000017508 - Troubleshooting LDAP Authentication in Silver Tail

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.

Article Content

Article Number: 000017508

Applies To:
Active Directory
Datastore is Active Directory
Sun One identity source
OpenLDAP is used as a platform for the ldapauth client function used by the Silver Tail UIserver to complete LDAP authentication in the UI.
OpenLDAP provides ldap.conf, which can be used to supply the LDAP configuration details when they are not provided within SilverCat.
RHEL6
CentOS
 
Issue: Configuring and Troubleshooting LDAP Authentication in Silver Tail
Resolution

Configuration


The LDAPauth process makes use of the OpenLDAP libraries installed on the OS platform. ldap.conf exists and can be configured with the required LDAP settings; however, the preferred (and overriding) method is via the LDAP Authentication section of Silver Cat, which results in a section called ldapauth being written to universal.conf, as in the examples below.


Example AD configuration


<ldapauth
        url="ldaps://gcroxford10.gcwin2k3.csuk.eu.rsa.net"
        basedn="DC=gcwin2k3,DC=csuk,DC=eu,DC=rsa,DC=net"
        searchdn="CN=administrator,CN=Users,DC=gcwin2k3,DC=csuk,DC=eu,DC=rsa,DC=net"
        password="passw0rd."
        userattr="userPrincipalName,samAccountName"
        filter="(objectClass=user)"
        scope="subtree"
        />


Example Sun One configuration


<ldapauth
        url="ldaps://gcsun1.csuk.eu.rsa.net"
        basedn="o=rsa,c=uk"
        searchdn="uid=ldadmin, ou=sts-grp,ou=admins,o=rsa,c=uk"
        password="passw0rd."
        userattr="uid"
        filter="(objectClass=person)"
        scope="subtree"
        />


 

UI Server Authentication


In order to authenticate a user via the UI, the user must exist in the internal DB. NB: the internal password must be different from the user's LDAP password!


The following entry, added under Silver Cat, allows the UI to try both methods before failing the authentication.


    <authentication
        logins="ldap, st"
        fails="2"
        />


 

Diagnostics


The program bin/ldapauth can be used to help diagnose LDAP server authentication.


This program reads LDAP configuration in the same format used in universal.conf, so it can be run against universal.conf itself or against a copy of it, as follows (quote the password in single quotes if it contains shell metacharacters such as $):


ldapauth -d  -f /var/opt/silvertail/etc/universal.conf -u ldapuser -p pa$$word


ldapauth -d  -f gcroxford10.conf -u ldapuser -p pa$$word


bin/ldapauth [params]
 Optional params:
    -f --conf=<CONF FILE>    The configuration file (required).
    -d --diagnostics         Display diagnostic information.
    -u --user=<username>     The user name to evaluate for authentication.
    -p --password=<password> The password to test authentication of user name.
                             A password will be requested interactively if it
                             is not included.
    -D --debug               Use DEBUG priority for logging.


NOTE: -D will display the entered parameters and will therefore show the user password in clear text in the log output.


If a user is not provided then the configuration file is parsed. If diagnostics are enabled, then the configuration file settings will be shown. If a password is not provided then a password will be requested. If diagnostics are enabled, then more information about the authentication process is shown.


Test Environment


NOTE: If you use your own conf file rather than universal.conf, the first line of the file must be <silvertail> and the last line must be </silvertail>,


as seen here:


<silvertail>


   <ldapauth
        url="ldaps://gcroxford10.gcwin2k3.csuk.eu.rsa.net"
        basedn="DC=gcwin2k3,DC=csuk,DC=eu,DC=rsa,DC=net"
        searchdn="CN=administrator,CN=Users,DC=gcwin2k3,DC=csuk,DC=eu,DC=rsa,DC=net"
        password="passw0rd."
        userattr="samAccountName"
        filter="(objectClass=user)"
        scope="subtree"
        />


</silvertail>

Notes

LDAP authentication in the Silver Tail UI relies upon the internal user database: the user name must exist in the internal DB, with an internal password, for the user to be able to authenticate, whether LDAP is used or not.


When using LDAP, the user's credentials are presented to the UIserver and the password is first evaluated against the internal DB; if the user/password matches, the user is authenticated and LDAP is not used. If the internal check fails and LDAP authentication is configured, the same user/password is passed in an LDAP query to the configured LDAP server. If this also fails, the user's bad-auth count increments; otherwise the user is authenticated.


 


Login behavior is dictated by the SilverCat > Authentication > logins setting.


According to the help text, "logins can also be a comma-separated list of values: 'st,ldap'".


You should be able to switch ldap and st to change the order in which the UIServer checks for authentication, and so have a backup authentication method.
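The login chain described in the Notes above (internal DB and LDAP tried in the order given by `logins`, with the bad-auth counter driven by `fails`), as an added Python model that is not Silver Tail code. The conf fragment, the internal user table, the stand-in LDAP directory and the treatment of `fails` as a lockout threshold are all constructed assumptions; a real UIserver binds to the configured LDAP server instead of consulting a dictionary.

```python
import xml.etree.ElementTree as ET

# Constructed universal.conf fragment in the <silvertail> wrapper the article describes.
CONF = """<silvertail>
    <authentication logins="ldap, st" fails="2"/>
    <ldapauth url="ldaps://ldap.example.invalid" basedn="DC=example,DC=invalid"
        searchdn="CN=svc,CN=Users,DC=example,DC=invalid" password="PLACEHOLDER"
        userattr="userPrincipalName,samAccountName" filter="(objectClass=user)"
        scope="subtree"/>
</silvertail>"""

# Constructed internal ("st") user DB: note alice's internal password differs from her LDAP one.
INTERNAL_DB = {"alice": "internal-secret"}
# Constructed stand-in for the LDAP server; bob exists in LDAP but not in the internal DB.
LDAP_DIRECTORY = {"alice": "ldap-secret", "bob": "ldap-secret"}
BAD_AUTH = {}  # per-user bad-auth counter kept by the UIserver


def load_auth_settings(conf_text):
    """Parse the <authentication> element: ordered login methods and the fails threshold."""
    root = ET.fromstring(conf_text)
    auth = root.find("authentication")
    logins = [m.strip() for m in auth.get("logins", "st").split(",")]
    return logins, int(auth.get("fails", "0")), root.find("ldapauth") is not None


def st_check(user, pw):
    return INTERNAL_DB.get(user) == pw


def ldap_check(user, pw):  # assumption: stands in for a simple bind as the user
    return LDAP_DIRECTORY.get(user) == pw


def login(user, pw, conf_text=CONF):
    """Return which method authenticated the user, or why the attempt was rejected."""
    logins, fails, ldap_configured = load_auth_settings(conf_text)
    if user not in INTERNAL_DB:          # no internal user -> never authenticated
        return "no-internal-user"
    if fails and BAD_AUTH.get(user, 0) >= fails:  # assumption: fails is a lockout threshold
        return "locked"
    for method in logins:                # same credentials offered to each method in order
        if method == "st" and st_check(user, pw):
            return "st"
        if method == "ldap" and ldap_configured and ldap_check(user, pw):
            return "ldap"
    BAD_AUTH[user] = BAD_AUTH.get(user, 0) + 1
    return "failed"
```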
LDAPS requires the trusted root and any intermediate chain certificates to be available on the STS server; see "LDAPs Authentication with Silver Tail UIserver" for further details.

Legacy Article ID: a62130
