5.3 LDAP Authentication Against Multiple LDAP Servers Or Domains

You can configure LDAP authentication against multiple LDAP servers or domains for unique users. The procedures in this section use three servers or domains as examples; you can add as many servers or domains as you need.

5.3.1 Prerequisites

  • Complete the prerequisites listed in Enablement Considerations.

  • (Conditional) Edit the Sentinel server Hosts file. If the Sentinel server is not a member of the enterprise domain, update the /etc/hosts file with the fully qualified domain name (FQDN) of the Sentinel server.

  • Update the hosts file on all the client machines that access Sentinel:

    1. Open the hosts file:

      Windows: Browse to C:\Windows\System32\Drivers\etc directory.

      Linux: Go to /etc directory.

    2. Add the following entry: <sentinel_ip> <sentinel_fqdn> <sentinel_hostname>

      Where:

      <sentinel_ip> is the IP address of the Sentinel server.

      <sentinel_fqdn> is the FQDN of the Sentinel server.

      <sentinel_hostname> is the host name of the Sentinel server.

      For example: 1.2.3.4 sentinel.mycompany.com sentinel

  • Ensure that all LDAP users have an email ID and that the email ID is populated in the mail attribute in the LDAP directory.

  • (Conditional) If you are using LDAP with SSL and you want the Sentinel server to communicate with LDAP servers over the SSL port (default 636), perform the following:

    • If the Sentinel server is running in non-FIPS mode, import the CA certificate chain of each LDAP server into the Sentinel server keystore:

      1. Log in to the Sentinel server as root.

      2. Execute the following commands:

        cd /opt/novell/sentinel/jdk/jre/bin

        ./keytool -importcert -file <cert_file_path> -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -alias <alias>

        Where:

        <cert_file_path> is the path of the certificate file you want to import.

        <alias> is the alias name you want to assign to the certificate in the Sentinel keystore.

    • If the Sentinel server is running in FIPS mode, import the CA certificate chain of each LDAP server into the Sentinel FIPS keystore. For more information about importing certificates in FIPS mode, see Importing Certificates into FIPS Keystore Database.

5.3.2 Enabling Strong Authentication

  1. Log in as root user to the Sentinel server.

  2. Open the /etc/opt/novell/sentinel/config/configuration.properties file.

  3. Set strong.authentication.enabled=true

  4. Add admin.user.auth.dn=<ldap_dn_for_sentinel_admin_user>

    Where <ldap_dn_for_sentinel_admin_user> is the LDAP user DN to which the Sentinel admin user is mapped. You can specify the DN of an LDAP user in any of the LDAP servers or domains. For example, admin.user.auth.dn=CN=Administrator,CN=Users,DC=mycompany,DC=com

  5. (Conditional) If you are using Sentinel in High Availability (HA) mode, add

    sentinel.ha.cluster.hostname=<cluster_virtual_fqdn>

    Where <cluster_virtual_fqdn> is the virtual FQDN of the HA cluster.

5.3.3 Configuring LDAP Servers Or Domains Properties

  1. Log in as the root user to the Sentinel server.

  2. Open the /etc/opt/osp-configuration.properties file.

  3. Add the following properties to configure the details of the first LDAP server or domain:

    NOTE: Ensure that there are no extra spaces when you add the following properties.

    • com.netiq.sentinel.osp.ldap.host=<ldap_host>

      Where <ldap_host> is the IP address or hostname of the LDAP server.

    • com.netiq.sentinel.osp.ldap.port=<ldap_port>

      Where <ldap_port> is the port number of the LDAP connection. The default SSL port number is 636 and the default non-SSL port number is 389.

    • com.netiq.sentinel.osp.ldap.use-ssl=true/false

      Where true/false specifies whether the LDAP connection uses SSL or not.

    • com.netiq.sentinel.osp.ldap.dir-type=<ldap_directory_type>

      Where <ldap_directory_type> is the directory type of the LDAP server. For example, the directory type of Active Directory is AD and the directory type of eDirectory is edir.

    • com.netiq.sentinel.osp.as.naming-attr=<naming_attribute>

      Where <naming_attribute> is the naming attribute of the LDAP server. The naming attribute is the LDAP attribute that contains the user login name and is used in the LDAP search filter when searching for users. For example, the naming attribute for Active Directory can be sAMAccountName and the naming attribute for eDirectory can be uid or cn.

    • com.netiq.sentinel.osp.as.admins-container-dn=<admins_container_dn>

      Where <admins_container_dn> is the DN of the container for admin users in the LDAP server. For example, CN=Users,DC=mycompany,DC=com.

    • com.netiq.sentinel.osp.as.users-container-dn=<users_container_dn>

      Where <users_container_dn> is the DN of the container for users in the LDAP server. For example, CN=Users,DC=mycompany,DC=com.

    • com.netiq.sentinel.osp.ldap.admin-dn=<ldap_admin_dn>

      Where <ldap_admin_dn> is the DN of the admin user in the LDAP server. For example, CN=Administrator,CN=Users,DC=mycompany,DC=com.

    • com.netiq.sentinel.osp.ldap.admin-pwd=<ldap_admin_pwd>

      Where <ldap_admin_pwd> is the encrypted password of the admin user in the LDAP server.

      To get the encrypted password, run the encryptpwd script. Log in as the novell user and go to the /opt/novell/sentinel/bin directory. Run the following command:

      ./encryptpwd -e LDAPAdminPassword

  4. Configure every additional LDAP server or domain by adding the properties of each additional LDAP server or domain to the osp-configuration.properties as follows:

    • For the second LDAP server or domain, add:

      com.netiq.sentinel.osp.ldap.host2, com.netiq.sentinel.osp.ldap.port2, com.netiq.sentinel.osp.ldap.use-ssl2, com.netiq.sentinel.osp.ldap.dir-type2, com.netiq.sentinel.osp.as.naming-attr2, com.netiq.sentinel.osp.as.admins-container-dn2, com.netiq.sentinel.osp.as.users-container-dn2, com.netiq.sentinel.osp.ldap.admin-dn2, com.netiq.sentinel.osp.ldap.admin-pwd2

    • For the third LDAP server or domain, add:

      com.netiq.sentinel.osp.ldap.host3, com.netiq.sentinel.osp.ldap.port3, com.netiq.sentinel.osp.ldap.use-ssl3, com.netiq.sentinel.osp.ldap.dir-type3, com.netiq.sentinel.osp.as.naming-attr3, com.netiq.sentinel.osp.as.admins-container-dn3, com.netiq.sentinel.osp.as.users-container-dn3, com.netiq.sentinel.osp.ldap.admin-dn3, com.netiq.sentinel.osp.ldap.admin-pwd3

    Repeat the same instructions for subsequent LDAP servers or domains.

5.3.4 Configuring LDAP Servers Or Domains As Authentication Sources

The first LDAP server or domain is already configured as an authentication source in the authcfg.xml file. You can configure additional LDAP servers or domains as authentication sources in the authcfg.xml file using the procedure below.

To configure LDAP Servers Or Domains As Authentication Sources

  1. Log in as root user to the Sentinel server.

  2. Open the /etc/opt/novell/sentinel/osp/WEB-INF/conf/current/siem/services/authcfg.xml file.

  3. Add additional LDAPDataSource elements:

    1. Search for the existing LDAPDataSource element corresponding to the first LDAP server or domain.

    2. Add a new LDAPDataSource element below the existing element in a sequence, for every additional LDAP server or domain, as follows:

      • For the second LDAP server or domain:

        <LDAPDataSource
                        displayName="LDAP Datasource2"
                        id="ds-ldap2"
                        adminName="${com.netiq.sentinel.osp.ldap.admin-dn2}"
                        adminPassword="${com.netiq.sentinel.osp.ldap.admin-pwd2}"
                        dirType="${com.netiq.sentinel.osp.ldap.dir-type2}"
                        >
                        <Server
                                secureConnection="${com.netiq.sentinel.osp.ldap.use-ssl2}"
                                host="${com.netiq.sentinel.osp.ldap.host2}"
                                maxConnections="${com.netiq.sentinel.osp.ldap.max-connections2:31}"
                                port="${com.netiq.sentinel.osp.ldap.port2}"
                                />
                </LDAPDataSource>
      • For the third LDAP server or domain:

        <LDAPDataSource
                        displayName="LDAP Datasource3"
                        id="ds-ldap3"
                        adminName="${com.netiq.sentinel.osp.ldap.admin-dn3}"
                        adminPassword="${com.netiq.sentinel.osp.ldap.admin-pwd3}"
                        dirType="${com.netiq.sentinel.osp.ldap.dir-type3}"
                        >
                        <Server
                                secureConnection="${com.netiq.sentinel.osp.ldap.use-ssl3}"
                                host="${com.netiq.sentinel.osp.ldap.host3}"
                                maxConnections="${com.netiq.sentinel.osp.ldap.max-connections3:31}"
                                port="${com.netiq.sentinel.osp.ldap.port3}"
                                />
                </LDAPDataSource>

      Repeat these instructions for the subsequent LDAP servers or domains.

  4. Add additional LDAPAuthenticationSource elements:

    1. Search for the existing LDAPAuthenticationSource element corresponding to the first LDAP server or domain.

    2. Add a new LDAPAuthenticationSource element below the existing element in a sequence, for every additional LDAP server or domain, as follows:

      • For the second LDAP server or domain:

        <LDAPAuthenticationSource
                        displayName="LDAP Authentication Source2"
                        id="as-ldap2"
                        restrictToContexts="${com.netiq.sentinel.osp.as.restrict-to-contexts2:false}"
                        >
                        <Reference refId="ds-ldap2" type="DataSource"/>
                        <!-- NamingAttr values for LDAP define which attributes are used in an LDAP search filter when search for a user object -->
                        <NamingAttr name="${com.netiq.sentinel.osp.as.naming-attr2:cn}"/>
                        <NamingAttr name="mail"/>
                        <!-- Context values define the base context(s) in which to search for users. Each context will be searched in order -->
                        <Context context="${com.netiq.sentinel.osp.as.users-container-dn2}" decorator="search" order="0" scope="${com.netiq.sentinel.osp.as.scope2:subtree}"/>
                        <Context context="${com.netiq.sentinel.osp.as.admins-container-dn2}" decorator="search" order="1" scope="${com.netiq.sentinel.osp.as.scope2:subtree}"/>
                        <AttributeMapping>
                                <AttributeMapEntry localName="userDN" nativeName="{$dn}"/>
                                <!-- The "dn" entry is for use in admin-defined SelectExpression instances ("{$dn}" is a predefined "pseudo" attr name) -->
                                <AttributeMapEntry localName="dn" nativeName="{$dn}"/>
                                <AttributeMapEntry localName="userName" nativeName="${com.netiq.sentinel.osp.as.naming-attr2:cn}"/>
                                <AttributeMapEntry localName="saml2-mapping-attr" nativeName="${com.netiq.sentinel.osp.login.saml2.mapping-attr2:mail}"/>
                        </AttributeMapping>
                </LDAPAuthenticationSource>
      • For the third LDAP server or domain:

         <LDAPAuthenticationSource
                        displayName="LDAP Authentication Source3"
                        id="as-ldap3"
                        restrictToContexts="${com.netiq.sentinel.osp.as.restrict-to-contexts3:false}"
                        >
                        <Reference refId="ds-ldap3" type="DataSource"/>
                        <!-- NamingAttr values for LDAP define which attributes are used in an LDAP search filter when search for a user object -->
                        <NamingAttr name="${com.netiq.sentinel.osp.as.naming-attr3:cn}"/>
                        <NamingAttr name="mail"/>
                        <!-- Context values define the base context(s) in which to search for users. Each context will be searched in order -->
                        <Context context="${com.netiq.sentinel.osp.as.users-container-dn3}" decorator="search" order="0" scope="${com.netiq.sentinel.osp.as.scope3:subtree}"/>
                        <Context context="${com.netiq.sentinel.osp.as.admins-container-dn3}" decorator="search" order="1" scope="${com.netiq.sentinel.osp.as.scope3:subtree}"/>
                        <AttributeMapping>
                                <AttributeMapEntry localName="userDN" nativeName="{$dn}"/>
                                <!-- The "dn" entry is for use in admin-defined SelectExpression instances ("{$dn}" is a predefined "pseudo" attr name) -->
                                <AttributeMapEntry localName="dn" nativeName="{$dn}"/>
                                <AttributeMapEntry localName="userName" nativeName="${com.netiq.sentinel.osp.as.naming-attr3:cn}"/>
                                <AttributeMapEntry localName="saml2-mapping-attr" nativeName="${com.netiq.sentinel.osp.login.saml2.mapping-attr3:mail}"/>
                        </AttributeMapping>
                </LDAPAuthenticationSource>

      Repeat these instructions for the subsequent LDAP servers or domains.

  5. Add additional PrincipalMapping elements:

    1. Search for the existing PrincipalMapping element corresponding to the first LDAP server or domain.

    2. Add a new PrincipalMapping element below the existing element in a sequence, for every additional LDAP server or domain, as follows:

      • For the second LDAP server or domain:

        <PrincipalMapping
                        id="ldap-mapping2"
                        displayName="LDAP User to Sentinel User Mapping2"
                        enabled="true"
                        >
                        <Reference refId="as-ldap2" type="AuthenticationSource" decorator="srcId"/>
                        <Reference refId="as-sentinel" type="AuthenticationSource" decorator="destId"/>
                        <And>
                                <Or>
                                        <Equal sourceAttrName="userDN" targetAttrName="userDN"/>
                                        <Equal sourceAttrName="userName" targetAttrName="userName"/>
                                </Or>
                                <Equal targetAttrName="authSource">LDAP</Equal>
                        </And>
                </PrincipalMapping>
      • For the third LDAP server or domain:

        <PrincipalMapping
                        id="ldap-mapping3"
                        displayName="LDAP User to Sentinel User Mapping3"
                        enabled="true"
                        >
                        <Reference refId="as-ldap3" type="AuthenticationSource" decorator="srcId"/>
                        <Reference refId="as-sentinel" type="AuthenticationSource" decorator="destId"/>
                        <And>
                                <Or>
                                        <Equal sourceAttrName="userDN" targetAttrName="userDN"/>
                                        <Equal sourceAttrName="userName" targetAttrName="userName"/>
                                </Or>
                                <Equal targetAttrName="authSource">LDAP</Equal>
                        </And>
                </PrincipalMapping>

      Repeat these instructions for the subsequent LDAP servers or domains.

  6. Add references to the LDAPAuthenticationSource elements created earlier:

    In the existing PasswordAuthentication element whose id="np-auth", there is an existing Reference element whose refId="as-ldap".

    Add additional Reference elements below this element to refer to the LDAPAuthenticationSource elements created earlier in Step 4 as follows:

    <PasswordAuthentication
                displayName="Name/Password (Form)"
                id="np-auth"
                enabled="${com.netiq.sentinel.osp.np-enabled:true}"
                continueButton="${com.netiq.sentinel.osp.login.use-continue-button:true}"
                showHide="${com.netiq.sentinel.osp.login.allow-show-hide:undefined}"
                showHideInitialState="${com.netiq.sentinel.osp.login.show-hide-initial-state:undefined}"
                useHints="${com.netiq.sentinel.osp.login.use-hints:false}"
                >
                <!-- these references define which authentication sources will be used with the name/password auth class -->
                <!-- disabled db user login in strong auth mode -->
                <!--<Reference refId="as-sentinel" type="AuthenticationSource">
                        <Reference refId="ul-sentinel" type="UserLookup" decorator="additional-criteria"/>
                </Reference>-->
                <Reference refId="as-ldap" type="AuthenticationSource"/>
                <Reference refId="as-ldap2" type="AuthenticationSource"/>
                <Reference refId="as-ldap3" type="AuthenticationSource"/>
                <!-- And so on... -->
        </PasswordAuthentication>

  7. Add references to the PrincipalMapping elements created earlier:

    In the existing AuthContract element whose id="np-contract", search for the existing Reference element whose refId="ldap-mapping".

    Add additional Reference elements below this element to refer to the PrincipalMapping elements created in Step 5, as follows:

    <AuthContract
                displayName="Username/Password Login"
                id="np-contract"
                uri="sentinel:login:user:np"
                expiredPasswordUrl="${com.netiq.sentinel.osp.auth.pwd.expire.url}"
                showExpiredPwdUI="${com.netiq.sentinel.osp.auth.pwd.expire.show:false}"
                enabled="${com.netiq.sentinel.osp.np-enabled:true}"
                >
                <Reference refId="np-auth" type="ContractExecutable"/>
                <Reference refId="ldap-mapping" type="ContractExecutable"/>
                <Reference refId="ldap-mapping2" type="ContractExecutable"/>
                <Reference refId="ldap-mapping3" type="ContractExecutable"/>
                <!-- And so on... -->
                <Reference refId="unlocked-validator" type="ContractExecutable"/>
                <Reference refId="admin-role-mapping" type="ContractExecutable"/>
        </AuthContract>

  8. (Conditional) If you are using Sentinel in High Availability (HA) mode, perform the steps at Configuring Sentinel In High Availability.

  9. For the above configuration changes to take effect, restart the Sentinel server:

    rcsentinel restart
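The numbered properties from Configuring LDAP Servers Or Domains Properties and the ds-ldapN, as-ldapN and ldap-mappingN elements and Reference entries in authcfg.xml must line up for every additional server, and a missing property, a stray space, or a forgotten Reference only shows up as a failed login after the restart. As an added example, not part of this guide or of the Sentinel product, the following Python script checks both files for that consistency before you restart; the sample file contents are constructed here, and you would pass the text of your own osp-configuration.properties and authcfg.xml to audit().

```python
import re
import xml.etree.ElementTree as ET
P = "com.netiq.sentinel.osp."
# Every LDAP server N needs this property set, with N appended to each name (no suffix for the first).
REQUIRED = ["ldap.host", "ldap.port", "ldap.use-ssl", "ldap.dir-type", "as.naming-attr",
            "as.admins-container-dn", "as.users-container-dn", "ldap.admin-dn", "ldap.admin-pwd"]

def parse_properties(text):
    """Parse key=value lines and flag the extra spaces the NOTE in 5.3.3 warns against."""
    props, problems = {}, []
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            key, _, value = line.partition("=")
            if key != key.strip() or value != value.strip():
                problems.append(f"extra whitespace: {line!r}")
            props[key.strip()] = value.strip()
    return props, problems

def check_servers(props):
    """For each suffix seen on ldap.host, require the full property set and a sane SSL/port pair."""
    host = P + "ldap.host"
    suffixes = sorted(k[len(host):] for k in props if re.fullmatch(re.escape(host) + r"\d*", k))
    problems = []
    for n in suffixes:
        problems += [f"server {n or '1'}: missing {P}{r}{n}" for r in REQUIRED if P + r + n not in props]
        ssl, port = props.get(f"{P}ldap.use-ssl{n}"), props.get(f"{P}ldap.port{n}")
        if ssl != "true":
            problems.append(f"server {n or '1'}: use-ssl is not true, bind password would cross the network in clear text")
        elif port == "389":
            problems.append(f"server {n or '1'}: use-ssl=true but port is the non-SSL default 389")
    return suffixes, problems

def check_authcfg(xml_text, suffixes):
    """Check that authcfg.xml defines ds-ldapN, as-ldapN, ldap-mappingN and that np-auth / np-contract reference them."""
    by_id = {e.get("id"): e for e in ET.fromstring(xml_text).iter() if e.get("id")}
    refs = lambda i: {r.get("refId") for r in by_id[i].findall("Reference")} if i in by_id else set()
    problems = []
    for n in suffixes:
        problems += [f"authcfg.xml: no element with id={i}"
                     for i in (f"ds-ldap{n}", f"as-ldap{n}", f"ldap-mapping{n}") if i not in by_id]
        for parent, ref in (("np-auth", f"as-ldap{n}"), ("np-contract", f"ldap-mapping{n}")):
            if ref not in refs(parent):  # only direct Reference children of that element count
                problems.append(f"authcfg.xml: {parent} has no Reference to {ref}")
    return problems

def audit(props_text, xml_text):
    """Return every problem found across both files; an empty list means they are consistent."""
    props, problems = parse_properties(props_text)
    suffixes, more = check_servers(props)
    return problems + more + check_authcfg(xml_text, suffixes)

# Constructed sample input: server 1 complete, server 2 half-configured with a stray space and a bad port.
SAMPLE_PROPS = "\n".join([f"{P}{r}=example" for r in REQUIRED[3:]] + [
    f"{P}ldap.host=ldap1.example.test", f"{P}ldap.port=636", f"{P}ldap.use-ssl=true",
    f"{P}ldap.host2=ldap2.example.test", f"{P}ldap.port2 =389", f"{P}ldap.use-ssl2=true"])
SAMPLE_XML = """<Config><LDAPDataSource id="ds-ldap"/><LDAPDataSource id="ds-ldap2"/>
<LDAPAuthenticationSource id="as-ldap"/><LDAPAuthenticationSource id="as-ldap2"/><PrincipalMapping id="ldap-mapping"/>
<PasswordAuthentication id="np-auth"><Reference refId="as-ldap" type="AuthenticationSource"/></PasswordAuthentication>
<AuthContract id="np-contract"><Reference refId="ldap-mapping" type="ContractExecutable"/></AuthContract></Config>"""
```

On the constructed sample, audit() reports the stray space, the six properties server 2 still lacks, the SSL/port mismatch, and the three authcfg.xml entries that were never added for server 2.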

5.3.5 Logging In With LDAP User Credentials

  1. Specify the following URL in your web browser to launch Sentinel:

    https://<hostname>:<port>/sentinel/views/main.html

    Where <hostname> is the host name of the Sentinel server.

    <port> is the Sentinel web server port (8443 by default).

    NOTE: After you enable LDAP authentication against multiple LDAP servers or domains, you can only use the hostname in the URL, and not the IP address.

  2. Log in to Sentinel with the value of the naming attribute of the LDAP user to which you mapped the Sentinel admin user.

    You mapped the Sentinel admin user to a corresponding LDAP user DN in Step 4 and configured the LDAP naming attribute when Configuring LDAP Servers Or Domains Properties.

    NOTE: After you enable LDAP authentication against multiple LDAP servers or domains, you cannot use the user name admin to log in to Sentinel as the admin user.

    For example, suppose you set admin.user.auth.dn=CN=Administrator,CN=Users,DC=mycompany,DC=com in Step 4 and configured the LDAP naming attribute as sAMAccountName in Configuring LDAP Servers Or Domains Properties. Log in to Sentinel as Administrator, which is the sAMAccountName of the LDAP user whose DN is CN=Administrator,CN=Users,DC=mycompany,DC=com.

  3. Create a Sentinel user account for every LDAP user who will access Sentinel:

    1. In Sentinel Main, click Users > Users and Roles.

    2. Specify the Email and LDAP User DN. For more information, see Creating Users.

      For example, specify Email as john@mycompany.com and LDAP User DN as CN=john,CN=Users,DC=mycompany,DC=com.

  4. Log in to Sentinel by specifying the value of the LDAP naming attribute of the users created in Step 3.

    For example, you specified an LDAP User DN of CN=john,CN=Users,DC=mycompany,DC=com in Step 3 and configured the LDAP naming attribute as sAMAccountName in Configuring LDAP Servers Or Domains Properties.

    You can log in as john, which is the sAMAccountName of the LDAP user whose DN is CN=john,CN=Users,DC=mycompany,DC=com.