How To Add or Configure an External LDAP Identity Source On RSA Authentication Manager
5 hours ago
Originally Published: 2016-06-01
Article Number
000066290
Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x

Issue

An administrator is unable to add, configure, or successfully connect an external LDAP identity source in RSA Authentication Manager. After an incorrect or incomplete configuration, users from the identity source may also fail to authenticate.

Observable symptoms may include one or more of the following:

  • The Test Connection button in the Operations Console returns a failure when configuring the identity source
  • Users from the external identity source fail to authenticate against any protected agent
  • The Authentication Activity Monitor shows the following error:
    Authentication Manager failed to resolve that user
  • Authentication failures occur after an LDAP directory account password change without updating the identity source credentials in Authentication Manager
  • Two identity sources with overlapping base DNs conflict, causing unpredictable authentication failures across both sources
Tasks

Before continuing,

  1. Obtain a full admin rights account to the LDAP directory; for example, a domain admin for Active Directory.  Less than full admin rights may result in unpredictable behavior.  The Authentication Manager admin does not need to know the password for this account, as the domain admin could type it into the External Identity Configuration page in the Operations Console and it will be obscured. 

Note that if this account password changes or the account no longer works, all users with tokens from this particular external identity source will fail to authenticate, and the reason in the authentication activity logs will be that Authentication Manager failed to resolve that user.  To correct the error,  simply update the Directory User ID field and Directory password values to the correct information.  Ideally, work with the domain admin so that if the user ID or password are scheduled to change, the RSA admin is notified so  that  the  Directory User ID and  Directory Password are updated at the same time they are updated on the external identity source to avoid authentication failures.

  1. Plan all external identity sources so that there is no overlap in the LDAP search query presented to Authentication Manager.  For example, two separate external identity sources, one with the base DN URL of ou=Users, DC=2k8r2-vcloud, dc=local and the second external identity source of DC=2k8r2-vcloud, dc=local would be considered an overlap because one is a subset of the other.  Such overlap will cause conflicts in  the underlying system, resulting in authentication failures.
  2. If possible, get unencrypted LDAP working first, then add encryption with LDAPS as the last step. 
  3. Use the Test Connection button in the external identity source configuration in the Authentication Manager Operations Console to prove either LDAP or LDAPS is working.
Resolution

Before You Begin

  1. Obtain a directory account with full admin rights to the LDAP directory (e.g., a domain admin account for Active Directory). Using an account with less than full admin rights may cause unpredictable behavior.

    NOTE: The Authentication Manager administrator does not need to know this account's password — the domain admin can enter it directly into the Operations Console, where it will be obscured. However, if this account's password changes or the account becomes inactive, all users from this identity source will immediately fail to authenticate. Coordinate with the domain admin to ensure the Operations Console credentials are updated whenever this account's credentials change.

  2. Plan all external identity sources to ensure no overlap in LDAP search query scopes. Two identity sources where one base DN is a subset of the other will conflict and cause authentication failures. For example, the following two base DNs overlap and must not be used together:
    ou=Users,DC=<domain>,dc=<tld>
    DC=<domain>,dc=<tld>
  3. If configuring LDAPS (SSL/TLS), first verify that unencrypted LDAP connectivity is working before adding encryption. For instructions on obtaining the LDAPS certificate from your identity source, see KB 000030537 — Get the external Identity Source LDAPS certificate using openssl for Authentication Manager 8.1.

Part 1: Configure the Connection Tab

  1. Open a browser and log in to the Operations Console:
    https://<AM_server_FQDN>:7072/operations-console/
  2. Navigate to Deployment Configuration > Identity Sources.
  3. Click Add New to create a new identity source, or click Manage Existing to update one already created.

Identity Source Basics

  1. In the Identity Source Name field, enter a name for the identity source.
  2. From the Type dropdown, select the type of external identity source:
    • Microsoft Active Directory
    • Oracle Directory Server / Sun Java System Directory Server
    • OpenLDAP

Directory Connection — Primary

  1. In the Directory URL field, enter the FQDN or IP address of the primary directory server (e.g., the primary domain controller).
  2. In the Directory Failover URL field, enter the FQDN or IP address of a failover directory server.

    NOTE: The failover URL is optional but highly recommended. It should point to an alternate site. The failover is only activated if the primary URL stops responding to TCP SYN connections on port 389 (LDAP) or port 636 (LDAPS).

  3. Enter the Directory User ID and Directory Password for the full admin rights account from Step 1.
  4. Click Test Connection.

    CAUTION: The Test Connection must pass before proceeding. If the test fails, verify the directory URL, credentials, and network connectivity before continuing.

Directory Connection — Replica (if applicable)

  1. In the Directory Connection — Replica section, enter the Directory URL, Failover URL (optional), Directory User ID, and Directory Password for the replica instance.

    NOTE: Replicas require their own directory URL. Map each replica to its local domain controller rather than routing across a WAN.

  2. Click Validate Connection Information.

    NOTE: The Test Connectivity option for a replica can only be run from that replica's own Operations Console.

  3. Once the Test Connection is successful, click Next to proceed to the Map tab.

Part 2: Configure the Map Tab

Directory Settings

  1. In the User Base DN field, enter the base DN for your user directory. For example:
    cn=Users,dc=<domain>,dc=<tld>
  2. Enter the same value in the Group Base DN field.
  3. For User Account Enabled State, select one of the following:
    • Directory — searches only the external identity source
    • Directory and Internal Database — searches both the external source and the internal database
  4. Optionally, select Validate Map Against Schema to validate schema settings each time they are created or modified.

Active Directory Options (Active Directory only)

  1. If this identity source is a Global Catalog, select the Global Catalog option.

    NOTE: If you configure this as a Global Catalog, you must also create a runtime source to perform administrative tasks. See KB 000034202 — Unable to link Global Catalog (runtime identity source) to RSA Authentication Manager 8.x for instructions.

  2. Under User Authentication, indicate whether users will be authenticated against this identity source or a Global Catalog.

Directory Configuration — User Tracking Attributes

  1. Configure the User ID and Unique Identifier values.

    NOTE: The Unique Identifier is typically mapped to objectGUID.

Directory Configuration — Users: Field Mapping

  1. Review or modify the default field mappings as needed for your environment:
    Authentication Manager FieldDefault AD Attribute
    UserIDsamAccountName
    Unique IdentifierobjectGUID
    First or given namegivenName
    Middle Nameinitials
    Last namesn
    Emailmail
    Certificate DNcomment
    PasswordunicodePwd

Directory Configuration — Users: LDAP Search Filters

  1. Configure the LDAP search filter. To search for all users in scope, use:
    (& (objectClass=User)(objectcategory=person))
    To filter users by group membership, use:
    (& (objectClass=User)(objectcategory=person)(memberOf=CN=<GroupName>,<BaseDN>))
  2. Determine the distinguishedName (DN) in Active Directory for the group or OU to which you plan to map.

Distinguished Name Mapping

Directory Configuration — User Groups

  1. Confirm the User Group Name is mapped to cn (default).
  2. Set the search filter to:
    (& (objectClass=group))
  3. For Search Scope, select Single level or Search all sublevels in LDAP tree.
  4. Set Object Classes to group, top.
  5. Under User MemberOf Attribute, set Membership Attribute to member.
  6. Set MemberOfAttribute to memberOf.
  7. Click Save And Finish.

Verify

  • Log in to the Security Console.
  • Navigate to Identity > Users > Manage Existing.
  • Set the Identity Source filter to the newly created identity source and confirm that users appear in search results.
  • Test authentication for at least one user from the new identity source against a protected agent and confirm it succeeds.

NOTE: After saving a new identity source, you must log out and log back in to the Security Console before the new identity source appears in search and filter options.

 
Notes
  • Authentication Manager needs a consistent connection into an LDAP server to work correctly; therefore, various types of round-robin DNS lookups, load balancing, or metadirectories for an LDAP external identity source are not supported and will cause unpredictable results.  
  • You may want to consider using an IP address instead of a server or DNS name.  
  • Authentication Manager external identity sources should be configured with a failover URL.  That failover will only be used if the primary URL is unavailable, which means that the primary does not respond to TCP SYN connections on port 389 for LDAP or 636 for LDAPS.  
  • Connectivity between the Authentication Manager primary and replica server and the external identity source are shown below:

                                              LDAP Failover