if it cannot be used, other means of lower-level protection must be deployed (such as SecSh tunneling or IPSec).

As in LDAP search authentication, a user account must be created in both Tectia Manager and the LDAP directory. Additionally, in LDAP bind authentication the user has to have an LDAP path that can be constructed from the admin user parameters in the Management Database. For example, if Tectia Manager is configured in the following manner:

Bind DN format: CN=${name}, CN=Users, DC=ad-server, DC=ssh, DC=com

and an admin user account with the real name CSM Test User has been created, Tectia Manager will attempt to bind to the directory using the following bind DN:

CN=CSM Test User, CN=Users, DC=ad-server, DC=ssh, DC=com

and the user-supplied password. The user object in LDAP has to have enough access rights to perform the bind operation using a password and to read (at least partially) the user object itself.

To add a new set of LDAP bind settings, select Settings → Admin Authentication → LDAP bind authentication parameters and click Add new. Fill in the fields accordingly:

Name (required)

This field allows you to give the configuration set a descriptive name. This is the name seen in the Authentication group drop-down list when you edit an admin account.

LDAP server hostname (required)

This field contains the FQDN of the LDAP server you wish to connect to for authentication purposes.

LDAP server port (required)

This is the port on which the LDAP server is listening. LDAPv2 servers do not support the StartTLS extended operation, so using TLS with an LDAPv2 directory probably requires LDAP over TLS on port 636 instead of 389.

Bind DN format (required)

Format string used to construct the DN of the admin user object that the bind is attempted as. It can contain variable fields for user information which are substituted when binding to the directory. Supported fields are:

  • ${name}

    Real name of the admin user.

  • ${account}

    Admin user account name.

  • ${email}

    Admin user email address.

For example the following DN format field

CN=${name}, OU=Tectia Manager Administration, O=SSH, C=FI

will result in the bind DN

CN=John Doe, OU=Tectia Manager Administration, O=SSH, C=FI

if the user real name field in the Management Database contains the name John Doe.
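As an added example (not part of the Tectia Manager documentation or product code), the following Python carries out the substitution described above and a stand-in for the directory's simple bind, covering both DN formats shown on this page. The admin records and the directory are constructed inline and the function names are my own. It also escapes the substituted values per RFC 4514, so that a real name such as "Doe, John" cannot add an RDN to the path; whether the product itself escapes these values is not stated on this page, so treat that as an assumption about what a correct implementation should do.

```python
import hmac
import re

# Constructed admin records standing in for rows of the Management Database.
SAMPLE_ADMINS = {
    "jdoe": {"name": "John Doe", "account": "jdoe", "email": "john.doe@example.com"},
    "csmtest": {"name": "CSM Test User", "account": "csmtest", "email": "csm@example.com"},
    # A real name containing a DN separator; unescaped, it would add an RDN to the path.
    "tricky": {"name": "Doe, John", "account": "tricky", "email": "tricky@example.com"},
}

# Constructed stand-in for the directory: bind DN -> (password, account enabled).
SAMPLE_DIRECTORY = {
    "CN=John Doe, OU=Tectia Manager Administration, O=SSH, C=FI": ("jd-pass", True),
    "CN=CSM Test User, OU=Tectia Manager Administration, O=SSH, C=FI": ("csm-pass", False),
    "CN=Doe\\, John, OU=Tectia Manager Administration, O=SSH, C=FI": ("t-pass", True),
}

SUPPORTED_FIELDS = ("name", "account", "email")
PLACEHOLDER = re.compile(r"\$\{([^}]*)\}")


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for inclusion in a DN string (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;' or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_bind_dn(template: str, admin: dict) -> str:
    """Substitute ${name}, ${account} and ${email} from the admin record into the format string.

    Unknown placeholders and empty fields are errors: a DN built from missing data
    would silently target some other entry or no entry at all.
    """
    for m in PLACEHOLDER.finditer(template):
        if m.group(1) not in SUPPORTED_FIELDS:
            raise ValueError("unsupported placeholder ${%s}" % m.group(1))

    def repl(m):
        value = admin.get(m.group(1))
        if not value:
            raise ValueError("admin record has no %s; cannot construct bind DN" % m.group(1))
        return escape_dn_value(value)

    return PLACEHOLDER.sub(repl, template)


def simple_bind(directory: dict, dn: str, password: str) -> bool:
    """Stand-in for the directory's simple bind: an unknown DN, a wrong password and a
    disabled account all fail, which is what leaves account policy to the directory."""
    entry = directory.get(dn)
    if entry is None:
        return False
    stored, enabled = entry
    return enabled and hmac.compare_digest(stored.encode(), password.encode())


def bind_authenticate(template: str, account: str, password: str,
                      admins=SAMPLE_ADMINS, directory=SAMPLE_DIRECTORY) -> bool:
    """Authenticate a Tectia Manager admin account via LDAP bind: the account must exist
    locally (to supply the DN fields) and the directory must accept the bind."""
    admin = admins.get(account)
    if admin is None:
        return False
    return simple_bind(directory, build_bind_dn(template, admin), password)


if __name__ == "__main__":
    fmt = "CN=${name}, OU=Tectia Manager Administration, O=SSH, C=FI"
    for acct in SAMPLE_ADMINS:
        print(acct, "->", build_bind_dn(fmt, SAMPLE_ADMINS[acct]))
    print(bind_authenticate(fmt, "jdoe", "jd-pass"), bind_authenticate(fmt, "csmtest", "csm-pass"))
```

The csmtest case is the point of this mode: the password is right, but the directory has the account disabled, so the bind, and therefore the Tectia Manager login, fails without Tectia Manager having to know anything about the directory's account policy.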

Require TLS (required)

If TLS is not required, clear the check box here. Note that in this case the admin user password itself (not a hash) will be transmitted to the LDAP server in plaintext. Disable TLS only if another form of authentication and encryption, such as SecSh tunneling or IPSec, is in place between Tectia Manager and the LDAP directory.

TLS certificate (optional)

If you wish to use TLS to protect the communications between the Management Server and LDAP server, upload a certificate to be used as a trust anchor in LDAP server authentication.

Disable Revocation Checks

Select whether the validity of the LDAP server's TLS certificate is checked against the LDAP-published revocation lists and OCSP. Checking is disabled by default, which means a revoked server certificate is still accepted; since this mode sends the admin password to whatever server presents an acceptable certificate, clear this option wherever the LDAP server certificate could be revoked.