|Applies To||Active Directory|
Datastore is Active Directory
Sun One identity source
OpenLDAP is used as the platform for the ldapauth client function that the Silver Tail UIserver uses to complete LDAP authentication in the UI.
OpenLDAP provides ldap.conf, which can supply the LDAP configuration details when they are not provided within SilverCat.
|Issue||Configuring and Troubleshooting LDAP Authentication in Silver Tail|
The ldapauth process makes use of the OpenLDAP libraries installed on the OS platform. ldap.conf exists and can be populated with the required LDAP configuration; however, the preferred and overriding method is via the LDAP Authentication section of SilverCat, which results in a section called ldapauth being written to universal.conf, as in the examples below.
Example AD configuration
Example Sun One configuration
UI Server Authentication
In order to authenticate a user via the UI, the user must exist in the internal DB. NB: the internal password is separate from, and should differ from, the user's LDAP password.
The following entry, added under SilverCat, allows the UI to try both methods before failing the authentication.
The program bin/ldapauth can be used to help diagnose LDAP server authentication.
This program reads LDAP configuration in the format used in universal.conf, so it can be run against universal.conf itself or against a copy of it, as follows:
ldapauth -d -f /var/opt/silvertail/etc/universal.conf -u ldapuser -p pa$$word
ldapauth -d -f gcroxford10.conf -u ldapuser -p pa$$word
NOTE: -D displays the entered parameters and will therefore show the user password in clear text. The password is also passed on the command line, so it is visible in shell history and in the process list while ldapauth runs.
If a user is not provided, only the configuration file is parsed. If diagnostics
NOTE: If you use your own conf file rather than universal.conf, the first line of the file must be <silvertail> and the last line must be </silvertail>, as seen here:
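The following is an added example (not Silver Tail's own code) that sanity-checks a stand-alone conf file for the <silvertail> / </silvertail> framing before it is handed to bin/ldapauth, and builds the ldapauth command line from the switches shown above (-d, -f, -u, -p). The tag names and switches come from this article; the sample section text used by the check is a constructed placeholder, not real universal.conf syntax, and the real ldapauth section should be copied from universal.conf.

```python
"""Added example, not Silver Tail's own code: check the framing of a
stand-alone ldapauth config file and build the ldapauth command line.
The tag names and switches are taken from the article; the section
content is a constructed placeholder, not universal.conf syntax."""
import shlex
from typing import List, Optional

OPEN_TAG = "<silvertail>"
CLOSE_TAG = "</silvertail>"


def is_framed(text: str) -> bool:
    """True when the first line is <silvertail> and the last line is
    </silvertail>, which ldapauth requires of any file that is not
    universal.conf itself. Surrounding blank lines are ignored."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    return len(lines) >= 2 and lines[0] == OPEN_TAG and lines[-1] == CLOSE_TAG


def frame_section(section: str) -> str:
    """Wrap a section copied out of universal.conf in the required tags.
    Text that is already framed is returned unchanged, never wrapped twice."""
    body = section.strip("\n")
    if is_framed(body):
        return body + "\n"
    return f"{OPEN_TAG}\n{body}\n{CLOSE_TAG}\n"


def ldapauth_argv(conf_path: str, user: Optional[str] = None,
                  password: Optional[str] = None, debug: bool = True) -> List[str]:
    """argv for bin/ldapauth using the switches shown in the article
    (-d diagnostics, -f config file, -u user, -p password). With no user,
    ldapauth only parses the config file, which is a cheap first check."""
    argv = ["ldapauth"]
    if debug:
        argv.append("-d")
    argv += ["-f", conf_path]
    if user is not None:
        argv += ["-u", user]
        if password is not None:
            argv += ["-p", password]
    return argv


def redacted_cmdline(argv: List[str]) -> str:
    """Shell-quoted command line with the -p value masked, for pasting into
    a ticket. The real argv still carries the password in clear text, as do
    shell history and the process list while ldapauth runs."""
    out = list(argv)
    if "-p" in out and out.index("-p") + 1 < len(out):
        out[out.index("-p") + 1] = "********"
    return shlex.join(out)


if __name__ == "__main__":
    # Constructed placeholder; copy the real ldapauth section from universal.conf.
    conf = frame_section("placeholder-ldapauth-section")
    print(conf, end="")
    print(redacted_cmdline(ldapauth_argv("gcroxford10.conf", "ldapuser", "pa$$word")))
```

Run the parse-only form (no -u) first to confirm the file is accepted, then repeat with -u and -p to test a bind; paste only the redacted command line into tickets or chat.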
LDAP authentication in the Silver Tail UI relies on the internal user database: the user name must exist in the internal DB, with an internal password, before the user can authenticate at all, whether LDAP is used or not.
When LDAP is in use with logins set to 'st,ldap', the user's credentials are presented to the UIserver and the password is first evaluated against the internal DB. If the user/password matches, the user is authenticated and LDAP is not consulted. If that check fails and LDAP authentication is configured, the same user/password is passed in an LDAP query to the configured LDAP server. If this also fails, the user's bad-auth count increments; otherwise the user is authenticated.
Login behaviour is dictated by the SilverCat > Authentication > logins setting.
According to the help text, "logins can also be a comma-separated list of values: 'st,ldap'".
You should be able to swap the order of ldap and st to change where the UIServer checks for authentication first, while keeping the other method as a backup.
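The following is an added example (not Silver Tail's own code) that models the login order described above so the consequences of the logins setting can be seen on realistic input. The internal DB and the LDAP server are constructed stubs: the internal DB holds a salted hash per user and a bad-auth counter, and the LDAP stub stands in for a bind against the directory. The user records, passwords and the function names are assumptions made for the example.

```python
"""Added example, not Silver Tail's own code: a model of the UIserver login
order. The internal DB and LDAP server below are constructed stubs so the
model runs offline; user names and passwords are invented."""
import hashlib
import hmac
from typing import Callable, Dict, Optional, Tuple


def _digest(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed internal user DB: the user must exist here regardless of method.
INTERNAL_DB: Dict[str, dict] = {
    "alice": {"salt": "s1", "hash": _digest("s1", "internal-pw"), "bad_auth": 0},
}

# Constructed LDAP stub: stands in for a bind against the configured server.
# "bob" exists in the directory but not in the internal DB.
LDAP_PASSWORDS: Dict[str, str] = {"alice": "ldap-pw", "bob": "ldap-pw"}


def st_check(user: str, password: str) -> bool:
    """Internal ('st') check against the stored salted hash."""
    rec = INTERNAL_DB.get(user)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], _digest(rec["salt"], password))


def ldap_check(user: str, password: str) -> bool:
    """LDAP check: the same user/password is tried against the directory."""
    return LDAP_PASSWORDS.get(user) == password


METHODS: Dict[str, Callable[[str, str], bool]] = {"st": st_check, "ldap": ldap_check}


def login(user: str, password: str, logins: str = "st,ldap") -> Tuple[bool, Optional[str]]:
    """Return (authenticated, method that accepted the password).
    Mirrors the article: the user must exist in the internal DB; the methods
    in `logins` are tried in order; the first that accepts the password wins
    and later methods are not consulted; bad_auth increments only when every
    configured method has rejected the password."""
    rec = INTERNAL_DB.get(user)
    if rec is None:
        return False, None
    order = [m.strip() for m in logins.split(",") if m.strip()]
    for name in order:
        if name not in METHODS:
            raise ValueError(f"unknown login method {name!r} in logins={logins!r}")
        if METHODS[name](user, password):
            return True, name
    rec["bad_auth"] += 1
    return False, None


if __name__ == "__main__":
    for creds, setting in [(("alice", "internal-pw"), "st,ldap"),
                           (("alice", "ldap-pw"), "st,ldap"),
                           (("alice", "internal-pw"), "ldap"),
                           (("bob", "ldap-pw"), "st,ldap")]:
        print(creds[0], setting, "->", login(*creds, logins=setting))
```

The model makes two consequences of this order visible: with 'st,ldap' an account carries two independently valid passwords, and the internal one keeps working even when the LDAP password is changed or the directory account is disabled; and a user who exists only in the directory (bob) is never authenticated, whatever the logins order.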
LDAPS requires the trusted root and any intermediate chain certificates to be available on the STS server; see LDAPs Authentication with Silver Tail UIserver for further details.
|Legacy Article ID||a62130|