000012688 - How to create an external identity source to Active Directory in RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Apr 12, 2019.

Article Content

Article Number: 000012688
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue

An identity source is a repository that contains user and user group data. Each user and user group in a deployment is associated with an identity source.

RSA Authentication Manager supports the following as identity sources:

  • Microsoft Active Directory 2008 R2
  • Microsoft Active Directory 2012
  • Microsoft Active Directory 2012 R2
  • Microsoft Active Directory Lightweight Directory Services 2012 R2
  • Microsoft Active Directory 2016
  • Sun Java System Directory Server 7.0
  • Oracle Directory Server Enterprise Edition 11g (the default Oracle certificate key size must be at least 2048 bits)
  • OpenLDAP 2.4.40
  • The Authentication Manager internal database

Note:  The certificate used by the LDAPS protocol must be at least 2048 bits. For example, you must replace the default Oracle Directory Server certificate, which is 1024 bits.

In Active Directory, you can add a Global Catalog as an identity source, when some or all of the Active Directory servers in the Active Directory forest are used as identity sources. In such a case, you can use the Global Catalog for runtime activities, such as looking up and identifying users and resolving group membership within the Active Directory forest. You cannot use a Global Catalog identity source to perform administrative tasks.

Authentication Manager supports Active Directory Lightweight Directory Services (LDS) servers if the same server does not also have an Active Directory Domain Controller role. If a server has an Active Directory Domain Controller role, select that identity source type when connecting the identity source to Authentication Manager.

Data from an LDAP Directory

RSA Authentication Manager has read-only access to all LDAP directory identity sources. After a directory is integrated with Authentication Manager, you can use the Security Console to do the following:

  • View (but not add or modify) user and user group data that resides in the directory.
  • Perform Authentication Manager administrative tasks. For example, enable or disable the use of on-demand authentication (ODA) and risk-based authentication (RBA), or assign tokens or user aliases to individual users who reside in the directory.

You must use the LDAP directory native user interface to modify data in a directory.

Data from the Internal Database

Authentication Manager provides an internal database where you can create users and user groups. For users and user groups in the internal database, administrators can use the Security Console to do the following:

  • Add, modify, and view user and user group data.
  • Enable or disable Authentication Manager functions, such as ODA and RBA, for individual users, including users whose accounts are in an LDAP directory.

The following information is stored only in the internal database:

  • Data that is specific to Authentication Manager, such as policies for administrative roles, and records for authentication agents and SecurID authenticators.
  • Data that links Authentication Manager with LDAP directory user and user group records.

Resolution

Creating an external identity source

You create an external identity source from the Operations Console, then use the Security Console to link it to the realm. The internal database is already linked.

Procedure

  1. Log on to the Operations Console on the primary instance.
  2. Click Deployment Configuration > Identity Sources > Add New.
  3. When prompted, enter your Super Admin User ID and password.
  4. In the Identity Source Basics section of the Connection(s) tab, specify:
    1. Identity Source Name. The name of the identity source that is displayed in the Security Console.
    2. Type. The type of the identity source that you are adding.
    3. Notes. Information about the identity source.
  5. In the Directory Connection - Primary section, do the following:
    1. Enter the requested information in the following fields. For detailed information, see Identity Source Properties.
      • Directory URL
      • Directory Failover URL
      • Directory User ID
      • Directory Password
    2. Click Test Connection to ensure that the primary instance can connect to the specified directory. If the test fails, make sure that you have correctly imported the certificate for this identity source.
  6. If you have a replica instance, complete the fields in the Directory Connection - Replica section, and click Validate Connection Information to verify that the primary instance can connect to the identity source. If the attempt fails, do the following:
    1. Verify that you entered the correct settings.
    2. If the settings are correct, make sure the primary instance is able to connect to the identity source.
    3. If the primary instance is able to connect to the identity source, make sure no other network issues are causing the connection failure.
    4. After you make any necessary changes, click Validate Connection Information again.
  7. Click Next.
  8. Provide the requested information for each of the following sections on the Add Identity Source - Map page. For detailed information, see Identity Source Properties.
    1. Directory Settings
    2. (Optional) Active Directory Options
    3. Directory Configuration - User Tracking Attributes
    4. Directory Configuration - Users
    5. Directory Configuration - User Groups
  9. Click Save.
  10. After you finish, use the Security Console to link the new identity source to the system.
    1. Navigate to Setup > Identity Sources > Link Identity Source to System.
    2. Move the identity source from the Available to the Linked box.
    3. Click Save.
    4. If you are logged on to the Security Console, you must log off and log back on to view the new identity source.


Identity Source Basics

Identity Source Name. Unique name for the identity source. This name is displayed in the Security Console to identify the identity source.

Type. The type of identity source. For example, an LDAP identity source type can be Microsoft Active Directory, Microsoft Active Directory Lightweight Directory Services, Oracle Directory Server, Sun Java System Directory Server, or OpenLDAP. After an identity source is added to the deployment, you cannot change the identity source type. For the supported list of identity sources, see View the Identity Sources in Your Deployment.

Notes. You can use up to 255 characters of text to add a note about the identity source.

Directory Connection - Primary and Replica

Directory URL. The URL of the new identity source. If you use the standard SSL-LDAP port 636, specify the value as ldaps://hostname/. For all other ports, you must specify the port number, for example, ldaps://hostname:port/.

Notes:

  • An SSL connection is required for password management.
  • For Active Directory, the Global Catalog can have the same directory URL as another identity source that is not a Global Catalog.

Directory Failover URL. (Optional) The failover directory server is used if the connection with the primary directory server fails. The failover directory server must be a mirror of the primary directory server.

If you want to permit users to change their passwords during authentication, the LDAP directory administrator account must have write privilege for user records in the identity source. If you do not permit password changes, the directory administrator account does not need write privileges.

Directory User ID. The LDAP directory administrator's User ID. For example, you might enter cn=Administrator,cn=Users,dc=domain,dc=com or Administrator@domain.com.

Directory Password. The LDAP directory administrator's password. Make sure that this password is kept up-to-date. If this password expires, the connection to the identity source fails, meaning authentication for all users who use this identity source will fail.
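The URL and account formats described in this section can be checked before the values are typed into the Connection(s) tab. The following Python is an added example, not RSA code; it implements only the rules stated above (ldaps scheme, the port-636 form, a User ID in DN or user@domain form), and the host names and account names in it are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed placeholder values (not hosts or accounts from the article).
EXAMPLE_URL = "ldaps://dc01.example.com/"
EXAMPLE_FAILOVER = "ldaps://dc02.example.com:3269/"
EXAMPLE_USER_ID = "cn=Administrator,cn=Users,dc=domain,dc=com"

_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")   # one attr=value component of a DN
_UPN = re.compile(r"^[^@\s,=]+@[A-Za-z0-9.-]+$")    # user@domain form


def directory_url(hostname, port=636):
    """Build the Directory URL in the form the article asks for:
    ldaps://hostname/ on the standard port 636, ldaps://hostname:port/ otherwise."""
    if port == 636:
        return f"ldaps://{hostname}/"
    return f"ldaps://{hostname}:{port}/"


def check_directory_url(url, label="Directory URL"):
    """Return a list of findings for one URL; an empty list means it looks right."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme != "ldaps":
        # The article requires an SSL connection for password management.
        findings.append(f"{label}: scheme is {parts.scheme!r}, expected ldaps://")
    if not parts.hostname:
        findings.append(f"{label}: no hostname")
    if parts.path != "/" or parts.query or parts.fragment:
        findings.append(f"{label}: should be scheme://host[:port]/ with a trailing slash")
    try:
        if parts.port == 636:
            findings.append(f"{label}: port 636 is the default; write ldaps://{parts.hostname}/")
    except ValueError:
        findings.append(f"{label}: port is not a number")
    return findings


def user_id_form(user_id):
    """Classify the Directory User ID as 'dn' (cn=...,dc=...), 'upn' (user@domain) or None."""
    s = user_id.strip()
    # Split only on commas that are not escaped with a backslash.
    if "=" in s and all(_RDN.match(p.strip()) for p in re.split(r"(?<!\\),", s)):
        return "dn"
    if _UPN.match(s):
        return "upn"
    return None


def check_connection_settings(url, user_id, failover_url=None):
    """Check the Directory Connection fields together; returns all findings."""
    findings = check_directory_url(url)
    if failover_url:
        findings += check_directory_url(failover_url, "Directory Failover URL")
    if user_id_form(user_id) is None:
        findings.append("Directory User ID: expected a DN (cn=...,dc=...) or user@domain form")
    return findings


if __name__ == "__main__":
    for line in check_connection_settings(EXAMPLE_URL, EXAMPLE_USER_ID, EXAMPLE_FAILOVER) or ["OK"]:
        print(line)
```

The checks are deliberately limited to the form of the values; whether the account can actually bind is only known after Test Connection.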




Directory Settings

From the Map tab, use directory settings to narrow the scope of an identity source so that only a subset of the identity source is used. For more information, see "Identity Source Scope" in the RSA Authentication Manager 8.4 Administrator's Guide, or the guide relevant to your version.

If you narrow the scope of an identity source, you must schedule a cleanup job to remove references to unresolvable users and user groups from the internal database. For more information, see Schedule a Cleanup Job.

User Base DN. The base DN for directory user definitions. For example, for Active Directory, you might enter cn=Users, dc=domainName, dc=com.

User Group Base DN. The base DN for directory user group definitions. For example, for Active Directory, you might enter ou=Groups, dc=domain, dc=com.

It is important to follow these practices:

  • Do not configure multiple identity sources with overlapping scope. If you have multiple identity sources that point to the same User Base DN or User Group Base DN, ensure that the User Search Filter and User Group Search Filter are configured so that each user and user group appears only in one identity source. Improper configuration may result in unresolvable users and authentication problems.
  • If an attribute value contains a comma or an equal sign, you must escape these characters with a backslash. For example, if the attribute ou has the value of A=B, Inc, you must write this out as ou=A\=B\, Inc. If you do not escape these characters in an attribute value, the connection to the identity source fails. This only applies to commas or equal signs used in an attribute value. Do not escape commas separating elements of a distinguished name, for example, cn=Joe Smith, ou=Sales, or equal signs between a moniker and its attribute value, for example, ou=Sales.
  • The default organizational unit "Groups" does not exist in the default Active Directory installation. Make sure you specify a valid container for the User Group Base DN.

Search Results Time-out. Limits how long a search will continue. If searches for users or groups are timing out on the directory server, either extend this time, or narrow individual search results. For example, instead of Last Name = *, use Last Name = G*.

User Account Enabled State. Specify where RSA Authentication Manager looks for the enabled/disabled state of user accounts.

  • Select Directory to look in the external identity source only. If the user account is disabled in the external identity source, the user cannot authenticate. The ability of the user to authenticate is based solely on the User Account Enabled State in the external identity source.
  • Select Directory and Internal Database to look in the internal database in addition to the external identity source. The user account must be enabled in both the internal database and the external identity source for the user to authenticate. If the user account is disabled in either the internal database or the external identity source, the user cannot authenticate.

Validate Map Against Schema. Validates identity attribute definition mappings to the directory schema when identity attribute definitions are created or modified.

Note:  Do not turn on schema validation for an OpenLDAP directory identity source.


Active Directory Options

Global Catalog. Select this if the identity source is an Active Directory Global Catalog.

User Authentication. Select one of the following as the source for user authentication:

  • Authenticate users to this identity source. Select this option if the identity source is not associated with a Global Catalog. If no Global Catalogs are configured as identity sources, this option is selected automatically.
  • Authenticate users to a global catalog. Select this option if the identity source is associated with a Global Catalog, and select a Global Catalog from the drop-down menu.

Directory Configuration - User Tracking Attributes

User ID. Select one of the following to map the User ID:

  • Maps to. Select this option to map the User ID to a specified attribute.
  • Uses the same mapping as E-mail. Select this option to map the User ID to the e-mail attribute. If you choose this option, the User ID and e-mail fields have the same value. The e-mail attribute must already be defined in the directory.

When you change the User ID mapping, make sure that the new field is unique for all users and does not overlap with the old field. This prevents administrative data from being associated with the wrong user records for some users. For example, if the old mapping has the User ID of jdoe, the new mapping should not contain the User ID jdoe.

To ensure a smooth transition from the old User ID mapping to the new, you need to clean up unresolvable users to update the internal user records with the new User IDs. Perform this task immediately after you change the mapping. For more information, see Schedule a Cleanup Job.

Unique Identifier. A unique identifier to help the Security Console find users whose DNs have changed.

The following table lists the recommended default value for the Unique Identifier for each supported LDAP directory identity source.

LDAP Directory Identity Source      Unique Identifier Default Value
Microsoft Active Directory          ObjectGUID
Sun Java System Directory Server    nsUniqueID
Oracle Directory Server             nsUniqueID
OpenLDAP                            entryUUID

You must specify the Unique Identifier before you move or rename LDAP directory users who are viewed or managed through the Security Console. Otherwise, the system creates a duplicate record for the users that you move or rename, and disassociates them from data the system has stored for them.

Enter an attribute from your directory that meets these requirements:

  • The attribute must contain unique data for each user. For example, an employee ID number or badge number that is unique for each user in the deployment.
  • The attribute must contain data for each user. The value cannot be empty.
  • The attribute value cannot change. If the value for a user changes, Authentication Manager cannot track the user. You cannot map any other fields to the attribute that you map to the Unique Identifier.
  • The attribute name can contain up to 64 characters.
  • The attribute value can contain up to 42 characters.

Note:  RSA does not recommend using the default value if you are using third-party directory management tools that handle moving users from one DN to another by deleting the users and adding them back to the directory.
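The requirements above that can be checked statically (unique for every user, never empty, within the 64-character name and 42-character value limits, and not already mapped to another field) can be verified against an export of the user entries before the mapping is saved. The Python below is an added example, not RSA code; the user entries are constructed sample data, and the requirement that the value never changes is not something a single export can prove.

```python
# Constructed sample directory export (not data from the article): one dict per user.
SAMPLE_USERS = [
    {"dn": "cn=Joe Smith,cn=Users,dc=domain,dc=com", "employeeID": "10001", "mail": "jsmith@domain.com"},
    {"dn": "cn=Ann Lee,cn=Users,dc=domain,dc=com", "employeeID": "10002", "mail": "alee@domain.com"},
    {"dn": "cn=Bob Ray,cn=Users,dc=domain,dc=com", "employeeID": "10002", "mail": ""},
]

MAX_ATTR_NAME = 64   # attribute name limit stated in the article
MAX_ATTR_VALUE = 42  # attribute value limit stated in the article


def check_unique_identifier(entries, attr, other_mappings=None):
    """Check whether directory attribute `attr` can serve as the Unique Identifier.

    entries: iterable of dicts mapping attribute name -> value (None or "" = absent).
    other_mappings: the other field mappings, e.g. {"E-mail": "mail"}; the Unique
    Identifier attribute may not be mapped to any other field.
    Returns a list of findings; an empty list means every static requirement holds.
    Whether the value stays constant over time cannot be decided from one export.
    """
    findings = []
    if len(attr) > MAX_ATTR_NAME:
        findings.append(f"attribute name {attr!r} exceeds {MAX_ATTR_NAME} characters")
    for field, mapped in (other_mappings or {}).items():
        if mapped == attr:
            findings.append(f"{attr} is already mapped to {field}; choose a different attribute")
    seen = {}  # value -> DN of the first user carrying it
    for entry in entries:
        dn = entry.get("dn", "<no dn>")
        value = entry.get(attr)
        if value is None or str(value) == "":
            findings.append(f"{dn}: {attr} is empty")
            continue
        value = str(value)
        if len(value) > MAX_ATTR_VALUE:
            findings.append(f"{dn}: {attr} value exceeds {MAX_ATTR_VALUE} characters")
        if value in seen:
            findings.append(f"{dn}: {attr}={value!r} duplicates {seen[value]}")
        else:
            seen[value] = dn
    return findings


if __name__ == "__main__":
    for candidate in ("employeeID", "mail"):
        result = check_unique_identifier(SAMPLE_USERS, candidate, {"E-mail": "mail"})
        print(candidate, result or ["OK"])
```

Run against the sample data, employeeID fails only on the duplicate value shared by two users, while mail fails both because it is already mapped to E-mail and because one user has no value.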


Directory Configuration - Users

First Name. The directory attribute that maps to the first name attribute. By default, First Name maps to givenName.

Middle Name. The directory attribute that maps to the middle name attribute. By default, Middle Name maps to initials.

Last Name. The directory attribute that maps to the last name attribute. By default, Last Name maps to sn.

E-mail. The directory attribute that maps to the e-mail attribute. By default, E-mail maps to mail.

Certificate DN. Reserved for future use. By default, it is mapped to comment. Do not map certificate to critical fields, such as cn or sAMAccountName.

Password. The directory attribute that maps to the password attribute. By default, Password maps to unicodePwd.

Search Filter. The filter that specifies how user entries are distinguished in the LDAP directory, such as a filter on the user object class. Any valid LDAP filter for user entries is allowed, for example, (objectclass=inetOrgPerson).

Search Scope. The scope of user searches in the LDAP tree.

Object Classes. The object class of users in the identity source that are managed using the Security Console, for example, user,organizationalPerson,person.
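When a User ID is resolved at runtime, the Search Filter, the Object Classes and the mapped User ID attribute all end up in one LDAP query. The Python below is an added example, not RSA code and not the product's own query logic: it shows how those pieces combine into a single AND filter and why a value that arrives from a login prompt must be escaped (RFC 4515) before it is placed in the filter, so that a crafted User ID cannot change the filter's structure. Using sAMAccountName as the mapped User ID attribute is an assumption, and the sample User IDs are constructed; it also covers the narrowing filter from the Search Results Time-out example (Last Name = G*), where the wildcard is added deliberately by the administrator rather than taken from input.

```python
# Characters that RFC 4515 requires to be escaped inside a filter assertion value.
_FILTER_SPECIAL = "\\*()\x00"


def escape_filter_value(value):
    """Escape a value for an LDAP search filter: backslash, *, (, ) and NUL become \\XX."""
    return "".join(f"\\{ord(ch):02x}" if ch in _FILTER_SPECIAL else ch for ch in value)


def object_class_clauses(object_classes):
    """Turn the comma-separated Object Classes field (e.g. 'user,organizationalPerson,person')
    into one (objectclass=...) clause per class."""
    return [f"(objectclass={escape_filter_value(oc.strip())})"
            for oc in object_classes.split(",") if oc.strip()]


def user_lookup_filter(user_id_attr, user_id, search_filter="", object_classes=""):
    """Build the AND filter that finds one user by its mapped User ID attribute.
    search_filter is the identity source's own Search Filter and is used as-is (it is
    administrator-supplied configuration); user_id is untrusted input and is escaped."""
    clauses = []
    if search_filter:
        clauses.append(search_filter)
    clauses += object_class_clauses(object_classes)
    clauses.append(f"({user_id_attr}={escape_filter_value(user_id)})")
    return "(&" + "".join(clauses) + ")"


def prefix_filter(attr, prefix):
    """Narrowing filter like the article's 'Last Name = G*': the wildcard is appended
    here, so a '*' typed inside the prefix is escaped instead of widening the search."""
    return f"({attr}={escape_filter_value(prefix)}*)"


if __name__ == "__main__":
    # Assumed mapping: User ID -> sAMAccountName; "jdoe" is a constructed User ID.
    print(user_lookup_filter("sAMAccountName", "jdoe", "(objectclass=inetOrgPerson)"))
    # Once escaped, filter metacharacters in the User ID are matched literally:
    print(user_lookup_filter("sAMAccountName", "*)(objectclass=*", "(objectclass=user)"))
    print(prefix_filter("sn", "G"))
```

The split between trusted configuration (Search Filter, Object Classes) and untrusted input (the User ID) is the point: the former is written by the administrator and passed through unchanged, the latter is always escaped.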


Directory Configuration - User Groups

User Group Name. The directory attribute that maps to the user group name attribute. For example, the User Group Name might map to cn.

Search Filter. An LDAP filter that returns only group entries, such as a filter on the user group object class, for example, (objectclass=group).

Search Scope. The scope of user group searches in the LDAP tree.

Object Classes. The object class of user groups that are created or updated using the Security Console.

Membership Attribute. The attribute that contains the DNs of all the users and user groups that are members of a user group.

Use MemberOf Attribute. Enables the system to resolve membership queries by using the value specified for the MemberOf attribute.

Note:  For an OpenLDAP directory identity source, do not select Use MemberOf Attribute.

MemberOf Attribute. The attribute of users and user groups that contains the DNs of the user groups to which they belong.



Linking the identity source to the realm

You must link all LDAP directory identity sources to the system. After linking, all users in the identity source can be viewed and managed through the Security Console. Users are visible in the top-level security domain by default, but you can move them to other security domains as necessary. Additionally, you can configure the system to place users from the identity source into a specific security domain automatically. For more information, see Default Security Domain Mappings.

Before you begin

  • You must be a Super Admin.
  • If you link an Active Directory Global Catalog, you must also link each identity source that replicates user data to that Global Catalog. For example, if identity sources IS1 and IS2 replicate information to Global Catalog GC1, and you link GC1 as an identity source, you must also link IS1 and IS2 to the system.

Procedure

  1. In the Security Console, click Setup > Identity Sources > Link Identity Source to System.
  2. From the list of available identity sources, select the identity source that you want to link, and click the right arrow to move it to the Linked box.
  3. Click Save.

Workaround

Use the Security Console's Help menu in RSA Authentication Manager 8.x or higher, and search for LDAP or any other relevant keywords.

If LDAP connections are not possible, users can be created in the internal database.

Legacy Article ID: a63091
