000033238 - How to create an external LDAP Identity Source in RSA Authentication Manager 8.1 SP1 or later

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 5

Article Content

Article Number: 000033238
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.0
Platform: Linux
O/S Version: SUSE Linux

How to create, configure or set up an external LDAP identity source to Active Directory or another supported LDAP directory server from Authentication Manager 8.1 SP1 or later.

Tasks
1. Obtain an account with full administrator rights to the LDAP directory (for example, Domain Admin for Active Directory). An account with less than full administrator rights may result in unpredictable behavior. The Authentication Manager administrator does not need to know the password for this account: the domain administrator can type it into the external identity source configuration, where it is obscured. However, if this account's password changes or the account stops working, all users with tokens from this external identity source will fail to authenticate, and the RSA authentication logs will report that Authentication Manager failed to resolve the user. Because this is a full-administrator credential, protect it like any other Domain Admin password, and make sure any scheduled rotation of that password is applied to the identity source configuration at the same time.
2. Plan all external identity sources so that no overlap is presented to Authentication Manager. For example, if you have two separate external identity sources, one with a base DN of:
ou=Users, DC=2k8r2-vcloud, dc=local

and a second with:
DC=2k8r2-vcloud, dc=local

you have overlap, because the Users OU is found within both. Overlap is a property of the DN tree, not of the identity source names: any base DN that ends with another source's base DN lies inside that source's subtree.
3. If possible, get unencrypted LDAP working first, then add encryption (LDAPS) as the last step. See the related KBs on the various ways to obtain the SSL certificates from your external identity source, e.g. your domain controllers. Use the [Test Connection] button in the external identity source configuration in the AM Operations Console to prove that either LDAP or LDAPS is working. Keep in mind that a simple bind over plain LDAP on port 389 sends the full-administrator credentials from step 1 in clear text, so keep the unencrypted phase short and do not leave a production identity source on ldap:// longer than needed.
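Step 2 above is easy to get wrong once there are more than two identity sources, because overlap depends on the DN tree rather than on how the sources are named. The following is an added example, not part of the RSA article, that normalizes the planned base DNs and reports every pair where one base DN sits inside another; the three identity-source names and the "lab" DN are constructed sample data (the first two DNs are the ones from the article).

```python
"""Added example: detect overlapping base DNs among planned AM identity sources.
Sample data below is constructed; the DN parser is deliberately simple and does not
handle escaped commas or multi-valued RDNs."""
import re


def normalize_dn(dn):
    """Split a DN into (attribute, value) RDN pairs, lower-cased and stripped, so that
    'ou=Users, DC=2k8r2-vcloud, dc=local' compares equal to 'OU=users,dc=2k8r2-vcloud,dc=local'."""
    rdns = [r.strip() for r in re.split(r"(?<!\\),", dn)]   # split on unescaped commas
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return tuple(pairs)


def is_subtree(child, parent):
    """True if `child` is the same as, or lies underneath, the `parent` base DN.
    A DN is inside another DN's subtree when its RDN list ends with the parent's RDN list."""
    c, p = normalize_dn(child), normalize_dn(parent)
    return len(c) >= len(p) and c[len(c) - len(p):] == p


def find_overlaps(sources):
    """sources: dict of identity-source name -> user base DN.
    Returns (inner, outer) name pairs where inner's base DN lies inside outer's base DN;
    every such pair is an overlap that AM does not support."""
    overlaps = []
    names = list(sources)
    for a in names:
        for b in names:
            if a != b and is_subtree(sources[a], sources[b]):
                overlaps.append((a, b))
    return overlaps


# Constructed sample: the two overlapping sources from the article plus an unrelated one.
PLANNED_SOURCES = {
    "corp-users": "ou=Users, DC=2k8r2-vcloud, dc=local",
    "corp-root": "DC=2k8r2-vcloud, dc=local",
    "lab": "dc=lab, dc=example, dc=local",            # assumed, does not overlap
}

if __name__ == "__main__":
    found = find_overlaps(PLANNED_SOURCES)
    if not found:
        print("no overlapping base DNs")
    for inner, outer in found:
        print(f"OVERLAP: {inner} ({PLANNED_SOURCES[inner]}) is inside "
              f"{outer} ({PLANNED_SOURCES[outer]})")
```

Run it against the base DNs you intend to enter; any line it prints means one of the two sources must be narrowed (for example to a specific OU) or removed before you configure them in the Operations Console.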
Resolution
You create an external identity source in RSA from the Operations Console, as follows:

Navigate to Deployment Configuration > Identity Sources > Add New (or Manage Existing if one has already been created).
You will need the identity source name and the directory URL, e.g. a domain controller, plus an AD/LDAP administrator account and its password:
URL: ldap://<FQDN or IP of Domain Controller>          e.g. ldap://dc01.example.local
User ID: rsasync@example.local     (needs full AD admin rights; anything less is not supported)
Password: can be entered by the AD administrator and remain unknown to the RSA administrator
Test Connection must succeed or Authentication Manager will not be able to read the directory. The button is at the bottom of the first tab, Connection(s). Each replica also needs its own directory URL; try to map each replica to a local domain controller rather than one across the WAN. You can only [Test Connection] for a replica from that replica's own Operations Console.
If Test Connection succeeds, click Next, or go to the Map tab on an existing identity source.
Here you configure:
User Base DN: dc=example, dc=local
Group Base DN: <same>
User ID typically maps to sAMAccountName, e.g. GuilletJ, with Unique Identifier mapped to objectGUID.
UPN/email (e.g. jay.guillette@example.local) can be used as the User ID instead, but users tend to complain about having to type the longer value.
Determine the base distinguished name (DN) from the Active Directory properties of the group or OU you plan to map to.
Distinguished Name Mapping
First name typically maps to givenName
Middle initial maps to initials
Last name maps to sn
Email maps to mail
Cert DN: not mapped in this example
Password maps to unicodePwd
Either drill down to the group called RSACitrixAccess with:
Search Filter: (&(objectClass=User)(objectcategory=person)(memberOf=CN=RSACitrixAccess,<DN of the container holding the group>,dc=example,dc=local))
for just the users that are direct members of the RSACitrixAccess group. The memberOf value must be the group's full distinguished name; a bare CN=RSACitrixAccess, as it is sometimes written, will not match any user. Note also that memberOf matches direct membership only (users in nested groups are not returned) and cannot select an OU; to scope the identity source to an OU, set the User Base DN to that OU instead. Or, for everyone, use the more generic lookup:
Search Filter: (&(objectClass=User)(objectcategory=person))
Search all levels
Object Classes: user, organizationalPerson, person
LDAP Search Filters (groups)
User Group name maps to cn
Search Filter: (objectClass=group)
Search all levels
Object Classes: group, top
Membership Attribute: member
Enable use of Membership attributes
MemberOf Attribute: memberOf
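The two filter mistakes most likely to produce an identity source that tests fine but maps no users or groups are a stray parenthesis and a memberOf= value that is not the group's full DN. The following is an added example, not RSA code, that checks a filter for both before it is pasted into the Map tab. The base DN dc=example,dc=local is the one used above; the OU=Groups container in the corrected filter and the filter names are assumptions.

```python
"""Added example: sanity-check LDAP search filters for the AM Map tab.
Catches unbalanced parentheses and memberOf= assertions that are not a full group DN
under the user base DN.  BASE_DN and the OU=Groups container are assumed, not from the article."""
import re

BASE_DN = "dc=example,dc=local"          # assumed user base DN


def _squash(dn):
    """Case-fold and drop spaces so 'CN=x, DC=Example' compares equal to 'cn=x,dc=example'."""
    return dn.replace(" ", "").lower()


def parens_balanced(flt):
    """True if every '(' in the filter has a matching ')' in the right order."""
    depth = 0
    for ch in flt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:                 # a ')' before its '('
                return False
    return depth == 0


def filter_problems(flt, base_dn=BASE_DN):
    """Return a list of problems found in `flt`; an empty list means it looks sane.
    Checks: outer parentheses present, parentheses balanced, and every memberOf= value
    is a full DN (at least two RDNs) that sits under `base_dn`."""
    problems = []
    if not (flt.startswith("(") and flt.endswith(")")):
        problems.append("filter must be enclosed in parentheses")
    if not parens_balanced(flt):
        problems.append("unbalanced parentheses")
    for value in re.findall(r"\(memberOf=([^)]*)\)", flt, flags=re.IGNORECASE):
        if value.count(",") < 1:
            problems.append(f"memberOf value {value!r} is not a full group DN")
        elif not _squash(value).endswith(_squash(base_dn)):
            problems.append(f"memberOf group {value!r} lies outside base DN {base_dn!r}")
    return problems


# Constructed filters: the bare-CN and unbalanced forms one sees in the field, their
# corrected forms, and the generic all-users filter.
FILTERS = {
    "group-members-bare-cn": "(&(objectClass=User)(objectcategory=person)(memberOf=CN=RSACitrixAccess))",
    "group-members-full-dn": "(&(objectClass=User)(objectcategory=person)"
                             "(memberOf=CN=RSACitrixAccess,OU=Groups,DC=example,DC=local))",
    "all-users":             "(&(objectClass=User)(objectcategory=person))",
    "groups-unbalanced":     "(&(objectClass=group)",
    "groups":                "(objectClass=group)",
}

if __name__ == "__main__":
    for name, flt in FILTERS.items():
        issues = filter_problems(flt)
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
```

The check is syntactic only: a filter it accepts can still return nothing if the group DN is misspelled, so confirm the final filter with an ldapsearch against the same base DN before saving the identity source.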
Notes
Authentication Manager needs a consistent connection to one LDAP server to work correctly, so round-robin DNS lookups, load balancers and meta-directories in front of an LDAP external identity source are not supported and will cause unpredictable results.
You may want to use an IP address instead of a server or DNS name, so that a DNS change cannot silently redirect the identity source to a different server.
An AM external identity source should be configured with a failover URL. The failover is used only if the primary URL is unavailable, meaning the primary does not answer TCP SYN connections on port 389 for LDAP or 636 for LDAPS; a primary that accepts the TCP connection but then fails the bind or the search does not trigger failover.
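Both the [Test Connection] step in the tasks above and the failover rule in these notes come down to the same question: does the directory server accept a TCP connection on 389 or 636? The following is an added example, not part of the RSA article, that probes a primary and failover URL on exactly that basis and reports which one Authentication Manager would use; it also fetches the certificate an LDAPS server presents, for the step where LDAPS is enabled. The hostnames are assumptions, and the stand-in for a reachable and an unreachable domain controller is a constructed loopback listener so the example runs offline.

```python
"""Added example: decide between primary and failover URLs the way AM does, on TCP
reachability of the LDAP/LDAPS port alone.  Hostnames are assumptions; demo_offline()
uses constructed loopback sockets in place of real domain controllers."""
import socket
import ssl
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_url(url):
    """Return (scheme, host, port) for an ldap:// or ldaps:// URL, filling in the default port."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme in {url!r}; use ldap:// or ldaps://")
    if not parts.hostname:
        raise ValueError(f"no host in {url!r}")
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]


def tcp_reachable(host, port, timeout=3.0):
    """True only if the TCP handshake completes.  A bind or search failure after this
    point would not make AM fail over, so this is the check that decides failover."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def choose_url(primary_url, failover_url, timeout=3.0):
    """Mimic AM's selection: primary if it answers on its port, else failover, else None."""
    for url in (primary_url, failover_url):
        _, host, port = parse_ldap_url(url)
        if tcp_reachable(host, port, timeout):
            return url
    return None


def fetch_ldaps_cert_pem(host, port=636, timeout=3.0):
    """Fetch the certificate an LDAPS server presents, without verifying it, as PEM text.
    Lets you see which server certificate (and issuer chain) must be trusted by AM before
    the URL is switched from ldap:// to ldaps://.  Needs network access; not used by demo_offline()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))


def demo_offline():
    """Constructed stand-in for a domain controller pair: a loopback listener plays the
    reachable primary, a just-released loopback port plays the failover that is down.
    Returns (chosen_url, primary_url, failover_url)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    primary = f"ldap://127.0.0.1:{listener.getsockname()[1]}"
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    dead_port = probe.getsockname()[1]
    probe.close()                                  # nothing listens on dead_port now
    failover = f"ldap://127.0.0.1:{dead_port}"
    try:
        return choose_url(primary, failover, timeout=1.0), primary, failover
    finally:
        listener.close()


if __name__ == "__main__":
    chosen, primary, failover = demo_offline()
    print(f"primary={primary} failover={failover} -> AM would use {chosen}")
```

Point choose_url() at the real primary and failover URLs from each replica's own network position, since the article notes that a replica's connectivity can only be tested from that replica; a primary that passes tcp_reachable() but fails the bind will keep AM on the primary, which is exactly the failure mode the notes describe.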
LDAP Failover