Skip to content

LDAP Server Configuration

When you use LDAP to authenticate or authorize users, Management and Security Server makes a read-only connection to the LDAP server. Use these settings to configure that connection.

LDAP Servers

You can ADD, EDIT, TEST, or DELETE the connection for each LDAP server. Check with your organization’s LDAP administrator for more information, if needed to configure these options.

To use more than one LDAP server to authenticate or authorize users, you must first set a property. See Enabling Multiple LDAP Servers, and then proceed with the LDAP configuration for each server.

Enabling Multiple LDAP Servers

More than one LDAP server can be configured to authenticate and authorize users. A property must be set, and then the servers can be added and configured.

To enable multiple LDAP servers:

  1. Open the Kubernetes dashboard:

    a. From the MSS Administrative Console drop-down menu, click Cluster Management.

    b. Click Advanced, and slide the button to enable the Kubernetes dashboard.

    c. Copy the authentication token, click the URL, and paste the token into the field provided.

    d. Click Sign in.

  2. Shell into an application instance (pod) in Kubernetes:

    a. Under Workloads, click Pods.

    b. Use the Name column or the Filter to locate an mss-mss-server pod.

    c. On the far right, click vertical ellipsis Exec to open a shell to access the pod's file system.

  3. At the shell prompt:

    a. Make a backup copy of PropertyDS.xml:
        cp /mssdata/PropertyDS.xml /mssdata/PropertyDS.bak

    b. Then, use the built-in nano editor to open PropertyDS.xml for editing:
        nano /mssdata/PropertyDS.xml

    c. Press Alt+C to show the line numbers in nano

    d. Use the arrow keys to navigate to these XML elements, found around line 15

    <CORE_PROPERTY NAME="AC.DirAllowMultiLdap">
        <BOOLEAN>false</BOOLEAN>
    </CORE_PROPERTY>
    

    e. Change the Boolean value from false to true.

    f. Press Ctrl+O then ENTER to write the file.

    g. Press Ctrl+X to exit the editor.

  4. Return to the MSS Admin Console's Cluster Management view.

    a. Click Services, and locate the mss-mss-server service.

    b. Click ellipsis Redeploy All.

    Important

    Be aware that end users may be affected when a service is redeployed.

  5. Return to the MSS Administrative Console and enter the LDAP Configuration information for each LDAP Server.

    Or, if you are configuring Windows Authentication - Kerberos, return to Configuring Kerberos.

Note

To revert to a single LDAP server, set the property value to false, save the file, and redeploy the MSS server.

LDAP Configuration

Click +ADD to open the LDAP Configuration panel, or select a server and click EDIT.

Enter or edit the LDAP Server information.

  • Server type

    Select the type of LDAP server you are using. The options on this panel change depending on the LDAP server type you select. If you do not see your specific LDAP server in the list, select Generic LDAP Compliant Directory Server (RFC 2256).

  • Security options

    Data can be passed between the MSS Server and the LDAP server as clear text or encrypted. The type of encryption used depends on your LDAP server. TLS is available for all server types, and Kerberos v5 is available for Windows Active Directory.

    Plain Text. By default, Management and Security Server transmits data between the MSS Server and the LDAP server in clear text. If you choose this option, you should prevent users from accessing the network link between these two servers.

    TLS. When using TLS as the security option for an LDAP server, you must import the server’s trusted certificate. Use the IMPORT CERTIFICATE button (below). If you are presented with multiple certificates, it is best to import the CA certificate.

    Kerberos v5. When you select Windows Active Directory with Kerberos, you must enter the name of the Kerberos key distribution centers. Multiple key distribution centers, delimited by commas or spaces, can be used. If you do not know the name of the Kerberos key distribution center, enter the fully-qualified DNS name of the Active Directory server.

    The option under the key distribution center name field allows you to encrypt all data transmitted over the Kerberos connection. By default, only user names and passwords are passed securely between the Server and LDAP servers using Kerberos. Encrypting all data is more secure, but may increase performance overhead.

  • Server name

    Enter the LDAP server name as either a name or a full IP address. If you selected TLS, this LDAP server name must exactly match the Common Name on the LDAP server's certificate.

    Multiple server names, delimited by commas or spaces, can be used for failover support. If an LDAP server is down, the next server on the list will be contacted. In this case, all fields specified on this panel that are used for LDAP connections should be available on all the LDAP servers, and should have identical configurations.

    Windows Active Directory and DNS domain. When Windows Active Directory is selected (without Kerberos), you have the option to use a DNS domain instead of a specific domain controller. No further configuration is required. When selected, you do not need to specify a domain controller address or the corresponding NetBIOS name because Management and Security Server provides the Domain Controller Locator Service. This service can be used only when the MSS running on Windows.

    For example, when you enter a domain name, such as mycompany.com, MSS automatically finds an available domain server and the domain name, which can be different from the DNS domain.

  • Server port

    Enter the port used by your LDAP server. The default is 389 for plain text or 636 for TLS.

    If you are using Windows Active Directory, you may wish to set the server port to the global catalog port, which is 3268 (or 3269 over TLS). Global catalog searches can be faster than referral-based cross-domain searches.

  • Username and Password

    Provide the username and password for an LDAP server account that can be used to access the directory in Read-only mode. Generally, the account does not require any special directory privileges but must be able to search the directory based on the most common directory attributes (such as cn, ou, member and memberOf). Re-enter the password in the Password confirmation box.

    Note

    The username must uniquely identify the user in the directory. The syntax depends on the type of LDAP server you are using.

    • For Windows Active Directory with Plain Text, enter

      NetBIOS domain\sAMAccountName (such as exampledomain\username) userPrincipalName (such as username@exampledomain.com) or distinguished name (such as uid=examplename,DC=examplecorp,DC=com).

    • For any other LDAP server type, enter the distinguished name (such as uid=examplename,DC=examplecorp,DC=com).

    If this account password changes, be sure to update the account password here and apply the new settings.

    To avoid this problem, you may wish to set up an account that is not subject to automatic password aging policies, or that cannot be changed by other administrators without notice.

Search Base and Groups/Folders

  • Directory search base

    Enter the distinguished name of the node in the directory tree you want to use as the base for MSS Server search operations. Examples: DC=my_corp,DC=com or o=my_corp.com.

    For more information about how to describe the search base, contact the LDAP administrator for your organization.

Info

If you are using LDAP authorization with OpenID Connect, return to Configuring OpenID Connect.

Groups or folders

While you can assign sessions to specific users in the directory, you can also assign sessions to either Logical groups or Folders. Choose the option that reflects the way the data is organized in your directory -- and the way you want to Assign Access. For instance if you want to assign access to a folder, then Folders must be selected here.

In Management and Security Server, the term folder is used to describe both organizational units and containers. Most directories have an organizational structure that uses logical groups; for example, groupOfNames and groupOfUniqueNames.

Certificate

Click IMPORT CERTIFICATE to import the LDAP server's trusted certificate into the JRE's default trusted keystore. This button displays when TLS is selected.

Authentication of End Users

LDAP attribute for identifier. The default LDAP attribute to use as an identifier is available when you select an LDAP server type.

Default LDAP identifiers:

Server type Default user identifier
OpenLDAP Directory Server cn
Generic LDAP Compliant Directory Server (RFC 2256) cn
Oracle LDAP Directory Server uid
Windows Active Directory List of domains*
Windows Active Directory with LDAP login form cn

* When you select Windows Active Directory with Kerberos, you must enter a Kerberos realm (such as domain@example.com). If you are using Windows Active Directory with Plain text, enter a NetBIOS domain name with a maximum of 15 characters (such as MYCOMPANY, SALES). If you have more than one domain or realm, separate the entries with commas (for example, 1stDomain, 2ndDomain, 3rdDomain). When an end user requests the list of sessions, the login panel prompts for a username and password and displays available domains or realms in a drop-down list.

Validate LDAP Connection

Click TEST CONNECTION to verify that this LDAP server can connect to the MSS Server. If the test fails, check the logs and resolve the issue before continuing.

Advanced Settings

Maximum nested level for groups

This number determines how assigned sessions are inherited. If Group A contains Group B of which JohnUser is a member, and you assign a session to Group A, JohnUser will also have access to that assigned session.

If users do not inherit sessions as you expect, increase this number. Be careful not to raise this level more than necessary because too high a number can impair performance when you have a large number of users. The default is 5.


After the LDAP servers are configured, you can use Assign Users & Groups to authorize users’ access to sessions.