3.6 LDAP Authentication

Sentinel Rapid Deployment supports LDAP authentication in addition to database authentication. You can enable users to log in to Sentinel Rapid Deployment by using their Novell eDirectory or Microsoft Active Directory credentials by configuring a Sentinel Rapid Deployment server for LDAP authentication.

3.6.1 Overview

You can configure the Sentinel Rapid Deployment server for LDAP authentication over a secure SSL connection with or without using anonymous searches on the LDAP directory.

NOTE: If anonymous search is disabled on the LDAP directory, you must not configure the Sentinel Rapid Deployment server to use anonymous search.

  • Anonymous Search: When you create Sentinel Rapid Deployment LDAP user accounts, you must specify the directory username, but you do not need to specify the user distinguished name (DN).

    When the LDAP user logs in to Sentinel Rapid Deployment, the Sentinel Rapid Deployment server performs an anonymous search on the LDAP directory based on the specified username, finds the corresponding DN, then authenticates the user login against the LDAP directory by using the DN.

  • Non-Anonymous Search: When you create Sentinel Rapid Deployment LDAP user accounts, you must specify both the directory username and the user DN.

    When the LDAP user logs in to the Sentinel Rapid Deployment, the Sentinel Rapid Deployment server authenticates the user login against the LDAP directory by using the specified user DN and does not perform any anonymous search on the LDAP directory.

    There is an additional approach applicable only for Active Directory. For more information, see Non-Anonymous LDAP Authentication by Using the UserPrincipalName attribute in Active Directory.

3.6.2 Prerequisites

Exporting the LDAP Server CA Certificate

The secure SSL connection to the LDAP server requires the LDAP server CA certificate, which you must export to a Base64-encoded file.

Enabling Anonymous Search in the LDAP Directory

To perform LDAP authentication by using anonymous search, you must enable anonymous search in the LDAP directory. By default, anonymous search is enabled in eDirectory and is disabled in Active Directory.

To enable anonymous search in the LDAP directory, refer to the following:

3.6.3 Configuring the Sentinel Server for LDAP Authentication

  1. Make sure you have met the prerequisites in Section 3.6.2, Prerequisites.

  2. Log in to the Sentinel Rapid Deployment server as the root user.

  3. Copy the exported LDAP server CA certificate file to the <install_directory>/config directory.

  4. Set the ownership and permissions of the certificate file as follows:

    chown novell:novell <install_directory>/config/<cert-file>

    chmod 700 <install_directory>/config/<cert-file>

  5. Switch to the novell user:

    su - novell
    
  6. Change to the <install_directory>/bin directory.

  7. Run the LDAP authentication configuration script:

    ./ldap_auth_config.sh

    The script takes a backup of the auth.login and configuration.xml configuration files in the config directory as auth.login.sav and configuration.xml.sav before modifying them for LDAP authentication.

  8. Specify the following information:

    Press Enter to accept the default value or specify a new value to override the default.

    • Sentinel install location: The installation directory on the Sentinel server.

    • LDAP server hostname or IP address: The hostname or the IP address of the machine where the LDAP server is installed. The default value is localhost. However, you should not install the LDAP server on the same machine as the Sentinel server.

    • LDAP server port: The port number for a secure LDAP connection. The default port number is 636.

    • Anonymous searches on LDAP directory: Specify y to perform anonymous searches. Otherwise, specify n. The default value is y.

      If you specify n, complete the LDAP configuration and perform the steps mentioned in the section LDAP Authentication Without Performing Anonymous Searches.

    • LDAP Directory used: This parameter is displayed only if you have specified ‘y’ for anonymous searches. Specify 1 for Novell eDirectory or 2 for Active Directory. The default value is 1.

    • LDAP subtree to search for users: This parameter is displayed only if you have specified ‘y’ for anonymous searches. The subtree in the directory that has the user objects. The following are examples for specifying the subtree in eDirectory and Active Directory:

      • eDirectory:

        ou=users,o=novell
        

        NOTE: For eDirectory, if no subtree is specified, the search is run on the entire directory.

      • Active Directory:

        CN=users,DC=TESTAD,DC=provo,DC=novell,DC=com
        

        NOTE: For Active Directory, the subtree cannot be blank.

    • Filename of the LDAP server certificate: The filename of the eDirectory/Active Directory CA certificate that you have copied in Step 3.

  9. Enter one of the following:

    • y to accept the entered values

    • n to enter new values

    • q to quit the configuration

    On successful configuration:

    • The LDAP server certificate is added to a keystore named <install_directory>/config/ldap_server.keystore.

    • The auth.login and configuration.xml configuration files in the <install_directory>/config directory are updated to enable LDAP authentication.

  10. Enter y to restart the Sentinel service.

    IMPORTANT: If there are any errors, revert the changes made to the auth.login and configuration.xml configuration files in the config directory:

    cp -p auth.login.sav auth.login
    cp -p configuration.xml.sav configuration.xml
    
  11. (Conditional) If you specified n for Anonymous searches on LDAP directory, continue with LDAP Authentication Without Performing Anonymous Searches.

LDAP Authentication Without Performing Anonymous Searches

While configuring the Sentinel Rapid Deployment for LDAP Authentication, if you have specified n for Anonymous searches on LDAP directory, then the LDAP authentication does not perform anonymous search.

When you create the LDAP user account by using the Sentinel Control Center, ensure that you specify LDAP user DN for non-anonymous LDAP authentication. You can use this approach for both eDirectory and Active Directory.

For more information, see Creating an LDAP User Account for Sentinel in the Sentinel Rapid Deployment User Guide.

Additionally, for Active Directory, there is an alternative approach to perform LDAP authentication without anonymous searches. For more information, see Non-Anonymous LDAP Authentication by Using the UserPrincipalName attribute in Active Directory.

Non-Anonymous LDAP Authentication by Using the UserPrincipalName attribute in Active Directory

For Active Directory, you can also perform LDAP authentication without anonymous searches by using the userPrincipalName attribute:

  1. Ensure that the userPrincipalName attribute is set to <sAMAccountName@domain> for the Active Directory user.

    For more information, see User-Principal-Name Attribute.

  2. Ensure that you have performed Step 1 through Step 10 and that you specified n for Anonymous searches on LDAP directory.

  3. On the Sentinel server, edit the LdapLogin section in the <Install Directory>/config/auth.login file:

    LdapLogin {
        com.sun.security.auth.module.LdapLoginModule required
        userProvider="ldap://LDAP server IP:636/DN of the Container that contains the user objects"
        authIdentity="{USERNAME}@Domain Name"
        userFilter="(&(sAMAccountName={USERNAME})(objectclass=user))"
        useSSL=true;
    };
    

    For example:

    LdapLogin {
        com.sun.security.auth.module.LdapLoginModule required
        userProvider="ldap://137.65.151.12:636/DC=Test-AD,DC=provo,DC=novell,DC=com"
        authIdentity="{USERNAME}@Test-AD.provo.novell.com"
        userFilter="(&(sAMAccountName={USERNAME})(objectclass=user))"
        useSSL=true;
    };
    
  4. Restart the Sentinel service:

    /etc/init.d/sentinel stop
    
    /etc/init.d/sentinel start
    

3.6.4 Configuring Multiple LDAP Servers for Failover

To configure one or more LDAP servers as failover servers for LDAP authentication:

  1. Ensure that you have followed Step 2 through Step 10 to configure the Sentinel server for LDAP authentication against the primary LDAP server.

  2. Log in to the Sentinel server as the novell user.

  3. Stop the Sentinel service.

    /etc/init.d/sentinel stop
    
  4. Change to the <install_directory>/config directory:

    cd <install_directory>/config
    
  5. Open the auth.login file for editing.

    vi auth.login
    
  6. Update the userProvider in the LdapLogin section to specify multiple LDAP URLs. Separate each URL by a blank space.

    For example:

    userProvider="ldap://ldap-url1 ldap://ldap-url2"
    

    For Active Directory, ensure that the subtree in the LDAP URL is not blank.

    For more information on specifying multiple LDAP URLs, see the description of the userProvider option in Class LdapLoginModule.

  7. Save the changes.

  8. Export the certificate of each failover LDAP server and copy the certificate file to the <install_directory>/config directory on the Sentinel server.

    For more information, see Exporting the LDAP Server CA Certificate.

  9. Ensure that you set the necessary ownership and permissions of the certificate file for each failover LDAP server.

    chown novell:novell <install_directory>/config/<cert-file>
    
    chmod 700 <install_directory>/config/<cert-file>
    
  10. Add each failover LDAP server certificate to the keystore ldap_server.keystore that is created in Step 8 in section Configuring the Sentinel Server for LDAP Authentication.

    <install_directory>/jre64/bin/keytool -importcert -noprompt -trustcacerts -file <certificate-file> -alias <alias_name> -keystore ldap_server.keystore -storepass sentinel
    

    Replace <certificate-file> with the LDAP certificate filename in Base64-encoded format and replace <alias_name> with the alias name for the certificate to be imported.

    IMPORTANT: Ensure that you specify the alias. If no alias is specified, keytool uses mykey as the alias by default, so importing a second certificate without an alias fails with an error that the alias already exists.

  11. Start the Sentinel service.

    /etc/init.d/sentinel start
    

The service might not connect to the failover LDAP server if the Sentinel server times out before it finds that the primary LDAP server is down. To ensure that the Sentinel server connects to the failover LDAP server without timing out:

  1. Log in to the Sentinel server as the root user.

  2. Open the sysctl.conf file for editing:

    vi /etc/sysctl.conf
    
  3. Ensure that the net.ipv4.tcp_syn_retries value is set to 3. If the entry does not exist, add the entry. Save the file:

    net.ipv4.tcp_syn_retries = 3
    
  4. Execute the command for the changes to take effect:

    /sbin/sysctl -p
    
    /sbin/sysctl -w net.ipv4.route.flush=1
    
  5. Set the Sentinel server timeout value by adding the -Desecurity.remote.timeout=60 parameter in control_center.sh and solution_designer.sh in the <install_directory>/bin directory:

    control_center.sh:

    "<install_directory>/jre/bin/java" $MEMORY -Dcom.esecurity.configurationfile=$ESEC_CONF_FILE -Desecurity.cache.directory="<install_directory>/data/control_center.cache" -Desecurity.communication.service="sentinel_client" -Dfile.encoding=UTF8 -Desecurity.dataobjects.config.file="/xml/BaseMetaData.xml,/xml/WorkflowMetaData.xml,/xml/ActMetaData.xml" -Djava.util.logging.config.file="<install_directory>/config/control_center_log.prop" -Djava.security.auth.login.config="<install_directory>/config/auth.login" $SENTINEL_LANG_PROP $SENTINEL_CTRY_PROP -Dice.pilots.html4.baseFontFamily="Arial Unicode MS" -Desecurity.remote.timeout=60 -jar ../lib/console.jar 
    

    solution_designer.sh:

    "<install_directory>/jre/bin/java" -classpath $LOCAL_CLASSPATH $MEMORY -Dcom.esecurity.configurationfile="$ESEC_CONF_FILE" -Dsentinel.installer.jar.location="<install_directory>/lib/contentinstaller.jar" -Desecurity.communication.service="sentinel_client" -Dfile.encoding=UTF8 -Desecurity.dataobjects.config.file="/xml/BaseMetaData.xml,/xml/WorkflowMetaData.xml,/xml/ActMetaData.xml" -Djava.util.logging.config.file="<install_directory>/config/solution_designer_log.prop" -Djava.security.auth.login.config="<install_directory>/config/auth.login" $SENTINEL_LANG_PROP $SENTINEL_CTRY_PROP -Desecurity.cache.directory=../data/solution_designer.cache -Desecurity.remote.timeout=60 com.esecurity.content.exportUI.ContentPackBuilder
    

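To see why this procedure pairs tcp_syn_retries = 3 with -Desecurity.remote.timeout=60, the following added Python example (not part of Sentinel) computes how long a Linux connect() to an unreachable primary LDAP server keeps retrying before the kernel gives up, and edits sysctl.conf-style text so the entry is set exactly once. The sample file content is constructed; the 1-second initial retransmission timeout is an assumption that holds for current kernels (older kernels used 3 seconds, which the initial_rto parameter lets you model).

```python
import re

# Constructed sample of /etc/sysctl.conf content (not taken from any real host).
SAMPLE_SYSCTL_CONF = """# Kernel sysctl configuration
net.ipv4.ip_forward = 0
# net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_syn_retries=6
"""


def set_sysctl_entry(conf_text, key, value):
    """Return conf_text with 'key = value' present exactly once.

    An active entry is replaced in place, commented-out entries are left
    untouched, duplicate active entries are dropped, and the entry is
    appended if it does not exist (the 'add the entry' case in step 3)."""
    pattern = re.compile(r'^\s*' + re.escape(key) + r'\s*=.*$')
    out, replaced = [], False
    for line in conf_text.splitlines():
        if pattern.match(line):
            if not replaced:
                out.append(f"{key} = {value}")
                replaced = True
            continue
        out.append(line)
    if not replaced:
        out.append(f"{key} = {value}")
    return "\n".join(out) + "\n"


def syn_timeout_seconds(syn_retries, initial_rto=1):
    """Seconds a Linux connect() waits before giving up on a host that never
    answers: the initial SYN plus syn_retries retransmissions, each waiting
    twice as long as the previous one (assumed 1 s initial RTO)."""
    return sum(initial_rto * 2 ** i for i in range(syn_retries + 1))


def fails_over_in_time(syn_retries, remote_timeout=60, initial_rto=1):
    """True if the kernel abandons the primary LDAP server before the Sentinel
    client timeout (-Desecurity.remote.timeout) expires, leaving time to try
    the failover URL."""
    return syn_timeout_seconds(syn_retries, initial_rto) < remote_timeout


if __name__ == "__main__":
    for retries in (3, 6):
        print(retries, syn_timeout_seconds(retries), fails_over_in_time(retries))
    print(set_sysctl_entry(SAMPLE_SYSCTL_CONF, "net.ipv4.tcp_syn_retries", 3))
```

With the kernel default of 6 retries the connect attempt runs for 127 seconds, longer than the 60-second client timeout, which is the failure this procedure prevents.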
3.6.5 Configuring LDAP Authentication for Multiple Active Directory Domains

If the LDAP users to be authenticated are in multiple Active Directory domains, you can configure the Sentinel Rapid Deployment server for LDAP authentication as follows:

  1. Ensure that you have followed Step 2 through Step 10 to configure the Sentinel server for LDAP authentication against the Active Directory domain controller of the first domain, and that you specified n for Anonymous searches on LDAP directory.

  2. Log in to the Sentinel server as the novell user.

  3. Stop the Sentinel service.

    /etc/init.d/sentinel stop
    
  4. Change to the <install_directory>/config directory:

    cd <install_directory>/config
    
  5. Open the auth.login file for editing.

    vi auth.login
    
  6. Edit the LdapLogin section to specify multiple LDAP URLs separating each URL by a blank space.

    For example:

    LdapLogin {
            com.sun.security.auth.module.LdapLoginModule required
            userProvider="ldap://<IP of the domain 1 domain controller>:636 ldap://<IP of the domain 2 domain controller>:636"
            authIdentity="{USERNAME}"
            useSSL=true;
    };
    

    For more information on specifying multiple LDAP URLs, see the description of the userProvider option in Class LdapLoginModule.

  7. Save the changes.

  8. Export the certificate of the domain controller of each domain and copy the certificate files to the <install_directory>/config directory on the Sentinel server.

    For more information, see Exporting the LDAP Server CA Certificate.

  9. Ensure that you set the necessary ownership and permissions of the certificate files.

    chown novell:novell <install_directory>/config/<cert-file>
    
    chmod 700 <install_directory>/config/<cert-file>
    
  10. Add each certificate to the keystore ldap_server.keystore that is created in Step 8 in section Configuring the Sentinel Server for LDAP Authentication.

    <install_directory>/jre64/bin/keytool -importcert -noprompt -trustcacerts -file <certificate-file> -alias <alias_name> -keystore ldap_server.keystore -storepass sentinel
    

    Replace <certificate-file> with the LDAP certificate filename in Base64-encoded format and replace <alias_name> with the alias name for the certificate to be imported.

    IMPORTANT: Ensure that you specify the alias. If no alias is specified, keytool uses mykey as the alias by default, so importing a second certificate without an alias fails with an error that the alias already exists.

  11. Start the Sentinel service.

    /etc/init.d/sentinel start
    

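The rules this section, the failover section, and the userPrincipalName procedure place on a hand-edited LdapLogin block (space-separated userProvider URLs, port 636 with useSSL=true, and a non-blank subtree for Active Directory) can be checked before the service is restarted. The following Python is an added example, not part of Sentinel: the sample auth.login text and the host ad2.example.test are constructed, and the parser is an assumption that covers only the flat JAAS option syntax shown in this section.

```python
import re

# Constructed auth.login sample modeled on the examples in this section; the
# second URL deliberately has a blank subtree so the check has something to flag.
SAMPLE_AUTH_LOGIN = """
LdapLogin {
    com.sun.security.auth.module.LdapLoginModule required
    userProvider="ldap://137.65.151.12:636/DC=Test-AD,DC=provo,DC=novell,DC=com ldap://ad2.example.test:636/"
    authIdentity="{USERNAME}@Test-AD.provo.novell.com"
    userFilter="(&(sAMAccountName={USERNAME})(objectclass=user))"
    useSSL=true;
};
"""

# key=value or key="value" options inside the block (assumed flat JAAS syntax)
_OPTION_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s;]+))')
# ldap://host[:port][/base-dn]
_URL_RE = re.compile(r'^(?P<scheme>ldaps?)://(?P<host>[^/:]+)(?::(?P<port>\d+))?(?:/(?P<base>.*))?$')


def parse_ldap_login(text):
    """Return the option dict of the LdapLogin { ... }; block."""
    m = re.search(r'LdapLogin\s*\{(.*?)\};', text, re.S)
    if not m:
        raise ValueError("no LdapLogin block found")
    return {key: quoted or bare for key, quoted, bare in _OPTION_RE.findall(m.group(1))}


def check_ldap_login(text, active_directory=True):
    """Check the block against this section's rules; return a list of problems."""
    opts = parse_ldap_login(text)
    problems = []
    if opts.get("useSSL", "").lower() != "true":
        problems.append("useSSL is not true")
    urls = opts.get("userProvider", "").split()  # failover URLs are space-separated
    if not urls:
        problems.append("userProvider is empty")
    for url in urls:
        m = _URL_RE.match(url)
        if not m:
            problems.append(f"malformed URL: {url}")
            continue
        if m.group("port") != "636":
            problems.append(f"{url}: port is not 636")
        if active_directory and not m.group("base"):
            problems.append(f"{url}: Active Directory subtree is blank")
    return problems


if __name__ == "__main__":
    print(check_ldap_login(SAMPLE_AUTH_LOGIN))
```

Run it with active_directory=False for eDirectory, where a blank subtree means the search runs over the entire directory and is not an error.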
3.6.6 Logging in by Using LDAP User Credentials

After you successfully configure the Sentinel server for LDAP authentication, you can create Sentinel LDAP user accounts in Sentinel Control Center. For more information on creating LDAP user accounts, see Creating an LDAP User Account for Sentinel in the Sentinel Rapid Deployment User Guide.

After you create the LDAP user account, you can log in to the Sentinel Rapid Deployment Web user interface, Sentinel Control Center, and Sentinel Solution Designer by using your LDAP username and password.

NOTE: To modify an existing LDAP configuration, run the ldap_auth_config script again and specify the new values for the parameters.