000033238 - How to create an external LDAP identity source in RSA Authentication Manager 8.1 SP1 or later

Document created by RSA Customer Support Employee on Jun 14, 2016.  Last modified by RSA Customer Support on Jun 15, 2018.
Version 6


Article Number: 000033238
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 SP1, 8.2
Issue: This article explains how to create, configure or set up an external LDAP identity source for Active Directory or another supported LDAP directory server from Authentication Manager 8.1 SP1 or later.
 
Tasks: Before continuing,
  1. Obtain an account with full administrative rights to the LDAP directory; for example, a domain admin for Active Directory.  An account with less than full admin rights may result in unpredictable behavior.  The Authentication Manager admin does not need to know the password for this account: the domain admin can type it into the External Identity Configuration page in the Operations Console, where it is obscured.  Treat the account as a privileged credential all the same, since Authentication Manager stores it and uses it for every lookup against the directory.

Note that if this account's password changes or the account stops working, all users with tokens from this external identity source will fail to authenticate, and the reason in the authentication activity logs will be that Authentication Manager failed to resolve the user.  To correct the error, update the Directory User ID and Directory Password fields to the correct values.  Ideally, work with the domain admin so that the RSA admin is notified of any scheduled change to the user ID or password and can update the Directory User ID and Directory Password at the same time they change on the external identity source, avoiding authentication failures.

  2. Plan all external identity sources so that their LDAP search scopes do not overlap.  For example, two identity sources, one with a base DN of ou=Users,DC=2k8r2-vcloud,dc=local and a second with a base DN of DC=2k8r2-vcloud,dc=local, overlap because the first is a subset of the second.  Such overlap causes conflicts in the underlying system, resulting in authentication failures.
  3. If possible, get unencrypted LDAP working first, then add encryption with LDAPS as the last step.  See the related articles on the various ways to obtain the SSL certificate from your external identity source, such as 000030537 - Get the external Identity Source LDAPS certificate using openssl for Authentication Manager 8.1.
  4. Use the Test Connection button in the external identity source configuration in the Authentication Manager Operations Console to prove that either LDAP or LDAPS is working.
Resolution

Create or update an external identity source in Authentication Manager



  1. Launch the Operations Console from a browser.  The URL will be similar to https://<RSA_server>:7072/operations-console/.
  2. Navigate to Deployment Configuration > Identity Sources and select either Add New or Manage Existing, if the external identity source was already created.


The Connection(s) tab


Complete the following:

I.  Identity Source Basics



  1. Enter the name of the identity source.
  2. Choose the type of external identity source (Microsoft Active Directory, Oracle Directory Server/Sun Java System Directory Server, or OpenLDAP).

II.  Directory Connection - Primary



  1. Enter the Directory URL of the identity source, for example a domain controller, in the form ldap://<host>:389 or ldaps://<host>:636, where <host> is the FQDN or IP address of the domain controller.
  2. Optionally, add a Directory Failover URL.  This is not required but is highly recommended, and it should point to a domain controller at an alternate site.
  3. Enter the Directory User ID and password, as discussed above.
  4. Click Test Connection to verify the connection between Authentication Manager and the domain controller.  The Test Connection must pass before moving forward.

III.  Directory Connection - Replica



  1. Follow the steps above to enter the directory URL, failover URL (optional), directory user ID and password.  Note that each replica needs its own directory URL.  Try to map the domain controller local to each replica, rather than mapping across a WAN.
  2. To validate, click Validate Connection Information.  Note that the Test Connection option for a replica can only be used from that replica's own Operations Console.
  3. Once the Test Connection is successful, click Next, or go to the Map tab on an existing identity source.

The Map tab


Modify the following settings on the Map tab or accept the defaults.

I.  Directory Settings



  1. Enter the User Base DN; for example, cn=Users,dc=2k8r2-vcloud,dc=local.  Every user you expect to resolve must sit at or below this DN.
  2. Enter the Group Base DN, typically the same string.
  3. For User Account Enabled State, select Directory or Directory and Internal Database.

  • Select Directory to check the enabled state only in the external identity source.
  • Select Directory and Internal Database to check both the external source and the internal database.
  • Optionally, select Validate Map Against Schema to validate the schema settings each time the settings are created or modified.

II.  Active Directory Options



  1. Global Catalog.  Select this option if this external identity source is a Global Catalog.  Note that a Global Catalog serves only as a runtime identity source, used to authenticate users; to perform administrative tasks you must also add an administrative identity source that points at a domain controller for each domain the Global Catalog covers.  See 000034202 - Unable to link Global Catalog (runtime identity source) to RSA Authentication Manager 8.x for more information.
  2. User Authentication.  Indicate whether users will be authenticated against this identity source or against a Global Catalog.

III.  Directory Configuration - User Tracking Attributes



  • Configure the User ID and Unique Identifier values to help the system track users.
  • Note that the Unique Identifier is typically mapped to the objectGUID.

IV.  Directory Configuration - User



a.  Field Mapping



The following Authentication Manager fields are mapped to the Active Directory attributes below by default.  Depending on your environment, these mappings can be modified.

Field                  Maps To
---------------------  --------------
User ID                sAMAccountName
Unique Identifier      objectGUID
First or given name    givenName
Middle Name            initials
Last name              sn
Email                  mail
Certificate DN         comment
Password               unicodePwd



b.  LDAP  Search Filters



  • To search for all users in the scope, use the following filter:

(&(objectClass=User)(objectcategory=person))

The objectcategory clause matters: computer accounts also carry objectClass=user in Active Directory, and this clause excludes them.

  • To filter on the members of one group, for example RSACitrixAccess, memberOf must be compared against the group's full distinguished name, not just its CN.  With the group placed in the article's example domain (adjust the DN to match where the group lives in your directory), the filter is:

(&(objectClass=User)(objectcategory=person)(memberOf=CN=RSACitrixAccess,OU=Groups,DC=2k8r2-vcloud,DC=local))

Note that memberOf matches direct members only; users whose membership comes through a group nested inside RSACitrixAccess are not returned by this filter.

  • Determine the distinguishedName (DN) in the Active Directory properties of the group or OU to which you plan to map, and copy it exactly.

[Figure: Distinguished Name Mapping]


c.  Directory Configuration -  User Groups



  • Typically the User Group name maps to cn.
  • A recommended search filter would be:

(objectClass=group)

  • For Search Scope, select Single level or Search all sublevels in LDAP tree.
  • Set Object Classes to group, top.
  • Set Membership Attribute to member.
  • Set User MemberOf Attribute to memberOf.
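The search filters used on the Map tab, worked through as an added Python example that is not part of the RSA article: a small parser and evaluator for the filter subset used above, run against a constructed in-memory directory so that you can confirm which users a filter selects before pasting it into the Operations Console.  It shows why memberOf must carry the group's full DN, why the objectcategory clause excludes computer accounts, how to follow nested groups with Active Directory's in-chain matching rule (OID 1.2.840.113556.1.4.1941), and that a filter with unbalanced parentheses such as (&(objectClass=group) is rejected.  The OU=Groups location of RSACitrixAccess and the nested Helpdesk group are assumptions; the domain is the article's example domain.

```python
# Map-tab LDAP filter checks: added example, not RSA code.  Parses the RFC 4515
# subset the Map tab uses (&, |, attr=value, AD's in-chain rule) and evaluates it
# against a constructed directory, so a filter can be proven to select the
# intended users before it goes into the Operations Console.
import re

NESTED_OID = "1.2.840.113556.1.4.1941"   # AD LDAP_MATCHING_RULE_IN_CHAIN

def escape_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value; a group DN may contain ( ) * or \\."""
    for ch, esc in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\0", r"\00")):
        value = value.replace(ch, esc)
    return value

def group_member_filter(group_dn: str, nested: bool = False) -> str:
    """Users in group_dn: memberOf needs the full DN; nested=True follows nested groups."""
    attr = f"memberOf:{NESTED_OID}:" if nested else "memberOf"
    return f"(&(objectClass=user)(objectCategory=person)({attr}={escape_value(group_dn)}))"

def parse(filt: str, pos: int = 0):
    """Parse the filter at pos into ('&'|'|', [children]) or ('=', attr, raw value);
    returns (tree, offset just past the closing parenthesis)."""
    if pos >= len(filt) or filt[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if pos < len(filt) and filt[pos] in "&|":
        op, kids, pos = filt[pos], [], pos + 1
        while pos < len(filt) and filt[pos] == "(":
            kid, pos = parse(filt, pos)
            kids.append(kid)
        tree = (op, kids)
    else:
        end = filt.find(")", pos)
        attr, eq, value = filt[pos:end].partition("=")
        if end < 0 or not eq:
            raise ValueError(f"bad simple filter at offset {pos}")
        tree, pos = ("=", attr.strip(), value), end
    if pos >= len(filt) or filt[pos] != ")":          # e.g. the unbalanced (&(objectClass=group)
        raise ValueError(f"expected ')' at offset {pos}")
    return tree, pos + 1

def valid(filt: str) -> bool:
    """True when the whole string is one well-formed filter."""
    try:
        return parse(filt)[1] == len(filt)
    except ValueError:
        return False

def _values(entry: dict, attr: str) -> set:
    v = entry.get(attr.lower(), [])               # entries use lower-cased attribute keys
    return {x.lower() for x in (v if isinstance(v, list) else [v])}

def transitive_groups(entry: dict, directory: dict) -> set:
    """Every group DN reachable through memberOf, following nested groups."""
    seen, todo = set(), list(_values(entry, "memberOf"))
    while todo:
        g = todo.pop()
        if g not in seen:
            seen.add(g)
            todo.extend(_values(directory.get(g, {}), "memberOf"))
    return seen

def matches(tree, entry: dict, directory: dict) -> bool:
    """Evaluate a parsed filter against one entry, case-insensitively as AD does."""
    if tree[0] in ("&", "|"):
        return (all if tree[0] == "&" else any)(matches(k, entry, directory) for k in tree[1])
    _, attr, raw = tree
    if attr.lower().endswith(f":{NESTED_OID}:"):   # memberOf:<OID>:=  (only memberOf modelled)
        have = transitive_groups(entry, directory)
    else:
        have = _values(entry, attr)
    wanted = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), raw, flags=re.I)
    return wanted.lower() in have

DOMAIN = "DC=2k8r2-vcloud,DC=local"                      # the article's example domain
CITRIX_GROUP = f"CN=RSACitrixAccess,OU=Groups,{DOMAIN}"  # assumed location of the group
HELPDESK = f"CN=Helpdesk,OU=Groups,{DOMAIN}"             # assumed group nested inside it
USER = ["top", "person", "organizationalPerson", "user"]

# Constructed directory keyed by lower-cased DN.  objectCategory holds its RDN
# value, which is how AD resolves "objectcategory=person" in a filter.
DIRECTORY = {dn.lower(): e for dn, e in {
    CITRIX_GROUP: {"objectclass": ["top", "group"]},
    HELPDESK: {"objectclass": ["top", "group"], "memberof": [CITRIX_GROUP]},
    f"CN=alice,CN=Users,{DOMAIN}": {"objectclass": USER, "objectcategory": "person",
                                    "samaccountname": "alice", "memberof": [CITRIX_GROUP]},
    f"CN=bob,CN=Users,{DOMAIN}": {"objectclass": USER, "objectcategory": "person",
                                  "samaccountname": "bob", "memberof": [HELPDESK]},
    f"CN=WS01,CN=Computers,{DOMAIN}": {"objectclass": USER + ["computer"],
                                       "objectcategory": "computer", "samaccountname": "WS01$"},
}.items()}

def search(filt: str, directory: dict = DIRECTORY) -> list:
    """sAMAccountNames the filter selects; ValueError for a malformed filter."""
    if not valid(filt):
        raise ValueError("malformed filter: " + filt)
    tree, _ = parse(filt)
    return sorted(e["samaccountname"] for e in directory.values()
                  if "samaccountname" in e and matches(tree, e, directory))
```

Call search() with each candidate filter: the all-users filter from the page returns alice and bob but not the WS01$ computer account; the filter that compares memberOf with a bare CN returns nobody; group_member_filter(CITRIX_GROUP) returns alice, and with nested=True also bob, whose membership comes through the nested Helpdesk group.  Against a real directory the same filters go into ldapsearch or the Operations Console unchanged.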

When done, click Save And Finish.
Notes
  • Authentication Manager needs a consistent connection to one LDAP server to work correctly; therefore round-robin DNS, load balancers and metadirectories in front of an LDAP external identity source are not supported and will cause unpredictable results.
  • For the same reason, consider using an IP address instead of a server or DNS name.
  • Authentication Manager external identity sources should be configured with a failover URL.  The failover is used only if the primary URL is unavailable, meaning that the primary does not accept TCP connections on port 389 for LDAP or 636 for LDAPS.
  • Connectivity between the Authentication Manager primary and replica servers and the external identity source is shown below:

[Figure: LDAP Failover]
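The planning and connectivity checks described in this article (the base-DN overlap rule from the Tasks section, the Directory URL and Test Connection steps on the Connection tab, and the TCP-level failover condition in these Notes), worked through as an added Python example that is not part of the RSA article.  It uses only the standard library.  The identity-source names, the dc=corp,dc=example domain and the bare-host default of ldap://host:389 are this example's assumptions, not statements about what the Operations Console accepts.

```python
"""Pre-flight checks for an Authentication Manager external identity source.

Added example, not RSA code.  Standard library only: base-DN overlap detection
for the planning step, Directory URL parsing for the Connection tab, and the
TCP reachability test that mirrors the failover condition in the Notes.
The identity-source names and the dc=corp,dc=example domain are assumptions.
"""
import re
import socket
import ssl
from urllib.parse import urlsplit


def normalize_dn(dn: str) -> tuple:
    """Split a DN into its RDNs (most specific first), trimmed and lower-cased.
    AD and OpenLDAP compare DNs case-insensitively, so ou=Users equals OU=users."""
    rdns = re.split(r"(?<!\\),", dn)          # split only on commas that are not escaped
    return tuple(re.sub(r"\s*=\s*", "=", r.strip()).lower() for r in rdns)


def dn_within(candidate: str, base: str) -> bool:
    """True when candidate is base itself or lies somewhere beneath it."""
    c, b = normalize_dn(candidate), normalize_dn(base)
    return len(c) >= len(b) and c[len(c) - len(b):] == b


def find_overlaps(sources):
    """sources: list of (name, user_base_dn).  Returns the pairs whose search scopes
    overlap; each pair returned must be re-planned before anything is configured."""
    overlaps = []
    for i, (name1, dn1) in enumerate(sources):
        for name2, dn2 in sources[i + 1:]:
            if dn_within(dn1, dn2) or dn_within(dn2, dn1):
                overlaps.append((name1, name2))
    return overlaps


DEFAULT_PORT = {"ldap": 389, "ldaps": 636}


def parse_directory_url(url: str):
    """Return (scheme, host, port) for an ldap:// or ldaps:// URL.  A bare host name
    is treated as ldap://host:389 here; that default is this helper's assumption."""
    if "://" not in url:
        url = "ldap://" + url
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORT or not parts.hostname:
        raise ValueError("not an LDAP URL: " + url)
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORT[parts.scheme]


def reachable(url: str, timeout: float = 3.0) -> bool:
    """TCP connect check against the URL's host and port: the same condition under
    which Authentication Manager moves to the failover URL, a primary that does not
    accept a TCP connection on its LDAP or LDAPS port being treated as down."""
    _, host, port = parse_directory_url(url)
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ldaps_certificate(url: str) -> str:
    """Fetch the certificate the server presents on its LDAPS port, as PEM text; the
    stdlib counterpart of the openssl s_client method in 000030537.  Only the leaf
    certificate is returned; if the console needs the issuing CA certificate instead,
    take it from openssl s_client -showcerts."""
    scheme, host, port = parse_directory_url(url)
    if scheme != "ldaps":
        raise ValueError("certificate retrieval needs an ldaps:// URL")
    return ssl.get_server_certificate((host, port))


# Constructed planning table: the article's two overlapping sources plus an
# unrelated (assumed) domain that overlaps with neither.
PLANNED_SOURCES = [
    ("Users OU", "ou=Users, DC=2k8r2-vcloud, dc=local"),
    ("Whole domain", "DC=2k8r2-vcloud, dc=local"),
    ("Other forest", "dc=corp, dc=example"),
]

if __name__ == "__main__":
    for pair in find_overlaps(PLANNED_SOURCES):
        print("overlapping scopes, re-plan:", pair)
    print(parse_directory_url("ldaps://dc1.2k8r2-vcloud.local:636"))
    # reachable("ldap://dc1.2k8r2-vcloud.local") and ldaps_certificate(...) need the network
```

find_overlaps flags the two sources from the Tasks section against each other and leaves the unrelated domain alone; reachable() on the primary and failover URLs from the Authentication Manager host's point of view tells you in advance which way a Test Connection will go, and ldaps_certificate() gives you the PEM to import before switching the URL from ldap:// to ldaps://.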
